Weekly Update - Oct 2nd, 2015

Minwoo Jung

Minwoo Jung

Node.js News — October 2nd

Node.js v4.1.2 release proposal

Node.js v4.1.2 Release proposal

This week we have one release proposal: Node.js v4.1.2, complete changelog from previous releases can be found on GitHub.

Node.js v4.1.2 Notable changes

  • buffer: Fixed a bug introduced in v4.1.0 where allocating a new zero-length buffer can result in the next allocation of a TypedArray in JavaScript not being zero-filled. In certain circumstances this could result in data leakage via reuse of memory space in TypedArrays, breaking the normally safe assumption that TypedArrays should be always zero-filled. (Trevor Norris) #2931.
  • http: Guard against response-splitting of HTTP trailing headers added via response.addTrailers() by removing new-line ([\r\n]) characters from values. Note that standard header values are already stripped of new-line characters. The expected security impact is low because trailing headers are rarely used. (Ben Noordhuis) #2945.
  • npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full details (Kat Marchán) #2958
    • Upgrades graceful-fs on multiple dependencies to no longer rely on monkey-patching fs
    • Fix npm link for pre-release / RC builds of Node
  • v8: Update post-mortem metadata to allow post-mortem debugging tools to find and inspect:
    • JavaScript objects that use dictionary properties (Julien Gilli) #2959
    • ScopeInfo and thus closures (Julien Gilli) #2974

Node.js Help Repository

Node.js Help is open. Need help with Node? Please feel free to ask. Want to help others with issues? You can start simply, by answering open questions.

Please do come over to our Node.js Help to create a new issue if you have any questions.

Known issues

See https://github.com/nodejs/node/labels/confirmed-bug for complete and current list of known issues.

  • Some problems with unreferenced timers running during beforeExit are still to be resolved. See #1264.
  • Surrogate pair in REPL can freeze terminal. #690
  • Calling dns.setServers() while a DNS query is in progress can cause the process to crash on a failed assertion. #894
  • url.resolve may transfer the auth portion of the url when resolving between two full hosts, see #1435.

Security Updates

Please contact [email protected] if you wish to report a vulnerability in Node.js.

Community Updates

If you have spotted or written something about Node.js, do come over to our Evangelism team repo and suggest it on the Issues page, specifically the Weekly Updates issue.

Upcoming Events

Have an event about Node.js coming up? You can put your events here through the Evangelism team repo and announce it in the Issues page, specifically the Weekly Updates issue.