Skip to content

chore(deps): update node.js to >= 10.24.1

GitLab CI requested to merge renovate/node-10.x into develop

This MR contains the following updates:

Package Type Update Change
node (source) engines minor >= 10 -> >= 10.24.1

Release Notes

nodejs/node (node)

v10.24.1: 2021-04-06, Version 10.24.1 'Dubnium' (LTS), @​mylesborins

Compare Source

This is a security release.

Notable Changes

Vulerabilties fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
Commits

v10.24.0: 2021-02-23, Version 10.24.0 'Dubnium' (LTS), @​richardlau

Compare Source

This is a security release.

Notable changes

Vulnerabilities fixed:

  • CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    • Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
  • CVE-2021-22884: DNS rebinding in --inspect
    • Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  • CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
Commits

v10.23.3: 2021-02-09, Version 10.23.3 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes

The update to npm 6.14.11 has been relanded so that npm correctly reports its version.

Commits

v10.23.2: 2021-01-26, Version 10.23.2 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes

Release keys have been synchronized with the main branch.

  • deps:
    • upgrade npm to 6.14.11 (Darcy Clarke) #​36838
Commits

v10.23.1: 2021-01-04, Version 10.23.1 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits
  • CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).
  • CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
Commits

v10.23.0: 2020-10-27, Version 10.23.0 'Dubnium' (LTS), @​richardlau

Compare Source

Notable changes
  • deps:
    • upgrade npm to 6.14.8 (Ruy Adorno) #​34834
  • n-api:
    • create N-API version 7 (Gabriel Schulhof) #​35199
    • expose napi_build_version variable (NickNaso) #​27835
  • tools:
    • add debug entitlements for macOS 10.15+ (Gabriele Greco) #​34378
Commits

v10.22.1: 2020-09-15, Version 10.22.1 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
Commits

v10.22.0: 2020-07-21, Version 10.22.0 'Dubnium' (LTS), @​BethGriggs prepared by @​richardlau

Compare Source

Notable changes
  • deps:
    • upgrade npm to 6.14.6 (claudiahdz) #​34246
    • upgrade openssl sources to 1.1.1g (Hassaan Pasha) #​32982
  • n-api:
    • add napi_detach_arraybuffer (legendecas) #​29768
Commits

v10.21.0: 2020-06-02, Version 10.21.0 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
  • CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
  • CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
Commits

v10.20.1: 2020-04-12, Version 10.20.1 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

Due to release process failures, Node.js v10.20.0 shipped with source and header tarballs that did not properly match the final release commit that was used to build the binaries. We recommend that Node.js v10.20.0 not be used, particularly in any applications using native add-ons or where compiling Node.js from source is involved.

Node.js v10.20.1 is a clean release with the correct sources and is strongly recommended in place of v10.20.0.

v10.20.0: 2020-04-08, Version 10.20.0 'Dubnium' (LTS), @​BethGriggs

Compare Source

macOS package notarization and a change in builder configuration

The macOS binaries for this release, and future 10.x releases, are now being compiled on macOS 10.15 (Catalina) with Xcode 11 to support package notarization, a requirement for installing .pkg files on macOS 10.15 and later. Previous builds of Node.js 10.x were compiled on macOS 10.10 (Yosemite) with a minimum deployment target of macOS 10.7 (Lion). As binaries are still being compiled to support a minimum of macOS 10.7 (Lion) we do not anticipate this having a negative impact on Node.js 10.x users with older versions of macOS.

Notable changes
  • buffer: add {read|write}Big[U]Int64{BE|LE} methods (garygsc) #​19691
  • build: macOS package notarization (Rod Vagg) #​31459
  • deps:
    • update npm to 6.14.3 (Myles Borins) #​32368
    • upgrade openssl sources to 1.1.1e (Hassaan Pasha) #​32328
    • upgrade to libuv 1.34.2 (cjihrig) #​31477
  • n-api:
    • add napi_get_all_property_names (himself65) #​30006
    • add APIs for per-instance state management (Gabriel Schulhof) #​28682
    • define release 6 #​32058
    • turn NAPI_CALL_INTO_MODULE into a function (Anna Henningsen) #​26128
  • tls:
    • expose keylog event on TLSSocket (Alba Mendez) #​27654
    • support TLS min/max protocol defaults in CLI (Sam Roberts) #​27946
  • url: handle quasi-WHATWG URLs in urlToOptions() (cjihrig) #​26226
Commits

v10.19.0: 2020-02-06, Version 10.19.0 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
  • CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
  • CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.

Commits

v10.18.1: 2020-01-09, Version 10.18.1 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes
  • http2: fix session memory accounting after pausing (Michael Lehenbauer) #​30684
  • n-api: correct bug in napi_get_last_error (Octavian Soldea) #​28702
  • tools: update tzdata to 2019c (Myles Borins) #​30479
Commits

v10.18.0: 2019-12-17, Version 10.18.0 'Dubnium' (LTS), @​MylesBorins

Compare Source

This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable changes
Commits

v10.17.0: 2019-10-22, Version 10.17.0 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes
  • crypto:
    • add support for chacha20-poly1305 for AEAD (chux0519) #​24081
    • increase maxmem range from 32 to 53 bits (Tobias Nießen) #​28799
  • deps:
    • update npm to 6.11.3 (claudiahdz) #​29430
    • upgrade openssl sources to 1.1.1d (Sam Roberts) #​29921
  • dns: remove dns.promises experimental warning (cjihrig) #​26592
  • fs: remove experimental warning for fs.promises (Anna Henningsen) #​26581
  • http: makes response.writeHead return the response (Mark S. Everitt) #​25974
  • http2: makes response.writeHead return the response (Mark S. Everitt) #​25974
  • n-api:
    • make func argument of napi_create_threadsafe_function optional (legendecas) #​27791
    • mark version 5 N-APIs as stable (Gabriel Schulhof) #​29401
    • implement date object (Jarrod Connolly) #​25917
  • process: add --unhandled-rejections flag (Ruben Bridgewater) #​26599
  • stream:
    • implement Readable.from async iterator utility (Guy Bedford) #​27660
    • make Symbol.asyncIterator support stable (Matteo Collina) #​26989
Commits

v10.16.3: 2019-08-15, Version 10.16.3 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

This is a security release.

Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

Vulnerabilities fixed:

  • CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
  • CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  • CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
  • CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
  • CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)
Commits

v10.16.2: 2019-08-06, Version 10.16.2 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes

This release patches a regression in the OpenSSL upgrade to 1.1.1c that causes intermittent hangs in machines that have low entropy.

Commits

v10.16.1: 2019-07-31, Version 10.16.1 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable changes
  • deps: upgrade openssl sources to 1.1.1c (Sam Roberts) #​28212
  • stream: do not unconditionally call \_read() on resume() (Anna Henningsen) #​26965
  • worker: fix nullptr deref after MessagePort deser failure (Anna Henningsen) #​25076
Commits

v10.16.0: 2019-05-28, Version 10.16.0 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable Changes
  • deps:
    • update ICU to 64.2 (Ujjwal Sharma) #​27361
    • upgrade npm to 6.9.0 (Kat Marchán) #​26244
    • upgrade openssl sources to 1.1.1b (Sam Roberts) #​26327
    • upgrade to libuv 1.28.0 (cjihrig) #​27241
  • events: add once method to use promises with EventEmitter (Matteo Collina) #​26078
  • n-api: mark thread-safe function as stable (Gabriel Schulhof) #​25556
  • repl: support top-level for-await-of (Shelley Vohr) #​23841
  • zlib: add brotli support (Anna Henningsen) #​24938
Commits

v10.15.3: 2019-03-05, Version 10.15.3 'Dubnium' (LTS), @​BethGriggs

Compare Source

Notable Changes
  • doc
    • add antsmartian to collaborators (Anto Aravinth) #​24655
  • http
    • fix error check in Execute() (Brian White) #​25863
  • stream
    • fix end-of-stream for HTTP/2 (Anna Henningsen) #​24926
Commits

v10.15.2

Compare Source

v10.15.1: 2019-01-29, Version 10.15.1 'Dubnium' (LTS), @​codebytere

Compare Source

Notable Changes
  • doc:

    • add oyyd to collaborators (Ouyang Yadong) #​24300
  • tls:

    • throw if protocol too long (Andre Jodat-Danbrani) #​23606
Commits

v10.15.0: 2018-12-26, Version 10.15.0 'Dubnium' (LTS), @​MylesBorins

Compare Source

The 10.14.0 security release introduced some unexpected breakages on the 10.x release line. This is a special release to fix a regression in the HTTP binary upgrade response body and add a missing CLI flag to adjust the max header size of the http parser.

Notable Changes
  • cli:
    • add --max-http-header-size flag (cjihrig) #​24811
  • http:
    • add maxHeaderSize property (cjihrig) #​24860
Commits

v10.14.2: 2018-12-11, Version 10.14.2 'Dubnium' (LTS), @​MylesBorins prepared by @​codebytere

Compare Source

This LTS release comes with 374 commits. This includes 165 which are test or benchmark related, 77 which are doc related, 29 which are build / tool related and 15 commits which update dependencies.

Notable Changes
Commits

v10.14.1: 2018-11-29, Version 10.14.1 'Dubnium' (LTS), @​MylesBorins

Compare Source

Notable Changes
  • win/msi: Revert changes to installer causing issues on Windows systems.
Commits

v10.14.0: 2018-11-27, Version 10.14.0 'Dubnium' (LTS), @​rvagg

Compare Source

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  • Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  • Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  • Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
  • OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  • OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes
  • deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
  • http:
    • Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
    • A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
  • url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. Reported by Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)
Commits

v10.13.0: 2018-10-30, Version 10.13.0 'Dubnium' (LTS), @​MylesBorins

Compare Source

This release marks the transition of Node.js 10.x into Long Term Support (LTS) with the codename 'Dubnium'. The 10.x release line now moves in to "Active LTS" and will remain so until April 2020. After that time it will move in to "Maintenance" until end of life in April 2021.

Notable Changes

This release only includes minimal changes necessary to fix known regressions prior to LTS.

Commits
  • [2ba6010082] - buffer: fix crash for invalid index types (Anna Henningsen)
  • [2cd68be69d] - build: spawn make test-ci with -j1 (Refael Ackermann) #​23733
  • [1003f4c975] - deps: fix wrong default for v8 handle zapping (Refael Ackermann) #​23801

v10.12.0: 2018-10-10, Version 10.12.0 (Current), @​targos

Compare Source

Notable changes
  • assert
    • The diff output is now a tiny bit improved by sorting object properties when inspecting the values that are compared with each other. #​22788
  • cli
    • The options parser now normalizes _ to - in all multi-word command-line flags, e.g. --no_warnings has the same effect as --no-warnings. #​23020
    • Added bash completion for the node binary. To generate a bash completion script, run node --completion-bash. The output can be saved to a file which can be sourced to enable completion. #​20713
  • crypto
    • Added support for PEM-level encryption. #​23151
    • Added an API asymmetric key pair generation. The new methods crypto.generateKeyPair and crypto.generateKeyPairSync can be used to generate public and private key pairs. The API supports RSA, DSA and EC and a variety of key encodings (both PEM and DER). #​22660
  • fs
    • Added a recursive option to fs.mkdir and fs.mkdirSync. If this option is set to true, non-existing parent folders will be automatically created. #​21875
  • http2
    • Added a 'ping' event to Http2Session that is emitted whenever a non-ack PING is received. #​23009
    • Added support for the ORIGIN frame. #​22956
    • Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect protocol support to allow use of WebSockets over HTTP/2. #​23284
  • module
    • Added module.createRequireFromPath(filename). This new method can be used to create a custom require function that will resolve modules relative to the filename path. #​19360
  • process
    • Added a 'multipleResolves' process event that is emitted whenever a Promise is attempted to be resolved multiple times, e.g. if the resolve and reject functions are both called in a Promise executor. #​22218
  • url
    • Added url.fileURLToPath(url) and url.pathToFileURL(path). These methods can be used to correctly convert between file: URLs and absolute paths. #​22506
  • util
    • Added the sorted option to util.inspect(). If set to true, all properties of an object and Set and Map entries will be sorted in the returned string. If set to a function, it is used as a compare function. #​22788
    • The util.instpect.custom symbol is now defined in the global symbol registry as Symbol.for('nodejs.util.inspect.custom'). #​20857
    • Added support for BigInt numbers in util.format(). #​22097
  • V8 API
    • A number of V8 C++ APIs have been marked as deprecated since they have been removed in the upstream repository. Replacement APIs are added where necessary. #​23159
  • Windows
    • The Windows msi installer now provides an option to automatically install the tools required to build native modules. #​22645
  • Workers
    • Debugging support for Workers using the DevTools protocol has been implemented. #​21364
    • The public inspector module is now enabled in Workers. #​22769
  • Added new collaborators:
Commits

v10.11.0: 2018-09-20, Version 10.11.0 (Current), @​targos

Compare Source

Notable Changes
  • fs
    • Fixed fsPromises.readdir withFileTypes. #​22832
  • http2
    • Added http2stream.endAfterHeaders property. #​22843
  • util
    • Added util.types.isBoxedPrimitive(value). #​22620
  • Added new collaborators:
  • The Technical Steering Committee has new members:
Commits

v10.10.0: 2018-09-06, Version 10.10.0 (Current), @​targos

Compare Source

Notable Changes
  • child_process:
    • TypedArray and DataView values are now accepted as input by execFileSync and spawnSync. #​22409
  • coverage:
    • Native V8 code coverage information can now be output to disk by setting the environment variable NODE_V8_COVERAGE to a directory. #​22527
  • deps:
  • fs:
    • The methods fs.read, fs.readSync, fs.write, fs.writeSync, fs.writeFile and fs.writeFileSync now all accept TypedArray and DataView objects. #​22150
    • A new boolean option, withFileTypes, can be passed to to fs.readdir and fs.readdirSync. If set to true, the methods return an array of directory entries. These are objects that can be used to determine the type of each entry and filter them based on that without calling fs.stat. #​22020
  • http2:
    • The http2 module is no longer experimental. #​22466
  • os:
    • Added two new methods: os.getPriority and os.setPriority, allowing to manipulate the scheduling priority of processes. #​22407
  • process:
    • Added process.allowedNodeEnvironmentFlags. This object can be used to programmatically validate and list flags that are allowed in the NODE_OPTIONS environment variable. #​19335
  • src:
    • Deprecated option variables in public C++ API. #​22515
    • Refactored options parsing. #​22392
  • vm:
    • Added vm.compileFunction, a method to create new JavaScript functions from a source body, with options similar to those of the other vm methods. #​21571
  • Added new collaborators:
Commits

v10.9.0: 2018-08-15, Version 10.9.0 (Current), @​rvagg

Compare Source

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  • CVE-2018-0732 (OpenSSL)
  • CVE-2018-7166 (Node.js)
  • CVE-2018-12115 (Node.js)
Notable Changes
  • buffer:
    • Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
    • Fix unintentional exposure of uninitialized memory in Buffer.alloc() (CVE-2018-7166)
  • deps:
  • http: http.get() and http.request() (and https variants) can now accept three arguments to allow for a URL and an options object (Sam Ruby) #​21616
  • Added new collaborators
Commits

v10.8.0: 2018-08-01, Version 10.8.0 (Current), @​targos

Compare Source

Notable Changes
  • deps:
    • Upgrade npm to 6.2.0. #​21592
      • npm has moved. This release updates various URLs to point to the right places for bugs, support, and MRs.
      • Fix the regular expression matching in xcode_emulation in node-gyp to also handle version numbers with multiple-digit major versions which would otherwise break under use of XCode 10.
      • The npm tree has been significantly flattened. Tarball size for the npm package has gone from 8MB to 4.8MB.
      • Changelogs: 6.2.0-next.0, 6.2.0-next.1, 6.2.0.
Commits

v10.7.0: 2018-07-18, Version 10.7.0 (Current), @​targos

Compare Source

Notable Changes
  • console:
    • The console.timeLog() method has been implemented. #​21312
  • deps:
    • Upgrade to libuv 1.22.0. #​21731
    • Upgrade to ICU 62.1 (Unicode 11, CLDR 33.1). #​21728
  • http:
    • Added support for passing both timeout and agent options to http.request. #​21204
  • inspector:
    • Expose the original console API in require('inspector').console. #​21659
  • napi:
    • Added experimental support for functions dealing with bigint numbers. #​21226
  • process:
    • The process.hrtime.bigint() method has been implemented. #​21256
    • Added the --title command line argument to set the process title on startup. #​21477
  • trace_events:
  • Added new collaborators
Commits

v10.6.0: 2018-07-04, Version 10.6.0 (Current), @​targos

Compare Source

Notable Changes
  • dns:
    • An experimental promisified version of the dns module is now available. Give it a try with require('dns').promises. #​21264
  • fs:
    • fs.lchown has been undeprecated now that libuv supports it. #​21498
  • lib:
    • Atomics.wake is being renamed to Atomics.notify in the ECMAScript specification (reference). Since Node.js now has experimental support for worker threads, we are being proactive and added a notify alias, while emitting a warning if wake is used. #​21413 #​21518
  • n-api:
    • Add API for asynchronous functions. #​17887
  • util:
    • util.inspect is now able to return a result instead of throwing when the maximum call stack size is exceeded during inspection. #​20725
  • vm:
    • Add script.createCachedData(). This API replaces the produceCachedData option of the Script constructor that is now deprecated. #​20300
  • worker:
    • Support for relative paths has been added to the Worker constructor. Paths are interpreted relative to the current working directory. #​21407
Commits

v10.5.0: 2018-06-20, Version 10.5.0 (Current), @​targos

Compare Source

Notable Changes
  • crypto:
    • Support for crypto.scrypt() has been added. #​20816
  • fs:
  • Worker Threads:
    • Support for multi-threading has been added behind the --experimental-worker flag in the worker_threads module. This feature is experimental and may receive breaking changes at any time. #​20876
Commits

v10.4.1: 2018-06-12, Version 10.4.1 (Current), @​evanlucas

Compare Source

Notable Changes
  • Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
  • http2
    • (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
    • (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
  • tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
  • n-api: Prevent use-after-free in napi_delete_async_work
Commits

v10.4.0: 2018-06-06, Version 10.4.0 (Current), @​MylesBorins

Compare Source

Notable Changes
  • deps:
    • update V8 to 6.7.288.43 (Michaël Zasso) #​19989
  • stream:
    • ensure Stream.pipeline re-throws errors without callback (Blaine Bublitz) #​20437
Commits

v10.3.0: 2018-05-29, Version 10.3.0 (Current), @​MylesBorins

Compare Source

Notable Changes
  • deps:
    • upgrade npm to 6.1.0 (Rebecca Turner) #​20190
  • fs:
    • fix reads with pos > 4GB (Mathias Buus) #​21003
  • net:
    • new option to allow IPC servers to be readable and writable by all users (Bartosz Sosnowski) #​19472
  • stream:
    • fix removeAllListeners() for Stream.Readable to work as expected when no arguments are passed (Kael Zhang) #​20924
  • Added new collaborators
Commits

v10.2.1: 2018-05-24, Version 10.2.1 (Current), @​MylesBorins

Compare Source

Notable Changes

This is a follow up release to fix two regressions that were introduced in v10.2.0.

Commits

v10.2.0: 2018-05-23, Version 10.2.0 (Current), @​MylesBorins

Compare Source

Notable Changes
  • addons:
    • Fixed a memory leak for users of AsyncResource and N-API. (Michael Dawson) #​20668
  • assert:
    • The error parameter of assert.throws() can be an object containing regular expressions now. (Ruben Bridgewater) #​20485
  • crypto:
    • The authTagLength option has been made more flexible. (Tobias Nießen) #​20235, #​20039
  • esm:
    • Builtin modules (e.g. fs) now provide named exports in ES6 modules. (Gus Caplan) #​20403
  • http:
    • Handling of close and aborted events has been made more consistent. (Robert Nagy) #​20075, #​20611
  • module:
    • add --preserve-symlinks-main (David Goldstein) #​19911
  • timers:
    • timeout.refresh() has been added to the public API. (Jeremiah Senkpiel) #​20298
  • Embedder support:
    • Functions for creating V8 Isolate and Context objects with Node.js-specific behaviour have been added to the API. (Allen Yonghuang Wang) #​20639
    • Node.js Environments clean up resources before exiting now. (Anna Henningsen) #​19377
    • Support for multi-threaded embedding has been improved. (Anna Henningsen) #​20542, #​20539, #​20541
Commits

v10.1.0: 2018-05-08, Version 10.1.0 (Current), @​MylesBorins

Compare Source

Notable Changes
  • console:
    • make console.table() use colored inspect (TSUYUSATO Kitsune) #​20510
  • fs:
    • move fs/promises to fs.promises (cjihrig) #​20504
  • http:
    • added aborted property to request (Robert Nagy) #​20094
  • n-api:
    • initialize a module via a special symbol (Gabriel Schulhof) #​20161
  • src:
    • add public API to expose the main V8 Platform (Allen Yonghuang Wang) #​20447
Commits

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Merge request reports

Loading