News from 2018

• 05 Apr Node v9.11.1 (Current)

  No additional commits.

  An infrastructure issue caused a non-functioning msi installer for x64 to be promoted. The patch release is to ensure that all binaries and installers work as expected.

  Windows 32-bit Installer: https://nodejs.org/dist/v9.11.1/node-v9.11.1-x86.msi
  Windows 64-bit Installer: https://nodejs.org/dist/v9.11.1/node-v9.11.1-x64.msi
  Windows 32-bit Binary: https://nodejs.org/dist/v9.11.1/win-x86/node.exe
  Windows 64-bit Binary: https://nodejs.org/dist/v9.11.1/win-x64/node.exe
  macOS 64-bit Installer: https://nodejs.org/dist/v9.11.1/node-v9.11.1.pkg
  macOS 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-darwin-x64.tar.gz
  Linux 32-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-x86.tar.xz
  Linux 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-x64.tar.xz
  Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-ppc64le.tar.xz
  Linux s390x 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-s390x.tar.xz
  AIX 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-aix-ppc64.tar.gz
  SunOS 32-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-sunos-x86.tar.xz
  SunOS 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-sunos-x64.tar.xz
  ARMv6 32-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-armv6l.tar.xz
  ARMv7 32-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-armv7l.tar.xz
  ARMv8 64-bit Binary: https://nodejs.org/dist/v9.11.1/node-v9.11.1-linux-arm64.tar.xz
  Source Code: https://nodejs.org/dist/v9.11.1/node-v9.11.1.tar.gz
  Other release files: https://nodejs.org/dist/v9.11.1/
  Documentation: https://nodejs.org/docs/v9.11.1/api/

  Read more...

• 04 Apr Node v9.11.0 (Current)
  • deps:
    • Updated ICU to 61.1 (Steven R. Loomis) #19621 Includes CLDR 33 (many new languages and data improvements).
  • fs:
    • Emit 'ready' event for ReadStream and WriteStream (Sameer Srivastava) #19408
  • n-api:
    • Bump version of n-api supported (Michael Dawson) #19497
  • net:
    • Emit 'ready' event for Socket (Sameer Srivastava) #19408
  • Added new collaborators
    • mafintosh Mathias Buus

  Read more...

• 30 Mar Node v9.10.1 (Current)

  No additional commits.

  Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract.

  Read more...

• 30 Mar Node v8.11.1 (LTS)

  No additional commits.

  Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract.

  Read more...

• 30 Mar Node v6.14.1 (LTS)

  No additional commits.

  Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract.

  Read more...

• 30 Mar Node v4.9.1 (Maintenance)

  No additional commits.

  Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract.

  Read more...

• 28 Mar Node v9.10.0 (Current)
  • Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
  • Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value that is either not subject to DNS resolution or matches localhost or localhost6.
  • Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
  • Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.

  • Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.

  • cluster:

    • Add support for NODE_OPTIONS="--inspect" (Sameer Srivastava) #19165
  • crypto:
    • Expose the public key of a certificate (Hannes Magnusson) #17690
  • n-api:
    • Add napi_fatal_exception to trigger an uncaughtException in JavaScript (Mathias Buus) #19337
  • path:
    • Fix regression in posix.normalize (Michaël Zasso) #19520
  • stream:
    • Improve stream creation performance (Brian White) #19401
  • Added new collaborators
    • BethGriggs Beth Griggs

  Read more...

• 28 Mar Node v8.11.0 (LTS)
  • Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
  • Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value that is either not subject to DNS resolution or matches localhost or localhost6.
  • Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
  • Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
  • Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.

  Read more...

• 28 Mar Node v6.14.0 (LTS)
  • Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
  • Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value that is either not subject to DNS resolution or matches localhost or localhost6.
  • Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
  • Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
  • Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.

  Read more...

• 28 Mar Node v4.9.0 (Maintenance)
  • Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
  • Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX an Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
  • Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
  • Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.

  Read more...

• 21 Mar March 2018 Security Releases
• 21 Mar Node v9.9.0 (Current)
• 08 Mar Node v9.8.0 (Current)
• 07 Mar Node v8.10.0 (LTS)
• 06 Mar Node v6.13.1 (LTS)
• 02 Mar Node v9.7.1 (Current)
• 01 Mar Node v9.7.0 (Current)
• 23 Feb Node v9.6.1 (Current)
• 22 Feb Node v9.6.0 (Current)
• 13 Feb Node v6.13.0 (LTS)
• 01 Feb Node v9.5.0 (Current)
• 10 Jan Node v9.4.0 (Current)
• 08 Jan Meltdown and Spectre - Impact On Node.js
• 03 Jan Node v8.9.4 (LTS)
• 02 Jan Node v6.12.3 (LTS)