Joyee Cheung
87855a571b
lib: only build the ESM facade for builtins when they are needed
...
We previously built the ESM facade (synthetic modules re-exporting
builtin's exports) for builtins even when they are not directly
import'ed (which rarely happens for internal builtins as that
requires --expose-internals). This patch removes
the eager generation to avoid the overhead and the extra
promises created in facade building when it's not requested by the user.
When the facade is needed the ESM loader that can be requested
it in the translator on-demand.
Drive-by: set the ModuleWrap prototype to null in the built-in
snapshot.
PR-URL: https://github.com/nodejs/node/pull/51669
Reviewed-By: Michaël Zasso <targos@protonmail.com >
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com >
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com >
2024-02-21 00:15:44 +01:00
Joyee Cheung
3e57b93963
src: compile code eagerly in snapshot builder
...
By default V8 only compiles the top-level function and
skips code generation for inner functions - that would
only be done when those inner functions are invoked.
Since builtins are compiled as wrapped functions, most
functions that look visually top-level are not actually
included in the built-in code cache. For most of the
builtins this is not too bad because usually only a subset of
all builtin functions are needed by a particular
application and including all their code in the binary
would incur an unnecessary size overhead. But there is also
a subset of more commonly used builtins and it would be
better to include the inner functions in the built-in
code cache because they are more universally used by
most applications.
This patch changes the compilation strategy to eager compilation
(including inner functions) for the following scripts:
1. Primordials (internal/per_context/*), in all situations.
2. Bootstrap scripts (internal/bootstrap/*) and main scripts
(internal/main/*), when being compiled for built-in code
cache.
3. Any scripts loaded during built-in snapshot generation.
We can't compile the code eagerly during snapshot generation
and include them into the V8 snapshot itself just now because
we need to start the inspector before context deserialization
for coverage collection to work. So leave that as a TODO.
With this patch the binary size increases by about 666KB
(~0.6% increase) in return the worker startup can be 18-19% faster.
PR-URL: https://github.com/nodejs/node/pull/51672
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
2024-02-20 21:40:12 +00:00
Joyee Cheung
7851af051a
lib: create global console properties at snapshot build time
...
It is safe to create the console properties for the global
console at snapshot build time. Streams must still be created
lazily however because they need special synchronization for
the handles.
PR-URL: https://github.com/nodejs/node/pull/51700
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com >
Reviewed-By: Chengzhong Wu <legendecas@gmail.com >
Reviewed-By: Moshe Atlow <moshe@atlow.co.il >
2024-02-20 18:25:31 +00:00
Shi Pujin
2eaee2820e
test: skip test-http-correct-hostname on loong64
...
PR-URL: https://github.com/nodejs/node/pull/51663
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Adrian Estrada <edsadr@gmail.com >
Reviewed-By: Michael Dawson <midawson@redhat.com >
2024-02-20 10:51:14 -05:00
Tobias Nießen
57f9298090
doc,crypto: further clarify RSA_PKCS1_PADDING support
...
PR-URL: https://github.com/nodejs/node/pull/51799
Reviewed-By: Filip Skokan <panva.ip@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Michael Dawson <midawson@redhat.com >
2024-02-20 10:23:54 -05:00
Cheng Zhao
079c3460cd
doc: add zcbenz to collaborators
...
Fixes: https://github.com/nodejs/node/issues/51479
PR-URL: https://github.com/nodejs/node/pull/51812
Reviewed-By: Matteo Collina <matteo.collina@gmail.com >
Reviewed-By: Michaël Zasso <targos@protonmail.com >
2024-02-20 20:51:48 +09:00
Rafael Gonzaga
9642532784
test: increase platform timeout zlib-brotli-16gb
...
PR-URL: https://github.com/nodejs/node/pull/51792
Reviewed-By: Matteo Collina <matteo.collina@gmail.com >
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
Reviewed-By: Moshe Atlow <moshe@atlow.co.il >
Reviewed-By: Michaël Zasso <targos@protonmail.com >
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com >
2024-02-19 19:17:59 +00:00
Geoffrey Booth
0550bc149c
typings: lib/internal/vm.js
...
PR-URL: https://github.com/nodejs/node/pull/50112
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
Reviewed-By: Chengzhong Wu <legendecas@gmail.com >
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com >
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com >
Reviewed-By: Rich Trott <rtrott@gmail.com >
2024-02-19 01:19:44 +00:00
Filip Skokan
fe2299089d
doc,crypto: add changelog and note about disabled RSA_PKCS1_PADDING
...
PR-URL: https://github.com/nodejs/node/pull/51782
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
2024-02-18 15:04:19 +00:00
Ben Richeson
17187dd2ed
test_runner: check if timeout was cleared by own callback
...
PR-URL: https://github.com/nodejs/node/pull/51673
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com >
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Moshe Atlow <moshe@atlow.co.il >
2024-02-18 11:08:44 +00:00
Joyee Cheung
ec3040f721
sea: update stability index
...
The design is relatively stable now and it's more suitable to
describe it as being "in active development".
PR-URL: https://github.com/nodejs/node/pull/51774
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Moshe Atlow <moshe@atlow.co.il >
Reviewed-By: Debadree Chatterjee <debadree333@gmail.com >
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
2024-02-17 18:03:26 +00:00
Joyee Cheung
72df124e38
build: encode non-ASCII Latin1 characters as one byte in JS2C
...
Previously we had two encodings for JS files:
1. If a file contains only ASCII characters, encode it as a one-byte
string (interpreted as uint8_t array during loading).
2. If a file contains any characters with code point above 127,
encode it as a two-byte string (interpreted as uint16_t array
during loading).
This was done because V8 only supports Latin-1 and UTF16 encoding
as underlying representation for strings. To store the JS code
as external strings to save encoding cost and memory overhead
we need to follow the representations supported by V8.
Notice that there is a gap in the Latin1 range (128-255) that we
encoded as two-byte, which was an undocumented TODO for a long
time. That was fine previously because then files that contained
code points beyond the 0-127 range contained code points >255.
Now we have undici which contains code points in the range 0-255
(minus a replaceable code point >255). So this patch adds handling
for the 128-255 range to reduce the size overhead caused by encoding
them as two-byte. This could reduce the size of the binary by
~500KB and helps future files with this kind of code points.
Drive-by: replace `’` with `'` in undici.js to make it a Latin-1
only string. That could be removed if undici updates itself to
replace this character in the comment.
PR-URL: https://github.com/nodejs/node/pull/51605
Reviewed-By: Daniel Lemire <daniel@lemire.me >
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev >
2024-02-17 17:09:24 +00:00
Luigi Pinca
6db72fcae4
test: remove test-cli-node-options flaky designation
...
The last trace of failure dates back to 2023-09-24.
Fixes: https://github.com/nodejs/node/issues/50295
PR-URL: https://github.com/nodejs/node/pull/51716
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com >
Reviewed-By: Michaël Zasso <targos@protonmail.com >
2024-02-17 06:44:18 +00:00
Luigi Pinca
78273ed0d1
test: remove test-domain-error-types flaky designation
...
There is no recent trace of failure for this test.
Fixes: https://github.com/nodejs/node/issues/38063
PR-URL: https://github.com/nodejs/node/pull/51717
Reviewed-By: Michaël Zasso <targos@protonmail.com >
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com >
2024-02-16 19:27:04 +00:00
Rafael Gonzaga
0ffb501c5d
doc: add entry to stewards
...
PR-URL: https://github.com/nodejs/node/pull/51760
Refs: https://github.com/nodejs-private/node-private/issues/514
Reviewed-By: Michael Dawson <midawson@redhat.com >
Reviewed-By: Richard Lau <rlau@redhat.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
Reviewed-By: Tobias Nießen <tniessen@tnie.de >
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Matteo Collina <matteo.collina@gmail.com >
2024-02-16 18:02:55 +00:00
Cheng Zhao
c682fbfbe2
src: check empty before accessing string
...
Fix an assertion when running dotenv tests with GN build:
assertion !empty() failed: string::front(): string is empty
which was caused by calling value.front() without verifying the value is
not empty.
PR-URL: https://github.com/nodejs/node/pull/51665
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de >
2024-02-16 14:33:37 +00:00
Joyee Cheung
ec3c7bc2c4
vm: implement isContext() directly in JS land with private symbol
...
We are now directly checking the existence of a private symbol
in the object to determine if an object is a ContextifyContext
anyway, so there is no need to implement it in C++ anymore.
PR-URL: https://github.com/nodejs/node/pull/51685
Reviewed-By: Michaël Zasso <targos@protonmail.com >
Reviewed-By: Chengzhong Wu <legendecas@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de >
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com >
2024-02-16 08:12:35 +00:00
Richard Lau
68fd5cbd5a
test: fix internet/test-inspector-help-page
...
The webpage at the URL referenced by `node --inspect` was retitled when
it was recently moved.
Update the test to match the new title "Debugging Node.js" (formerly
"Debugging Guide").
Refs: https://github.com/nodejs/nodejs.org/pull/6265
PR-URL: https://github.com/nodejs/node/pull/51693
Reviewed-By: Michaël Zasso <targos@protonmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com >
2024-02-16 04:09:27 +00:00
Jean Burellier
53aed8838c
doc: update technical priorities for 2023
...
PR-URL: https://github.com/nodejs/node/pull/47523
Reviewed-By: Matteo Collina <matteo.collina@gmail.com >
Reviewed-By: Michael Dawson <midawson@redhat.com >
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com >
Reviewed-By: Moshe Atlow <moshe@atlow.co.il >
2024-02-15 17:08:17 -05:00
Michael Dawson
9936d4586d
build: build opt to set local location of headers
...
Some Linux distros install headers through their
package managers. When headers are locally installed
we'd like them to be used.
Add a build time configuration option
--use-prefix-to-find-headers that will suggest to
node-gyp to look for headers based on the prefix
A PR to node-gyp will use this value when building
addons to automatically find and use the headers
if they have been installed locally
Signed-off-by: Michael Dawson <midawson@redhat.com >
PR-URL: https://github.com/nodejs/node/pull/51525
Reviewed-By: Richard Lau <rlau@redhat.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
2024-02-15 16:41:37 -05:00
Michaël Zasso
7fb80e5d27
deps: update timezone to 2024a
...
PR-URL: https://github.com/nodejs/node/pull/51723
Refs: https://github.com/unicode-org/icu/releases/tag/release-74-2
Refs: https://github.com/nodejs/node/pull/51721
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
Reviewed-By: LiviaMedeiros <livia@cirno.name >
Reviewed-By: Steven R Loomis <srl295@gmail.com >
Reviewed-By: Richard Lau <rlau@redhat.com >
2024-02-15 19:46:31 +00:00
Michaël Zasso
3f4f642ede
deps: update icu to 74.2
...
Refs: https://github.com/unicode-org/icu/releases/tag/release-74-2
PR-URL: https://github.com/nodejs/node/pull/51723
Refs: https://github.com/nodejs/node/pull/51721
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
Reviewed-By: LiviaMedeiros <livia@cirno.name >
Reviewed-By: Steven R Loomis <srl295@gmail.com >
Reviewed-By: Richard Lau <rlau@redhat.com >
2024-02-15 19:46:30 +00:00
Michaël Zasso
1c147423d0
tools: fix update-icu.sh
...
The name of the sources MD5 file has changed.
Refs: https://github.com/unicode-org/icu/releases/tag/release-74-2
PR-URL: https://github.com/nodejs/node/pull/51723
Refs: https://github.com/nodejs/node/pull/51721
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
Reviewed-By: LiviaMedeiros <livia@cirno.name >
Reviewed-By: Steven R Loomis <srl295@gmail.com >
Reviewed-By: Richard Lau <rlau@redhat.com >
2024-02-15 19:46:29 +00:00
Node.js GitHub Bot
fc801687ea
deps: update undici to 6.6.2
...
PR-URL: https://github.com/nodejs/node/pull/51667
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com >
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Matthew Aitken <maitken033380023@gmail.com >
Reviewed-By: Matteo Collina <matteo.collina@gmail.com >
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Michaël Zasso <targos@protonmail.com >
2024-02-15 13:47:14 +00:00
Antoine du Hamel
10c6596f6d
doc: fix globals.md introduction
...
Splitting the introduction sentence in two paragraphs so it's
clearer the list of variables only applies to the second sentence.
PR-URL: https://github.com/nodejs/node/pull/51742
Reviewed-By: Jithil P Ponnan <jithil@outlook.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Chemi Atlow <chemi@atlow.co.il >
Reviewed-By: Moshe Atlow <moshe@atlow.co.il >
2024-02-15 08:30:44 +00:00
Santiago Gimeno
36dcd399c0
deps: upgrade libuv to 1.48.0
...
PR-URL: https://github.com/nodejs/node/pull/51697
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com >
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Debadree Chatterjee <debadree333@gmail.com >
2024-02-14 14:27:35 -03:00
RafaelGSS
e9f395e77a
lib: use cache fs internals against path traversal
...
PR-URL: https://github.com/nodejs-private/node-private/pull/516
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=2259914
Reviewed-By: Moshe Atlow <moshe@atlow.co.il >
CVE-ID: CVE-2024-21891
2024-02-14 14:27:35 -03:00
Matteo Collina
9052ef43dc
zlib: pause stream if outgoing buffer is full
...
Signed-off-by: Matteo Collina <hello@matteocollina.com >
PR-URL: https://github.com/nodejs-private/node-private/pull/540
Reviewed-By: Robert Nagy <ronagy@icloud.com >
Ref: https://hackerone.com/reports/2284065
CVE-ID: CVE-2024-22025
2024-02-14 14:27:34 -03:00
Tobias Nießen
6d14352c51
src,deps: disable setuid() etc if io_uring enabled
...
Within Node.js, attempt to determine if libuv is using io_uring. If it
is, disable process.setuid() and other user identity setters.
We cannot fully prevent users from changing the process's user identity,
but this should still prevent some accidental, dangerous scenarios.
PR-URL: https://github.com/nodejs-private/node-private/pull/528
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com >
CVE-ID: CVE-2024-22017
2024-02-14 14:27:34 -03:00
Tobias Nießen
42e659cb9d
deps: disable io_uring support in libuv by default
...
setuid() does not affect libuv's internal io_uring operations if
initialized before the call to setuid(). This potentially allows the
process to perform privileged operations despite presumably having
dropped such privileges through a call to setuid(). Similar concerns
apply to other functions that modify the process's user identity.
This commit changes libuv's io_uring behavior from opt-out (through
UV_USE_IO_URING=0) to opt-in (through UV_USE_IO_URING=1) until we figure
out a better long-term solution.
PR-URL: https://github.com/nodejs-private/node-private/pull/528
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com >
CVE-ID: CVE-2024-22017
2024-02-14 14:27:34 -03:00
Paolo Insogna
03a5c34a82
http: add maximum chunk extension size
...
PR-URL: https://github.com/nodejs-private/node-private/pull/518
Fixes: https://hackerone.com/reports/2233486
Reviewed-By: Matteo Collina <matteo.collina@gmail.com >
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com >
CVE-ID: CVE-2024-22019
2024-02-14 14:27:34 -03:00
RafaelGSS
834ae3785b
test,doc: clarify wildcard usage
...
Follow-up: https://github.com/nodejs/node/pull/51209
PR-URL: https://github.com/nodejs-private/node-private/pull/517
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=2257156
CVE-ID: CVE-2024-21890
2024-02-14 14:27:34 -03:00
Tobias Nießen
10ecf40067
src: fix HasOnly(capability) in node::credentials
...
SYS_capget with _LINUX_CAPABILITY_VERSION_3 returns the process's
permitted capabilities as two 32-bit values. To determine if the only
permitted capability is indeed CAP_NET_BIND_SERVICE, it is necessary to
check both of those values.
Not doing so creates a vulnerability that potentially allows
unprivileged users to inject code into a privileged Node.js process
through environment variables such as NODE_OPTIONS.
PR-URL: https://github.com/nodejs-private/node-private/pull/505
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com >
CVE-ID: CVE-2024-21892
2024-02-14 14:27:34 -03:00
Tobias Nießen
46ce278079
fs: protect against modified Buffer internals in possiblyTransformPath
...
Use encodeUtf8String from the encoding_binding internal binding to
convert the result of path.resolve() to a Uint8Array instead of using
Buffer.from(), whose result can be manipulated by the user by
monkey-patching internals such as Buffer.prototype.utf8Write.
HackerOne report: https://hackerone.com/reports/2218653
PR-URL: https://github.com/nodejs-private/node-private/pull/497
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com >
CVE-ID: CVE-2024-21896
2024-02-14 14:27:34 -03:00
Michael Dawson
54cd268059
crypto: disable PKCS#1 padding for privateDecrypt
...
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2269177
Disable RSA_PKCS1_PADDING for crypto.privateDecrypt() in order
to protect against the Marvin attack.
Includes a security revert flag that can be used to restore
support.
Signed-off-by: Michael Dawson <midawson@redhat.com >
PR-URL: https://github.com/nodejs-private/node-private/pull/525
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2269177
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com >
CVE-ID: CVE-2023-46809
2024-02-14 14:26:59 -03:00
RafaelGSS
b43171c6f6
2024-02-14, Version 21.6.2 (Current)
...
This is a security release.
Notable changes:
crypto:
* disable PKCS#1 padding for privateDecrypt (Michael Dawson) https://github.com/nodejs-private/node-private/pull/525
deps:
* upgrade libuv to 1.48.0 (Santiago Gimeno) https://github.com/nodejs/node/pull/51698
* disable io_uring support in libuv by default (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/528
fs:
* protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/497
http:
* add maximum chunk extension size (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/518
lib:
* update undici to v5.28.3 (Matteo Collina) https://github.com/nodejs-private/node-private/pull/538
* use cache fs internals against path traversal (RafaelGSS) https://github.com/nodejs-private/node-private/pull/516
src:
* fix HasOnly(capability) in node::credentials (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/505
src,deps:
* disable setuid() etc if io_uring enabled (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/528
test,doc:
* clarify wildcard usage (RafaelGSS) https://github.com/nodejs-private/node-private/pull/517
zlib:
* pause stream if outgoing buffer is full (Matteo Collina) https://github.com/nodejs-private/node-private/pull/540
PR-URL: https://github.com/nodejs-private/node-private/pull/543
2024-02-14 14:12:25 -03:00
marco-ippolito
5405aa5b90
2024-02-14, Version 20.11.1 'Iron' (LTS)
...
This is a security release.
Notable changes:
crypto:
* disable PKCS#1 padding for privateDecrypt (Michael Dawson) https://github.com/nodejs-private/node-private/pull/525
deps:
* upgrade libuv to 1.48.0 (Santiago Gimeno) https://github.com/nodejs/node/pull/51699
* update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/51614
* upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/51614
* disable io\_uring support in libuv by default (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/529
* fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) https://github.com/nodejs/node/pull/51737
fs:
* protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/49
http:
* add maximum chunk extension size (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/519
lib:
* update undici to v5.28.3 (Matteo Collina) https://github.com/nodejs-private/node-private/pull/539
* use cache fs internals against path traversal (RafaelGSS) https://github.com/nodejs-private/node-private/pull/516
src:
* fix HasOnly(capability) in node::credentials (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/505
src,deps:
* disable setuid() etc if io\_uring enabled (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/529
test,doc:
* clarify wildcard usage (RafaelGSS) https://github.com/nodejs-private/node-private/pull/517
zlib:
* pause stream if outgoing buffer is full (Matteo Collina) https://github.com/nodejs-private/node-private/pull/541
PR-URL: https://github.com/nodejs-private/node-private/pull/544
2024-02-14 14:10:22 -03:00
marco-ippolito
2a5a150772
2024-02-14, Version 18.19.1 'Hydrogen' (LTS)
...
This is a security release.
Notable changes:
crypto:
* update root certificates to NSS 3.95 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/50805
* disable PKCS#1 padding for privateDecrypt (Michael Dawson) https://github.com/nodejs-private/node-private/pull/525
deps:
* upgrade npm to 10.2.4 (npm team) https://github.com/nodejs/node/pull/50751
* update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/51614
* upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/51614
* fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) https://github.com/nodejs/node/pull/51614
http:
* add maximum chunk extension size (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/520
lib:
* update undici to v5.28.3 (Matteo Collina) https://github.com/nodejs-private/node-private/pull/536
src:
* fix HasOnly(capability) in node::credentials (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/505
test:
* skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) https://github.com/nodejs/node/pull/49621
tools:
* add macOS notarization verification step (Ulises Gascón) https://github.com/nodejs/node/pull/50833
* use macOS keychain to notarize the releases (Ulises Gascón) https://github.com/nodejs/node/pull/50715
* remove unused file (Ulises Gascon) https://github.com/nodejs/node/pull/50622
* add macOS notarization stapler (Ulises Gascón) https://github.com/nodejs/node/pull/50625
* improve macOS notarization process output readability (Ulises Gascón) https://github.com/nodejs/node/pull/50389
* remove unused `version` function (Ulises Gascón) https://github.com/nodejs/node/pull/50390
win,tools:
* upgrade Windows signing to smctl (Stefan Stojanovic) https://github.com/nodejs/node/pull/50956
zlib:
* pause stream if outgoing buffer is full (Matteo Collina) https://github.com/nodejs-private/node-private/pull/542
PR-URL: https://github.com/nodejs-private/node-private/pull/545
2024-02-14 14:05:41 -03:00
Dmitry Semigradsky
bf39716735
doc: updates for better json generating
...
PR-URL: https://github.com/nodejs/node/pull/51592
Reviewed-By: Chemi Atlow <chemi@atlow.co.il >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Filip Skokan <panva.ip@gmail.com >
2024-02-13 21:37:42 +00:00
Cheng Zhao
544cfc5ef1
doc: document the GN build
...
PR-URL: https://github.com/nodejs/node/pull/51676
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com >
Reviewed-By: Debadree Chatterjee <debadree333@gmail.com >
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
2024-02-12 10:39:30 +00:00
Node.js GitHub Bot
a8de25ed15
tools: update lint-md-dependencies to rollup@4.10.0
...
PR-URL: https://github.com/nodejs/node/pull/51720
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Michaël Zasso <targos@protonmail.com >
Reviewed-By: Moshe Atlow <moshe@atlow.co.il >
2024-02-11 11:51:02 +00:00
Node.js GitHub Bot
8a41d9b636
tools: update github_reporter to 1.6.0
...
PR-URL: https://github.com/nodejs/node/pull/51658
Reviewed-By: Moshe Atlow <moshe@atlow.co.il >
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
2024-02-06 00:46:47 +00:00
Node.js GitHub Bot
9578c451b4
deps: update c-ares to 1.26.0
...
PR-URL: https://github.com/nodejs/node/pull/51582
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com >
2024-02-05 18:18:16 +00:00
Luigi Pinca
0f80e29419
test: remove duplicate entry for flaky test
...
Refs: https://github.com/nodejs/node/blob/5acd42ed9e65/test/parallel/parallel.status#L28-L30
PR-URL: https://github.com/nodejs/node/pull/51654
Reviewed-By: Richard Lau <rlau@redhat.com >
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io >
Reviewed-By: Moshe Atlow <moshe@atlow.co.il >
Reviewed-By: Filip Skokan <panva.ip@gmail.com >
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com >
2024-02-05 17:55:45 +00:00
Marco Ippolito
9448c61e08
http: split set-cookie when using setHeaders
...
PR-URL: https://github.com/nodejs/node/pull/51649
Fixes: https://github.com/nodejs/node/issues/51599
Reviewed-By: Paolo Insogna <paolo@cowtech.it >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com >
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com >
2024-02-04 17:36:16 +00:00
Aras Abbasi
c975384264
lib: enable WebSocket by default
...
PR-URL: https://github.com/nodejs/node/pull/51594
Reviewed-By: Matteo Collina <matteo.collina@gmail.com >
Reviewed-By: Paolo Insogna <paolo@cowtech.it >
Reviewed-By: Robert Nagy <ronagy@icloud.com >
Reviewed-By: Matthew Aitken <maitken033380023@gmail.com >
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com >
2024-02-04 14:03:39 +00:00
dependabot[bot]
9a4052c4fe
meta: bump codecov/codecov-action from 3.1.4 to 4.0.1
...
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action ) from 3.1.4 to 4.0.1.
- [Release notes](https://github.com/codecov/codecov-action/releases )
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md )
- [Commits](eaaf4bedf3...e0b68c6749 )
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
PR-URL: https://github.com/nodejs/node/pull/51648
Refs: e0b68c6749
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com >
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
2024-02-04 10:28:07 +00:00
dependabot[bot]
eca4b1a403
meta: bump actions/download-artifact from 4.1.0 to 4.1.1
...
Bumps [actions/download-artifact](https://github.com/actions/download-artifact ) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/download-artifact/releases )
- [Commits](f44cd7b40b...6b208ae046 )
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
PR-URL: https://github.com/nodejs/node/pull/51644
Refs: 6b208ae046
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com >
2024-02-03 18:49:56 +00:00
dependabot[bot]
9c194a517f
meta: bump actions/upload-artifact from 4.0.0 to 4.3.0
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.0.0 to 4.3.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](c7d193f32e...26f96dfa69 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
PR-URL: https://github.com/nodejs/node/pull/51643
Refs: 26f96dfa69
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com >
Reviewed-By: Luigi Pinca <luigipinca@gmail.com >
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com >
2024-02-03 18:49:47 +00:00
dependabot[bot]
ca26b5434a
meta: bump step-security/harden-runner from 2.6.1 to 2.7.0
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.6.1 to 2.7.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](eb238b55ef...63c24ba6bd )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
PR-URL: https://github.com/nodejs/node/pull/51641
Refs: 63c24ba6bd
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com >
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com >
2024-02-03 18:49:39 +00:00