nodejs/node
### [`v12.15.0`](https://togithub.com/nodejs/node/releases/v12.15.0)
[Compare Source](https://togithub.com/nodejs/node/compare/v12.14.1...v12.15.0)
##### Notable changes
This is a security release.
Vulnerabilities fixed:
- **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed.
- **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header.
- **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string.
In addition, HTTP parsing is now stricter in order to be more secure.
Because this may cause interoperability problems with some non-conformant
HTTP implementations, the strict checks can be disabled with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
##### Commits
- \[[`209767c7a2`](https://togithub.com/nodejs/node/commit/209767c7a2)] - **benchmark**: support optional headers with wrk (Sam Roberts) [nodejs-private/node-private#189](https://togithub.com/nodejs-private/node-private/pull/189)
- \[[`02c8905051`](https://togithub.com/nodejs/node/commit/02c8905051)] - **crypto**: fix assertion caused by unsupported ext (Fedor Indutny) [nodejs-private/node-private#175](https://togithub.com/nodejs-private/node-private/pull/175)
- \[[`25d6011912`](https://togithub.com/nodejs/node/commit/25d6011912)] - **deps**: update llhttp to 2.0.4 (Beth Griggs) [nodejs-private/llhttp-private#1](https://togithub.com/nodejs-private/llhttp-private/pull/1)
- \[[`8162f0e194`](https://togithub.com/nodejs/node/commit/8162f0e194)] - **deps**: upgrade http-parser to v2.9.3 (Sam Roberts) [nodejs-private/http-parser-private#4](https://togithub.com/nodejs-private/http-parser-private/pull/4)
- \[[`d41314ef99`](https://togithub.com/nodejs/node/commit/d41314ef99)] - **(SEMVER-MINOR)** **deps**: upgrade http-parser to v2.9.1 (Sam Roberts) [#30473](https://togithub.com/nodejs/node/pull/30473)
- \[[`7fc565666c`](https://togithub.com/nodejs/node/commit/7fc565666c)] - **(SEMVER-MINOR)** **http**: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) [#31448](https://togithub.com/nodejs/node/pull/31448)
- \[[`496736ff78`](https://togithub.com/nodejs/node/commit/496736ff78)] - **(SEMVER-MINOR)** **http**: opt-in insecure HTTP header parsing (Sam Roberts) [#30567](https://togithub.com/nodejs/node/pull/30567)
- \[[`76fd8910e9`](https://togithub.com/nodejs/node/commit/76fd8910e9)] - **http**: strip trailing OWS from header values (Sam Roberts) [nodejs-private/node-private#189](https://togithub.com/nodejs-private/node-private/pull/189)
- \[[`9cd155eb4a`](https://togithub.com/nodejs/node/commit/9cd155eb4a)] - **test**: using TE to smuggle reqs is not possible (Sam Roberts) [nodejs-private/node-private#192](https://togithub.com/nodejs-private/node-private/pull/192)
- \[[`ab1fcb89cb`](https://togithub.com/nodejs/node/commit/ab1fcb89cb)] - **test**: check that --insecure-http-parser works (Sam Roberts) [#31253](https://togithub.com/nodejs/node/pull/31253)
Renovate configuration
:date: Schedule: "every weekday after 22:00,every weekday before 6:00" in timezone Europe/Berlin.
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or if you tick the rebase/retry checkbox below.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
12.14.1-alpine -> 12.15.0-alpine
This PR has been generated by WhiteSource Renovate.