News from 2018
-
Node v10.7.0 (Current)
- console:
- The
console.timeLog()method has been implemented. #21312
- The
- deps:
- http:
- Added support for passing both
timeoutandagentoptions tohttp.request. #21204
- Added support for passing both
- inspector:
- Expose the original console API in
require('inspector').console. #21659
- Expose the original console API in
- napi:
- Added experimental support for functions dealing with bigint numbers. #21226
- process:
- trace_events:
- Added process_name metadata. #21477
- Added new collaborators
- codebytere - Shelley Vohr
- console:
-
Node v10.6.0 (Current)
- dns:
- An experimental promisified version of the dns module is now available. Give
it a try with
require('dns').promises. #21264
- An experimental promisified version of the dns module is now available. Give
it a try with
- fs:
fs.lchownhas been undeprecated now that libuv supports it. #21498
- lib:
- n-api:
- Add API for asynchronous functions. #17887
- util:
util.inspectis now able to return a result instead of throwing when the maximum call stack size is exceeded during inspection. #20725
- vm:
- Add
script.createCachedData(). This API replaces theproduceCachedDataoption of theScriptconstructor that is now deprecated. #20300
- Add
- worker:
- Support for relative paths has been added to the
Workerconstructor. Paths are interpreted relative to the current working directory. #21407
- Support for relative paths has been added to the
- dns:
- Node v10.5.0 (Current)
-
Node v8.11.3 (LTS)
- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
- http2
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
-
Node v6.14.3 (LTS)
- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
- [
7dbcfc6217] - src: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) nodejs-private/node-private#121
-
Node v9.11.2 (Current)
- Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
- http2
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
- tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
-
Node v10.4.1 (Current)
- Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
- http2
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
- tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
- n-api: Prevent use-after-free in napi_delete_async_work
-
June 2018 Security Releases
(Update 12-June-2018) Security releases available
Updates are now available for all active Node.js release lines. These include the fix for the vulnerabilities identified in the initial announcement (below).
We recommend that all users upgrade as soon as possible.
- Node v10.4.0 (Current)
-
Node v10.3.0 (Current)
- deps:
- upgrade npm to 6.1.0 (Rebecca Turner) #20190
- fs:
- fix reads with pos > 4GB (Mathias Buus) #21003
- net:
- new option to allow IPC servers to be readable and writable by all users (Bartosz Sosnowski) #19472
- stream:
- fix removeAllListeners() for Stream.Readable to work as expected when no arguments are passed (Kael Zhang) #20924
- Added new collaborators
- jdlaton John-David Dalton
- deps:
- Node v10.2.1 (Current)
- Node v10.2.0 (Current)
- Node v8.11.2 (LTS)
- Node v10.1.0 (Current)
- Node v6.14.2 (LTS)
- Node v10.0.0 (Current)
- Node v9.11.1 (Current)
- Node v9.11.0 (Current)
- Node v9.10.1 (Current)
- Node v8.11.1 (LTS)
- Node v6.14.1 (LTS)
- Node v4.9.1 (Maintenance)
- Node v9.10.0 (Current)
- Node v8.11.0 (LTS)
- Node v6.14.0 (LTS)
- Node v4.9.0 (Maintenance)
- March 2018 Security Releases
- Node v9.9.0 (Current)
- Node v9.8.0 (Current)
- Node v8.10.0 (LTS)
- Node v6.13.1 (LTS)
- Node v9.7.1 (Current)
- Node v9.7.0 (Current)
- Node v9.6.1 (Current)
- Node v9.6.0 (Current)
- Node v6.13.0 (LTS)
- Node v9.5.0 (Current)
- Node v9.4.0 (Current)
- Meltdown and Spectre - Impact On Node.js
- Node v8.9.4 (LTS)
- Node v6.12.3 (LTS)