Releases: nodejs/node
2023-02-16, Version 19.6.1 (Current), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-23919: OpenSSL errors not cleared in error stack (Medium)
- CVE-2023-23918: Experimental Policies bypass via
process.mainModule.require
(High) - CVE-2023-23920: Insecure loading of ICU data through ICU_DATA environment variable (Low)
More detailed information on each of the vulnerabilities can be found in February 2023 Security Releases blog post.
This security release includes OpenSSL security updates as outlined in the recent
OpenSSL security advisory and undici
security update.
Commits
- [
97d9d55d2f
] - build: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) nodejs-private/node-private#374 - [
8ac90e6372
] - crypto: clear OpenSSL error on invalid ca cert (RafaelGSS) nodejs-private/node-private#368 - [
10a4c47e3a
] - deps: update undici to 5.19.1 (Node.js GitHub Bot) #46634 - [
b10fc75e4a
] - deps: update undici to 5.18.0 (Node.js GitHub Bot) #46502 - [
e9b64ea8b9
] - deps: update undici to 5.17.1 (Node.js GitHub Bot) #46502 - [
66a24cec47
] - deps: cherry-pick Windows ARM64 fix for openssl (Richard Lau) #46573 - [
d8559aa6f5
] - deps: update archs files for quictls/openssl-3.0.8+quic (RafaelGSS) #46573 - [
dc477f547d
] - deps: upgrade openssl sources to quictls/openssl-3.0.8+quic (RafaelGSS) #46573 - [
2aae197670
] - lib: makeRequireFunction patch when experimental policy (RafaelGSS) nodejs-private/node-private#358 - [
6d17b693ec
] - policy: makeRequireFunction on mainModule.require (RafaelGSS) nodejs-private/node-private#358
2023-02-16, Version 18.14.1 'Hydrogen' (LTS), @RafaelGSS prepared by @juanarbol
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
- CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
- CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
- CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
- CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
More detailed information on each of the vulnerabilities can be found in February 2023 Security Releases blog post.
This security release includes OpenSSL security updates as outlined in the recent
OpenSSL security advisory.
Commits
- [
8393ebc72d
] - build: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) nodejs-private/node-private#379 - [
004e34d046
] - crypto: clear OpenSSL error on invalid ca cert (RafaelGSS) #46572 - [
5e0142a852
] - deps: cherry-pick Windows ARM64 fix for openssl (Richard Lau) #46572 - [
f71fe278a6
] - deps: update archs files for quictls/openssl-3.0.8+quic (RafaelGSS) #46572 - [
2c6817e42b
] - deps: upgrade openssl sources to quictls/openssl-3.0.8+quic (RafaelGSS) #46572 - [
f0afa0bfe5
] - deps: update undici to 5.19.1 (Node.js GitHub Bot) #46634 - [
c26a34c13e
] - deps: update undici to 5.18.0 (Node.js GitHub Bot) #46634 - [
db93ee4a15
] - deps: update undici to 5.17.1 (Node.js GitHub Bot) #46634 - [
b4e49fb02c
] - deps: update undici to 5.16.0 (Node.js GitHub Bot) #46634 - [
90994e6a2c
] - deps: update undici to 5.15.1 (Node.js GitHub Bot) #46634 - [
00302fc7ac
] - deps: update undici to 5.15.0 (Node.js GitHub Bot) #46634 - [
0e3b796cc5
] - lib: makeRequireFunction patch when experimental policy (RafaelGSS) nodejs-private/node-private#371 - [
7cccd5565f
] - policy: makeRequireFunction on mainModule.require (RafaelGSS) nodejs-private/node-private#371
2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
- CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
- CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
Fixed by an update to undici:
- CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
- See GHSA-5r9g-qh6m-jxff for more information.
- CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
- See GHSA-r6ch-mqf9-qc9w for more information.
More detailed information on each of the vulnerabilities can be found in February 2023 Security Releases blog post.
This security release includes OpenSSL security updates as outlined in the recent
OpenSSL security advisory.
Commits
- [
7fef050447
] - build: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) nodejs-private/node-private#374 - [
b558e9f476
] - crypto: clear OpenSSL error on invalid ca cert (RafaelGSS) nodejs-private/node-private#375 - [
160adb7ffc
] - crypto: clear OpenSSL error queue after calling X509_check_private_key() (Filip Skokan) #45495 - [
d0ece30948
] - crypto: clear OpenSSL error queue after calling X509_verify() (Takuro Sato) #45377 - [
2d9ae4f184
] - deps: update undici to v5.19.1 (Matteo Collina) nodejs-private/node-private#388 - [
d80e8312fd
] - deps: cherry-pick Windows ARM64 fix for openssl (Richard Lau) #46568 - [
de5c8d2c2f
] - deps: update archs files for quictls/openssl-1.1.1t+quic (RafaelGSS) #46568 - [
1a8ccfe908
] - deps: upgrade openssl sources to OpenSSL_1_1_1t+quic (RafaelGSS) #46568 - [
693789780b
] - doc: clarify release notes for Node.js 16.19.0 (Richard Lau) #45846 - [
f95ef064f4
] - lib: makeRequireFunction patch when experimental policy (RafaelGSS) nodejs-private/node-private#358 - [
b02d895137
] - policy: makeRequireFunction on mainModule.require (RafaelGSS) nodejs-private/node-private#358 - [
d7f83c420c
] - test: avoid left behind child processes (Richard Lau) #46276
2023-02-16, Version 14.21.3 'Fermium' (LTS), @richardlau
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
- CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
More detailed information on each of the vulnerabilities can be found in February 2023 Security Releases blog post.
This security release includes OpenSSL security updates as outlined in the recent
OpenSSL security advisory.
This security release also includes an npm update for Node.js 14 to address a number
of CVEs which either do not affect Node.js or are low severity in the context of Node.js. You
can get more details for the individual CVEs in
nodejs-dependency-vuln-assessments.
Commits
- [
97a0443f13
] - build: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) nodejs-private/node-private#374 - [
9e6221529b
] - deps: cherry-pick Windows ARM64 fix for openssl (Richard Lau) #46566 - [
0d5f86451d
] - deps: update archs files for OpenSSL-1.1.1t (RafaelGSS) #46566 - [
8c11d17b40
] - deps: upgrade openssl sources to 1.1.1t (RafaelGSS) #46566 - [
224e93c9ef
] - deps: upgrade npm to 6.14.18 (Ruy Adorno) #45936 - [
d73ea4de13
] - doc: clarify release notes for Node.js 14.21.2 (Richard Lau) #45846 - [
f7892c16be
] - lib: makeRequireFunction patch when experimental policy (RafaelGSS) nodejs-private/node-private#358 - [
fa115ee8ac
] - module: protect against prototype mutation (Antoine du Hamel) #44007 - [
83975b7fb4
] - policy: makeRequireFunction on mainModule.require (RafaelGSS) nodejs-private/node-private#358 - [
a5f8798d7a
] - test: avoid left behind child processes (Richard Lau) #46276
2023-02-02, Version 18.14.0 'Hydrogen' (LTS), @BethGriggs prepared by @juanarbol
Notable changes
Updated npm to 9.3.1
Based on the list of guidelines we've established on integrating npm
and node
,
here is a grouped list of the breaking changes with the reasoning as to why they
fit within the guidelines linked above. Note that all the breaking changes were
made in 9.0.0.
All subsequent minor and patch releases after npm@9.0.0
do not contain any
breaking changes.
Engines
Explanation: the node engines supported by
npm@9
make it safe to allownpm@9
as the default in any LTS version of14
or16
, as well as anything later than or including18.0.0
npm
is now compatible with the following semver range for node:^14.17.0 || ^16.13.0 || >=18.0.0
Filesystem
Explanation: when run as root previous versions of npm attempted to manage file ownership automatically on the user's behalf. this behavior was problematic in many cases and has been removed in favor of allowing users to manage their own filesystem permissions
npm
will no longer attempt to modify ownership of files it creates.
Auth
Explanation: any errors thrown from users having unsupported auth configurations will show
npm config fix
in the remediation instructions, which will allow the user to automatically have their auth config fixed.
- The presence of auth related settings that are not scoped to a specific
registry found in a config file is no longer supported and will throw errors.
Login
Explanation: the default
auth-type
has changed and users can opt back into the old behavior withnpm config set auth-type=legacy
.login
andadduser
have also been seperated making each command more closely match it's name instead of being aliases for each other.
- Legacy auth types
sso
,saml
&legacy
have been consolidated into"legacy"
. auth-type
defaults to"web"
login
andadduser
are now separate commands that send different data to the registry.auth-type
config valuesweb
andlegacy
only try their respective methods,
npm no longer tries them all and waits to see which one doesn't fail.
Tarball Packing
Explanation: previously using multiple ignore/allow lists when packing was an undefined behavior, and now the order of operations is strictly defined when packing a tarball making it easier to follow and should only affect users relying on the previously undefined behavior.
npm pack
now follows a strict order of operations when applying ignore rules.
If afiles
array is present in thepackage.json
, then rules in.gitignore
and.npmignore
files from the root will be ignored.
Display/Debug/Timing Info
Explanation: these changes center around the display of information to the terminal including timing and debug log info. We do not anticipate these changes breaking any existing workflows.
- Links generated from git urls will now use
HEAD
instead ofmaster
as the default ref. timing
has been removed as a value for--loglevel
.--timing
will show timing information regardless of--loglevel
, except when--silent
.- When run with the
--timing
flag,npm
now writes timing data to a file
alongside the debug log data, respecting thelogs-dir
option and falling
back to<CACHE>/_logs/
dir, instead of directly inside the cache directory. - The timing file data is no longer newline delimited JSON, and instead each run
will create a uniquely named<ID>-timing.json
file, with the<ID>
portion
being the same as the debug log. npm
now outputs some json errors on stdout. Previouslynpm
would output
all json formatted errors on stderr, making it difficult to parse as the
stderr stream usually has logs already written to it.
Config/Command Deprecations or Removals
Explanation:
install-links
is the only config or command in the list that has an effect on package installs. We fixed a number of issues that came up during prereleases with this change. It will also only be applied to new package trees created without a package-lock.json file. Any install with an existing lock file will not be changed.
- Deprecate boolean install flags in favor of
--install-strategy
. npm config set
will no longer accept deprecated or invalid config options.install-links
config defaults to"true"
.node-version
config has been removed.npm-version
config has been removed.npm access
subcommands have been renamed.npm birthday
has been removed.npm set-script
has been removed.npm bin
has been removed (usenpx
ornpm exec
to execute binaries).
Other notable changes
- doc:
- add parallelism note to os.cpus() (Colin Ihrig) #45895
- http:
- stream:
- implement finished() for ReadableStream and WritableStream (Debadree Chatterjee) #46205
Commits
- [
1352f08778
] - assert: removeassert.snapshot
(Moshe Atlow) #46112 - [
4ee3238643
] - async_hooks: refactor to usevalidateObject
(Deokjin Kim) #46004 - [
79e0bf9b64
] - benchmark: include webstreams benchmark (Rafael Gonzaga) #45876 - [
ed1ac82469
] - benchmark,tools: use os.availableParallelism() (Deokjin Kim) #46003 - [
16ee02f2eb
] - (SEMVER-MINOR) buffer: add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947 - [
3bf2371a57
] - build: add extra semi check (Jiawen Geng) #46194 - [
560ee24157
] - build: fix arm64 cross-compile from powershell (Stefan Stojanovic) #45890 - [
48e3ad3aca
] - build: add option to disable shared readonly heap (Anna Henningsen) #45887 - [
52a7887b94
] - (SEMVER-MINOR) crypto: add CryptoKey Symbol.toStringTag (Filip Skokan) #46042 - [
a558774a40
] - crypto: add cipher update/final methods encoding validation (vitpavlenko) #45990 - [
599d1dc841
] - crypto: ensure auth tag set for chacha20-poly1305 (Ben Noordhuis) #46185 - [
24a101698c
] - crypto: return correct bit length in KeyObject's asymmetricKeyDetails (Filip Skokan) #46106 - [
2de50fef84
] - (SEMVER-MINOR) crypto: add KeyObject Symbol.toStringTag (Filip Skokan) #46043 - [
782b6f6f9f
] - crypto: ensure exported webcrypto EC keys use uncompressed point format (Ben Noordhuis) #46021 - [
7a97f3f43b
] - crypto: fix CryptoKey prototype WPT (Filip Skokan) #45857 - [
1a8aa50aa2
] - crypto: fix CryptoKey WebIDL conformance (Filip Skokan) #45855 - [
c6436450ee
] - crypto: fix error when getRandomValues is called without arguments (Filip Skokan) #45854 - [
4cdf0002c5
] - debugger: refactor console in lib/internal/debugger/inspect.js (Debadree Chatterjee) #45847 - [
b7fe8c70fa
] - deps: update simdutf to 3.1.0 (Node.js GitHub Bot) #46257 - [
eaeb870cd7
] - deps: upgrade npm to 9.3.1 (npm team) #46242 - [
7c03a3d676
] - deps: upgrade npm to 9.3.0 (npm team) #46193 - [
340d76accb
] - deps: cherrypick simdutf patch (Jiawen Geng) #46194 - [
cce2af4306
] - deps: bump googletest to 2023.01.13 (Jiawen Geng) #46198 - [
d251a66bed
] - deps: add /deps/**/.github/ to .gitignore (Luigi Pinca) #46091 - [
874054f469
] - deps:...
2023-02-02, Version 19.6.0 (Current), @ruyadorno
Notable changes
ESM: Leverage loaders when resolving subsequent loaders
Loaders now apply to subsequent loaders, for example: --experimental-loader ts-node --experimental-loader loader-written-in-typescript
.
Upgrade npm to 9.4.0
Added --install-strategy=linked
option for installations similar to pnpm.
Other notable changes
- [
a7c9daa497
] - (SEMVER-MINOR) fs: add statfs() functions (Colin Ihrig) #46358 - [
34d70ce615
] - (SEMVER-MINOR) vm: expose cachedDataRejected for vm.compileFunction (Anna Henningsen) #46320 - [
b4ac794923
] - (SEMVER-MINOR) v8: support gc profile (theanarkh) #46255 - [
d52f60009a
] - (SEMVER-MINOR) src,lib: add constrainedMemory API for process (theanarkh) #46218 - [
5ad6c2088e
] - (SEMVER-MINOR) buffer: add isAscii method (Yagiz Nizipli) #46046 - [
fbdc3f7316
] - (SEMVER-MINOR) test_runner: add reporters (Moshe Atlow) #45712
Commits
- [
524eec70e2
] - benchmark: add trailing commas (Antoine du Hamel) #46370 - [
f318a85408
] - benchmark: remove buffer benchmarks redundancy (Brian White) #45735 - [
6186b3ea14
] - benchmark: introduce benchmark combination filtering (Brian White) #45735 - [
5ad6c2088e
] - (SEMVER-MINOR) buffer: add isAscii method (Yagiz Nizipli) #46046 - [
8c6c4338a6
] - build: export more OpenSSL symbols on Windows (Mohamed Akram) #45486 - [
d795d93901
] - build: fix MSVC 2022 Release compilation (Vladimir Morozov (REDMOND)) #46228 - [
8e363cf8e8
] - crypto: includehmac.h
incrypto_util.h
(Adam Langley) #46279 - [
c1f3e13c65
] - deps: update acorn to 8.8.2 (Node.js GitHub Bot) #46363 - [
813b160bd7
] - deps: upgrade npm to 9.4.0 (npm team) #46353 - [
9c2f3cea70
] - deps: update undici to 5.15.0 (Node.js GitHub Bot) #46213 - [
312e10c1e3
] - deps: update to uvwasi 0.0.15 (Colin Ihrig) #46253 - [
c7024eec16
] - doc: correct thesed
command for macOS in release process docs (Juan José) #46397 - [
996bac044b
] - doc: include webstreams in finished() and Duplex.from() parameters (Debadree Chatterjee) #46312 - [
891d18d55c
] - doc: pass string totextEncoder.encode
as input (Deokjin Kim) #46421 - [
968db213f8
] - doc: add tip for session.post function (theanarkh) #46354 - [
a64d7f4e31
] - doc: add documentation for socket.destroySoon() (Luigi Pinca) #46337 - [
975788899f
] - doc: fix commit message using test instead of deps (Tony Gorez) #46313 - [
1d44017f52
] - doc: add v8 fast api contribution guidelines (Yagiz Nizipli) #46199 - [
e2698c05fb
] - doc: fix small typo error (0xflotus) #46186 - [
f39fb8c001
] - doc: mark some parameters as optional in webstreams (Deokjin Kim) #46269 - [
7a9af38128
] - doc: update output of example inevents.getEventListeners
(Deokjin Kim) #46268 - [
729642f30b
] - esm: delete preload mock test (Geoffrey Booth) #46402 - [
7aac21e90a
] - esm: leverage loaders when resolving subsequent loaders (Maël Nison) #43772 - [
a7c9daa497
] - (SEMVER-MINOR) fs: add statfs() functions (Colin Ihrig) #46358 - [
1ec6270efa
] - http: res.setHeaders first implementation (Marco Ippolito) #46109 - [
d4370259e9
] - inspector: allow opening inspector whenNODE_V8_COVERAGE
is set (Moshe Atlow) #46113 - [
b966ef9a42
] - lib: remove unnecessary ObjectGetValueSafe (Chengzhong Wu) #46335 - [
2b06d66289
] - lib: cache parsed source maps to reduce memory footprint (Chengzhong Wu) #46225 - [
c38673df91
] - meta: update AUTHORS (Node.js GitHub Bot) #46399 - [
c10e602547
] - meta: update AUTHORS (Node.js GitHub Bot) #46303 - [
9dc026b14a
] - meta: add .mailmap entry (Rich Trott) #46303 - [
7c514574f7
] - meta: move evanlucas to emeritus (Evan Lucas) #46274 - [
3a3a6d87f1
] - module: move test reporter loading (Geoffrey Booth) #45923 - [
4ae2492a33
] - readline: fix detection of carriage return (Antoine du Hamel) #46306 - [
43cad78b7a
] - src: stop tracing agent before shutting down libuv (Santiago Gimeno) #46380 - [
360a3f3094
] - src: get rid of fp arithmetic in ParseIPv4Host (Tobias Nießen) #46326 - [
e7b507a8cf
] - src: use UNREACHABLE instead of CHECK(falsy) (Tobias Nießen) #46317 - [
4c59b60ee8
] - src: add support for ETW stack walking (José Dapena Paz) #46203 - [
640d111f95
] - src: refactor EndsInANumber in node_url.cc and adds IsIPv4NumberValid (Miguel Teixeira) #46227 - [
fb7bee2b6e
] - src: fix c++ exception on bad command line arg (Ben Noordhuis) #46290 - [
18c95ec4bd
] - src: remove unreachable UNREACHABLE (Tobias Nießen) #46281 - [
35bf93b01a
] - src: replace custom ASCII validation with simdutf one (Anna Henningsen) #46271 - [
8307a4bbcd
] - src: replace unreachable code with static_assert (Tobias Nießen) #46250 - [
7cf0da020a
] - src: use explicit C++17 fallthrough (Tobias Nießen) #46251 - [
d52f60009a
] - (SEMVER-MINOR) src,lib: add constrainedMemory AP...
2023-01-24, Version 19.5.0 (Current), @RafaelGSS
Notable Changes
- http:
- (SEMVER-MINOR) join authorization headers (Marco Ippolito) #45982
- lib::
- add webstreams to Duplex.from() (Debadree Chatterjee) #46190
- stream:
- implement finished() for ReadableStream and WritableStream (Debadree Chatterjee) #46205
Commits
- [
def36946da
] - assert: removeassert.snapshot
(Moshe Atlow) #46112 - [
e1c56ec3fd
] - benchmark,tools: use os.availableParallelism() (Deokjin Kim) #46003 - [
370f621d4d
] - build: add extra semi check (Jiawen Geng) #46194 - [
476c6f892d
] - crypto: avoid hang when no algorithm available (Richard Lau) #46237 - [
8b22310940
] - (SEMVER-MINOR) crypto: add CryptoKey Symbol.toStringTag (Filip Skokan) #46042 - [
78be87b9f9
] - crypto: add cipher update/final methods encoding validation (vitpavlenko) #45990 - [
dc0cdaa101
] - crypto: ensure auth tag set for chacha20-poly1305 (Ben Noordhuis) #46185 - [
1146f02dc5
] - crypto: return correct bit length in KeyObject's asymmetricKeyDetails (Filip Skokan) #46106 - [
961710bb72
] - (SEMVER-MINOR) crypto: add KeyObject Symbol.toStringTag (Filip Skokan) #46043 - [
9cfdac6c82
] - deps: V8: cherry-pick e39af94dd18e (Lu Yahan) #46142 - [
26cde8efb7
] - deps: update simdutf to 3.1.0 (Node.js GitHub Bot) #46257 - [
3f9fb37130
] - deps: cherrypick simdutf patch (Jiawen Geng) #46194 - [
4ff2822836
] - deps: bump googletest to 2023.01.13 (Jiawen Geng) #46198 - [
49556247d2
] - deps: add /deps/**/.github/ to .gitignore (Luigi Pinca) #46091 - [
0c4df83e0d
] - deps: add simdutf version to metadata (Mike Roth) #46145 - [
69aafc3ddd
] - deps: update simdutf to 2.1.0 (Node.js GitHub Bot) #46128 - [
a266daccb5
] - deps: update corepack to 0.15.3 (Node.js GitHub Bot) #46037 - [
6cd70573eb
] - deps: upgrade npm to 9.3.1 (npm team) #46242 - [
679aae2da8
] - deps: upgrade npm to 9.3.0 (npm team) #46193 - [
38dd5061f2
] - dgram: sync the old handle state to new handle (theanarkh) #46041 - [
e36af49b35
] - doc: fix mismatched arguments ofNodeEventTarget
(Deokjin Kim) #45678 - [
58b836f7c4
] - doc: update events API example to have runnable code (Deokjin Kim) #45760 - [
5c350298b4
] - doc: add note to tls docs about secureContext availability (Tim Gerk) #46224 - [
90924ce198
] - doc: add text around collaborative expectations (Michael Dawson) #46121 - [
2d328355d4
] - doc: update to match changed--dns-result-order
default (Mordy Tikotzky) #46148 - [
1015a606b7
] - doc: add Node-API media link (Kevin Eady) #46189 - [
6e355efcff
] - doc: update http.setMaxIdleHTTPParsers arguments (Debadree Chatterjee) #46168 - [
f18ab9405a
] - doc: use "file system" instead of "filesystem" (Rich Trott) #46178 - [
1b45713b00
] - doc: https update default request timeout (Marco Ippolito) #46184 - [
4c88721e2f
] - doc: make options of readableStream.pipeTo as optional (Deokjin Kim) #46180 - [
538c53f010
] - doc: add PerformanceObserver.supportedEntryTypes to doc (theanarkh) #45962 - [
eef7489d24
] - doc: duplex and readable from uncaught execption warning (Marco Ippolito) #46135 - [
686fe585b5
] - doc: remove outdated sections frommaintaining-v8
(Antoine du Hamel) #46137 - [
2e826ad528
] - doc: fix (EC)DHE remark in TLS docs (Tobias Nießen) #46114 - [
2e22b29add
] - doc: fix ERR_TLS_RENEGOTIATION_DISABLED text (Tobias Nießen) #46122 - [
e222a2f1d1
] - doc: fix spelling in SECURITY.md (Vaishno Chaitanya) #46124 - [
7718e82f0d
] - doc: abort controller emits error in child process (Debadree Chatterjee) #46072 - [
76408bc1ed
] - doc: fixevent.cancelBubble
documentation (Deokjin Kim) #45986 - [
82023f2570
] - doc: update output of example in inspector (Deokjin Kim) #46073 - [
a42fc512b6
] - doc: add personal pronouns option (Filip Skokan) #46118 - [
fafae5955d
] - doc: mention how to run ncu-ci citgm (Rafael Gonzaga) #46090 - [
e1fd2f24d9
] - doc: include updating release optional step (Rafael Gonzaga) #46089 - [
1996e610fd
] - doc: describe argument ofSymbol.for
(Deokjin Kim) #46019 - [
b002330216
] - doc,crypto: fix WebCryptoAPI import keyData and export return (Filip Skokan) #46076 - [
fa3e0c86c7
] - esm: markimportAssertions
as required (Antoine du Hamel) #46164 - [
f85a8e4c59
] - events: addinitEvent
to Event (Deokjin Kim) #46069 - [
5bdfaae680
] - events: change status ofevent.returnvalue
to legacy (Deokjin Kim) #46175 - [
ad7846fe97
] - events: change status ofevent.cancelBubble
to legacy (Deokjin Kim) #46146 - [
5304c89682
] - events: change status ofevent.srcElement
to legacy (Deokjin Kim) #46085 - [
3dcdab3f16
] - events: check signal before listener (Deokjin Kim) #46054 - [
907d67de76
] - http: refactor to use `valid...
2023-01-06, Version 19.4.0 (Current), @RafaelGSS
Notable Changes
- buffer:
- (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947
- http:
- (SEMVER-MINOR) improved timeout defaults handling (Paolo Insogna) #45778
- net:
- add autoSelectFamily global getter and setter (Paolo Insogna) #45777
- os:
- (SEMVER-MINOR) add availableParallelism() (Colin Ihrig) #45895
- util:
- add fast path for text-decoder fatal flag (Yagiz Nizipli) #45803
Commits
- [
54b748acc0
] - async_hooks: refactor to usevalidateObject
(Deokjin Kim) #46004 - [
cf2ff81f26
] - benchmark: include webstreams benchmark (Rafael Gonzaga) #45876 - [
6e3d7f8c2d
] - bootstrap: optimize modules loaded in the built-in snapshot (Joyee Cheung) #45849 - [
d181b76374
] - bootstrap: make CJS loader snapshotable (Joyee Cheung) #45849 - [
508e830765
] - bootstrap: include event_target into the built-in snapshot (Joyee Cheung) #45849 - [
dd77c05480
] - bootstrap: support module_wrap binding in snapshot (Joyee Cheung) #45849 - [
fbe399c75c
] - (SEMVER-MINOR) buffer: add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947 - [
233a66f937
] - build: fix arm64 cross-compile from powershell (Stefan Stojanovic) #45890 - [
e7b98a3da2
] - build: add option to disable shared readonly heap (Anna Henningsen) #45887 - [
777c551edf
] - crypto: ensure exported webcrypto EC keys use uncompressed point format (Ben Noordhuis) #46021 - [
f7dba5bef7
] - crypto: fix globalThis.crypto this check (Filip Skokan) #45857 - [
56f3ad101b
] - crypto: fix CryptoKey prototype WPT (Filip Skokan) #45857 - [
c9747f1140
] - crypto: use globalThis.crypto over require('crypto').webcrypto (Filip Skokan) #45817 - [
6eede72241
] - crypto: fix CryptoKey WebIDL conformance (Filip Skokan) #45855 - [
c9802862b7
] - crypto: fix error when getRandomValues is called without arguments (Filip Skokan) #45854 - [
3d09754186
] - debugger: refactor console in lib/internal/debugger/inspect.js (Debadree Chatterjee) #45847 - [
fdda2ff53b
] - deps: V8: cherry-pick 30861a39323d (Aaron Friel) #45851 - [
71bf513062
] - deps: patch V8 to 10.8.168.25 (Michaël Zasso) #45996 - [
0552b13232
] - deps: update simdutf to 2.0.9 (Node.js GitHub Bot) #45975 - [
e73be1b3b9
] - deps: update to uvwasi 0.0.14 (Colin Ihrig) #45970 - [
e4323f01c1
] - deps: fix updater github workflow job (Yagiz Nizipli) #45972 - [
05fee67238
] - Revert "deps: disable avx512 for simutf on benchmark ci" (Yagiz Nizipli) #45948 - [
98fc94a444
] - deps: disable avx512 for simutf on benchmark ci (Yagiz Nizipli) #45803 - [
344c5ec0ea
] - deps: add simdutf dependency (Yagiz Nizipli) #45803 - [
7bdad948c8
] - deps: V8: backport 8ca9f77d0f7c (Anna Henningsen) #45871 - [
29f90cf5af
] - deps: update timezone to 2022g (Node.js GitHub Bot) #45731 - [
99fec0bf64
] - deps: update undici to 5.14.0 (Node.js GitHub Bot) #45812 - [
faee973fa7
] - deps: V8: cherry-pick bc831f8ba33b (Yagiz Nizipli) #45788 - [
e2944109c6
] - deps: V8: cherry-pick bf0bd4868dde (Michaël Zasso) #45908 - [
e113d169ee
] - doc: update isUtf8 description (Yagiz Nizipli) #45973 - [
9e16406066
] - doc: sort http.createServer() options alphabetically (Luigi Pinca) #45680 - [
49253e1a8f
] - doc: use console.error for error case in timers and tls (Deokjin Kim) #46002 - [
8be1b666a7
] - doc: fix wrong output of example inurl.protocol
(Deokjin Kim) #45954 - [
9251dce8b2
] - doc: useos.availableParallelism()
in async_context and cluster (Deokjin Kim) #45979 - [
952e03ae66
] - doc: make EventEmitterAsyncResource'soptions
as optional (Deokjin Kim) #45985 - [
71cc3b3712
] - doc: replace single executable champion in strategic initiatives doc (Darshan Sen) #45956 - [
eaf6b63637
] - doc: update error message of example in repl (Deokjin Kim) #45920 - [
d8b5b7da75
] - doc: fix typos in packages.md (Eric Mutta) #45957 - [
4457e051c9
] - doc: remove port from example inurl.hostname
(Deokjin Kim) #45927 - [
908f4fab52
] - doc: show output of example in http (Deokjin Kim) #45915 - [
faf5c23084
] - (SEMVER-MINOR) doc: add parallelism note to os.cpus() (Colin Ihrig) #45895 - [
9ed547b73c
] - doc: fix wrong output of example inurl.password
(Deokjin Kim) #45928 - [
a89f8c1337
] - doc: fix some history entries indeprecations.md
(Antoine du Hamel) #45891 - [
cf30fca23f
] - doc: add tip for NODE_MODULE (theanarkh) #45797 - [
d500445aec
] - doc: reduce likelihood of mismerges during release (Richard Lau) #45864 - [
e229f060e3
] - doc: add backticks to webcrypto rsaOaepParams (Filip Skokan) #45883 - [
dfa58c1947
] - doc: remove release cleanup step (Michaël Zasso) #45858 - [
b93a9670a8
] - doc: add stream/promises pipeline and finished to doc (Marco Ippolito) #45832 - [
c86f4a17d6
] - doc: remove Juan Jose keys (Rafael Gonzaga) ...
2023-01-05, Version 18.13.0 'Hydrogen' (LTS), @danielleadams
Notable changes
Add support for externally shared js builtins
By default Node.js is built so that all dependencies are bundled into the Node.js binary itself. Some Node.js distributions prefer to manage dependencies externally. There are existing build options that allow dependencies with native code to be externalized. This commit adds additional options so that dependencies with JavaScript code (including WASM) can also be externalized. This addition does not affect binaries shipped by the Node.js project but will allow other distributions to externalize additional dependencies when needed.
Contributed by Michael Dawson in #44376
Introduce File
The File class is part of the FileAPI. It can be used anywhere a Blob can, for example in URL.createObjectURL
and FormData
. It contains two properties that Blobs do not have: lastModified
, the last time the file was modified in ms, and name
, the name of the file.
Contributed by Khafra in #45139
Support function mocking on Node.js test runner
The node:test
module supports mocking during testing via a top-level mock
object.
test('spies on an object method', (t) => {
const number = {
value: 5,
add(a) {
return this.value + a;
},
};
t.mock.method(number, 'add');
assert.strictEqual(number.add(3), 8);
assert.strictEqual(number.add.mock.calls.length, 1);
});
Contributed by Colin Ihrig in #45326
Other notable changes
- build:
- disable v8 snapshot compression by default (Joyee Cheung) #45716
- crypto:
- update root certificates (Luigi Pinca) #45490
- deps:
- update ICU to 72.1 (Michaël Zasso) #45068
- doc:
- add doc-only deprecation for headers/trailers setters (Rich Trott) #45697
- add Rafael to the tsc (Michael Dawson) #45691
- deprecate use of invalid ports in
url.parse
(Antoine du Hamel) #45576 - add lukekarrys to collaborators (Luke Karrys) #45180
- add anonrig to collaborators (Yagiz Nizipli) #45002
- deprecate url.parse() (Rich Trott) #44919
- lib:
- drop fetch experimental warning (Matteo Collina) #45287
- net:
- (SEMVER-MINOR) add autoSelectFamily and autoSelectFamilyAttemptTimeout options (Paolo Insogna) #44731
- src:
- test_runner:
- tls:
- tools:
- update certdata.txt (Luigi Pinca) #45490
- util:
Commits
- [
40123a6bb0
] - (SEMVER-MINOR) async_hooks: add hook to stop propagation (Gerhard Stöbich) #45386 - [
9925d20ed8
] - benchmark: add variety of inputs to text-encoder (Yagiz Nizipli) #45787 - [
5e167bd658
] - benchmark: make benchmarks runnable in older versions of Node.js (Joyee Cheung) #45746 - [
a1421623ac
] - benchmark: add v8 serialize benchmark (Yagiz Nizipli) #45476 - [
fcf61884cc
] - benchmark: add text-encoder benchmark (Yagiz Nizipli) #45450 - [
762d285c98
] - benchmark: add parameters to text-decoder benchmark (Yagiz Nizipli) #45363 - [
ab891ecbff
] - benchmark: fix text-decoder benchmark (Yagiz Nizipli) #45363 - [
1ed312a737
] - benchmark: add blob benchmark (Yagiz Nizipli) #44990 - [
2ee3d81277
] - bootstrap: merge main thread and worker thread initializations (Joyee Cheung) #44869 - [
e638ea4f48
] - bootstrap: check more metadata when loading the snapshot (Joyee Cheung) #44132 - [
bfcf4f0046
] - buffer: make decodeUTF8 params loose (Yagiz Nizipli) #45610 - [
3a7f3d5993
] - (SEMVER-MINOR) buffer: introduce File (Khafra) #45139 - [
345b847aa6
] - buffer: fix validation of options inBlob
constructor (Antoine du Hamel) #45156 - [
1ddc438444
] - build: disable v8 snapshot compression by default (Joyee Cheung) #45716 - [
bd1a2fbd91
] - build: add python 3.11 support for android (Mohammed Keyvanzadeh) #45765 - [
2b0ace302d
] - build: rework gyp files for zlib (Richard Lau) #45589 - [
5ab7a30a06
] - build: avoid redefined macro (Michaël Zasso) #45544 - [
f58b32c22e
] - build: fix env.h for cpp20 (Jiawen Geng) #45516 - [
1de1f679ec
] - Revert "build: remove precompiled header and debug information for host builds" (Stefan Stojanovic) #45432 - [
89d1eb58b0
] - build: add --v8-disable-object-print flag (MURAKAMI Masahiko) #45458 - [
f2a4def232
] - build: make scripts in gyp run with right python (Jiawen Geng) #45435 - [
473a879c91
] - build: workaround for node-core-utils (Jiawen Geng) #45199 - [
abcc034c61
] - build: fix icu-small build with ICU 72.1 (Steven R. Loomis) #45195 - [
8a99221a21
] - build: remove unused language files (Ben Noordhuis) #45138 - [
3fb44f9413
] - build: add GitHub token to auto-start-ci workflow (Richard Lau) #45185 - [
2aac993bb2
] - build: add version info to timezone update PR (Darshan Sen) #45021 - [
0db19b3c60
] - build: support Python 3.11 (Luigi Pinca) #45191 - [
fb008a2e9b
] - build,deps,src: fix Intel VTune profiling support (Shi Lei) #45248 - [
61bc27a5b4
] - build,win: pass --debug-nghttp2 to configure (Santiago Gimeno) #45209 - [
7b68c06988
] - child_process: validate arguments for null bytes (Darshan Sen) #44782 - [
bac6b7d900
] - crypto: simplify lazy loading of internal modules (Antoin...
2022-12-14, Version 19.3.0 (Current), @targos
Notable Changes
Updated npm to 9.2.0
Based on the list of guidelines we've established on integrating npm
and node
,
here is a grouped list of the breaking changes with the reasoning as to why they
fit within the guidelines linked above. Note that all the breaking changes were
made in 9.0.0.
All subsequent minor and patch releases after npm@9.0.0
do not contain any
breaking changes.
Engines
Explanation: the node engines supported by
npm@9
make it safe to allownpm@9
as the default in any LTS version of14
or16
, as well as anything later than or including18.0.0
npm
is now compatible with the following semver range for node:^14.17.0 || ^16.13.0 || >=18.0.0
Filesystem
Explanation: when run as root previous versions of npm attempted to manage file ownership automatically on the user's behalf. this behavior was problematic in many cases and has been removed in favor of allowing users to manage their own filesystem permissions
npm
will no longer attempt to modify ownership of files it creates.
Auth
Explanation: any errors thrown from users having unsupported auth configurations will show
npm config fix
in the remediation instructions, which will allow the user to automatically have their auth config fixed.
- The presence of auth related settings that are not scoped to a specific
registry found in a config file is no longer supported and will throw errors.
Login
Explanation: the default
auth-type
has changed and users can opt back into the old behavior withnpm config set auth-type=legacy
.login
andadduser
have also been seperated making each command more closely match it's name instead of being aliases for each other.
- Legacy auth types
sso
,saml
&legacy
have been consolidated into"legacy"
. auth-type
defaults to"web"
login
andadduser
are now separate commands that send different data to the registry.auth-type
config valuesweb
andlegacy
only try their respective methods,
npm no longer tries them all and waits to see which one doesn't fail.
Tarball Packing
Explanation: previously using multiple ignore/allow lists when packing was an undefined behavior, and now the order of operations is strictly defined when packing a tarball making it easier to follow and should only affect users relying on the previously undefined behavior.
npm pack
now follows a strict order of operations when applying ignore rules.
If afiles
array is present in thepackage.json
, then rules in.gitignore
and.npmignore
files from the root will be ignored.
Display/Debug/Timing Info
Explanation: these changes center around the display of information to the terminal including timing and debug log info. We do not anticipate these changes breaking any existing workflows.
- Links generated from git urls will now use
HEAD
instead ofmaster
as the default ref. timing
has been removed as a value for--loglevel
.--timing
will show timing information regardless of--loglevel
, except when--silent
.- When run with the
--timing
flag,npm
now writes timing data to a file
alongside the debug log data, respecting thelogs-dir
option and falling
back to<CACHE>/_logs/
dir, instead of directly inside the cache directory. - The timing file data is no longer newline delimited JSON, and instead each run
will create a uniquely named<ID>-timing.json
file, with the<ID>
portion
being the same as the debug log. npm
now outputs some json errors on stdout. Previouslynpm
would output
all json formatted errors on stderr, making it difficult to parse as the
stderr stream usually has logs already written to it.
Config/Command Deprecations or Removals
Explanation:
install-links
is the only config or command in the list that has an effect on package installs. We fixed a number of issues that came up during prereleases with this change. It will also only be applied to new package trees created without a package-lock.json file. Any install with an existing lock file will not be changed.
- Deprecate boolean install flags in favor of
--install-strategy
. npm config set
will no longer accept deprecated or invalid config options.install-links
config defaults to"true"
.node-version
config has been removed.npm-version
config has been removed.npm access
subcommands have been renamed.npm birthday
has been removed.npm set-script
has been removed.npm bin
has been removed (usenpx
ornpm exec
to execute binaries).
Other notable changes
- [
03db415540
] - build: disable v8 snapshot compression by default (Joyee Cheung) #45716 - [
9f51b9e50d
] - doc: add doc-only deprecation for headers/trailers setters (Rich Trott) #45697 - [
b010820c4e
] - doc: add Rafael Gonzaga to the TSC (Michael Dawson) #45691 - [
b8b13dccd9
] - (SEMVER-MINOR) net: add autoSelectFamily and autoSelectFamilyAttemptTimeout options (Paolo Insogna) #44731 - [
5d7cd363ab
] - (SEMVER-MINOR) src: add uvwasi version (Jithil P Ponnan) #45639 - [
4165dcddf0
] - (SEMVER-MINOR) test_runner: add t.after() hook (Colin Ihrig) #45792 - [
d1bd7796ad
] - (SEMVER-MINOR) test_runner: don't use a symbol for runHook() (Colin Ihrig) #45792 - [
691f58e76c
] - tls: remove trustcor root ca certificates (Ben Noordhuis) #45776
Commits
- [
382efdf460
] - benchmark: add variety of inputs to text-encoder (Yagiz Nizipli) #45787 - [
102c2dc071
] - benchmark: make benchmarks runnable in older versions of Node.js (Joyee Cheung) #45746 - [
e2caf7ced9
] - bootstrap: lazy load non-essential modules (Joyee Cheung) #45659 - [
49840d443c
] - buffer: remove unnecessary lazy loading (Antoine du Hamel) #45807 - [
17847683dc
] - buffer: make decodeUTF8 params loose (Yagiz Nizipli) #45610 - [
03db415540
] - build: disable v8 snapshot compression by default (Joyee Cheung) #45716 - [
95a23e24f3
] - build: add python 3.11 support for android (Mohammed Keyvanzadeh) #45765 - [
09bc89daba
] - build: rework gyp files for zlib (Richard Lau) #45589 - [
b5b56b6b45
] - crypto: simplify lazy loading of internal modules (Antoine du Hamel) #45809 - [
2e4d37e3f0
] - crypto: fix CipherBase Update int32 overflow (Marco Ippolito) #45769 - [
573eab9235
] - crypto: refactor ArrayBuffer to bigint conversion utils (Antoine du Hamel) #45567 - [
845f805490
] - crypto: refactor verify acceptable key usage functions (Filip Skokan) #45569 - [
7cc9998737
] - crypto: fix ECDH webcrypto public CryptoKey usages (Filip Skokan) #45569 - [
d030963f37
] - crypto: validate CFRG webcrypto JWK import "d" and "x" are a pair (Filip Skokan) #45569 - [
9cd106efdc
] - crypto: use DataError for CFRG webcrypto raw and jwk import key checks (Filip Skokan) #45569 - [
9e2e3de6ce
] - crypto: use DataError for webcrypto keyData import failures (Filip Skokan) #45569 - [
40037b4e79
] - crypto: fix X25519 and X448 webcrypto public CryptoKey usages (Filip Skokan) #45569 - [
de2b6b97b9
] - crypto: ensure "x" is present when importing private CFRG webcrypto keys (Filip Skokan) #45569 - [[
75dbce9a07
](https://git...