News from 2019
-
August 2019 Security Releases
Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.
-
Node v10.16.3 (LTS)
This is a security release.
Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.
-
Node v8.16.1 (LTS)
This is a security release.
Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.
-
Node v12.8.1 (Current)
This is a security release.
Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.
-
Node v10.16.2 (LTS)
This release patches a regression in the OpenSSL upgrade to 1.1.1c that causes intermittent hangs in machines that have low entropy.
- [
894a9dd230] - deps: cherry-pick c19c5a6 from openssl upstream (Ali Ijaz Sheikh) #28983
- [
-
Node v12.8.0 (Current)
- assert:
- Legacy mode deprecation (
DEP0089) is revoked (Colin Ihrig) #28892
- Legacy mode deprecation (
- crypto:
- n-api:
- Added APIs for per-instance state management (Gabriel Schulhof) #28682
- report:
- Network interfaces get included in the report (Colin Ihrig) #28911
- src:
v8.getHeapCodeStatistics()is now exported (Yuriy Vasiyarov) #27978
- assert:
- Node v10.16.1 (LTS)
-
Node v12.7.0 (Current)
- deps:
- esm:
- Implemented experimental "pkg-exports" proposal. A new
"exports"field can be added to a module'spackage.jsonfile to provide custom subpath aliasing. See proposal-pkg-exports for more information (Guy Bedford) #28568.
- Implemented experimental "pkg-exports" proposal. A new
- http:
- inspector:
- Added
inspector.waitForDebugger()(Aleksei Koziatinskii) #28453.
- Added
- policy:
- Added
--policy-integrity=sriCLI option to mitigate policy tampering. If a policy integrity is specified and the policy does not have that integrity, Node.js will error prior to running any code (Bradley Farias) #28734.
- Added
- readline,tty:
- report:
- Modify
process.report.getReport()to return anObjectinstead of a JSON string (Christopher Hiller) #28630.
- Modify
- src:
- Use cgroups to get memory limits. This improves the way we set the memory ceiling for a Node.js process. Previously we would use the physical memory size to estimate the necessary V8 heap sizes. The physical memory size is not necessarily the correct limit, e.g. if the process is running inside a docker container or is otherwise constrained. This change adds the ability to get a memory limit set by linux cgroups, which is used by docker containers to set resource constraints (Kelvin Jin) #27508.
-
Node v12.6.0 (Current)
- build:
- Experimental support for building Node.js on MIPS architecture is back #27992.
- child_process:
- The promisified versions of
child_process.execandchild_process.execFilenow both return aPromisewhich has the child instance attached to theirchildproperty #28325.
- The promisified versions of
- deps:
- process:
- A new method,
process.resourceUsage()was added. It returns resource usage for the current process, such as CPU time #28018.
- A new method,
- src:
- Fixed an issue related to stdio that could lead to a crash of the process in some circumstances #28490.
- stream:
- Added a
writableFinishedproperty to writable streams. It indicates that all the data has been flushed to the underlying system #28007.
- Added a
- worker:
- Fixed an issue that prevented worker threads to listen for data on stdin #28153.
- meta:
- Added Jiawen Geng to collaborators #28322.
- build:
-
Node v12.5.0 (Current)
- build:
- The startup time is reduced by enabling V8 snapshots by default #28181
- deps:
- Updated
V8to 7.5.288.22 #27375- The numeric separator feature is now enabled by default
- Updated
OpenSSLto 1.1.1c #28211
- Updated
- inspector:
- The
--inspect-publish-uidflag was added to specify ways of the inspector web socket url exposure #27741
- The
- n-api:
- Accessors on napi_define_* are now ECMAScript-compliant #27851
- report:
- The cpu info got added to the report output #28188
- src:
- Restore the original state of the stdio file descriptors on exit to prevent leaving stdio in raw or non-blocking mode #24260
- tools,gyp:
- Introduce MSVS 2019 #27375
- util:
- worker:
worker.terminate()now returns a promise and using the callback is deprecated #28021
- build:
- Node v12.4.0 (Current)
- Node v10.16.0 (LTS)
- Node v12.3.1 (Current)
- Node v12.3.0 (Current)
- Node v12.2.0 (Current)
- Node v11.15.0 (Current)
- Node v12.1.0 (Current)
- Node v12.0.0 (Current)
- Node v8.16.0 (LTS)
- Node v11.14.0 (Current)
- Node v6.17.1 (LTS)
- Node v11.13.0 (Current)
- Node v11.12.0 (Current)
- Node v11.11.0 (Current)
- Node v10.15.3 (LTS)
- February 2019 Security Releases
- Node v11.10.1 (Current)
- Node v10.15.2 (LTS)
- Node v8.15.1 (LTS)
- Node v6.17.0 (LTS)
- Node v11.10.0 (Current)
- Node v11.9.0 (Current)
- Node v10.15.1 (LTS)
- Node v11.8.0 (Current)
- Node v11.7.0 (Current)