Node.js v18.20.2 #5
Open
+140,783
−160,524
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The warning message was inadvertently changed to a newer version of g++ than the one being checked for when a refactor PR was merged to v18.x-staging. Refs: nodejs#47667 PR-URL: nodejs#51695 Reviewed-By: Ruy Adorno <ruyadorno@google.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
PR-URL: nodejs#51792 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
PR-URL: nodejs#51782 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
PR-URL: nodejs#51799 Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
PR-URL: nodejs#51800 Fixes: nodejs#51789 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Replace the setInterval with a queueMicrotask to make test less flaky. Fixes: nodejs#51883 PR-URL: nodejs#51943 Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Original commit message:
[symbol-as-weakmap-key] Implement Symbol as WeakMap Keys
Allow non-registered symbols as keys in weakmap and weakset.
Allow non-registered symbols as target and unregisterToken in
WeakRef and FinalizationRegistry.
Bug: v8:12947
Change-Id: Ieb63bda66e3cc378879ac651e23300b71caed627
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865056
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83313}
Refs: v8/v8@c400af4
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Original commit message:
[symbol-as-weakmap-key] Add tests to check weak collection size
... after gc.
This CL also adds a runtime test function GetWeakCollectionSize
to get the weak collection size.
Bug: v8:12947
Change-Id: I4aff39165a54b63b3d690bfea71c2a439da01d00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905071
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#83464}
Refs: v8/v8@7f5daed
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Original commit message:
[symbol-as-weakmap-key] Stage the feature
Bug: v8:12947
Change-Id: I0a151a6b301ee93675cc9f87a4fa24cb1be76462
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3928061
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83483}
Refs: v8/v8@9a98f96
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Original commit message:
[symbol-as-weakmap-key] Fix DCHECKs and add CanBeHeldWeakly
There are a few DCHECKs that weren't updated to allow for Symbols as
weak collection keys. This CL updates those DCHECKs and also does the
following refactors for clarity:
- Add Object::CanBeHeldWeakly
- Rename GotoIfCannotBeWeakKey -> GotoIfCannotBeHeldWeakly to align with
spec AO name
Bug: chromium:1370400, chromium:1370402, v8:12947
Change-Id: I380840c8377497feae97e3fca37555dae0dcc255
Fixed: chromium:1370400, chromium:1370402
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3928150
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83507}
Refs: v8/v8@94e8282
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Original commit message:
[inspector] Support Symbols in EntryPreview
The Symbols-as-WeakMap-keys proposal allows non-Symbol.for Symbol values
in weak collections, which means it can show in EntryPreviews.
Also apparently Symbols in regular Maps and Sets were also unsupported.
Bug: v8:13350, v8:12947
Change-Id: Ib10476fa2f3c7f59af67933f0bf61640be1bbd97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3930037
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83518}
Refs: v8/v8@3dd9576
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Original commit message:
[symbol-as-weakmap-key] Fix DCHECKs when clearing JS weakrefs
Bug: chromium:1372500, v8:12947
Fixed: chromium:1372500
Change-Id: Id6330de5886e4ea72544b307c358e2190ea47d9c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942586
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83632}
Refs: v8/v8@1fada6b
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Original commit message:
[symbol-as-weakmap-key] Ship the proposal
I2S with 3 LGTMs:
https://groups.google.com/a/chromium.org/g/blink-dev/c/E6pDZP_TiBA/m/ZcXLwiz8AAAJ
Bug: v8:12947
Change-Id: Ibce4abc8b0610afb2041d44cc9ed136db8b62c0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4004610
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84128}
Refs: v8/v8@705e374
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
PR-URL: nodejs#49855 Backport-PR-URL: nodejs#51004 Fixes: nodejs#49848 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
In preparation of https://chromium-review.googlesource.com/c/v8/v8/+/4707972 which changes the return value to v8::Data. PR-URL: nodejs#48943 Backport-PR-URL: nodejs#51004 Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
This is a non-ABI breaking solution for v8/v8@b60a03d and v8/v8@0aa622e which are necessary for backporting vm-related memory fixes to v18.x. PR-URL: nodejs#49874 Backport-PR-URL: nodejs#51004 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
There is no need to initialize the internal fields to undefined and then initialize them to something else in the caller. Simply pass the internal fields into the constructor to initialize them just once. PR-URL: nodejs#49391 Backport-PR-URL: nodejs#51004 Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Previously when managing the importModuleDynamically callback of vm.compileFunction(), we use an ID number as the host defined option and maintain a per-Environment ID -> CompiledFnEntry map to retain the top-level referrer function returned by vm.compileFunction() in order to pass it back to the callback, but it would leak because with how we used v8::Persistent to maintain this reference, V8 would not be able to understand the cycle and would just think that the CompiledFnEntry was supposed to live forever. We made an attempt to make that reference known to V8 by making the CompiledFnEntry weak and using a private symbol to make CompiledFnEntry strongly references the top-level referrer function in nodejs#46785, but that turned out to be unsound, because the there's no guarantee that the top-level function must be alive while import() can still be initiated from that function, since V8 could discard the top-level function and only keep inner functions alive, so relying on the top-level function to keep the CompiledFnEntry alive could result in use-after-free which caused a revert of that fix. With this patch we use a symbol in the host defined options instead of a number, because with the stage-3 symbol-as-weakmap-keys proposal we could directly use that symbol to keep the referrer alive using a WeakMap. As a bonus this also keeps the other kinds of referrers alive as long as import() can still be initiated from that Script/Module, so this also fixes the long-standing crash caused by vm.Script being GC'ed too early when its importModuleDynamically callback still needs it. PR-URL: nodejs#48510 Backport-PR-URL: nodejs#51004 Refs: nodejs#44211 Refs: nodejs#42080 Refs: nodejs#47096 Refs: nodejs#43205 Refs: nodejs#38695 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Previously we maintain a strong persistent reference to the ModuleWrap to retrieve the ID-to-ModuleWrap mapping from the HostImportModuleDynamicallyCallback using the number ID stored in the host-defined options. As a result the ModuleWrap would be kept alive until the Environment is shut down, which would be a leak for user code. With the new symbol-based host-defined option we can just get the ModuleWrap from the JS-land WeakMap so there's now no need to maintain this strong reference. This would at least fix the leak for vm.SyntheticModule. vm.SourceTextModule is still leaking due to the strong persistent reference to the v8::Module. PR-URL: nodejs#48510 Backport-PR-URL: nodejs#51004 Refs: nodejs#44211 Refs: nodejs#42080 Refs: nodejs#47096 Refs: nodejs#43205 Refs: nodejs#38695 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Replace the persistent handles to v8::Module and v8::UnboundScript with an internal reference that V8's GC is aware of to fix the leaks. PR-URL: nodejs#48510 Backport-PR-URL: nodejs#51004 Refs: nodejs#44211 Refs: nodejs#42080 Refs: nodejs#47096 Refs: nodejs#43205 Refs: nodejs#38695 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
PR-URL: nodejs#49671 Backport-PR-URL: nodejs#51004 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
Previously we simply create a lot of the target objects and check if the process crash due to OOM. Due to how we use emphemeron GC to handle memory management, which is inefficient but necessary for correctness, the tests can produce false positives as the GC isn't efficient enough to catch up with a very fast heap growth. This patch uses a new checkIfCollectable() utility to terminate the test early once we detect that any of the target object can actually be garbage collected. This should lower the chance of false positives. As a drive-by this also allows us to use setImmediate() to grow the heap even faster to make the tests run faster. PR-URL: nodejs#49671 Backport-PR-URL: nodejs#51004 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
Similar to the test-vm-source-text-module-leak fix, use a snapshot to force a thorough GC in order to prevent false positives. PR-URL: nodejs#49710 Backport-PR-URL: nodejs#51004 Refs: nodejs/reliability#669 Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
This makes it possile to hit the in-isolate compilation cache when host-defined options are not necessary. PR-URL: nodejs#49950 Backport-PR-URL: nodejs#51004 Refs: nodejs#35375 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Set a default host-defined option for vm.compileFunction so that it's consistent with vm.Script. PR-URL: nodejs#50137 Backport-PR-URL: nodejs#51004 Refs: nodejs#35375 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Instead of using the public versions of the vm APIs internally, use the internal versions so that we can skip unnecessary argument validation. The public versions would need special care to the generation of host-defined options to hit the isolate compilation cache when imporModuleDynamically isn't used, while internally it's almost always used, so this allows us to handle the host-defined options separately. PR-URL: nodejs#50137 Backport-PR-URL: nodejs#51004 Refs: nodejs#35375 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Users cannot access any API that can be used to return a module or module namespace in this callback without --experimental-vm-modules anyway, so this would eventually lead to a rejection. This patch rejects in this case with our own error message and use a constant host-defined option for the rejection, so that scripts with the same source can still be compiled using the compilation cache if no `import()` is actually called in the script. PR-URL: nodejs#50137 Backport-PR-URL: nodejs#51004 Refs: nodejs#35375 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: nodejs#50515 Backport-PR-URL: nodejs#51973 Reviewed-By: Steven R Loomis <srl295@gmail.com> Reviewed-By: LiviaMedeiros <livia@cirno.name> Refs: nodejs#51933
PR-URL: nodejs#51461 Backport-PR-URL: nodejs#51973 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Refs: nodejs#51933
PR-URL: nodejs#50803 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: nodejs#50910 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
PR-URL: nodejs#51105 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
PR-URL: nodejs#51274 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
Fix `internet/test-inspector-help-page` to handle the relative redirect of `https://nodejs.org/en/docs/inspector` to `/en/docs/guides/debugging-getting-started`. Previously this URL redirected to an absolute URL. PR-URL: nodejs#51121 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
c-ares has made intentional changes to the behavior of TXT records to comply with RFC 7208, which concatenates multiple strings for the same TXT record into a single string. Multiple TXT records are not concatenated. Also, response handling has changed, such that a response which is completely invalid in formatting is thrown away as a malicious forged/spoofed packet rather than returning EBADRESP. This is one step toward RFC 9018 (EDNS COOKIES) which will require the message to at least be structurally valid to validate against spoofed records. Fix By: Brad House (@bradh352) PR-URL: nodejs#50743 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Fixes: nodejs#50741 Refs: nodejs#50444
PR-URL: nodejs#51385 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
This should get rid of the following GCC warning: ISO C90 does not support ‘long long’ [-Wlong-long] PR-URL: nodejs#51410 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>
PR-URL: nodejs#51582 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
PR-URL: nodejs#51846 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Original commit message:
Fix reading integer-indexed import assertions in dynamic import
Use GetPropertyOrElement instead of GetProperty to read import assertion
values from the import assertions object, to support cases in which the
key is an integer index such as `"0"`.
The added test case, when using GetProperty, triggers the following DCHECK in
debug builds:
https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/lookup-inl.h;l=108;drc=515f187ba067ee4a99fdf5198cca2c97abd342fd
In release builds it silently fails to read the property, and thus throws about
it not being a valid string.
Bug: v8:14069
Change-Id: Ifd4645b7bd9bfd07f06fa33727441d27eabc4d32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4614489
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#88267}
Refs: v8/v8@d90d453
PR-URL: nodejs#50077
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
PR-URL: nodejs#52184 Refs: nodejs#51136 Refs: nodejs#52165 (comment) Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Add a flag for each experimental feature to indicate its presence. That way, if we compile with `NAPI_EXPERIMENTAL` turned on, we'll be able to distinguish between what `NAPI_EXPERIMENTAL` used to mean on an old version of the headers when compiling against such an old version, and what it means on a new version of Node.js. PR-URL: nodejs#50991 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Vladimir Morozov <vmorozov@microsoft.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Backport-PR-URL: nodejs#51804 (cherry picked from commit 727dd28)
* Create macro for checking new string arguments.
* Create macro for combining env check and inside-gc check.
PR-URL: nodejs#50664
Reviewed-By: Vladimir Morozov <vmorozov@microsoft.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Backport-PR-URL: nodejs#51804
(cherry picked from commit 5e250bd)
We define a new type called `node_api_nogc_env` as the `const` version of `napi_env` and `node_api_nogc_finalize` as a variant of `napi_finalize` that accepts a `node_api_nogc_env` as its first argument. We then modify those APIs which do not affect GC state as accepting a `node_api_nogc_env`. APIs accepting finalizer callbacks are modified to accept `node_api_nogc_finalize` callbacks. Thus, the only way to attach a `napi_finalize` callback, wherein Node-APIs affecting GC state may be called is to call `node_api_post_finalizer` from a `node_api_nogc_finalize` callback. In keeping with the process of introducing new Node-APIs, this feature is guarded by `NAPI_EXPERIMENTAL`. Since this feature modifies APIs already marked as stable, it is additionally guared by `NODE_API_EXPERIMENTAL_NOGC_ENV`, so as to provide a further buffer to adoption. Nevertheless, both guards must be removed upon releasing a new version of Node-API. PR-URL: nodejs#50060 Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Vladimir Morozov <vmorozov@microsoft.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Backport-PR-URL: nodejs#51804 (cherry picked from commit 7a216d5)
PR-URL: nodejs#50209 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Christian Clauss <cclauss@me.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>
Fixes: nodejs#51993 PR-URL: nodejs#52005 Reviewed-By: Robert Nagy <ronagy@icloud.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
Notable changes: Added support for import attributes: Support has been added for import attributes, to replace the old import assertions syntax. This will aid migration by making the new syntax available across all currently supported Node.js release lines. For more details, see * [nodejs#50134](nodejs#50134) * [nodejs#51622](nodejs#51622) Doc deprecation for `dirent.path`: Please use newly added `dirent.parentPath` instead. Experimental node-api feature flags Introduces an experimental feature to segregate finalizers that affect GC state. A new type called `node_api_nogc_env` has been introduced as the const version of `napi_env` and `node_api_nogc_finalize` as a variant of `napi_finalize` that accepts a `node_api_nogc_env` as its first argument. This feature can be turned off by defining `NODE_API_EXPERIMENTAL_NOGC_ENV_OPT_OUT`. Root certificates updated to NSS 3.98: Certificates added: * Telekom Security TLS ECC Root 2020 * Telekom Security TLS RSA Root 2023 Certificates removed: * Security Communication Root CA Updated dependencies: * ada updated to 2.7.6. * base64 updated to 0.5.2. * c-ares updated to 1.27.0. * corepack updated to 0.25.2. * ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1. * npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes. * simdutf8 updated to 4.0.8. * Timezone updated to 2024a. * zlib updated to 1.3.0.1-motley-40e35a7. vm: fix V8 compilation cache support for vm.Script: Previously repeated compilation of the same source code using `vm.Script` stopped hitting the V8 compilation cache after v16.x when support for `importModuleDynamically` was added to `vm.Script`, resulting in a performance regression that blocked users (in particular Jest users) from upgrading from v16.x. The recent fixes allow the compilation cache to be hit again for `vm.Script` when `--experimental-vm-modules` is not used even in the presence of the `importModuleDynamically` option, so that users affected by the performance regression can now upgrade. Ongoing work is also being done to enable compilation cache support for `vm.CompileFunction`. PR-URL: nodejs#52165
PR-URL: nodejs#52165
Co-Authored-By: Anna Henningsen <anna@addaleax.net> PR-URL: nodejs-private/node-private#561 Fixes: https://hackerone.com/reports/2319584 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> CVE-ID: CVE-2024-27983
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: nodejs-private/node-private#577 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
PR-URL: nodejs-private/node-private#558 Refs: nodejs-private/node-private#556 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2024-27982
This is a security release. Notable changes: * CVE-2024-27983 - Assertion failed in node::http2::Http2Session::\~Http2Session() leads to HTTP/2 server crash- (High) * CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium) * llhttp version 9.2.1 * undici version 5.28.4 PR-URL: nodejs-private/node-private#573
An undocumented feature of the Win32 CreateProcess API allows spawning batch files directly but is potentially insecure because arguments are not escaped (and sometimes cannot be unambiguously escaped), hence why they are refused starting today. PR-URL: nodejs-private/node-private#564 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2024-27980
This is a security release. Notable changes: src: * disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#564 PR-URL: nodejs-private/node-private#578
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
v18.20.2