nodejs/node

Notable changes

• build:
  • Add --force-context-aware flag to prevent usage of native node addons that aren't context aware #29631
• deprecations:
  • Add documentation-only deprecation for process._tickCallback() #29781
• esm:
  • Using JSON modules is experimental again #29754
• fs:
  • Introduce opendir() and fs.Dir to iterate through directories #29349
• process:
  • Add source-map support to stack traces by using --enable-source-maps #29564
• tls:
  • Honor pauseOnConnect option #29635
  • Add option for private keys for OpenSSL engines #28973

Commits

• [d09f2b4170] - build: build docs on Travis (Richard Lau) #29783
• [03ec4cea30] - build: do not link against librt on linux (Sam Roberts) #29727
• [f91778d2c7] - build: remove unused libatomic on ppc64, s390x (Sam Roberts) #29727
• [ab4c53e0ef] - crypto: remove arbitrary UTF16 restriction (Anna Henningsen) #29795
• [75f3b28d67] - crypto: refactor array buffer view validation (Ruben Bridgewater) #29683
• [5eb013b854] - deps: update archs files for OpenSSL-1.1.1 (Sam Roberts) #29550
• [1766cfcb9e] - deps: upgrade openssl sources to 1.1.1d (Sam Roberts) #29550
• [3d88b76680] - deps: patch V8 to 7.7.299.13 (Michaël Zasso) #29869
• [600478ac13] - dgram: use uv_udp_try_send() (Anna Henningsen) #29832
• [ea6b6abb91] - doc: remove spaces inside code span elements (Nick Schonning) #29329
• [20b9ef92d1] - doc: add more info to fs.Dir and fix typos (Jeremiah Senkpiel) #29890
• [f566cd5801] - doc: remove misleading paragraph about the Legacy URL API (Jakob Krigovsky) #29844
• [a5c2154534] - doc: add explicit bracket for markdown reference links (Nick Schonning) #29808
• [ea9bf4a666] - doc: implement minor CSS improvements (XhmikosR) #29669
• [a0498606a0] - doc: fix return type for crypto.createDiffieHellmanGroup() (exoego) #29696
• [a00cd17b9e] - doc: reuse link indexes for n-api.md (legendecas) #29787
• [aea0253697] - doc: unify place of stability notes (Vse Mozhet Byt) #29799
• [8b4f210bf5] - doc: add missing deprecation code (cjihrig) #29820
• [bede98128f] - doc: remove reference to stale CITGM job (Michael Dawson) #29774
• [014eb67117] - (SEMVER-MINOR) doc: add documentation deprecation for process._tickCallback (Lucas Holmquist) #29781
• [62370efe7e] - doc: add dash between SHA and PR in changelog (Nick Schonning) #29558
• [d1a4aa3ca2] - doc: add missing reference link values (Nick Schonning) #29558
• [de4652f55e] - doc: convert old changlogs SHA links to match newer format (Nick Schonning) #29558
• [60b1f6f303] - doc: complete cut off links in old changelog (Nick Schonning) #29558
• [906245e1a4] - doc: clarify --pending-deprecation effects on Buffer() usage (Rich Trott) #29769
• [401f3e7235] - doc: fix nits in dgram.md (Vse Mozhet Byt) #29761
• [bc48646206] - doc: improve process.ppid 'added in' info (Thomas Watson) #29772
• [0b46bcaaa5] - doc: security maintenance processes (Sam Roberts) #29685
• [f39259c079] - doc: remove redundant escape (XhmikosR) #29716
• [87fb1c297a] - errors: make sure all Node.js errors show their properties (Ruben Bridgewater) #29677
• [df218ce066] - Revert "esm: remove experimental status from JSON modules" (Guy Bedford) #29754
• [e7f604f495] - esm: remove proxy for builtin exports (Bradley Farias) #29737
• [c56f765cf6] - fs: remove options.encoding from Dir.read*() (Jeremiah Senkpiel) #29908
• [b76a2e502c] - (SEMVER-MINOR) fs: introduce opendir() and fs.Dir (Jeremiah Senkpiel) #29349
• [2bcde8309c] - (SEMVER-MINOR) http2: allow passing FileHandle to respondWithFD (Anna Henningsen) #29876
• [a240d45d1a] - http2: support passing options of http2.connect to net.connect (ZYSzys) #29816
• [3f153789b5] - http2: set default maxConcurrentStreams (ZYSzys) #29833
• [6a989da6a0] - http2: use the latest settings (ZYSzys) #29780
• [b2cce13235] - inspector: update faviconUrl (dokugo) #29562
• [60296a3612] - lib: make tick processor detect xcodebuild errors (Ben Noordhuis) #29830
• [9e5d691ee4] - lib: introduce no-mixed-operators eslint rule to lib (ZYSzys) #29834
• [74a69abd12] - lib: stop using prepareStackTrace (Gus Caplan) #29777
• [90562ae356] - module: use v8 synthetic modules (Guy Bedford) #29846
• [20896f74d6] - n-api,doc: clarify napi_finalize related APIs (legendecas) #29797
• [65c475269e] - net: emit close on unconnected socket (Robert Nagy) #29803
• [ae8b2b4ab7] - (SEMVER-MINOR) process: add source-map support to stack traces (bcoe) #29564
• [3f6ce39acf] - src: fix ESM path resolution on Windows (Thomas) #29574
• [6bfe8f47fa] - (SEMVER-MINOR) src: add buildflag to force context-aware addons (Shelley Vohr) #29631
• [6c75cc1b11] - stream: do not deadlock duplexpair (Robert Nagy) #29836
• [320f649539] - stream: add comment about undocumented API (Robert Nagy) #29805
• [5fdf4a474f] - test: remove extra process.exit() (cjihrig) #29873
• [6a5d401f30] - test: remove spaces inside code span elements (Nick Schonning) #29329
• [adee99883a] - test: debug output for dlopen-ping-pong test (Sam Roberts) #29818
• [b309e20661] - test: add test for HTTP server response with Connection: close (Austin Wright) #29836
• [bf1727a3f3] - test: add test for writable.write() argument types (Robert Nagy) #29746
• [3153dd6766] - test: well-defined DH groups now verify clean (Sam Roberts) #29550
• [690a863aaa] - test: simplify force-context-aware test (cjihrig) #29705
• [54ef0fd010] - (SEMVER-MINOR) test: --force-context-aware cli flag (Shelley Vohr) #29631
• [a7b56a5b01] - (SEMVER-MINOR) tls: honor pauseOnConnect option (Robert Jensen) #29635
• [cf7b4056ca] - (SEMVER-MINOR) tls: add option for private keys for OpenSSL engines (Anton Gerasimov) #28973
• [ba4946a520] - tools: prohibit Error.prepareStackTrace() usage (Ruben Bridgewater) #29827
• [79f6cd3606] - tools: update ESLint to v6.5.1 (Rich Trott) #29785
• [6d88f0fef7] - vm: refactor SourceTextModule (Gus Caplan) #29776
• [a7113048e3] - worker: do not use two-arg NewIsolate (Shelley Vohr) #29850

Node.js 8 is due to go End-of-Life on 31st December 2019.

Notable changes

• deps: upgrade openssl sources to 1.0.2s (Sam Roberts) #28230

Commits

• [cc9d005628] - crypto: update root certificates (Sam Roberts) #28808
• [347fcd35e3] - crypto: update root certificates (Sam Roberts) #27374
• [b2a6b3254d] - crypto: update root certificates (Sam Roberts) #25113
• [5682e50325] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
• [9663ae3546] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
• [87eee99466] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
• [da99d3f972] - deps: copy all openssl header files to include dir (Sam Roberts) #28230
• [dc9d645ac4] - deps: upgrade openssl sources to 1.0.2s (Sam Roberts) #28230
• [37e24b19a0] - deps: V8: backport d520ebb (Michaël Zasso) #27358
• [1a5dc6a3e7] - http: check for existance in resetHeadersTimeoutOnReqEnd (Matteo Collina) #26402
• [e45b6a3b98] - http2: do not start reading after write if new write is on wire (Anna Henningsen) #29399
• [559a8e342b] - http2: do not crash on stream listener removal w/ destroyed session (Anna Henningsen) #29459
• [dd285968c4] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389
• [3ee076f03d] - stream: ensure writable.destroy() emits error once (Luigi Pinca) #26057
• [a7e5fe1f06] - test: unskip tests that now pass on AIX (Sam Roberts) #29054
• [65e9b0f5a2] - test: specialize OOM check for AIX (Sam Roberts) #28857
• [7aca9cb09b] - test: fix pty test hangs on aix (Ben Noordhuis) #28600
• [588b761fca] - test: skip stringbytes-external-exceed-max on AIX (Sam Roberts) #28516
• [930647d0fe] - test: skip tests related to CI failures on AIX (Sam Roberts) #28469
• [92a2f8bbe3] - test,win: cleanup exec-timeout processes (João Reis) #28723
• [d57f79726d] - tls: partially backport pull request #26415 (Ben Noordhuis) #26415
• [c582fef5cc] - tools: update certdata.txt (Sam Roberts) #28808
• [4fbadf6a9e] - tools: update certdata.txt (Sam Roberts) #27374
• [529b2ad25f] - tools: update certdata.txt (Sam Roberts) #25113

Notable changes

• build:
  • This release fixes a regression that prevented from building Node.js using
    the official source tarball (Richard Lau) #29712.
• deps:
  • Updated small-icu data to support "unit" style in the Intl.NumberFormat API (Michaël Zasso) #29735.

Commits

• [35e1d8c5ba] - build: include deps/v8/test/torque in source tarball (Richard Lau) #29712
• [ae461964a7] - build,win: goto lint only after defining node_exe (João Reis) #29616
• [588b388181] - crypto: use byteLength in timingSafeEqual (Tobias Nießen) #29657
• [298d92785c] - deps: enable unit data in small-icu (Michaël Zasso) #29735
• [0041f1c0d3] - doc: sync security policy with nodejs.org (Sam Roberts) #29682
• [038cbb08de] - doc: fix output in inspector HeapProfile example (Kirill Fomichev) #29711
• [d86f10cf0b] - doc: add KeyObject to type for crypto.createDecipheriv() argument (exoego) #29689
• [1303e3551f] - doc: clarify description of readable.push() method (imhype) #29687
• [d258e0242c] - doc: clarify stream errors while reading and writing (Robert Nagy) #29653
• [0fc85ff96a] - doc: specify display=fallback for Google Fonts (XhmikosR) #29688
• [c2791dcd9c] - doc: fix some recent nits (Vse Mozhet Byt) #29670
• [7a6b05a26f] - doc: fix 404 links (XhmikosR) #29661
• [2b76cb6dda] - doc: remove align from tables (XhmikosR) #29668
• [3de1fc6958] - doc: document that iv may be null when using createCipheriv() (Ruben Bridgewater) #29684
• [91e4cc7500] - doc: update AUTHORS list (Anna Henningsen) #29608
• [2ea4cc0732] - doc: clarify pipeline stream cleanup (Robert Nagy) #29738
• [ab060bfdab] - doc: clarify fs.symlink() usage (Simon A. Eugster) #29700
• [b5c24dfbe8] - doc: fix type of atime/mtime (TATSUNO Yasuhiro) #29666
• [6579b1a547] - doc,http: indicate callback is optional for message.setTimeout() (Trivikram Kamat) #29654
• [a04fc86723] - http2: optimize the altsvc Max bytes limit, define and use constants (rickyes) #29673
• [d1f4befd09] - module: pass full URL to loader for top-level load (Guy Bedford) #29736
• [3f028551a8] - module: move cjs type check behind flag (Guy Bedford) #29732
• [c3a1303bc2] - src: rename --loader to --experimental-loader (Alex Aubuchon) #29752
• [17c3478d78] - src: fix asan build for gcc/clang (David Carlier) #29383
• [64740d44b5] - src: fix compiler warning in inspector_profiler.cc (Daniel Bevenius) #29660
• [a86b71f745] - src: disconnect inspector before exiting out of fatal exception (Joyee Cheung) #29611
• [8d88010277] - src: try showing stack traces when process._fatalException is not set (Joyee Cheung) #29624
• [2a6b7b0476] - test: fix flaky test-cluster-net-listen-ipv6only-none (Rich Trott) #29681
• [69f26340e9] - tls: simplify setSecureContext() option parsing (cjihrig) #29704
• [c361180c07] - tools: make mailmap processing for author list case-insensitive (Anna Henningsen) #29608
• [ef033d046a] - worker: fix process._fatalException return type (Ruben Bridgewater) #29706
• [04df7dbadb] - worker: keep allocators for transferred SAB instances alive longer (Anna Henningsen) #29637

Notable changes

• crypto:
  • Add oaepLabel option #29489
• deps:
  • Update V8 to 7.7.299.11 #28918
    • More efficient memory handling
    • Stack trace serialization got faster
    • The Intl.NumberFormat API gained new functionality
    • For more information: https://v8.dev/blog/v8-release-77
• events:
  • Add support for EventTarget in once #29498
• fs:
  • Expose memory file mapping flag UV_FS_O_FILEMAP #29260
• inspector:
  • New API - Session.connectToMainThread #28870
• process:
  • Initial SourceMap support via env.NODE_V8_COVERAGE #28960
• stream:
  • Make _write() optional when _writev() is implemented #29639
• tls:
  • Add option to override signature algorithms #29598
• util:
  • Add encodeInto to TextEncoder #29524
• worker:
  • The worker_thread module is now stable #29512

Commits

• [b9c7c9002f] - benchmark: improve process.env benchmarks (Anna Henningsen) #29188
• [6b8951231c] - bootstrap: add exception handling for profiler bootstrap (Shobhit Chittora) #29552
• [c052967636] - bootstrap: provide usable error on missing internal module (Jeremiah Senkpiel) #29593
• [5c24bc6c68] - build: do not indent assignments in Makefile (Joyee Cheung) #29623
• [f90740d734] - build: allow clang 10+ in configure.py (Kamil Rytarowski) #29541
• [c304594536] - build: re-run configure on node_version.h change (Anna Henningsen) #29510
• [f622771079] - build: improve make coverage (Anna Henningsen) #29487
• [c1695c6635] - build: add comment to .travis.yml on how to test Py3 (cclauss) #29473
• [6f50c3f391] - build: update minimum AIX OS level (Michael Dawson) #29476
• [ee18238f55] - build: remove experimental Python 3 tests (Christian Clauss) #29413
• [fe46054b14] - (SEMVER-MINOR) build: reset embedder string to "-node.0" (Michaël Zasso) #28918
• [42fd139279] - build,win: fix Python detection on localized OS (João Reis) #29423
• [f61c5097e2] - console: skip/strip %c formatting (Gus Caplan) #29606
• [68630c5b65] - console,util: fix missing recursion end while inspecting prototypes (Ruben Bridgewater) #29647
• [99c2cd8f08] - crypto: use BoringSSL-compatible flag getter (Shelley Vohr) #29604
• [dd5d944005] - (SEMVER-MINOR) crypto: fix OpenSSL return code handling (Tobias Nießen) #29489
• [54f327b4dc] - (SEMVER-MINOR) crypto: add oaepLabel option (Tobias Nießen) #29489
• [5d60adf38b] - deps: patch V8 to 7.7.299.11 (Michaël Zasso) #29628
• [c718c606c8] - deps: V8: cherry-pick deac757 (Benjamin Coe) #29626
• [e4a51ad980] - deps: patch V8 to 7.7.299.10 (Thomas) #29472
• [bc3c0b2d65] - deps: V8: cherry-pick 35c6d4d (Sam Roberts) #29585
• [fa7de9b27f] - deps: update npm to 6.11.3 (claudiahdz) #29430
• [f5f238de6c] - deps: upgrade to libuv 1.32.0 (cjihrig) #29508
• [7957b392e4] - deps: patch V8 to 7.7.299.8 (Michaël Zasso) #29336
• [90713c6697] - (SEMVER-MINOR) deps: patch V8 to be API/ABI compatible with 7.4 (from 7.7) (Michaël Zasso) #29241
• [e95f866956] - deps: patch V8 to be API/ABI compatible with 7.4 (from 7.6) (Michaël Zasso) #28955
• [4eeb2a99e5] - (SEMVER-MINOR) deps: patch V8 to be API/ABI compatible with 7.4 (from 7.5) (Michaël Zasso) #28005
• [60efc5fd52] - deps: V8: cherry-pick e3d7f8a (cclauss) #29105
• [d1bedbe717] - (SEMVER-MINOR) deps: V8: fix linking issue for MSVS (Refael Ackermann) #28016
• [19e38e0def] - (SEMVER-MINOR) deps: V8: fix BUILDING_V8_SHARED issues (Refael Ackermann) #27375
• [8aaa0abd26] - (SEMVER-MINOR) deps: V8: add workaround for MSVC optimizer bug (Refael Ackermann) #28016
• [07ed874446] - (SEMVER-MINOR) deps: V8: use ATOMIC_VAR_INIT instead of std::atomic_init (Refael Ackermann) #27375
• [1ed3909ca3] - (SEMVER-MINOR) deps: V8: forward declaration of Rtl\*FunctionTable (Refael Ackermann) #27375
• [242f6174e5] - (SEMVER-MINOR) deps: V8: patch register-arm64.h (Refael Ackermann) #27375
• [63093e9d49] - (SEMVER-MINOR) deps: V8: update postmortem metadata generation script (cjihrig) #28918
• [b54ee2185e] - (SEMVER-MINOR) deps: V8: silence irrelevant warning (Michaël Zasso) #26685
• [c6f97bb7ce] - (SEMVER-MINOR) deps: V8: un-cherry-pick bd019bd (Refael Ackermann) #26685
• [5df55c2626] - (SEMVER-MINOR) deps: V8: fix filename manipulation for Windows (Refael Ackermann) #28016
• [80ccae000e] - (SEMVER-MINOR) deps: update V8 to 7.7.299.4 (Michaël Zasso) #28918
• [325de437b3] - doc: update N-API version matrix (Gabriel Schulhof) #29461
• [2707beb8b8] - doc: add code example to process.throwDeprecation property (Juan José Arboleda) #29495
• [edaa2eebd6] - doc: fix some signatures of .end() methods (Vse Mozhet Byt) #29615
• [13d173f131] - doc: remove the suffix number of the anchor link (Maledong) #29468
• [3ba64646ed] - doc: explain stream.finished cleanup (Robert Nagy) #28935
• [84b353cf5d] - doc: fix require call for spawn() in code example (Marian Rusnak) #29621
• [39b17706ea] - doc: make minor improvements to stream.md (Robert Nagy) #28970
• [50b5ad1638] - doc: fix nits in net.md (Vse Mozhet Byt) #29577
• [4954792991] - doc: correct trivial misspelling in AUTHORS (gcr) #29597
• [0074c8adb7] - doc: update list style in misc README docs (Rich Trott) #29594
• [38028ef818] - doc: add missing complete property to http2 docs (Javier Ledezma) #29571
• [55631f4f0a] - doc: add leap second behavior notes for napi methods (Levhita) #29569
• [7fd32619c1] - doc: explain esm options for package authors (Geoffrey Booth) #29497
• [f2217cdafe] - doc: update experimental loader hooks example code (Denis Zavershinskiy) #29373
• [bf08c08384] - doc: use consistent unordered list style (Nick Schonning) #29516
• [ca8e87a6d3] - doc: add Bethany to TSC (Michael Dawson) #29546
• [aa541bbc88] - doc: add Tobias to the TSC (Michael Dawson) #29545
• [9abee075ad] - doc: mention unit for process.hrtime.bigint() (Anna Henningsen) #29482
• [3aea277b72] - doc: add documentation for stream readableFlowing (Chetan Karande) #29506
• [a262e2f8d4] - doc: indent child list items for remark-lint (Nick Schonning) #29488
• [2a5340144c] - doc: space around lists (Nick Schonning) #29467
• [9e63f914da] - doc: exitedAfterDisconnect value can be false (Nimit Aggarwal) #29404
• [b1509e8f8e] - doc: remove wrong escapes (XhmikosR) #29452
• [7dd897f49a] - doc: prepare markdown files for more stringent blank-line linting (Rich Trott) #29447
• [a9d16b5e30] - doc: simplify wording in n-api doc (Michael Dawson) #29441
• [c95e9ca6dc] - doc: update release guide with notes for major releases (James M Snell) #25497
• [a7331da863] - doc: indent ordered list child content (Nick Schonning) #29332
• [32bb58ba9c] - doc: fix unsafe writable stream code example (Chetan Karande) #29425
• [735ef8b235] - doc: async_hooks.createHook promiseResolve option (Ben Noordhuis) #29405
• [844b45bf4f] - doc: change urls directly from 'http' to 'https' (Maledong) #29422
• [4374d28c52] - doc: use consistent indenting for unordered list items (Nick Schonning) #29390
• [835d1cabf6] - doc: start unorded lists at start of line (Nick Schonning) #29390
• [8023e43e1d] - doc: change the 'txt' to 'console' for a command (Maledong) #29389
• [b9c082d764] - esm: make dynamic import work in the REPL (Bradley Farias) #29437
• [0a47d06150] - events: improve performance of EventEmitter.emit (Matteo Collina) #29633
• [9150c4dc72] - (SEMVER-MINOR) events: add support for EventTarget in once (Jenia) #29498
• [67f5de9b34] - fs: remove unnecessary argument check (Robert Nagy) #29043
• [a20a8f48f7] - gyp: make StringIO work in ninja.py (Christian Clauss) #29414
• [31b0b52a71] - http: refactor responseKeepAlive() (Robert Nagy) #28700
• [6a7d24b69c] - http2: do not crash on stream listener removal w/ destroyed session (Anna Henningsen) #29459
• [fa949ca365] - http2: send out pending data earlier (Anna Henningsen) #29398
• [d6ba106f8c] - http2: do not start reading after write if new write is on wire (Anna Henningsen) #29399
• [a268658496] - (SEMVER-MINOR) inspector: new API - Session.connectToMainThread (Eugene Ostroukhov) #28870
• [144aeeac68] - lib: remove the use of util.isFunction (himself65) #29566
• [91d99ce41c] - (SEMVER-MINOR) lib,test: fix error message check after V8 update (Michaël Zasso) #28918
• [13fa966b7b] - module: error for CJS .js load within type: module (Guy Bedford) #29492
• [ce45aae2ab] - module: reintroduce package exports dot main (Guy Bedford) #29494
• [8474b82e35] - n-api: delete callback bundle via reference (Gabriel Schulhof) #29479
• [50d7c39d91] - n-api: mark version 5 N-APIs as stable (Gabriel Schulhof) #29401
• [6b30802471] - perf_hooks: remove non-existent entries from inspect (Kirill Fomichev) #29528
• [c146fff307] - perf_hooks: ignore duplicated entries in observer (Kirill Fomichev) #29442
• [9b4a49c844] - perf_hooks: remove GC callbacks on zero observers count (Kirill Fomichev) #29444
• [b30c40bd5d] - perf_hooks: import http2 only once (Kirill Fomichev) #29419
• [95431eace9] - policy: minor perf opts and cleanup (Bradley Farias) #29322
• [6ba39d4fe4] - (SEMVER-MINOR) process: initial SourceMap support via NODE_V8_COVERAGE (Benjamin Coe) #28960
• [03a3468666] - process: use public readableFlowing property (Chetan Karande) #29502
• [a5bd7e3b2a] - repl: convert var to let and const (Lucas Holmquist) #29575
• [7eae707fd9] - repl: fix bug in fs module autocompletion (zhangyongsheng) #29555
• [596dd9fe34] - repl: add autocomplete support for fs.promises (antsmartian) #29400
• [70a0c170d4] - repl: add missing variable declaration (Lucas Holmquist) #29535
• [3878e1ed31] - src: perform check before running in runMicrotasks() (Jeremy Apthorp) #29581
• [6f8ef2cbab] - src: discard remaining foreground tasks on platform shutdown (Anna Henningsen) #29587
• [f84f1dbd98] - src: fix closing weak HandleWraps on GC (Anna Henningsen) #29640
• [6284b498b4] - src: use libuv to get env vars (Anna Henningsen) #29188
• [3a6bc90c29] - src: re-delete Atomics.wake (Gus Caplan) #29586
• [51a1dfab94] - src: print exceptions from PromiseRejectCallback (Anna Henningsen) #29513
• [4a5ba60e00] - src: modified RealEnvStore methods to use libuv functions (Devendra Satram) #27310
• [67aa5ef12b] - src: make ELDHistogram a HandleWrap (Anna Henningsen) #29317
• [5c3d484c21] - src: check microtasks before running them (Shelley Vohr) #29434
• [010d29d74f] - src: fix ValidateDSAParameters when fips is enabled (Daniel Bevenius) #29407
• [59b464026f] - (SEMVER-MINOR) src: update v8abbr.h for V8 7.7 (cjihrig) #28918
• [78af92dda5] - (SEMVER-MINOR) src,lib: expose memory file mapping flag (João Reis) #29260
• [f016823929] - stream: add test for multiple .push(null) (Chetan Karande) #29645
• [b1008973e9] - stream: cleanup use of internal ended state (Chetan Karande) #29645
• [e71bdadf52] - (SEMVER-MINOR) stream: make _write() optional when _writev() is implemented (Robert Nagy) #29639
• [123437bcc3] - stream: apply special logic in removeListener for readable.off() (Robert Nagy) #29486
• [322bc6f0a6] - stream: do not call _read() after destroy() (Robert Nagy) #29491
• [78cbdf3286] - stream: optimize creation (Robert Nagy) #29135
• [2dc52ad09c] - stream: simplify isUint8Array helper (Anna Henningsen) #29514
• [560511924f] - test: fix race condition in test-worker-process-cwd.js (Ruben Bridgewater) #28609
• [78ee065a11] - test: fix flaky test-inspector-connect-main-thread (Anna Henningsen) #29588
• [87fd55c387] - test: unmark test-worker-prof as flaky (Anna Henningsen) #29511
• [79a277ed10] - test: improve test-worker-message-port-message-before-close (Anna Henningsen) #29483
• [909c669c04] - test: disable core dumps before running crash test (Ben Noordhuis) #29478
• [561d504d71] - test: permit test-signalwrap to work without test runner (Rich Trott) #28306
• [75c559dc3a] - test: remove flaky status for test-statwatcher (Rich Trott) #29392
• [f056d55346] - (SEMVER-MINOR) test: update postmortem metadata test for V8 7.7 (cjihrig) #28918
• [b43d2dd852] - timers: set _destroyed even if there are no destroy-hooks (Jeremiah Senkpiel) #29595
• [6272f82c07] - (SEMVER-MINOR) tls: add option to override signature algorithms (Anton Gerasimov) #29598
• [b7488c2a5c] - tools: cleanup getnodeversion.py for readability (Christian Clauss) #29648
• [7bc2f06e0b] - tools: update ESLint to 6.4.0 (zhangyongsheng) #29553
• [0db7ebe073] - tools: fix iculslocs to support ICU 65.1 (Steven R. Loomis) #29523
• [bc7cc348cc] - tools: python3 compat for inspector code generator (Ben Noordhuis) #29340
• [9de417ad59] - tools: delete v8_external_snapshot.gypi (Ujjwal Sharma) #29369
• [2f81d59e75] - tools: fix GYP ninja generator for Python 3 (Michaël Zasso) #29416
• [027dcff207] - (SEMVER-MINOR) tools: sync gypfiles with V8 7.7 (Michaël Zasso) #28918
• [bbf209b5df] - tty: add color support for mosh (Aditya) #27843
• [ced89ad75d] - util: include reference anchor for circular structures (Ruben Bridgewater) #27685
• [772a5e0658] - (SEMVER-MINOR) util: add encodeInto to TextEncoder (Anna Henningsen) #29524
• [97d8b33ffc] - (SEMVER-MINOR) worker: mark as stable (Anna Henningsen) #29512
• [fa77dc5f3b] - worker: make terminate() resolve for unref’ed Workers (Anna Henningsen) #29484
• [53f23715df] - worker: prevent event loop starvation through MessagePorts (Anna Henningsen) #29315
• [d2b0568890] - worker: make transfer list behave like web MessagePort (Anna Henningsen) #29319

Notable changes

• deps:
  • Update npm to 6.10.3 (isaacs) #29023
• fs:
  • Add recursive option to rmdir() (cjihrig) #29168
  • Allow passing true to emitClose option (Giorgos Ntemiris) #29212
  • Add *timeNs properties to BigInt Stats objects (Joyee Cheung) #21387
• net:
  • Allow reading data into a static buffer (Brian White) #25436

Commits

• [293c9f0d75] - bootstrap: run preload prior to frozen-intrinsics (Bradley Farias) #28940
• [71aaf590c1] - buffer: correct indexOf() error message (Brian White) #29217
• [c900762fe4] - buffer: consolidate encoding parsing (Brian White) #29217
• [054407511e] - buffer: correct concat() error message (Brian White) #29198
• [35bca312ed] - buffer: improve equals() performance (Brian White) #29199
• [449f1fd578] - Revert "build: add full Python 3 tests to Travis CI" (Ben Noordhuis) #29406
• [256da1fdb3] - build: add full Python 3 tests to Travis CI (cclauss) #29360
• [0c4df35db0] - build: hard code doctool in test-doc target (Daniel Bevenius) #29375
• [d6b6a0578b] - build: integrate DragonFlyBSD into gyp build (David Carlier) #29313
• [6a914ed36e] - build: make --without-snapshot imply --without-node-snapshot (Joyee Cheung) #29294
• [def5c3e5d8] - build: test Python 3.6 and 3.7 on Travis CI (cclauss) #29291
• [feafc019b1] - build: move tooltest to before jstest target (Daniel Bevenius) #29220
• [aeafb91e2c] - build: add Python 3 tests to Travis CI (cclauss) #29196
• [bb6e3b5404] - build,win: accept Python 3 if 2 is not available (João Reis) #29236
• [dce5649d9c] - build,win: find Python in paths with spaces (João Reis) #29236
• [2489682eb5] - console: use getStringWidth() for character width calculation (Anna Henningsen) #29300
• [5c3e49d84e] - crypto: don't expose openssl internals (Shelley Vohr) #29325
• [e0537e6978] - crypto: simplify DSA validation in FIPS mode (Tobias Nießen) #29195
• [28ffc9f599] - deps: V8: cherry-pick 597f885 (Benjamin Coe) #29367
• [219c19530e] - (SEMVER-MINOR) deps: update npm to 6.10.3 (isaacs) #29023
• [4a7c4b7366] - doc: escape elements swallowed as HTML in markdown (Nick Schonning) #29374
• [5a16449edf] - doc: add extends for derived classes (Kamat, Trivikram) #29290
• [3fc29b8f9a] - doc: add blanks around code fences (Nick Schonning) #29366
• [187d08be65] - doc: format http2 anchor link and reference (Nick Schonning) #29362
• [6734782f25] - doc: remove multiple consecutive blank lines (Nick Schonning) #29352
• [a94afedc9b] - doc: add devnexen to collaborators (David Carlier) #29370
• [43797d9427] - doc: inconsistent indentation for list items (Nick Schonning) #29330
• [bb72217faf] - doc: heading levels should only increment by one (Nick Schonning) #29331
• [ef76c7d997] - doc: add dco to github pr template (Myles Borins) #24023
• [8599052283] - doc: add https.Server extends tls.Server (Trivikram Kamat) #29256
• [2fafd635d7] - doc: fix nits in esm.md (Vse Mozhet Byt) #29242
• [6a4f156ba4] - doc: add missing extends Http2Session (Trivikram Kamat) #29252
• [1d649e3444] - doc: indicate that Http2ServerRequest extends Readable (Trivikram Kamat) #29253
• [b2f169e628] - doc: indicate that Http2ServerResponse extends Stream (Trivikram Kamat) #29254
• [65de900052] - (SEMVER-MINOR) doc: add emitClose option for fs streams (Rich Trott) #29212
• [ae810cc8d5] - doc,crypto: add extends for derived classes (Kamat, Trivikram) #29302
• [a2c704773a] - doc,errors: add extends to derived classes (Kamat, Trivikram) #29303
• [395245f1eb] - doc,fs: add extends for derived classes (Kamat, Trivikram) #29304
• [8a93b63a6b] - doc,http: add extends for derived classes (Trivikram Kamat) #29255
• [ba29be60ae] - doc,tls: add extends for derived classes (Trivikram Kamat) #29257
• [30b80e5d7c] - errors: provide defaults for unmapped uv errors (cjihrig) #29288
• [a7c8322a54] - esm: support loading data URLs (Bradley Farias) #28614
• [3bc16f917d] - events: improve once() performance (Brian White) #29307
• [ed2293e3d7] - (SEMVER-MINOR) fs: add recursive option to rmdir() (cjihrig) #29168
• [8f47ff16d4] - (SEMVER-MINOR) fs: allow passing true to emitClose option (Giorgos Ntemiris) #29212
• [6ff803d97c] - fs: fix (temporary) for esm package (Robert Nagy) #28957
• [e6353bda1a] - fs: document the Date conversion in Stats objects (Joyee Cheung) #28224
• [365e062e14] - (SEMVER-MINOR) fs: add *timeNs properties to BigInt Stats objects (Joyee Cheung) #21387
• [12cbb3f12f] - gyp: remove semicolons (Python != JavaScript) (MattIPv4) #29228
• [10bae2ec91] - gyp: futurize imput.py to prepare for Python 3 (cclauss) #29140
• [e5a9a8522d] - http: simplify timeout handling (Robert Nagy) #29200
• [87b8f02daa] - lib: add ASCII fast path to getStringWidth() (Anna Henningsen) #29301
• [6e585fb063] - lib: consolidate lazyErrmapGet() (cjihrig) #29285
• [eb2d96fecf] - module: avoid passing unnecessary loop reference (Saúl Ibarra Corretgé) #29275
• [dfc0ef5d88] - (SEMVER-MINOR) net: allow reading data into a static buffer (Brian White) #25436
• [f4f88270e7] - process: improve nextTick performance (Brian White) #25461
• [0e1ccca81d] - querystring: improve performance (Brian White) #29306
• [f8f3af099a] - src: do not crash when accessing empty WeakRefs (Anna Henningsen) #29289
• [b964bdd162] - src: turn GET\_OFFSET() into an inline function (Anna Henningsen) #29357
• [2666e006e1] - src: inline SLICE\_START\_END() in node_buffer.cc (Anna Henningsen) #29357
• [8c6896e5d3] - src: allow --interpreted-frames-native-stack in NODE_OPTIONS (Matheus Marchini) #27744
• [db6e4ce239] - src: expose MaybeInitializeContext to allow existing contexts (Samuel Attard) #28544
• [4d4583e0a2] - src: add large page support for macOS (David Carlier) #28977
• [7809adfb1f] - stream: don't deadlock on aborted stream (Robert Nagy) #29376
• [2efd72f28d] - stream: improve read() performance (Brian White) #29337
• [e939a8747f] - stream: async iterator destroy compat (Robert Nagy) #29176
• [b36a6e9ed5] - stream: do not emit drain if stream ended (Robert Nagy) #29086
• [0ccf90b415] - test: remove Windows skipping of http keepalive request GC test (Rich Trott) #29354
• [83fb133267] - test: fix test-benchmark-net (Rich Trott) #29359
• [bd1e8eacf3] - test: fix flaky test-http-server-keepalive-req-gc (Rich Trott) #29347
• [9a150027da] - test: use print() function in both Python 2 and 3 (Christian Clauss) #29298
• [1f88ca3424] - (SEMVER-MINOR) test: add emitClose: true tests for fs streams (Rich Trott) #29212
• [cd70fd2bc0] - tools: update ESLint to 6.3.0 (cjihrig) #29382
• [350975e312] - tools: use 'from io import StringIO' in ninja.py (cclauss) #29371
• [3f68be1098] - tools: fix mksnapshot blob wrong freeing operator (David Carlier) #29384
• [3802da790b] - tools: update ESLint to 6.2.2 (cjihrig) #29320
• [2df84752c6] - tools: update babel-eslint to 10.0.3 (cjihrig) #29320
• [783c8eeb0b] - tools: fix Python 3 issues in inspector_protocol (cclauss) #29296
• [925141f946] - tools: fix mixup with bytes.decode() and str.encode() (Christian Clauss) #29208
• [a123a20134] - tools: fix Python 3 issues in tools/icu/icutrim.py (cclauss) #29213
• [eceebd3ef1] - tools: fix Python 3 issues in gyp/generator/make.py (cclauss) #29214
• [5abbd51c60] - util: do not throw when inspecting detached ArrayBuffer (Anna Henningsen) #29318

Notable changes

This release fixes two regressions in the http module:

• Fixes an event listener leak in the HTTP client. This resulted in lots of
  warnings during npm/yarn installs (Robert Nagy) #29245.
• Fixes a regression preventing the 'end' event from being emitted for
  keepalive requests in case the full body was not parsed (Matteo Collina) #29263.

Commits

• [3cc8fca299] - crypto: handle i2d_SSL_SESSION() error return (Ben Noordhuis) #29225
• [ae0a0e97ba] - http: reset parser.incoming when server request is finished (Anna Henningsen) #29297
• [dedbd119c5] - http: fix event listener leak (Robert Nagy) #29245
• [f8f8754d43] - Revert "http: reset parser.incoming when server response is finished" (Matteo Collina) #29263
• [a6abfcb423] - src: remove unused using declarations (Daniel Bevenius) #29222
• [ff6330a6ac] - test: fix 'timeout' typos (cjihrig) #29234
• [3c7a1a9090] - test, http: add regression test for keepalive 'end' event (Matteo Collina) #29263

Notable changes

• crypto:
  • Added an oaepHash option to asymmetric encryption which allows users to specify a hash function when using OAEP padding (Tobias Nießen) #28335.
• deps:
  • Updated V8 to 7.6.303.29 (Michaël Zasso) #28955.
    • Improves the performance of various APIs such as JSON.parse and methods
      called on frozen arrays.
    • Adds the Promise.allSettled method.
    • Improves support of BigInt in Intl methods.
    • For more information: https://v8.dev/blog/v8-release-76
  • Updated libuv to 1.31.0 (cjihrig) #29070.
    • UV_FS_O_FILEMAP has been added for faster access to memory mapped files on Windows.
    • uv_fs_mkdir() now returns UV_EINVAL for invalid filenames on Windows. It previously returned UV_ENOENT.
    • The uv_fs_statfs() API has been added.
    • The uv_os_environ() and uv_os_free_environ() APIs have been added.
• fs:
  • Added fs.writev, fs.writevSync and filehandle.writev (promise version) methods. They allow to write an array of ArrayBufferViews to a file descriptor (Anas Aboureada) #25925, (cjihrig) #29186.
• http:
  • Added three properties to OutgoingMessage.prototype: writableObjectMode, writableLength and writableHighWaterMark #29018.
• stream:
  • Added an new property readableEnded to readable streams. Its value is set to true when the 'end' event is emitted. (Robert Nagy) #28814.
  • Added an new property writableEnded to writable streams. Its value is set to true after writable.end() has been called. (Robert Nagy) #28934.

Commits

• [5008b46159] - benchmark: allow easy passing of process flags (Brian White) #28986
• [9057814206] - buffer: improve copy() performance (Brian White) #29066
• [c7a4525bbe] - buffer: improve ERR_BUFFER_OUT_OF_BOUNDS default (cjihrig) #29098
• [f42eb01d1d] - build: enable linux large pages LLVM lld linkage support (David Carlier) #28938
• [5c5ef4e858] - build: remove unused option (Rich Trott) #29173
• [fbe25c7fb7] - build: remove unnecessary Python semicolon (MattIPv4) #29170
• [e51f924964] - build: add a testclean target (Daniel Bevenius) #29094
• [0a63e2d9ff] - build: support py3 for configure.py (cclauss) #29106
• [b04f9e1f57] - build: reset embedder string to "-node.0" (Michaël Zasso) #28955
• [b085b94fce] - console: minor timeLogImpl() refactor (cjihrig) #29100
• [54197eac4d] - (SEMVER-MINOR) crypto: extend RSA-OAEP support with oaepHash (Tobias Nießen) #28335
• [a17d398989] - deps: V8: cherry-pick e3d7f8a (cclauss) #29105
• [2c91c65961] - deps: upgrade to libuv 1.31.0 (cjihrig) #29070
• [53c7fac310] - deps: patch V8 to be API/ABI compatible with 7.4 (from 7.6) (Michaël Zasso) #28955
• [7b8eb83895] - (SEMVER-MINOR) deps: patch V8 to be API/ABI compatible with 7.4 (from 7.5) (Michaël Zasso) #28005
• [7d411f47b2] - deps: V8: backport b33af60 (Gus Caplan) #28671
• [492b7cb8c3] - (SEMVER-MINOR) deps: V8: cherry-pick d2ccc59 (Michaël Zasso) #28016
• [945955ff86] - deps: cherry-pick 13a04aba from V8 upstream (Jon Kunkee) #28602
• [9b3c115efb] - (SEMVER-MINOR) deps: V8: cherry-pick 3b8c624 (Michaël Zasso) #28016
• [533b2d4a08] - (SEMVER-MINOR) deps: V8: fix linking issue for MSVS (Refael Ackermann) #28016
• [c9f8d28f71] - (SEMVER-MINOR) deps: V8: fix BUILDING_V8_SHARED issues (Refael Ackermann) #27375
• [f24caeff2f] - (SEMVER-MINOR) deps: V8: add workaround for MSVC optimizer bug (Refael Ackermann) #28016
• [94c8d068f8] - (SEMVER-MINOR) deps: V8: use ATOMIC_VAR_INIT instead of std::atomic_init (Refael Ackermann) #27375
• [d940403c20] - (SEMVER-MINOR) deps: V8: forward declaration of Rtl\*FunctionTable (Refael Ackermann) #27375
• [ac0c075cad] - (SEMVER-MINOR) deps: V8: patch register-arm64.h (Refael Ackermann) #27375
• [eefbc0773f] - (SEMVER-MINOR) deps: V8: update postmortem metadata generation script (cjihrig) #28016
• [33f3e383da] - (SEMVER-MINOR) deps: V8: silence irrelevant warning (Michaël Zasso) #26685
• [434c127651] - (SEMVER-MINOR) deps: V8: un-cherry-pick bd019bd (Refael Ackermann) #26685
• [040e7dabe4] - (SEMVER-MINOR) deps: V8: fix filename manipulation for Windows (Refael Ackermann) #28016
• [cfe2484e04] - deps: update V8 to 7.6.303.29 (Michaël Zasso) #28955
• [6f7b561295] - dns: update lookupService() first arg name (cjihrig) #29040
• [ad28f555a1] - doc: improve example single-test command (David Guttman) #29171
• [edbe38d52d] - doc: mention N-API as recommended approach (Michael Dawson) #28922
• [ebfe6367f0] - doc: fix introduced_in note in querystring.md (Ben Noordhuis) #29014
• [9ead4eceeb] - doc: note that stream error can close stream (Robert Nagy) #29082
• [5ea9237d2b] - doc: clarify async iterator leak (Robert Nagy) #28997
• [1b6d7c0d00] - doc: fix nits in child_process.md (Vse Mozhet Byt) #29024
• [375d1ee58b] - doc: improve UV_THREADPOOL_SIZE description (Tobias Nießen) #29033
• [7b7b8f21cb] - doc: documented default statusCode (Natalie Fearnley) #28982
• [17d9495afa] - doc: make unshift doc compliant with push doc (EduardoRFS) #28953
• [3bfca0b7e4] - doc, lib, src, test, tools: fix assorted typos (XhmikosR) #29075
• [b7696b41e5] - events: give subclass name in unhandled 'error' message (Anna Henningsen) #28952
• [d79d142e0c] - fs: use fs.writev() internally (Robert Nagy) #29189
• [82eeadb216] - fs: use consistent buffer array validation (cjihrig) #29186
• [81f3eb5bb1] - fs: add writev() promises version (cjihrig) #29186
• [435683610b] - fs: validate writev fds consistently (cjihrig) #29185
• [bb19d8212a] - (SEMVER-MINOR) fs: add fs.writev() which exposes syscall writev() (Anas Aboureada) #25925
• [178caa56ae] - fs: add default options for *stat() (Tony Brix) #29114
• [f194626ffb] - fs: validate fds as int32s (cjihrig) #28984
• [c5edeb9776] - http: simplify drain() (Robert Nagy) #29081
• [6b9e372198] - http: follow symbol naming convention (Robert Nagy) #29091
• [2e5008848e] - http: remove redundant condition (Luigi Pinca) #29078
• [13a497912d] - http: remove duplicate check (Robert Nagy) #29022
• [16e001112c] - (SEMVER-MINOR) http: add missing stream-like properties to OutgoingMessage (Robert Nagy) #29018
• [c396b2a5b2] - http: buffer writes even while no socket assigned (Robert Nagy) #29019
• [f9b61d2bc7] - (SEMVER-MINOR) http,stream: add writableEnded (Robert Nagy) #28934
• [964dff8a9e] - http2: remove unused FlushData() function (Anna Henningsen) #29145
• [66249bbcad] - inspector: use const for contextGroupId (gengjiawen) #29076
• [cb162298eb] - module: pkg exports validations and fallbacks (Guy Bedford) #28949
• [491b46d605] - module: refine package name validation (Guy Bedford) #28965
• [925e40cfa7] - module: add warning when import,export is detected in CJS context (Giorgos Ntemiris) #28950
• [17319e7f44] - net: use callback to properly propagate error (Robert Nagy) #29178
• [7f11c72cc5] - readline: close dumb terminals on Control+D (cjihrig) #29149
• [3c346b8bad] - readline: close dumb terminals on Control+C (cjihrig) #29149
• [e474c6776c] - (SEMVER-MINOR) readline: establish y in cursorTo as optional (Gerhard Stoebich) #29128
• [2528dee674] - report: list envvars using uv_os_environ() (cjihrig) #28963
• [a6b9299039] - src: rename --security-reverts to ...-revert (Sam Roberts) #29153
• [62a0e91d8c] - src: simplify UnionBytes (Ben Noordhuis) #29116
• [b2936cff5d] - src: organize imports in inspector_profiler.cc (pi1024e) #29073
• [a9f8b62b47] - (SEMVER-MINOR) stream: add readableEnded (Robert Nagy) #28814
• [1e3e6da9b9] - stream: simplify howMuchToRead() (Robert Nagy) #29155
• [e2a2a3f4dd] - stream: use lazy registration for drain for fast destinations (Robert Nagy) #29095
• [2a844599db] - stream: improve read() performance further (Brian White) #29077
• [e543d35f35] - stream: inline and simplify onwritedrain (Robert Nagy) #29037
• [6bc4620d8b] - stream: improve read() performance more (Brian White) #28989
• [647f3a8d01] - stream: encapsulate buffer-list (Robert Nagy) #28974
• [000999c06c] - stream: improve read() performance (Brian White) #28961
• [6bafd35369] - test: deflake test-tls-passphrase (Luigi Pinca) #29134
• [aff1ef9d27] - test: add required settings to test-benchmark-buffer (Rich Trott) #29163
• [18b711366a] - test: make exported method static (Rainer Poisel) #29102
• [0aa339e5e1] - test: skip test-fs-access if root (Daniel Bevenius) #29092
• [e3b1243ea2] - test: unskip tests that now pass on AIX (Sam Roberts) #29054
• [f9ed5f351b] - test: assert: add failing deepEqual test for faked boxed primitives (Jordan Harband) #29029
• [43e444b07a] - test: refactor test-sync-io-option (Anna Henningsen) #29020
• [82edebfebf] - (SEMVER-MINOR) test: add test for OAEP hash mismatch (Tobias Nießen) #28335
• [f08f154fd6] - (SEMVER-MINOR) test: update postmortem metadata test for V8 7.6 (cjihrig) #28016
• [5b892c44d6] - tls: allow client-side sockets to be half-opened (Luigi Pinca) #27836
• [c4f6077994] - tools: make code cache and snapshot deterministic (Ben Noordhuis) #29142
• [acdc21b832] - tools: make pty_helper.py python3-compatible (Ben Noordhuis) #29167
• [31c50e5c17] - tools: make nodedownload.py Python 3 compatible (cclauss) #29104
• [1011a1792c] - tools: allow single JS file for --link-module (Daniel Bevenius) #28443
• [4d7a7957fc] - (SEMVER-MINOR) tools: sync gypfiles with V8 7.6 (Michaël Zasso) #28016
• [a4e2549b87] - util: improve debuglog performance (Brian White) #28956
• [112ec73c95] - util: isEqualBoxedPrimitive: ensure both values are actual boxed Symbols (Jordan Harband) #29029
• [8426077898] - util: assert: fix deepEqual comparing fake-boxed to real boxed primitive (Jordan Harband) #29029
• [d4e397a900] - worker: fix crash when SharedArrayBuffer outlives creating thread (Anna Henningsen) #29190

Notable changes

This is a security release.

Node.js, as well as many other implementations of HTTP/2, have been found
vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

• CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
• CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
• CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
• CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
• CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

Commits

• [bfeb5fc07f] - deps: update nghttp2 to 1.39.2 (Anna Henningsen) #29122
• [08021fac59] - http2: allow security revert for Ping/Settings Flood (Anna Henningsen) #29122
• [bbb4769cc1] - http2: pause input processing if sending output (Anna Henningsen) #29122
• [f64515b05e] - http2: stop reading from socket if writes are in progress (Anna Henningsen) #29122
• [ba332df5d2] - http2: consider 0-length non-end DATA frames an error (Anna Henningsen) #29122
• [23b0db58ca] - http2: shrink default vector::reserve() allocations (Anna Henningsen) #29122
• [4f10ac3623] - http2: handle 0-length headers better (Anna Henningsen) #29122
• [a21a1c007b] - http2: limit number of invalid incoming frames (Anna Henningsen) #29122
• [4570ed10d7] - http2: limit number of rejected stream openings (Anna Henningsen) #29122
• [88726f2384] - http2: do not create ArrayBuffers when no DATA received (Anna Henningsen) #29122
• [530004ef32] - http2: only call into JS when necessary for session events (Anna Henningsen) #29122
• [58d8c9ef48] - http2: improve JS-side debug logging (Anna Henningsen) #29122

Notable changes

This is a security release.

Node.js, as well as many other implementations of HTTP/2, have been found
vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

• CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
• CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
• CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
• CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
• CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

Commits

• [74507fae34] - deps: update nghttp2 to 1.39.2 (Anna Henningsen) #29122
• [a397c881ec] - deps: update nghttp2 to 1.39.1 (gengjiawen) #28448
• [fedfa12a33] - deps: update nghttp2 to 1.38.0 (gengjiawen) #27295
• [ab0f2ace36] - deps: update nghttp2 to 1.37.0 (gengjiawen) #26990
• [0acbe05ee2] - http2: allow security revert for Ping/Settings Flood (Anna Henningsen) #29122
• [c152449012] - http2: pause input processing if sending output (Anna Henningsen) #29122
• [0ce699c7b1] - http2: stop reading from socket if writes are in progress (Anna Henningsen) #29122
• [17357d37a9] - http2: consider 0-length non-end DATA frames an error (Anna Henningsen) #29122
• [460f896c63] - http2: shrink default vector::reserve() allocations (Anna Henningsen) #29122
• [f4242e24f9] - http2: handle 0-length headers better (Anna Henningsen) #29122
• [477461a51f] - http2: limit number of invalid incoming frames (Anna Henningsen) #29122
• [05dada46ee] - http2: limit number of rejected stream openings (Anna Henningsen) #29122
• [7f11465572] - http2: do not create ArrayBuffers when no DATA received (Anna Henningsen) #29122
• [2eb914ff5f] - http2: only call into JS when necessary for session events (Anna Henningsen) #29122
• [76a7ada15d] - http2: improve JS-side debug logging (Anna Henningsen) #29122
• [00f153da13] - http2: improve http2 code a bit (James M Snell) #23984
• [a0a14c809f] - src: pass along errors from http2 object creation (Anna Henningsen) #25822
• [d85e4006ab] - test: apply test-http2-max-session-memory-leak from v12.x (Anna Henningsen) #29122