
build: update node.js to v12.22.6 - autoclosed

Common Ground Bot requested to merge renovate/node-12.x into master

This MR contains the following updates:

Package   Type    Update   Change
node      stage   minor    12.13.1 -> 12.22.6

Release Notes

nodejs/node

v12.22.6

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVEs being remediated in core npm CLI dependencies, including node-tar and npm arborist.

You can read more about it in:

Commits

v12.22.5

This is a security release.

Notable Changes
  • CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
    • Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
  • CVE-2021-22930: Use after free on close http2 on stream canceling (High)
    • Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
  • CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
    • If the Node.js HTTPS API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
Commits

v12.22.4

This is a security release.

Notable Changes
  • CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Commits

v12.22.3

Notable Changes

Node.js 12.22.2 introduced a regression in the Windows installer on non-English locales that is being fixed in this release. There is no need to download this release if you are not using the Windows installer.

Commits

v12.22.2

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2021-22918: libuv upgrade - Out of bounds read (Medium)
    • Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
  • CVE-2021-22921: Windows installer - Node Installer Local Privilege Escalation (Medium)
    • Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921
  • CVE-2021-27290: npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High)
  • CVE-2021-23362: npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium)
Commits

v12.22.1

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
Commits

v12.22.0

Notable changes
The legacy HTTP parser is runtime deprecated

The legacy HTTP parser, selected by the --http-parser=legacy command line option, is deprecated with the pending End-of-Life of Node.js 10.x (where it is the only HTTP parser implementation provided) at the end of April 2021. It will now warn on use but otherwise continue to function and may be removed in a future Node.js 12.x release.

The default HTTP parser based on llhttp is not affected. By default it is stricter than the now deprecated legacy HTTP parser. If interoperability with HTTP implementations that send invalid HTTP headers is required, the HTTP parser can be started in a less secure mode with the --insecure-http-parser command line option.

Contributed by Beth Griggs #​37603.

ES Modules

ES Modules are now considered stable.

Contributed by Guy Bedford #​35781

node-api

Updated to node-api version 8 and added an experimental API to allow retrieval of the add-on file name.

Contributed by Gabriel Schulhof #​37652 and #​37195.

New APIs to control code coverage data collection

v8.stopCoverage() and v8.takeCoverage() have been added.

Contributed by Joyee Cheung #​33807.

New API to monitor event loop utilization by Worker threads

worker.performance.eventLoopUtilization() has been added.

Contributed by Trevor Norris #​35664.

Commits

v12.21.0

This is a security release.

Notable changes

Vulnerabilities fixed:

  • CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    • Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, the server is then unable to accept new connections and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, this leads to excessive memory usage and causes the system to run out of memory.
  • CVE-2021-22884: DNS rebinding in --inspect
    • Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  • CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
Commits

v12.20.2

Notable changes
  • deps:
    • upgrade npm to 6.14.11 (Ruy Adorno) #​37173
Commits

v12.20.1

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
  • CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of Node.js allow two copies of a header field in an HTTP request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).
  • CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
Commits

v12.20.0

Notable Changes
Commits

v12.19.1

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8277: Denial of Service through DNS request (High). A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service by getting the application to resolve a DNS record with a larger number of responses.
Commits

v12.19.0

Notable Changes
Commits

v12.18.4

Notable Changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
  • CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
Commits

v12.18.3

Notable Changes
Commits

v12.18.2

Notable changes
  • deps: V8: backport fb26d0b (Matheus Marchini) #​33573
    • Fixes memory leak in PrototypeUsers::Add
  • src: use symbol to store AsyncWrap resource (Anna Henningsen) #​31745
Commits

v12.18.1

Notable Changes
Commits

v12.18.0

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
  • CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
  • CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Commits

v12.17.0

Notable Changes
ECMAScript Modules - --experimental-modules flag removal

As of Node.js 12.17.0, the --experimental-modules flag is no longer necessary to use ECMAScript modules (ESM). However, the ESM implementation in Node.js remains experimental. As per our stability index: “The feature is not subject to Semantic Versioning rules. Non-backward compatible changes or removal may occur in any future release.” Users should be cautious when using the feature in production environments.

Unlike Node.js 14, using ESM will still emit a runtime experimental warning, either when a module is used as the application's entry point or the first time dynamic import() is called.

Please keep in mind that the implementation of ESM in Node.js differs from the developer experience you might be familiar with. Most transpilation workflows support features such as named exports from CommonJS module imports, optional file extensions or JSON modules that the Node.js ESM implementation does not support. It is highly likely that modules from transpiled environments will require a certain degree of refactoring to work in Node.js. It is worth mentioning that many of our design decisions were made with two primary goals: spec compliance and web compatibility. It is our belief that the current implementation offers a future-proof model for authoring ESM modules that paves the path to Universal JavaScript. Please read more in our documentation.

The ESM implementation in Node.js is still experimental but we do believe that we are getting very close to being able to call ESM in Node.js “stable”. Removing the flag is a huge step in that direction.

We expect to remove the warning from Node.js 12 later this year, possibly in late October, when Node.js 14 will become LTS.

AsyncLocalStorage API (experimental)

The AsyncLocalStorage class has been introduced in the Async Hooks module.

This API allows keeping a context across asynchronous operations. For instance, if a sequence id is stored within an instance of AsyncLocalStorage for each HTTP request entering a server, it will be possible to retrieve this id without having access to the current HTTP request:

const http = require('http');
const { AsyncLocalStorage } = require('async_hooks');

const asyncLocalStorage = new AsyncLocalStorage();

function logWithId(msg) {
  const id = asyncLocalStorage.getStore();
  console.log(`${id !== undefined ? id : '-'}: `, msg);
}

let idSeq = 0;
http.createServer((req, res) => {
  asyncLocalStorage.run(idSeq++, () => {
    logWithId('start');
    // Imagine any chain of async operations here.
    setImmediate(() => {
      logWithId('finish');
      res.end();
    });
  });
}).listen(8080);

In this example, the logWithId function will always know what the current request id is, even when there are multiple requests in parallel.

What can this API be used for

Use cases of this API include:

  • Logging
  • User identification
  • Performance tracking
  • Error tracking and handling
  • Much more!

Note: This API is still experimental and some methods might change in future releases of Node.js

Contributed by Vladimir de Turckheim - #​26540.

REPL previews

If further input is predictable, a suggestion is inserted as preview.

The REPL now supports previews similar to the Chrome DevTools console. An input suggestion is inserted as preview in case further input is predictable. The suggestion may be accepted by either pressing <TAB> or <RIGHT> at the end of the input. On top of that, output is previewed when entering variable names or function calls that have no side effect.

Check the preview in action and try it out on your own. Just access the REPL on your terminal by starting the Node.js executable without any further command.

Contributed by Ruben Bridgewater - #​30907, #​30811.

REPL reverse-i-search

The REPL supports bi-directional reverse-i-search similar to ZSH. It is triggered with <ctrl> + R to search backwards and <ctrl> + S to search forwards.

Entries are accepted as soon as any button is pressed that doesn't correspond with the reverse search. Cancelling is possible by pressing escape or <ctrl> + C.

Changing the direction immediately searches for the next entry in the expected direction from the current position on.

Reverse-i-search in action.

Contributed by Ruben Bridgewater - #​31006.

REPL substring-based search

It is now possible to access former history entries very quickly by writing the first characters of the formerly entered code you are looking for. Then push <UP> or <DOWN> to go through the history entries that start with those characters.

It works similarly to the Fish Shell substring-based history search.

Contributed by Ruben Bridgewater - #​31112.

Error monitoring
Monitoring error events

It is now possible to monitor 'error' events on an EventEmitter without consuming the emitted error by installing a listener using the symbol EventEmitter.errorMonitor:

const { EventEmitter } = require('events');

// Stand-ins for the emitter subclass and monitoring tool the snippet assumes.
class MyEmitter extends EventEmitter {}
const MyMonitoringTool = { log: (err) => console.error('monitored:', err.message) };

const myEmitter = new MyEmitter();

// errorMonitor listeners observe the error without counting as a handler.
myEmitter.on(EventEmitter.errorMonitor, (err) => {
  MyMonitoringTool.log(err);
});

myEmitter.emit('error', new Error('whoops!'));
// Still throws and crashes Node.js

Contributed by Gerhard Stoebich - #​30932.

Monitoring uncaught exceptions

It is now possible to monitor 'uncaughtException' events without overriding the default behavior that exits the process by installing an 'uncaughtExceptionMonitor' listener:

// Stand-in for the monitoring tool the snippet assumes; it must be synchronous
// because the process exits right after the listener returns.
const MyMonitoringTool = {
  logSync: (err, origin) => console.error(`[${origin}]`, err.message)
};

process.on('uncaughtExceptionMonitor', (err, origin) => {
  MyMonitoringTool.logSync(err, origin);
});

// Intentionally cause an exception, but do not catch it.
nonexistentFunc();
// Still crashes Node.js

Contributed by Gerhard Stoebich - #​31257.

File system APIs
New function: fs.readv

This new function (along with its sync and promisified versions) takes an array of ArrayBufferView elements and will write the data it reads sequentially to the buffers.

Contributed by Sk Sajidul Kadir - #​32356.

Optional parameters in fs.read

A new overload is available for fs.read (along with its sync and promisified versions), which allows any of the offset, length and position parameters to be passed optionally.

Contributed by Lucas Holmquist - #​31402.

Console groupIndentation option

The Console constructor (require('console').Console) now supports different group indentations.

This is useful in case you want a grouping width other than 2 spaces.

const { Console } = require('console');
const customConsole = new Console({
  stdout: process.stdout,
  stderr: process.stderr,
  groupIndentation: 10
});

customConsole.log('foo');
// 'foo'
customConsole.group();
customConsole.log('foo');
//           'foo'

Contributed by rickyes - #​32964.

maxStringLength option for util.inspect()

It is now possible to limit the length of strings while inspecting objects. This is possible by passing through the maxStringLength option similar to:

const { inspect } = require('util');

const string = inspect(['a'.repeat(1e8)], { maxStringLength: 10 });

console.log(string);
// "[ 'aaaaaaaaaa'... 99999990 more characters ]"

Contributed by rosaxny - #​32392.

Stable N-API release 6

The following N-API features are now stable as part of the N-API 6 release:

Stable diagnostic reports

The Diagnostic Report feature is now stable and supports a new --report-compact flag to write the reports in a compact, single-line JSON format, more easily consumable by log processing systems than the default multi-line format designed for human consumption.

Increase of the default server headers timeout

The default value of server.headersTimeout for http and https servers was increased from 40000 to 60000 (60 seconds). This is to accommodate systems like AWS ELB that have a timeout of 60 seconds.

Contributed by Tim Costa - #​30071.

Other changes
  • cli:
    • Added a --trace-sigint CLI flag that will print the current execution stack on SIGINT (legendecas) #​29207.
  • crypto:
    • Various crypto APIs now support Diffie-Hellman secrets (Tobias Nießen) #​31178.
  • dns:
    • Added the dns.ALL flag, that can be passed to dns.lookup() with dns.V4MAPPED to return resolved IPv6 addresses as well as IPv4 mapped IPv6 addresses (murgatroid99) #​32183.
  • module:
    • Added a new experimental API to interact with Source Map V3 data (Benjamin Coe) #​31132.
  • worker:
    • Added support for passing a transferList along with workerData to the Worker constructor (Juan José Arboleda) #​32278.
Commits
Semver-minor commits
  • [a35e88caf5] - (SEMVER-MINOR) async_hooks: merge run and exit methods (Andrey Pechkurov) #​31950
  • [3eb34068a2] - (SEMVER-MINOR) async_hooks: prevent sync methods of async storage exiting outer context (Stephen Belanger) #​31950
  • [22db34caa7] - (SEMVER-MINOR) async_hooks: add sync enterWith to ALS (Stephen Belanger) #​31945
  • [16e8b11708] - (SEMVER-MINOR) async_hooks: introduce async-context API (Vladimir de Turckheim) #​26540
  • [f7adfcc1df] - (SEMVER-MINOR) async_hooks: add executionAsyncResource (Matteo Collina) #​30959
  • [984ae304f2] - (SEMVER-MINOR) build: make --without-report a no-op (Colin Ihrig) #​32242
  • [e67b97ee53] - (SEMVER-MINOR) cli: allow --huge-max-old-generation-size in NODE_OPTIONS (Anna Henningsen) #​32251
  • [154b18ffca] - (SEMVER-MINOR) console: support console constructor groupIndentation option (rickyes) #​32964
  • [40253cc1c8] - (SEMVER-MINOR) crypto: add crypto.diffieHellman (Tobias Nießen) #​31178
  • [1977136a19] - (SEMVER-MINOR) crypto: add DH support to generateKeyPair (Tobias Nießen) #​31178
  • [9f85585b13] - (SEMVER-MINOR) crypto: add key type 'dh' (Tobias Nießen) #​31178
  • [6ffe4ed3b5] - (SEMVER-MINOR) deps: upgrade to libuv 1.37.0 (Colin Ihrig) #​32866
  • [2d7a7592ec] - (SEMVER-MINOR) deps: upgrade to libuv 1.36.0 (Colin Ihrig) #​32866
  • [ae83f0f993] - (SEMVER-MINOR) deps: upgrade to libuv 1.35.0 (Colin Ihrig) #​32204
  • [b7d264edaf] - (SEMVER-MINOR) dns: add dns.ALL hints flag constant (murgatroid99) #​32183
  • [fd2486ea44] - (SEMVER-MINOR) doc: update stability of report features (Colin Ihrig) #​32242
  • [90d35adccd] - (SEMVER-MINOR) doc,lib,src,test: make --experimental-report a nop (Colin Ihrig) #​32242
  • [93226a5097] - (SEMVER-MINOR) esm: unflag --experimental-modules (Guy Bedford) #​29866
  • [8c497f8969] - (SEMVER-MINOR) events: allow monitoring error events (Gerhard Stoebich) #​30932
  • [a100709fa8] - (SEMVER-MINOR) fs: make parameters optional for readSync (Lucas Holmquist) #​32460
  • [6601fac06a] - (SEMVER-MINOR) fs: add fs.readv() (Sk Sajidul Kadir) #​32356
  • [16a913f702] - (SEMVER-MINOR) fs: make fs.read params optional (Lucas Holmquist) #​31402
  • [7260ede9e6] - (SEMVER-MINOR) fs: return first folder made by mkdir recursive (Benjamin Coe) #​31530
  • [a15e712ef6] - (SEMVER-MINOR) fs: allow overriding fs for streams (Robert Nagy) #​29083
  • [b5983213c1] - (SEMVER-MINOR) lib: add option to disable __proto__ (Gus Caplan) #​32279
  • [784fb8f08c] - (SEMVER-MINOR) module: add API for interacting with source maps (Benjamin Coe) #​31132
  • [e22d853c5d] - (SEMVER-MINOR) n-api: define release 6 (Gabriel Schulhof) #​32058
  • [f56c4dd933] - (SEMVER-MINOR) n-api: add napi_get_all_property_names (himself65) #​30006
  • [9eeee0d9f2] - (SEMVER-MINOR) perf_hooks: add property flags to GCPerformanceEntry (Kirill Fomichev) #​29547
  • [5ec9295034] - (SEMVER-MINOR) process: report ArrayBuffer memory in memoryUsage() (Anna Henningsen) #​31550
  • [de3603f0a6] - (SEMVER-MINOR) process: allow monitoring uncaughtException (Gerhard Stoebich) #​31257
  • [cf28afeeb6] - (SEMVER-MINOR) readline,repl: improve history up/previous (Ruben Bridgewater) #​31112
  • [a0eb3e4ed2] - (SEMVER-MINOR) readline,repl: skip history entries identical to the current line (Ruben Bridgewater) #​31112
  • [d7e153bddb] - (SEMVER-MINOR) readline,repl: add substring based history search (Ruben Bridgewater) #​31112
  • [936c85c309] - (SEMVER-MINOR) repl: implement reverse search (Ruben Bridgewater) #​31006
  • [bf9ff16412] - (SEMVER-MINOR) repl: add completion preview (Ruben Bridgewater) #​30907
  • [b14440fb5c] - (SEMVER-MINOR) repl: support previews by eager evaluating input (Ruben Bridgewater) #​30811
  • [0b310df532] - (SEMVER-MINOR) src: unconditionally include report feature (Colin Ihrig) #​32242
  • [394487e3e8] - (SEMVER-MINOR) src: create a getter for kernel version (Juan José Arboleda) #​31732
  • [4ec25b4865] - (SEMVER-MINOR) src,cli: support compact (one-line) JSON reports (Sam Roberts) #​32254
  • [b038ad91f5] - (SEMVER-MINOR) src,lib: make ^C print a JS stack trace (legendecas) #​29207
  • [6348fae690] - (SEMVER-MINOR) tls: expose SSL_export_keying_material (simon) #​31814
  • [6aa3869688] - (SEMVER-MINOR) util: add maxStrLength option to inspect function (unknown) #​32392
  • [eda6665799] - (SEMVER-MINOR) vm: add code cache support for SourceTextModule (Gus Caplan) #​31278
  • [5c81b8d814] - (SEMVER-MINOR) wasi: add returnOnExit option (Colin Ihrig) #​32101
  • [ca4e65273f] - (SEMVER-MINOR) worker: support MessagePort to workers data (Juan José Arboleda) #​32278
  • [217e3dfea6] - (SEMVER-MINOR) worker: allow URL in Worker constructor (Antoine du HAMEL) #​31664
  • [ab8f38b551] - (SEMVER-MINOR) worker: add ability to take heap snapshot from parent thread (Anna Henningsen) #​31569
Semver-patch commits
Documentation commits
Other commits

v12.16.3

Notable Changes
  • Dependencies:
    • Updated OpenSSL to 1.1.1g (Hassaan Pasha) #​32971.
    • Updated c-ares to 1.16.0 (Anna Henningsen) #​32246.
    • Updated experimental uvwasi to 0.0.6 (Colin Ihrig) #​32309.
  • ESM (experimental):
    • Additional warnings are no longer printed for modules that use conditional exports or package name self resolution (Guy Bedford) #​31845.
Commits

v12.16.2

Notable Changes
  • doc:
    • add ronag to collaborators (Robert Nagy) #​31498
    • add GeoffreyBooth to collaborators (Geoffrey Booth) #​31306
  • deps:
    • upgrade npm to 6.13.6 (Ruy Adorno) #​31304
    • update openssl to 1.1.1e (Hassaan Pasha) #​32328
Commits

v12.16.1

Notable changes

Node.js 12.16.0 included 6 regressions that are being fixed in this release.

Accidental Unflagging of Self Resolving Modules:

12.16.0 included a large update to the ESM implementation. One of the new features, Self Referential Modules, was accidentally released without requiring the --experimental-modules flag. This release is being made to appropriately flag the feature.

Process Cleanup Changed Introduced WASM-Related Assertion:

A change during Node.js process cleanup led to a crash in combination with specific usage of WASM. This has been fixed by partially reverting that change. A regression test and a full fix are being worked on and will likely be included in future 12.x and 13.x releases.

Use Largepages Runtime Option Introduced Linking Failure:

A Semver-Minor change to introduce --use-largepages as a runtime option introduced a linking failure. This had been fixed in master but regressed as the fix has not yet gone out in a Current release. The feature has been reverted, but will be able to reland with a fix in a future Semver-Minor release.

Async Hooks was Causing an Exception When Handling Errors:

Changes in async hooks internals introduced a case where an internal API call could be called with undefined, causing the process to crash. The change to async hooks was reverted. A regression test and fix have been proposed and the change could re-land in a future Semver-Patch release if the regression is reliably fixed.

New Enumerable Read-Only Property on EventEmitter breaks @​types/extend

A new property for enumerating events was added to the EventEmitter class. This broke existing code that was using the @types/extend module for extending classes, as @types/extend was attempting to write over the existing field which the new change made read-only. As this is the first property on EventEmitter that is read-only, this feature could be considered Semver-Major. The new feature has been reverted but could re-land in a future Semver-Minor release if a non-breaking way of applying it is found.

Exceptions in the HTTP parser were not emitting an uncaughtException

A refactoring of Node.js internals resulted in a bug where errors in the HTTP parser were not being emitted by process.on('uncaughtException'). The fix to this bug has been included in this release.

Commits
  • [51fdd759b9] - async_hooks: ensure event after been emitted on runInAsyncScope (legendecas) #​31784
  • [7a1b0ac06f] - Revert "build: re-introduce --use-largepages as no-op" (Myles Borins) #​31782
  • [a53eeca2a9] - Revert "build: switch realpath to pwd" (Myles Borins) #​31782
  • [6d432994e6] - Revert "build: warn upon --use-largepages config option" (Myles Borins) #​31782
  • [a5bc00af12] - Revert "events: allow monitoring error events" (Myles Borins)
  • [f0b2d875d9] - module: 12.x self resolve flag as experimental modules (Guy Bedford) #​31757
  • [42b68a4e24] - src: inform callback scopes about exceptions in HTTP parser (Anna Henningsen) #​31801
  • [065a32f064] - Revert "src: make --use-largepages a runtime option" (Myles Borins) #​31782
  • [3d5beebc62] - Revert "src: make large_pages node.cc include conditional" (Myles Borins) #​31782
  • [43d02e20e0] - src: keep main-thread Isolate attached to platform during Dispose (Anna Henningsen) #​31795
  • [7a5954ef26] - src: fix -Winconsistent-missing-override warning (Colin Ihrig) #​30549

v12.16.0

Notable changes
New assert APIs

The assert module now provides experimental assert.match() and assert.doesNotMatch() methods. They will validate that the first argument is a string and matches (or does not match) the provided regular expression:

const assert = require('assert').strict;

assert.match('I will fail', /pass/);
// AssertionError [ERR_ASSERTION]: The input did not match the regular ...

assert.doesNotMatch('I will fail', /fail/);
// AssertionError [ERR_ASSERTION]: The input was expected to not match the ...

This is an experimental feature.

Ruben Bridgewater #​30929.

Advanced serialization for IPC

The child_process and cluster modules now support a serialization option to change the serialization mechanism used for IPC. The option can have one of two values:

  • 'json' (default): JSON.stringify() and JSON.parse() are used. This is how message serialization was done before.
  • 'advanced': The serialization API of the v8 module is used. It is based on the HTML structured clone algorithm and is able to serialize more built-in JavaScript object types, such as BigInt, Map, Set etc. as well as circular data structures.

Anna Henningsen #​30162.

CLI flags

The new --trace-exit CLI flag makes Node.js print a stack trace whenever the Node.js environment is exited proactively (i.e. by invoking the process.exit() function or pressing Ctrl+C).

legendecas #​30516.


The new --trace-uncaught CLI flag makes Node.js print a stack trace at the time of throwing uncaught exceptions, rather than at the creation of the Error object, if there is any. This option is not enabled by default because it may affect garbage collection behavior negatively.

Anna Henningsen #​30025.


The --disallow-code-generation-from-strings V8 CLI flag is now whitelisted in the NODE_OPTIONS environment variable.

Shelley Vohr #​30094.

New crypto APIs

For DSA and ECDSA, a new signature encoding is now supported in addition to the existing one (DER). The verify and sign methods accept a dsaEncoding option, which can have one of two values:

  • 'der' (default): DER-encoded ASN.1 signature structure encoding (r, s).
  • 'ieee-p1363': Signature format r || s as proposed in IEEE-P1363.

Tobias Nießen #​29292.


A new method was added to Hash: Hash.prototype.copy. It makes it possible to clone the internal state of a Hash object into a new Hash object, allowing the digest to be computed between updates:

// Calculate a rolling hash.
const crypto = require('crypto');
const hash = crypto.createHash('sha256');

hash.update('one');
console.log(hash.copy().digest('hex'));

hash.update('two');
console.log(hash.copy().digest('hex'));

hash.update('three');
console.log(hash.copy().digest('hex'));

// Etc.

Ben Noordhuis #​29910.

Dependency updates

libuv was updated to 1.34.0. This includes fixes to uv_fs_copyfile() and uv_interface_addresses() and adds two new functions: uv_sleep() and uv_fs_mkstemp().

Colin Ihrig #​30783.


V8 was updated to 7.8.279.23. This includes performance improvements to object destructuring, RegExp match failures and WebAssembly startup time. The official release notes are available at https://v8.dev/blog/v8-release-78.

Michaël Zasso #​30109.

New EventEmitter APIs

The new EventEmitter.on static method allows asynchronous iteration over events:

const { on, EventEmitter } = require('events');

(async () => {

  const ee = new EventEmitter();

  // Emit later on
  process.nextTick(() => {
    ee.emit('foo', 'bar');
    ee.emit('foo', 42);
  });

  for await (const event of on(ee, 'foo')) {
    // The execution of this inner block is synchronous and it
    // processes one event at a time (even with await). Do not use
    // if concurrent execution is required.
    console.log(event); // prints ['bar'] [42]
  }

})();

Matteo Collina #​27994.


It is now possible to monitor 'error' events on an EventEmitter without consuming the emitted error by installing a listener using the symbol EventEmitter.errorMonitor:

const { EventEmitter } = require('events');

// Stand-ins for the emitter subclass and monitoring tool the snippet assumes.
class MyEmitter extends EventEmitter {}
const MyMonitoringTool = { log: (err) => console.error('monitored:', err.message) };

const myEmitter = new MyEmitter();

// errorMonitor listeners observe the error without counting as a handler.
myEmitter.on(EventEmitter.errorMonitor, (err) => {
  MyMonitoringTool.log(err);
});

myEmitter.emit('error', new Error('whoops!'));
// Still throws and crashes Node.js

Gerhard Stoebich #​30932.


Using async functions with event handlers is problematic, because it can lead to an unhandled rejection in case of a thrown exception:

const { EventEmitter } = require('events');

const ee = new EventEmitter();

// The rejected promise returned by this async listener is not handled by anyone.
ee.on('something', async (value) => {
  throw new Error('kaboom');
});

The experimental captureRejections option in the EventEmitter constructor or the global setting change this behavior, installing a .then(undefined, handler) handler on the Promise. This handler routes the exception asynchronously to the Symbol.for('nodejs.rejection') method if there is one, or to the 'error' event handler if there is none.

const { EventEmitter } = require('events');

const ee1 = new EventEmitter({ captureRejections: true });
ee1.on('something', async (value) => {
  throw new Error('kaboom');
});

// The rejection is routed to the 'error' event.
ee1.on('error', console.log);

const ee2 = new EventEmitter({ captureRejections: true });
ee2.on('something', async (value) => {
  throw new Error('kaboom');
});

// The rejection is routed to this method instead, when present.
ee2[Symbol.for('nodejs.rejection')] = console.log;

Setting EventEmitter.captureRejections = true will change the default for all new instances of EventEmitter.

const { EventEmitter } = require('events');

EventEmitter.captureRejections = true;
const ee1 = new EventEmitter();
ee1.on('something', async (value) => {
  throw new Error('kaboom');
});

ee1.on('error', console.log);

This is an experimental feature.

Matteo Collina #​27867.

Performance Hooks are no longer experimental

The perf_hooks module is now considered a stable API.

legendecas #​31101.

Introduction of experimental WebAssembly System Interface (WASI) support

A new core module, wasi, is introduced to provide an implementation of the WebAssembly System Interface specification. WASI gives sandboxed WebAssembly applications access to the underlying operating system via a collection of POSIX-like functions.

This is an experimental feature.

Colin Ihrig #​30258.

Commits

v12.15.0

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
  • CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
  • CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.

Commits

v12.14.1

Notable changes
  • crypto: fix key requirements in asymmetric cipher (Tobias Nießen) #​30249
  • deps:
    • update llhttp to 2.0.1 (Fedor Indutny) #​30553
    • update nghttp2 to 1.40.0 (gengjiawen) #​30493
  • v8: mark serdes API as stable (Anna Henningsen) #​30234
Commits

v12.14.0

This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable changes
Commits

Configuration

📅 Schedule: "after 10pm every weekday,before 5am every weekday,every weekend" (UTC).

🚦 Automerge: Disabled due to failing status checks.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


This MR has been generated by Renovate Bot.

Edited by Common Ground Bot