nodejs/node (node)
### [`v10.24.1`](https://togithub.com/nodejs/node/releases/tag/v10.24.1): 2021-04-06, Version 10.24.1 'Dubnium' (LTS), @mylesborins
[Compare Source](https://togithub.com/nodejs/node/compare/v10.24.0...v10.24.1)
This is a security release.
##### Notable Changes
Vulerabilties fixed:
- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509\_V_FLAG_X509\_STRICT (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)
- This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
- Impacts:
- All versions of the 14.x, 12.x and 10.x releases lines
##### Commits
- \[[`5e526b96ce`](https://togithub.com/nodejs/node/commit/5e526b96ce)] - **deps**: upgrade npm to 6.14.12 (Ruy Adorno) [#37918](https://togithub.com/nodejs/node/pull/37918)
- \[[`781cb6df5c`](https://togithub.com/nodejs/node/commit/781cb6df5c)] - **deps**: update archs files for OpenSSL-1.1.1k (Tobias Nießen) [#37940](https://togithub.com/nodejs/node/pull/37940)
- \[[`5db0a05a90`](https://togithub.com/nodejs/node/commit/5db0a05a90)] - **deps**: upgrade openssl sources to 1.1.1k (Tobias Nießen) [#37940](https://togithub.com/nodejs/node/pull/37940)
### [`v10.24.0`](https://togithub.com/nodejs/node/releases/tag/v10.24.0): 2021-02-23, Version 10.24.0 'Dubnium' (LTS), @richardlau
[Compare Source](https://togithub.com/nodejs/node/compare/v10.23.3...v10.24.0)
This is a security release.
##### Notable changes
Vulnerabilities fixed:
- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
- Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
- **CVE-2021-22884**: DNS rebinding in --inspect
- Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
##### Commits
- \[[`0afcb4f6bb`](https://togithub.com/nodejs/node/commit/0afcb4f6bb)] - **deps**: update archs files for OpenSSL-1.1.1j (Daniel Bevenius) [#37415](https://togithub.com/nodejs/node/pull/37415)
- \[[`447be941cd`](https://togithub.com/nodejs/node/commit/447be941cd)] - **deps**: upgrade openssl sources to 1.1.1j (Daniel Bevenius) [#37415](https://togithub.com/nodejs/node/pull/37415)
- \[[`3f2e9dc40c`](https://togithub.com/nodejs/node/commit/3f2e9dc40c)] - **(SEMVER-MINOR)** **http2**: add unknownProtocol timeout (Daniel Bevenius) [nodejs-private/node-private#246](https://togithub.com/nodejs-private/node-private/pull/246)
- \[[`d1cf6a9b0f`](https://togithub.com/nodejs/node/commit/d1cf6a9b0f)] - **src**: drop localhost6 as allowed host for inspector (Matteo Collina) [nodejs-private/node-private#244](https://togithub.com/nodejs-private/node-private/pull/244)
### [`v10.23.3`](https://togithub.com/nodejs/node/releases/tag/v10.23.3): 2021-02-09, Version 10.23.3 'Dubnium' (LTS), @richardlau
[Compare Source](https://togithub.com/nodejs/node/compare/v10.23.2...v10.23.3)
##### Notable changes
The update to npm 6.14.11 has been relanded so that npm correctly reports its version.
##### Commits
- \[[`953a85035d`](https://togithub.com/nodejs/node/commit/953a85035d)] - **crypto**: fix crash when calling digest after piping (Tobias Nießen) [#28251](https://togithub.com/nodejs/node/pull/28251)
- \[[`fe2c98003e`](https://togithub.com/nodejs/node/commit/fe2c98003e)] - **deps**: upgrade npm to 6.14.11 (Ruy Adorno) [#37173](https://togithub.com/nodejs/node/pull/37173)
- \[[`7b7fb43b8a`](https://togithub.com/nodejs/node/commit/7b7fb43b8a)] - ***Revert*** "**deps**: upgrade npm to 6.14.11" (Richard Lau) [#37278](https://togithub.com/nodejs/node/pull/37278)
- \[[`1c6fbd6ffe`](https://togithub.com/nodejs/node/commit/1c6fbd6ffe)] - **test**: add test that verifies crypto stream pipeline (Evan Lucas) [#37009](https://togithub.com/nodejs/node/pull/37009)
### [`v10.23.2`](https://togithub.com/nodejs/node/releases/tag/v10.23.2): 2021-01-26, Version 10.23.2 'Dubnium' (LTS), @richardlau
[Compare Source](https://togithub.com/nodejs/node/compare/v10.23.1...v10.23.2)
##### Notable changes
Release keys have been synchronized with the main branch.
- **deps**:
- upgrade npm to 6.14.11 (Darcy Clarke) [#36838](https://togithub.com/nodejs/node/pull/36838)
##### Commits
- \[[`cc6b69557a`](https://togithub.com/nodejs/node/commit/cc6b69557a)] - **deps**: upgrade npm to 6.14.11 (Darcy Clarke) [#36838](https://togithub.com/nodejs/node/pull/36838)
- \[[`aefb66528a`](https://togithub.com/nodejs/node/commit/aefb66528a)] - **doc**: update contact information for [@BethGriggs](https://togithub.com/BethGriggs) (Beth Griggs) [#35451](https://togithub.com/nodejs/node/pull/35451)
- \[[`08931481d8`](https://togithub.com/nodejs/node/commit/08931481d8)] - **doc**: update contact information for richardlau (Richard Lau) [#35450](https://togithub.com/nodejs/node/pull/35450)
- \[[`bc0617f4ea`](https://togithub.com/nodejs/node/commit/bc0617f4ea)] - **doc**: update release key for Danielle Adams (Danielle Adams) [#36793](https://togithub.com/nodejs/node/pull/36793)
- \[[`d7c09fcfd3`](https://togithub.com/nodejs/node/commit/d7c09fcfd3)] - **doc**: add release key for Danielle Adams (Danielle Adams) [#35545](https://togithub.com/nodejs/node/pull/35545)
- \[[`ac49d415b0`](https://togithub.com/nodejs/node/commit/ac49d415b0)] - **doc**: add release key for Ruy Adorno (Ruy Adorno) [#34628](https://togithub.com/nodejs/node/pull/34628)
- \[[`b8426ae3ce`](https://togithub.com/nodejs/node/commit/b8426ae3ce)] - **doc**: add release key for Richard Lau (Richard Lau) [#34397](https://togithub.com/nodejs/node/pull/34397)
### [`v10.23.1`](https://togithub.com/nodejs/node/releases/tag/v10.23.1): 2021-01-04, Version 10.23.1 'Dubnium' (LTS), @richardlau
[Compare Source](https://togithub.com/nodejs/node/compare/v10.23.0...v10.23.1)
##### Notable changes
This is a security release.
Vulnerabilities fixed:
- **CVE-2020-8265**: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in its
TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method does
not return an error, this object is passed back to the caller as part of
a StreamWriteResult structure. This may be exploited to corrupt memory
leading to a Denial of Service or potentially other exploits
- **CVE-2020-8287**: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in a
http request. For example, two Transfer-Encoding header fields. In this
case Node.js identifies the first header field and ignores the second.
This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- **CVE-2020-1971**: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
##### Commits
- \[[`bd44b0ee7f`](https://togithub.com/nodejs/node/commit/bd44b0ee7f)] - **build,win**: accept Python 3 if 2 is not available (João Reis) [#29236](https://togithub.com/nodejs/node/pull/29236)
- \[[`d5c9b09bdc`](https://togithub.com/nodejs/node/commit/d5c9b09bdc)] - **build,win**: find Python in paths with spaces (João Reis) [#29236](https://togithub.com/nodejs/node/pull/29236)
- \[[`323a6f114a`](https://togithub.com/nodejs/node/commit/323a6f114a)] - **deps**: update http-parser to [http-parser@`ec8b5ee`](https://togithub.com/http-parser/node/commit/ec8b5ee63f) (Richard Lau) [nodejs-private/node-private#235](https://togithub.com/nodejs-private/node-private/pull/235)
- \[[`f08d0fef64`](https://togithub.com/nodejs/node/commit/f08d0fef64)] - **deps**: upgrade npm to 6.14.10 (Ruy Adorno) [#36571](https://togithub.com/nodejs/node/pull/36571)
- \[[`b0608b574a`](https://togithub.com/nodejs/node/commit/b0608b574a)] - **deps**: update archs files for OpenSSL-1.1.1i (Richard Lau) [#36541](https://togithub.com/nodejs/node/pull/36541)
- \[[`d936e1833f`](https://togithub.com/nodejs/node/commit/d936e1833f)] - **deps**: upgrade openssl sources to 1.1.1i (Myles Borins) [#36541](https://togithub.com/nodejs/node/pull/36541)
- \[[`9c4970715c`](https://togithub.com/nodejs/node/commit/9c4970715c)] - **deps**: upgrade npm to 6.14.9 (Myles Borins) [#36450](https://togithub.com/nodejs/node/pull/36450)
- \[[`aa6b97fb99`](https://togithub.com/nodejs/node/commit/aa6b97fb99)] - **http**: add test for http transfer encoding smuggling (Richard Lau) [nodejs-private/node-private#235](https://togithub.com/nodejs-private/node-private/pull/235)
- \[[`fc70ce08f5`](https://togithub.com/nodejs/node/commit/fc70ce08f5)] - **http**: unset `F_CHUNKED` on new `Transfer-Encoding` (Fedor Indutny) [nodejs-private/node-private#235](https://togithub.com/nodejs-private/node-private/pull/235)
- \[[`7f178663eb`](https://togithub.com/nodejs/node/commit/7f178663eb)] - **src**: use unique_ptr for WriteWrap (Daniel Bevenius) [nodejs-private/node-private#238](https://togithub.com/nodejs-private/node-private/pull/238)
- \[[`357e2857c8`](https://togithub.com/nodejs/node/commit/357e2857c8)] - **test**: add test-tls-use-after-free-regression (Daniel Bevenius) [nodejs-private/node-private#238](https://togithub.com/nodejs-private/node-private/pull/238)
### [`v10.23.0`](https://togithub.com/nodejs/node/releases/tag/v10.23.0): 2020-10-27, Version 10.23.0 'Dubnium' (LTS), @richardlau
[Compare Source](https://togithub.com/nodejs/node/compare/v10.22.1...v10.23.0)
##### Notable changes
- **deps**:
- upgrade npm to 6.14.8 (Ruy Adorno) [#34834](https://togithub.com/nodejs/node/pull/34834)
- **n-api**:
- create N-API version 7 (Gabriel Schulhof) [#35199](https://togithub.com/nodejs/node/pull/35199)
- expose napi_build_version variable (NickNaso) [#27835](https://togithub.com/nodejs/node/pull/27835)
- **tools**:
- add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](https://togithub.com/nodejs/node/pull/34378)
##### Commits
- \[[`b83f9a56fc`](https://togithub.com/nodejs/node/commit/b83f9a56fc)] - **build**: expose napi_build_version variable (NickNaso) [#27835](https://togithub.com/nodejs/node/pull/27835)
- \[[`020ba1a2b8`](https://togithub.com/nodejs/node/commit/020ba1a2b8)] - **build**: enable backtrace when V8 is built for PPC and S390x (Michaël Zasso) [#32113](https://togithub.com/nodejs/node/pull/32113)
- \[[`eee9412a8c`](https://togithub.com/nodejs/node/commit/eee9412a8c)] - **deps**: upgrade npm to 6.14.8 (Ruy Adorno) [#34834](https://togithub.com/nodejs/node/pull/34834)
- \[[`038593d5ff`](https://togithub.com/nodejs/node/commit/038593d5ff)] - **deps**: upgrade npm to 6.14.7 (claudiahdz) [#34468](https://togithub.com/nodejs/node/pull/34468)
- \[[`3564424625`](https://togithub.com/nodejs/node/commit/3564424625)] - **deps**: V8: cherry-pick [`eec10a2`](https://togithub.com/nodejs/node/commit/eec10a2fd8fa) (Stephen Belanger) [#33778](https://togithub.com/nodejs/node/pull/33778)
- \[[`e9e86e1b60`](https://togithub.com/nodejs/node/commit/e9e86e1b60)] - **http2**: support non-empty DATA frame with END_STREAM flag (Carlos Lopez) [#33875](https://togithub.com/nodejs/node/pull/33875)
- \[[`751820b6c2`](https://togithub.com/nodejs/node/commit/751820b6c2)] - **http2,doc**: minor fixes (Alba Mendez) [#28044](https://togithub.com/nodejs/node/pull/28044)
- \[[`54c2bc2e62`](https://togithub.com/nodejs/node/commit/54c2bc2e62)] - **(SEMVER-MINOR)** **n-api**: create N-API version 7 (Gabriel Schulhof) [#35199](https://togithub.com/nodejs/node/pull/35199)
- \[[`2eb627301c`](https://togithub.com/nodejs/node/commit/2eb627301c)] - **src**: allows escaping NODE_OPTIONS with backslashes (Maël Nison) [#24065](https://togithub.com/nodejs/node/pull/24065)
- \[[`5170d14b36`](https://togithub.com/nodejs/node/commit/5170d14b36)] - **test**: fix test-linux-perf flakiness (Matheus Marchini) [#27615](https://togithub.com/nodejs/node/pull/27615)
- \[[`21b86d7f19`](https://togithub.com/nodejs/node/commit/21b86d7f19)] - **test,v8**: skip less and stabilize test-linux-perf.js (Refael Ackermann) [#27364](https://togithub.com/nodejs/node/pull/27364)
- \[[`ee11ab50a7`](https://togithub.com/nodejs/node/commit/ee11ab50a7)] - **tools**: add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](https://togithub.com/nodejs/node/pull/34378)
### [`v10.22.1`](https://togithub.com/nodejs/node/releases/tag/v10.22.1): 2020-09-15, Version 10.22.1 'Dubnium' (LTS), @BethGriggs
[Compare Source](https://togithub.com/nodejs/node/compare/v10.22.0...v10.22.1)
##### Notable changes
This is a security release.
Vulnerabilities fixed:
- **CVE-2020-8252**: fs.realpath.native on may cause buffer overflow (Medium).
##### Commits
- \[[`57badcf93e`](https://togithub.com/nodejs/node/commit/57badcf93e)] - **deps**: libuv: cherry-pick [`0e6e862`](https://togithub.com/nodejs/node/commit/0e6e8620) (Colin Ihrig) [libuv/libuv#2966](https://togithub.com/libuv/libuv/pull/2966)
### [`v10.22.0`](https://togithub.com/nodejs/node/releases/tag/v10.22.0): 2020-07-21, Version 10.22.0 'Dubnium' (LTS), @BethGriggs prepared by @richardlau
[Compare Source](https://togithub.com/nodejs/node/compare/v10.21.0...v10.22.0)
##### Notable changes
- **deps**:
- upgrade npm to 6.14.6 (claudiahdz) [#34246](https://togithub.com/nodejs/node/pull/34246)
- upgrade openssl sources to 1.1.1g (Hassaan Pasha) [#32982](https://togithub.com/nodejs/node/pull/32982)
- **n-api**:
- add `napi_detach_arraybuffer` (legendecas) [#29768](https://togithub.com/nodejs/node/pull/29768)
##### Commits
- \[[`9915774d18`](https://togithub.com/nodejs/node/commit/9915774d18)] - **build**: log detected compilers in --verbose mode (Richard Lau) [#32715](https://togithub.com/nodejs/node/pull/32715)
- \[[`145dcc2c1c`](https://togithub.com/nodejs/node/commit/145dcc2c1c)] - **build**: move doc versions JSON file out of out/doc (Richard Lau) [#32728](https://togithub.com/nodejs/node/pull/32728)
- \[[`24b927ab66`](https://togithub.com/nodejs/node/commit/24b927ab66)] - **build**: allow clang 10+ in configure.py (Kamil Rytarowski) [#29541](https://togithub.com/nodejs/node/pull/29541)
- \[[`97b59527c7`](https://togithub.com/nodejs/node/commit/97b59527c7)] - **deps**: upgrade npm to 6.14.6 (claudiahdz) [#34246](https://togithub.com/nodejs/node/pull/34246)
- \[[`84fca3c691`](https://togithub.com/nodejs/node/commit/84fca3c691)] - **deps**: upgrade npm to 6.14.5 (Ruy Adorno) [#33239](https://togithub.com/nodejs/node/pull/33239)
- \[[`745b329260`](https://togithub.com/nodejs/node/commit/745b329260)] - **deps**: update archs files for OpenSSL-1.1.1g (Hassaan Pasha) [#32982](https://togithub.com/nodejs/node/pull/32982)
- \[[`94702c1560`](https://togithub.com/nodejs/node/commit/94702c1560)] - **deps**: upgrade openssl sources to 1.1.1g (Hassaan Pasha) [#32982](https://togithub.com/nodejs/node/pull/32982)
- \[[`ef9413be1a`](https://togithub.com/nodejs/node/commit/ef9413be1a)] - **deps**: upgrade openssl sources to 1.1.1f (Hassaan Pasha) [#32583](https://togithub.com/nodejs/node/pull/32583)
- \[[`3acc89f8f2`](https://togithub.com/nodejs/node/commit/3acc89f8f2)] - **deps**: V8: backport [`cd21f71`](https://togithub.com/nodejs/node/commit/cd21f71f9cb5) (Michaël Zasso) [#33862](https://togithub.com/nodejs/node/pull/33862)
- \[[`89a306bca9`](https://togithub.com/nodejs/node/commit/89a306bca9)] - **deps**: fix V8 compiler error with clang++-11 (Sam Roberts) [#33094](https://togithub.com/nodejs/node/pull/33094)
- \[[`00f04e3b79`](https://togithub.com/nodejs/node/commit/00f04e3b79)] - **doc**: fix quotes in tls.md (Sparsh Garg) [#33641](https://togithub.com/nodejs/node/pull/33641)
- \[[`193d1d0e84`](https://togithub.com/nodejs/node/commit/193d1d0e84)] - **doc**: document fs.watchFile() bigint option (cjihrig) [#32128](https://togithub.com/nodejs/node/pull/32128)
- \[[`5dab101b03`](https://togithub.com/nodejs/node/commit/5dab101b03)] - **doc,n-api**: mark napi_detach_arraybuffer as experimental (legendecas) [#30703](https://togithub.com/nodejs/node/pull/30703)
- \[[`069b6e14a4`](https://togithub.com/nodejs/node/commit/069b6e14a4)] - **http**: disable headersTimeout check when set to zero (Paolo Insogna) [#33307](https://togithub.com/nodejs/node/pull/33307)
- \[[`aaf2f827c6`](https://togithub.com/nodejs/node/commit/aaf2f827c6)] - **inspector**: more conservative minimum stack size (Ben Noordhuis) [#27855](https://togithub.com/nodejs/node/pull/27855)
- \[[`b744ffd586`](https://togithub.com/nodejs/node/commit/b744ffd586)] - **(SEMVER-MINOR)** **n-api**: implement napi_is_detached_arraybuffer (Denys Otrishko) [#30613](https://togithub.com/nodejs/node/pull/30613)
- \[[`961598b9be`](https://togithub.com/nodejs/node/commit/961598b9be)] - **(SEMVER-MINOR)** **n-api**: add `napi_detach_arraybuffer` (legendecas) [#29768](https://togithub.com/nodejs/node/pull/29768)
- \[[`7a109febc4`](https://togithub.com/nodejs/node/commit/7a109febc4)] - **test**: remove timers-blocking-callback (Jeremiah Senkpiel) [#32870](https://togithub.com/nodejs/node/pull/32870)
- \[[`3dbd8cd3a9`](https://togithub.com/nodejs/node/commit/3dbd8cd3a9)] - ***Revert*** "**test**: mark empty udp tests flaky on OS X" (Luigi Pinca) [#32489](https://togithub.com/nodejs/node/pull/32489)
- \[[`543656928c`](https://togithub.com/nodejs/node/commit/543656928c)] - **test**: flaky test-stdout-close-catch on freebsd (Sam Roberts) [#32849](https://togithub.com/nodejs/node/pull/32849)
- \[[`74b00cca64`](https://togithub.com/nodejs/node/commit/74b00cca64)] - **tls**: allow empty subject even with altNames defined (Jason Macgowan) [#22906](https://togithub.com/nodejs/node/pull/22906)
### [`v10.21.0`](https://togithub.com/nodejs/node/releases/tag/v10.21.0): 2020-06-02, Version 10.21.0 'Dubnium' (LTS), @BethGriggs
[Compare Source](https://togithub.com/nodejs/node/compare/v10.20.1...v10.21.0)
##### Notable changes
This is a security release.
Vulnerabilities fixed:
- **CVE-2020-8174**: napi_get_value_string_\*() allows various kinds of memory corruption (High).
- **CVE-2020-10531**: ICU-20958 Prevent SEGV_MAPERR in append (High).
- **CVE-2020-11080**: HTTP/2 Large Settings Frame DoS (Low).
##### Commits
- \[[`0ad7970256`](https://togithub.com/nodejs/node/commit/0ad7970256)] - **deps**: fix OPENSSLDIR on Windows (Shigeki Ohtsu) [#29456](https://togithub.com/nodejs/node/pull/29456)
- \[[`bd78c6ea46`](https://togithub.com/nodejs/node/commit/bd78c6ea46)] - **deps**: backport ICU-20958 to fix CVE-2020-10531 (Richard Lau) [#33572](https://togithub.com/nodejs/node/pull/33572)
- \[[`33e9a12241`](https://togithub.com/nodejs/node/commit/33e9a12241)] - **(SEMVER-MINOR)** **deps**: update nghttp2 to 1.41.0 (James M Snell) [nodejs-private/node-private#204](https://togithub.com/nodejs-private/node-private/pull/204)
- \[[`881c244a4e`](https://togithub.com/nodejs/node/commit/881c244a4e)] - **(SEMVER-MINOR)** **http2**: implement support for max settings entries (James M Snell) [nodejs-private/node-private#204](https://togithub.com/nodejs-private/node-private/pull/204)
- \[[`cd9827f105`](https://togithub.com/nodejs/node/commit/cd9827f105)] - **napi**: fix memory corruption vulnerability (Tobias Nießen) [nodejs-private/node-private#203](https://togithub.com/nodejs-private/node-private/pull/203)
### [`v10.20.1`](https://togithub.com/nodejs/node/releases/tag/v10.20.1): 2020-04-12, Version 10.20.1 'Dubnium' (LTS), @BethGriggs
[Compare Source](https://togithub.com/nodejs/node/compare/v10.20.0...v10.20.1)
##### Notable changes
Due to release process failures, Node.js v10.20.0 shipped with source
and header tarballs that did not properly match the final release
commit that was used to build the binaries. We recommend that Node.js
v10.20.0 not be used, particularly in any applications using native
add-ons or where compiling Node.js from source is involved.
Node.js v10.20.1 is a clean release with the correct sources and is
strongly recommended in place of v10.20.0.
### [`v10.20.0`](https://togithub.com/nodejs/node/releases/tag/v10.20.0): 2020-04-08, Version 10.20.0 'Dubnium' (LTS), @BethGriggs
[Compare Source](https://togithub.com/nodejs/node/compare/v10.19.0...v10.20.0)
##### macOS package notarization and a change in builder configuration
The macOS binaries for this release, and future 10.x releases, are now
being compiled on macOS 10.15 (Catalina) with Xcode 11 to support
package notarization, a requirement for installing .pkg files on macOS
10.15 and later. Previous builds of Node.js 10.x were compiled on macOS
10.10 (Yosemite) with a minimum deployment target of macOS 10.7 (Lion).
As binaries are still being compiled to support a minimum of macOS 10.7
(Lion) we do not anticipate this having a negative impact on Node.js
10.x users with older versions of macOS.
##### Notable changes
- **buffer**: add {read|write}Big\[U]Int64{BE|LE} methods (garygsc) [#19691](https://togithub.com/nodejs/node/pull/19691)
- **build**: macOS package notarization (Rod Vagg) [#31459](https://togithub.com/nodejs/node/pull/31459)
- **deps**:
- update npm to 6.14.3 (Myles Borins) [#32368](https://togithub.com/nodejs/node/pull/32368)
- upgrade openssl sources to 1.1.1e (Hassaan Pasha) [#32328](https://togithub.com/nodejs/node/pull/32328)
- upgrade to libuv 1.34.2 (cjihrig) [#31477](https://togithub.com/nodejs/node/pull/31477)
- **n-api**:
- add napi_get_all_property_names (himself65) [#30006](https://togithub.com/nodejs/node/pull/30006)
- add APIs for per-instance state management (Gabriel Schulhof) [#28682](https://togithub.com/nodejs/node/pull/28682)
- define release 6 [#32058](https://togithub.com/nodejs/node/pull/32058)
- turn NAPI_CALL_INTO_MODULE into a function (Anna Henningsen) [#26128](https://togithub.com/nodejs/node/pull/26128)
- **tls**:
- expose keylog event on TLSSocket (Alba Mendez) [#27654](https://togithub.com/nodejs/node/pull/27654)
- support TLS min/max protocol defaults in CLI (Sam Roberts) [#27946](https://togithub.com/nodejs/node/pull/27946)
- **url**: handle quasi-WHATWG URLs in urlToOptions() (cjihrig) [#26226](https://togithub.com/nodejs/node/pull/26226)
##### Commits
- \[[`64744a282e`](https://togithub.com/nodejs/node/commit/64744a282e)] - **(SEMVER-MINOR)** **buffer**: add {read|write}Big\[U]Int64{BE|LE} methods (garygsc) [#19691](https://togithub.com/nodejs/node/pull/19691)
- \[[`8a0ed8f1ff`](https://togithub.com/nodejs/node/commit/8a0ed8f1ff)] - **build**: macOS package notarization (Rod Vagg) [#31459](https://togithub.com/nodejs/node/pull/31459)
- \[[`42af3b861a`](https://togithub.com/nodejs/node/commit/42af3b861a)] - **build,win**: fix goto exit in vcbuild (João Reis) [#30931](https://togithub.com/nodejs/node/pull/30931)
- \[[`b164a2e3bf`](https://togithub.com/nodejs/node/commit/b164a2e3bf)] - **console**: add trace-events for time and count (James M Snell) [#23703](https://togithub.com/nodejs/node/pull/23703)
- \[[`04cd67f85e`](https://togithub.com/nodejs/node/commit/04cd67f85e)] - **deps**: upgrade npm to 6.14.4 (Ruy Adorno) [#32495](https://togithub.com/nodejs/node/pull/32495)
- \[[`8d85a43d99`](https://togithub.com/nodejs/node/commit/8d85a43d99)] - **deps**: update term-size with signed version (Rod Vagg) [#31459](https://togithub.com/nodejs/node/pull/31459)
- \[[`76033c5495`](https://togithub.com/nodejs/node/commit/76033c5495)] - **deps**: update archs files for OpenSSL-1.1.1e (Hassaan Pasha) [#32328](https://togithub.com/nodejs/node/pull/32328)
- \[[`64c184836b`](https://togithub.com/nodejs/node/commit/64c184836b)] - **deps**: adjust openssl configuration for 1.1.1e (Hassaan Pasha) [#32328](https://togithub.com/nodejs/node/pull/32328)
- \[[`c8f5ab2089`](https://togithub.com/nodejs/node/commit/c8f5ab2089)] - **deps**: upgrade openssl sources to 1.1.1e (Hassaan Pasha) [#32328](https://togithub.com/nodejs/node/pull/32328)
- \[[`bf26c44c92`](https://togithub.com/nodejs/node/commit/bf26c44c92)] - **deps**: remove \*.pyc files from deps/npm (Ben Noordhuis) [#32387](https://togithub.com/nodejs/node/pull/32387)
- \[[`c2b3cf61ce`](https://togithub.com/nodejs/node/commit/c2b3cf61ce)] - **deps**: update npm to 6.14.3 (Myles Borins) [#32368](https://togithub.com/nodejs/node/pull/32368)
- \[[`8cae4dde91`](https://togithub.com/nodejs/node/commit/8cae4dde91)] - **deps**: upgrade npm to 6.14.1 (Isaac Z. Schlueter) [#31977](https://togithub.com/nodejs/node/pull/31977)
- \[[`47046aa5a9`](https://togithub.com/nodejs/node/commit/47046aa5a9)] - **deps**: openssl: cherry-pick [`4dcb150`](https://togithub.com/nodejs/node/commit/4dcb150ea30f) (Adam Majer) [#32002](https://togithub.com/nodejs/node/pull/32002)
- \[[`098704c85d`](https://togithub.com/nodejs/node/commit/098704c85d)] - **deps**: upgrade to libuv 1.34.2 (Colin Ihrig) [#31477](https://togithub.com/nodejs/node/pull/31477)
- \[[`4b1cccc4ce`](https://togithub.com/nodejs/node/commit/4b1cccc4ce)] - **deps**: upgrade to libuv 1.34.1 (Colin Ihrig) [#31332](https://togithub.com/nodejs/node/pull/31332)
- \[[`fff6162693`](https://togithub.com/nodejs/node/commit/fff6162693)] - **(SEMVER-MINOR)** **deps**: upgrade to libuv 1.34.0 (Colin Ihrig) [#30783](https://togithub.com/nodejs/node/pull/30783)
- \[[`6826ef0568`](https://togithub.com/nodejs/node/commit/6826ef0568)] - **deps**: upgrade to libuv 1.33.1 (Colin Ihrig) [#29996](https://togithub.com/nodejs/node/pull/29996)
- \[[`aed7ca4fb0`](https://togithub.com/nodejs/node/commit/aed7ca4fb0)] - **deps**: upgrade to libuv 1.32.0 (Colin Ihrig) [#29508](https://togithub.com/nodejs/node/pull/29508)
- \[[`794abbc758`](https://togithub.com/nodejs/node/commit/794abbc758)] - **deps**: upgrade to libuv 1.31.0 (Colin Ihrig) [#29070](https://togithub.com/nodejs/node/pull/29070)
- \[[`ed71f55a54`](https://togithub.com/nodejs/node/commit/ed71f55a54)] - **deps**: upgrade to libuv 1.30.1 (Colin Ihrig) [#28511](https://togithub.com/nodejs/node/pull/28511)
- \[[`7cde563235`](https://togithub.com/nodejs/node/commit/7cde563235)] - **deps**: upgrade to libuv 1.30.0 (Colin Ihrig) [#28449](https://togithub.com/nodejs/node/pull/28449)
- \[[`b53ce6e6c5`](https://togithub.com/nodejs/node/commit/b53ce6e6c5)] - **deps**: upgrade to libuv 1.29.1 (Colin Ihrig) [#27718](https://togithub.com/nodejs/node/pull/27718)
- \[[`9b2b66b7d8`](https://togithub.com/nodejs/node/commit/9b2b66b7d8)] - **deps**: V8: cherry-pick [`d89f4ef`](https://togithub.com/nodejs/node/commit/d89f4ef1cd62) (Milad Farazmand) [#31753](https://togithub.com/nodejs/node/pull/31753)
- \[[`7eac95981e`](https://togithub.com/nodejs/node/commit/7eac95981e)] - **deps**: upgrade npm to 6.13.7 (Michael Perrotte) [#31558](https://togithub.com/nodejs/node/pull/31558)
- \[[`db24641fbe`](https://togithub.com/nodejs/node/commit/db24641fbe)] - **deps**: upgrade npm to 6.13.6 (Ruy Adorno) [#31304](https://togithub.com/nodejs/node/pull/31304)
- \[[`2e3d511cff`](https://togithub.com/nodejs/node/commit/2e3d511cff)] - **doc**: correct version metadata for Readable.from (Dave Vandyke) [#32639](https://togithub.com/nodejs/node/pull/32639)
- \[[`34c1c2a82b`](https://togithub.com/nodejs/node/commit/34c1c2a82b)] - **doc**: add missing version metadata for Readable.from (Anna Henningsen) [#28695](https://togithub.com/nodejs/node/pull/28695)
- \[[`aa7d369c72`](https://togithub.com/nodejs/node/commit/aa7d369c72)] - **doc**: update releaser list in README.md (Myles Borins) [#32577](https://togithub.com/nodejs/node/pull/32577)
- \[[`05f5b3ecc4`](https://togithub.com/nodejs/node/commit/05f5b3ecc4)] - **doc**: remove em dashes (Rich Trott) [#32080](https://togithub.com/nodejs/node/pull/32080)
- \[[`ffa9f9bd1b`](https://togithub.com/nodejs/node/commit/ffa9f9bd1b)] - **doc**: fix changelog for v10.18.1 (Andrew Hughes) [#31358](https://togithub.com/nodejs/node/pull/31358)
- \[[`0177464b0e`](https://togithub.com/nodejs/node/commit/0177464b0e)] - **doc,tools**: get altDocs versions from CHANGELOG.md (Richard Lau) [#27661](https://togithub.com/nodejs/node/pull/27661)
- \[[`e9c590ea00`](https://togithub.com/nodejs/node/commit/e9c590ea00)] - **(SEMVER-MINOR)** **n-api**: define release 6 (Gabriel Schulhof) [#32058](https://togithub.com/nodejs/node/pull/32058)
- \[[`239377b654`](https://togithub.com/nodejs/node/commit/239377b654)] - **(SEMVER-MINOR)** **n-api**: correct instance data tests (Gabriel Schulhof) [#32488](https://togithub.com/nodejs/node/pull/32488)
- \[[`ecbb331be0`](https://togithub.com/nodejs/node/commit/ecbb331be0)] - **(SEMVER-MINOR)** **n-api**: add napi_get_all_property_names (himself65) [#30006](https://togithub.com/nodejs/node/pull/30006)
- \[[`f29fb14cf6`](https://togithub.com/nodejs/node/commit/f29fb14cf6)] - **(SEMVER-MINOR)** **n-api**: add APIs for per-instance state management (Gabriel Schulhof) [#28682](https://togithub.com/nodejs/node/pull/28682)
- \[[`20177b9946`](https://togithub.com/nodejs/node/commit/20177b9946)] - **n-api**: turn NAPI_CALL_INTO_MODULE into a function (Anna Henningsen) [#26128](https://togithub.com/nodejs/node/pull/26128)
- \[[`017909b847`](https://togithub.com/nodejs/node/commit/017909b847)] - **test**: fix tool path in test-doctool-versions.js (Richard Lau) [#32645](https://togithub.com/nodejs/node/pull/32645)
- \[[`1ea70d641d`](https://togithub.com/nodejs/node/commit/1ea70d641d)] - **test**: fix flaky doctool and test (Rich Trott) [#29979](https://togithub.com/nodejs/node/pull/29979)
- \[[`89692ff19b`](https://togithub.com/nodejs/node/commit/89692ff19b)] - **test**: end tls connection with some data (Sam Roberts) [#32328](https://togithub.com/nodejs/node/pull/32328)
- \[[`9bd1317764`](https://togithub.com/nodejs/node/commit/9bd1317764)] - **test**: mark empty udp tests flaky on OS X (Sam Roberts) [#31936](https://togithub.com/nodejs/node/pull/31936)
- \[[`5484e061b5`](https://togithub.com/nodejs/node/commit/5484e061b5)] - **test**: scale keepalive timeouts for slow machines (Ben Noordhuis) [#30834](https://togithub.com/nodejs/node/pull/30834)
- \[[`3f9cec3f51`](https://togithub.com/nodejs/node/commit/3f9cec3f51)] - **test**: add debugging output to test-net-listen-after-destroy-stdin (Rich Trott) [#31698](https://togithub.com/nodejs/node/pull/31698)
- \[[`f1a8791316`](https://togithub.com/nodejs/node/commit/f1a8791316)] - **test**: allow EAI_FAIL in test-http-dns-error.js (Colin Ihrig) [#27500](https://togithub.com/nodejs/node/pull/27500)
- \[[`4b9a77909b`](https://togithub.com/nodejs/node/commit/4b9a77909b)] - **test**: mark tests as flaky (João Reis) [#30848](https://togithub.com/nodejs/node/pull/30848)
- \[[`a8fd8a1a61`](https://togithub.com/nodejs/node/commit/a8fd8a1a61)] - **test**: mark http2 tests as flaky on 10.x (AshCripps) [#31887](https://togithub.com/nodejs/node/pull/31887)
- \[[`2315270cb6`](https://togithub.com/nodejs/node/commit/2315270cb6)] - **test**: try to stabalize test-child-process-fork-exec-path.js (Refael Ackermann) [#27277](https://togithub.com/nodejs/node/pull/27277)
- \[[`a2b0e9ef6a`](https://togithub.com/nodejs/node/commit/a2b0e9ef6a)] - **(SEMVER-MINOR)** **tls**: expose keylog event on TLSSocket (Alba Mendez) [#27654](https://togithub.com/nodejs/node/pull/27654)
- \[[`1cfb45732a`](https://togithub.com/nodejs/node/commit/1cfb45732a)] - **(SEMVER-MINOR)** **tls**: support TLS min/max protocol defaults in CLI (Sam Roberts) [#27946](https://togithub.com/nodejs/node/pull/27946)
- \[[`a175b8d3a7`](https://togithub.com/nodejs/node/commit/a175b8d3a7)] - **tools**: only fetch previous versions when necessary (Richard Lau) [#32518](https://togithub.com/nodejs/node/pull/32518)
- \[[`3756be8511`](https://togithub.com/nodejs/node/commit/3756be8511)] - **tools**: add NODE_TEST_NO_INTERNET to the doc builder (Joyee Cheung) [#31849](https://togithub.com/nodejs/node/pull/31849)
- \[[`ac1ea7312a`](https://togithub.com/nodejs/node/commit/ac1ea7312a)] - **tools**: make doctool work if no internet available (Richard Lau) [#30214](https://togithub.com/nodejs/node/pull/30214)
- \[[`f235eea8b3`](https://togithub.com/nodejs/node/commit/f235eea8b3)] - **tools**: unify make-v8.sh for ppc64le and s390x (Richard Lau) [#31628](https://togithub.com/nodejs/node/pull/31628)
- \[[`61e2d4856d`](https://togithub.com/nodejs/node/commit/61e2d4856d)] - **tools**: use CC instead of CXX when pointing to gcc (Milad Farazmand) [#30817](https://togithub.com/nodejs/node/pull/30817)
- \[[`4390674624`](https://togithub.com/nodejs/node/commit/4390674624)] - **url**: handle quasi-WHATWG URLs in urlToOptions() (Colin Ihrig) [#26226](https://togithub.com/nodejs/node/pull/26226)
- \[[`dc61e09feb`](https://togithub.com/nodejs/node/commit/dc61e09feb)] - **v8**: fix load elimination liveness checks (Ben Noordhuis) [#31613](https://togithub.com/nodejs/node/pull/31613)
### [`v10.19.0`](https://togithub.com/nodejs/node/releases/tag/v10.19.0): 2020-02-06, Version 10.19.0 'Dubnium' (LTS), @BethGriggs
[Compare Source](https://togithub.com/nodejs/node/compare/v10.18.1...v10.19.0)
##### Notable changes
This is a security release.
Vulnerabilities fixed:
- **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed.
- **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header.
- **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
##### Commits
- \[[`f940bee3b7`](https://togithub.com/nodejs/node/commit/f940bee3b7)] - **crypto**: fix assertion caused by unsupported ext (Fedor Indutny) [nodejs-private/node-private#175](https://togithub.com/nodejs-private/node-private/pull/175)
- \[[`49f4220ce5`](https://togithub.com/nodejs/node/commit/49f4220ce5)] - **deps**: upgrade http-parser to v2.9.3 (Sam Roberts) [nodejs-private/http-parser-private#4](https://togithub.com/nodejs-private/http-parser-private/pull/4)
- \[[`a28e5cc1ed`](https://togithub.com/nodejs/node/commit/a28e5cc1ed)] - **(SEMVER-MINOR)** **deps**: upgrade http-parser to v2.9.1 (Sam Roberts) [#30471](https://togithub.com/nodejs/node/pull/30471)
- \[[`0082f62d9c`](https://togithub.com/nodejs/node/commit/0082f62d9c)] - **(SEMVER-MINOR)** **http**: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) [#31448](https://togithub.com/nodejs/node/pull/31448)
- \[[`a9849c0ff6`](https://togithub.com/nodejs/node/commit/a9849c0ff6)] - **(SEMVER-MINOR)** **http**: opt-in insecure HTTP header parsing (Sam Roberts) [#30567](https://togithub.com/nodejs/node/pull/30567)
- \[[`2eee90e959`](https://togithub.com/nodejs/node/commit/2eee90e959)] - **http**: strip trailing OWS from header values (Sam Roberts) [nodejs-private/node-private#191](https://togithub.com/nodejs-private/node-private/pull/191)
- \[[`e2c8f89b75`](https://togithub.com/nodejs/node/commit/e2c8f89b75)] - **test**: using TE to smuggle reqs is not possible (Sam Roberts) [nodejs-private/node-private#192](https://togithub.com/nodejs-private/node-private/pull/192)
- \[[`d616722f65`](https://togithub.com/nodejs/node/commit/d616722f65)] - **test**: check that --insecure-http-parser works (Sam Roberts) [#31253](https://togithub.com/nodejs/node/pull/31253)
### [`v10.18.1`](https://togithub.com/nodejs/node/releases/tag/v10.18.1): 2020-01-09, Version 10.18.1 'Dubnium' (LTS), @BethGriggs
[Compare Source](https://togithub.com/nodejs/node/compare/v10.18.0...v10.18.1)
##### Notable changes
- **http2**: fix session memory accounting after pausing (Michael Lehenbauer) [#30684](https://togithub.com/nodejs/node/pull/30684)
- **n-api**: correct bug in napi_get_last_error (Octavian Soldea) [#28702](https://togithub.com/nodejs/node/pull/28702)
- **tools**: update tzdata to 2019c (Myles Borins) [#30479](https://togithub.com/nodejs/node/pull/30479)
##### Commits
- \[[`a80c59130e`](https://togithub.com/nodejs/node/commit/a80c59130e)] - **build**: fix configure script to work with Apple Clang 11 (Saagar Jha) [#28071](https://togithub.com/nodejs/node/pull/28071)
- \[[`68b2b5cc51`](https://togithub.com/nodejs/node/commit/68b2b5cc51)] - **build,win**: propagate error codes in vcbuild (João Reis) [#30724](https://togithub.com/nodejs/node/pull/30724)
- \[[`3e0709cf5e`](https://togithub.com/nodejs/node/commit/3e0709cf5e)] - **deps**: V8: backport [`fb63e5c`](https://togithub.com/nodejs/node/commit/fb63e5cf55e9) (Michaël Zasso)
- \[[`25b8fbda35`](https://togithub.com/nodejs/node/commit/25b8fbda35)] - **doc**: allow \ in header elements (Rich Trott) [#31086](https://togithub.com/nodejs/node/pull/31086)
- \[[`a1b095dd46`](https://togithub.com/nodejs/node/commit/a1b095dd46)] - **doc,dns**: use code markup/markdown in headers (Rich Trott) [#31086](https://togithub.com/nodejs/node/pull/31086)
- \[[`8f3b8ca515`](https://togithub.com/nodejs/node/commit/8f3b8ca515)] - **http2**: fix session memory accounting after pausing (Michael Lehenbauer) [#30684](https://togithub.com/nodejs/node/pull/30684)
- \[[`20f64a96de`](https://togithub.com/nodejs/node/commit/20f64a96de)] - **http2**: use the latest settings (ZYSzys) [#29780](https://togithub.com/nodejs/node/pull/29780)
- \[[`81c31005fd`](https://togithub.com/nodejs/node/commit/81c31005fd)] - **lib**: fix comment nits in bootstrap\loaders.js (Vse Mozhet Byt) [#24641](https://togithub.com/nodejs/node/pull/24641)
- \[[`88e8b7cf83`](https://togithub.com/nodejs/node/commit/88e8b7cf83)] - **n-api**: correct bug in napi_get_last_error (Octavian Soldea) [#28702](https://togithub.com/nodejs/node/pull/28702)
- \[[`77e0318849`](https://togithub.com/nodejs/node/commit/77e0318849)] - **stream**: increase MAX_HWM (Robert Nagy) [#29938](https://togithub.com/nodejs/node/pull/29938)
- \[[`894aaa2040`](https://togithub.com/nodejs/node/commit/894aaa2040)] - **stream**: extract Readable.from in its own file (Matteo Collina) [#30140](https://togithub.com/nodejs/node/pull/30140)
- \[[`7e941eb17d`](https://togithub.com/nodejs/node/commit/7e941eb17d)] - **test**: do not fail SLOW tests if they are not slow (Yang Guo) [#25868](https://togithub.com/nodejs/node/pull/25868)
- \[[`0f3ae77aaf`](https://togithub.com/nodejs/node/commit/0f3ae77aaf)] - **tools**: update tzdata to 2019c (Myles Borins) [#30479](https://togithub.com/nodejs/node/pull/30479)
- \[[`4ae8d204cb`](https://togithub.com/nodejs/node/commit/4ae8d204cb)] - **tools**: move python code out of jenkins shell (Sam Roberts) [#28458](https://togithub.com/nodejs/node/pull/28458)
- \[[`4879b80d87`](https://togithub.com/nodejs/node/commit/4879b80d87)] - **tools**: fix v8 testing with devtoolset on ppcle (Sam Roberts) [#28458](https://togithub.com/nodejs/node/pull/28458)
### [`v10.18.0`](https://togithub.com/nodejs/node/releases/tag/v10.18.0): 2019-12-17, Version 10.18.0 'Dubnium' (LTS), @MylesBorins
[Compare Source](https://togithub.com/nodejs/node/compare/v10.17.0...v10.18.0)
This is a security release.
For more details about the vulnerability please consult the npm blog:
https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
##### Notable changes
- **deps**: update npm to 6.13.4 [#30904](https://togithub.com/nodejs/node/pull/30904)
##### Commits
- \[[`54a466a865`](https://togithub.com/nodejs/node/commit/54a466a865)] - **build,win**: add test-ci-native and test-ci-js (João Reis) [#30724](https://togithub.com/nodejs/node/pull/30724)
- \[[`f9b31edb25`](https://togithub.com/nodejs/node/commit/f9b31edb25)] - **deps**: update npm to 6.13.4 (Isaac Z. Schlueter) [#30904](https://togithub.com/nodejs/node/pull/30904)
### [`v10.17.0`](https://togithub.com/nodejs/node/releases/tag/v10.17.0): 2019-10-22, Version 10.17.0 'Dubnium' (LTS), @BethGriggs
[Compare Source](https://togithub.com/nodejs/node/compare/v10.16.3...v10.17.0)
##### Notable changes
- **crypto**:
- add support for chacha20-poly1305 for AEAD (chux0519) [#24081](https://togithub.com/nodejs/node/pull/24081)
- increase maxmem range from 32 to 53 bits (Tobias Nießen) [#28799](https://togithub.com/nodejs/node/pull/28799)
- **deps**:
- update npm to 6.11.3 (claudiahdz) [#29430](https://togithub.com/nodejs/node/pull/29430)
- upgrade openssl sources to 1.1.1d (Sam Roberts) [#29921](https://togithub.com/nodejs/node/pull/29921)
- **dns**: remove dns.promises experimental warning (cjihrig) [#26592](https://togithub.com/nodejs/node/pull/26592)
- **fs**: remove experimental warning for fs.promises (Anna Henningsen) [#26581](https://togithub.com/nodejs/node/pull/26581)
- **http**: makes response.writeHead return the response (Mark S. Everitt) [#25974](https://togithub.com/nodejs/node/pull/25974)
- **http2**: makes response.writeHead return the response (Mark S. Everitt) [#25974](https://togithub.com/nodejs/node/pull/25974)
- **n-api**:
- make func argument of napi_create_threadsafe_function optional (legendecas) [#27791](https://togithub.com/nodejs/node/pull/27791)
- mark version 5 N-APIs as stable (Gabriel Schulhof) [#29401](https://togithub.com/nodejs/node/pull/29401)
- implement date object (Jarrod Connolly) [#25917](https://togithub.com/nodejs/node/pull/25917)
- **process**: add --unhandled-rejections flag (Ruben Bridgewater) [#26599](https://togithub.com/nodejs/node/pull/26599)
- **stream**:
- implement Readable.from async iterator utility (Guy Bedford) [#27660](https://togithub.com/nodejs/node/pull/27660)
- make Symbol.asyncIterator support stable (Matteo Collina) [#26989](https://togithub.com/nodejs/node/pull/26989)
##### Commits
- \[[`f1a5a36961`](https://togithub.com/nodejs/node/commit/f1a5a36961)] - **build**: update Windows icon to Feb 2016 rebrand (Mike MacCana) [#28524](https://togithub.com/nodejs/node/pull/28524)
- \[[`63de2ade85`](https://togithub.com/nodejs/node/commit/63de2ade85)] - **(SEMVER-MINOR)** **crypto**: add support for chacha20-poly1305 for AEAD (chux0519) [#24081](https://togithub.com/nodejs/node/pull/24081)
- \[[`4f0f12c3d6`](https://togithub.com/nodejs/node/commit/4f0f12c3d6)] - **crypto**: fix rsa key gen with non-default exponent (Sam Roberts) [#27092](https://togithub.com/nodejs/node/pull/27092)
- \[[`7735824d2c`](https://togithub.com/nodejs/node/commit/7735824d2c)] - **(SEMVER-MINOR)** **crypto**: increase maxmem range from 32 to 53 bits (Tobias Nießen) [#28799](https://togithub.com/nodejs/node/pull/28799)
- \[[`e53dbba6bc`](https://togithub.com/nodejs/node/commit/e53dbba6bc)] - **deps**: update npm to 6.11.3 (claudiahdz) [#29430](https://togithub.com/nodejs/node/pull/29430)
- \[[`55cd01c5c3`](https://togithub.com/nodejs/node/commit/55cd01c5c3)] - **(SEMVER-MINOR)** **deps**: update npm to 6.10.3 (isaacs) [#29023](https://togithub.com/nodejs/node/pull/29023)
- \[[`e2291cf805`](https://togithub.com/nodejs/node/commit/e2291cf805)] - **deps**: upgrade npm to 6.10.2 (isaacs) [#28853](https://togithub.com/nodejs/node/pull/28853)
- \[[`03b69660f9`](https://togithub.com/nodejs/node/commit/03b69660f9)] - **deps**: upgrade npm to 6.10.0 (isaacs) [#28525](https://togithub.com/nodejs/node/pull/28525)
- \[[`333963ef73`](https://togithub.com/nodejs/node/commit/333963ef73)] - **deps**: dlloads node static linked executable (Luca Lindhorst) [#28045](https://togithub.com/nodejs/node/pull/28045)
- \[[`7202792ad3`](https://togithub.com/nodejs/node/commit/7202792ad3)] - **deps**: update archs files for OpenSSL-1.1.1d (Sam Roberts) [#29921](https://togithub.com/nodejs/node/pull/29921)
- \[[`9c393f1d02`](https://togithub.com/nodejs/node/commit/9c393f1d02)] - **deps**: upgrade openssl sources to 1.1.1d (Sam Roberts) [#29921](https://togithub.com/nodejs/node/pull/29921)
- \[[`7f48519413`](https://togithub.com/nodejs/node/commit/7f48519413)] - **deps**: do not link against librt (Sam Roberts) [#29729](https://togithub.com/nodejs/node/pull/29729)
- \[[`fcc22d31a0`](https://togithub.com/nodejs/node/commit/fcc22d31a0)] - **(SEMVER-MINOR)** **dns**: make dns.promises enumerable (cjihrig) [#26592](https://togithub.com/nodejs/node/pull/26592)
- \[[`fa27aac5fb`](https://togithub.com/nodejs/node/commit/fa27aac5fb)] - **(SEMVER-MINOR)** **dns**: remove dns.promises experimental warning (cjihrig) [#26592](https://togithub.com/nodejs/node/pull/26592)
- \[[`90fb146933`](https://togithub.com/nodejs/node/commit/90fb146933)] - **(SEMVER-MINOR)** **doc**: move dns.promises to stable status (cjihrig) [#26592](https://togithub.com/nodejs/node/pull/26592)
- \[[`65e68d1f4f`](https://togithub.com/nodejs/node/commit/65e68d1f4f)] - **doc**: add documentation for stream readableFlowing (Chetan Karande) [#29506](https://togithub.com/nodejs/node/pull/29506)
- \[[`c285e694e2`](https://togithub.com/nodejs/node/commit/c285e694e2)] - **doc**: fix the links tls default version sections (Chetan Karande) [#28827](https://togithub.com/nodejs/node/pull/28827)
- \[[`cef5010135`](https://togithub.com/nodejs/node/commit/cef5010135)] - **doc**: describe tls.DEFAULT_MIN_VERSION/\_MAX_VERSION (Chetan Karande) [#28827](https://togithub.com/nodejs/node/pull/28827)
- \[[`15c2eb0e58`](https://togithub.com/nodejs/node/commit/15c2eb0e58)] - **doc**: update N-API version matrix (Gabriel Schulhof) [#29461](https://togithub.com/nodejs/node/pull/29461)
- \[[`a3eda2896d`](https://togithub.com/nodejs/node/commit/a3eda2896d)] - **doc**: fixup changelog for v10.16.3 (Andrew Hughes) [#29159](https://togithub.com/nodejs/node/pull/29159)
- \[[`56a834a53f`](https://togithub.com/nodejs/node/commit/56a834a53f)] - **doc,test**: clarify that Http2Stream is destroyed after data is read (Alba Mendez) [#27891](https://togithub.com/nodejs/node/pull/27891)
- \[[`85ce8ef19a`](https://togithub.com/nodejs/node/commit/85ce8ef19a)] - **(SEMVER-MINOR)** **fs**: remove experimental warning for fs.promises (Anna Henningsen) [#26581](https://togithub.com/nodejs/node/pull/26581)
- \[[`ccf2823f83`](https://togithub.com/nodejs/node/commit/ccf2823f83)] - **(SEMVER-MINOR)** **http**: makes response.writeHead return the response (Mark S. Everitt) [#25974](https://togithub.com/nodejs/node/pull/25974)
- \[[`66387cd45e`](https://togithub.com/nodejs/node/commit/66387cd45e)] - **http2**: send out pending data earlier (Anna Henningsen) [#29398](https://togithub.com/nodejs/node/pull/29398)
- \[[`925849650b`](https://togithub.com/nodejs/node/commit/925849650b)] - **(SEMVER-MINOR)** **http2**: makes response.writeHead return the response (Mark S. Everitt) [#25974](https://togithub.com/nodejs/node/pull/25974)
- \[[`69b0212df3`](https://togithub.com/nodejs/node/commit/69b0212df3)] - **http2**: do not start reading after write if new write is on wire (Anna Henningsen) [#29399](https://togithub.com/nodejs/node/pull/29399)
- \[[`36a0e9a063`](https://togithub.com/nodejs/node/commit/36a0e9a063)] - **http2**: do not crash on stream listener removal w/ destroyed session (Anna Henningsen) [#29459](https://togithub.com/nodejs/node/pull/29459)
- \[[`c74c6a5ccf`](https://togithub.com/nodejs/node/commit/c74c6a5ccf)] - **n-api**: mark version 5 N-APIs as stable (Gabriel Schulhof) [#29401](https://togithub.com/nodejs/node/pull/29401)
- \[[`f8622762e3`](https://togithub.com/nodejs/node/commit/f8622762e3)] - **(SEMVER-MINOR)** **n-api**: make func argument of napi_create_threadsafe_function optional (legendecas) [#27791](https://togithub.com/nodejs/node/pull/27791)
- \[[`4f41e4f471`](https://togithub.com/nodejs/node/commit/4f41e4f471)] - **(SEMVER-MINOR)** **n-api**: implement date object (Jarrod Connolly) [#25917](https://togithub.com/nodejs/node/pull/25917)
- \[[`69bf5b7944`](https://togithub.com/nodejs/node/commit/69bf5b7944)] - **net**: treat ENOTCONN at shutdown as success (Anna Henningsen) [#29912](https://togithub.com/nodejs/node/pull/29912)
- \[[`d6c998a478`](https://togithub.com/nodejs/node/commit/d6c998a478)] - **process**: use public readableFlowing property (Chetan Karande) [#29502](https://togithub.com/nodejs/node/pull/29502)
- \[[`b43d7e8f42`](https://togithub.com/nodejs/node/commit/b43d7e8f42)] - **(SEMVER-MINOR)** **process**: add --unhandled-rejections flag (Ruben Bridgewater) [#26599](https://togithub.com/nodejs/node/pull/26599)
- \[[`79f3844fb0`](https://togithub.com/nodejs/node/commit/79f3844fb0)] - **(SEMVER-MINOR)** **readline**: make Symbol.asyncIterator support stable (Matteo Collina) [#26989](https://togithub.com/nodejs/node/pull/26989)
- \[[`18b140ae75`](https://togithub.com/nodejs/node/commit/18b140ae75)] - **src**: use maybe version v8::Function::Call (Ouyang Yadong) [#23826](https://togithub.com/nodejs/node/pull/23826)
- \[[`1bb5102999`](https://togithub.com/nodejs/node/commit/1bb5102999)] - **src**: use more explicit return type in Sign::SignFinal() (Anna Henningsen) [#23779](https://togithub.com/nodejs/node/pull/23779)
- \[[`859d47593e`](https://togithub.com/nodejs/node/commit/859d47593e)] - **src**: reduce platform worker barrier lifetime (Ali Ijaz Sheikh) [#23419](https://togithub.com/nodejs/node/pull/23419)
- \[[`00831f0293`](https://togithub.com/nodejs/node/commit/00831f0293)] - **(SEMVER-MINOR)** **stream**: make Symbol.asyncIterator support stable (Matteo Collina) [#26989](https://togithub.com/nodejs/node/pull/26989)
- \[[`ddb5152e9b`](https://togithub.com/nodejs/node/commit/ddb5152e9b)] - **(SEMVER-MINOR)** **stream**: implement Readable.from async iterator utility (Guy Bedford) [#27660](https://togithub.com/nodejs/node/pull/27660)
- \[[`13d8549abd`](https://togithub.com/nodejs/node/commit/13d8549abd)] - **test**: well-defined DH groups now verify clean (Sam Roberts) [#29550](https://togithub.com/nodejs/node/pull/29550)
- \[[`f78ecc3f93`](https://togithub.com/nodejs/node/commit/f78ecc3f93)] - **test**: fix race in test-http2-origin (Alba Mendez) [#28903](https://togithub.com/nodejs/node/pull/28903)
- \[[`2afbb3efab`](https://togithub.com/nodejs/node/commit/2afbb3efab)] - **test,win**: cleanup exec-timeout processes (João Reis) [#28723](https://togithub.com/nodejs/node/pull/28723)
- \[[`fe58bca878`](https://togithub.com/nodejs/node/commit/fe58bca878)] - **tls**: group chunks into TLS segments (Alba Mendez) [#27861](https://togithub.com/nodejs/node/pull/27861)
- \[[`2eae030a4b`](https://togithub.com/nodejs/node/commit/2eae030a4b)] - **(SEMVER-MINOR)** **worker**: add missing return value in case of fatal exceptions (Ruben Bridgewater) [#29036](https://togithub.com/nodejs/node/pull/29036)
- \[[`e8c90bf4d1`](https://togithub.com/nodejs/node/commit/e8c90bf4d1)] - **zlib**: do not coalesce multiple `.flush()` calls (Anna Henningsen) [#28520](https://togithub.com/nodejs/node/pull/28520)
### [`v10.16.3`](https://togithub.com/nodejs/node/releases/tag/v10.16.3): 2019-08-15, Version 10.16.3 'Dubnium' (LTS), @BethGriggs
[Compare Source](https://togithub.com/nodejs/node/compare/v10.16.2...v10.16.3)
##### Notable changes
This is a security release.
Node.js, as well as many other implementations of HTTP/2, have been found
vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Vulnerabilities fixed:
- **CVE-2019-9511 “Data Dribble”**: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
- **CVE-2019-9512 “Ping Flood”**: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
- **CVE-2019-9513 “Resource Loop”**: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
- **CVE-2019-9514 “Reset Flood”**: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
- **CVE-2019-9515 “Settings Flood”**: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
- **CVE-2019-9516 “0-Length Headers Leak”**: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
- **CVE-2019-9517 “Internal Data Buffering”**: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
- **CVE-2019-9518 “Empty Frames Flood”**: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)
##### Commits
- \[[`74507fae34`](https://togithub.com/nodejs/node/commit/74507fae34)] - **deps**: update nghttp2 to 1.39.2 (Anna Henningsen) [#29122](https://togithub.com/nodejs/node/pull/29122)
- \[[`a397c881ec`](https://togithub.com/nodejs/node/commit/a397c881ec)] - **deps**: update nghttp2 to 1.39.1 (gengjiawen) [#28448](https://togithub.com/nodejs/node/pull/28448)
- \[[`fedfa12a33`](https://togithub.com/nodejs/node/commit/fedfa12a33)] - **deps**: update nghttp2 to 1.38.0 (gengjiawen) [#27295](https://togithub.com/nodejs/node/pull/27295)
- \[[`ab0f2ace36`](https://togithub.com/nodejs/node/commit/ab0f2ace36)] - **deps**: update nghttp2 to 1.37.0 (gengjiawen) [#26990](https://togithub.com/nodejs/node/pull/26990)
- \[[`0acbe05ee2`](https://togithub.com/nodejs/node/commit/0acbe05ee2)] - **http2**: allow
Configuration
📅 Schedule: Branch creation - "before 3am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
10
->10.24.1
Release Notes
nodejs/node (node)
### [`v10.24.1`](https://togithub.com/nodejs/node/releases/tag/v10.24.1): 2021-04-06, Version 10.24.1 'Dubnium' (LTS), @mylesborins [Compare Source](https://togithub.com/nodejs/node/compare/v10.24.0...v10.24.1) This is a security release. ##### Notable Changes Vulerabilties fixed: - **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509\_V_FLAG_X509\_STRICT (High) - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt - Impacts: - All versions of the 15.x, 14.x, 12.x and 10.x releases lines - **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High) - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt - Impacts: - All versions of the 15.x, 14.x, 12.x and 10.x releases lines - **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High) - This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh - Impacts: - All versions of the 14.x, 12.x and 10.x releases lines ##### Commits - \[[`5e526b96ce`](https://togithub.com/nodejs/node/commit/5e526b96ce)] - **deps**: upgrade npm to 6.14.12 (Ruy Adorno) [#37918](https://togithub.com/nodejs/node/pull/37918) - \[[`781cb6df5c`](https://togithub.com/nodejs/node/commit/781cb6df5c)] - **deps**: update archs files for OpenSSL-1.1.1k (Tobias Nießen) [#37940](https://togithub.com/nodejs/node/pull/37940) - \[[`5db0a05a90`](https://togithub.com/nodejs/node/commit/5db0a05a90)] - **deps**: upgrade openssl sources to 1.1.1k (Tobias Nießen) [#37940](https://togithub.com/nodejs/node/pull/37940) ### [`v10.24.0`](https://togithub.com/nodejs/node/releases/tag/v10.24.0): 2021-02-23, Version 10.24.0 'Dubnium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.23.3...v10.24.0) This is a security release. ##### Notable changes Vulnerabilities fixed: - **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion - Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory. - **CVE-2021-22884**: DNS rebinding in --inspect - Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160. - **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt ##### Commits - \[[`0afcb4f6bb`](https://togithub.com/nodejs/node/commit/0afcb4f6bb)] - **deps**: update archs files for OpenSSL-1.1.1j (Daniel Bevenius) [#37415](https://togithub.com/nodejs/node/pull/37415) - \[[`447be941cd`](https://togithub.com/nodejs/node/commit/447be941cd)] - **deps**: upgrade openssl sources to 1.1.1j (Daniel Bevenius) [#37415](https://togithub.com/nodejs/node/pull/37415) - \[[`3f2e9dc40c`](https://togithub.com/nodejs/node/commit/3f2e9dc40c)] - **(SEMVER-MINOR)** **http2**: add unknownProtocol timeout (Daniel Bevenius) [nodejs-private/node-private#246](https://togithub.com/nodejs-private/node-private/pull/246) - \[[`d1cf6a9b0f`](https://togithub.com/nodejs/node/commit/d1cf6a9b0f)] - **src**: drop localhost6 as allowed host for inspector (Matteo Collina) [nodejs-private/node-private#244](https://togithub.com/nodejs-private/node-private/pull/244) ### [`v10.23.3`](https://togithub.com/nodejs/node/releases/tag/v10.23.3): 2021-02-09, Version 10.23.3 'Dubnium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.23.2...v10.23.3) ##### Notable changes The update to npm 6.14.11 has been relanded so that npm correctly reports its version. ##### Commits - \[[`953a85035d`](https://togithub.com/nodejs/node/commit/953a85035d)] - **crypto**: fix crash when calling digest after piping (Tobias Nießen) [#28251](https://togithub.com/nodejs/node/pull/28251) - \[[`fe2c98003e`](https://togithub.com/nodejs/node/commit/fe2c98003e)] - **deps**: upgrade npm to 6.14.11 (Ruy Adorno) [#37173](https://togithub.com/nodejs/node/pull/37173) - \[[`7b7fb43b8a`](https://togithub.com/nodejs/node/commit/7b7fb43b8a)] - ***Revert*** "**deps**: upgrade npm to 6.14.11" (Richard Lau) [#37278](https://togithub.com/nodejs/node/pull/37278) - \[[`1c6fbd6ffe`](https://togithub.com/nodejs/node/commit/1c6fbd6ffe)] - **test**: add test that verifies crypto stream pipeline (Evan Lucas) [#37009](https://togithub.com/nodejs/node/pull/37009) ### [`v10.23.2`](https://togithub.com/nodejs/node/releases/tag/v10.23.2): 2021-01-26, Version 10.23.2 'Dubnium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.23.1...v10.23.2) ##### Notable changes Release keys have been synchronized with the main branch. - **deps**: - upgrade npm to 6.14.11 (Darcy Clarke) [#36838](https://togithub.com/nodejs/node/pull/36838) ##### Commits - \[[`cc6b69557a`](https://togithub.com/nodejs/node/commit/cc6b69557a)] - **deps**: upgrade npm to 6.14.11 (Darcy Clarke) [#36838](https://togithub.com/nodejs/node/pull/36838) - \[[`aefb66528a`](https://togithub.com/nodejs/node/commit/aefb66528a)] - **doc**: update contact information for [@BethGriggs](https://togithub.com/BethGriggs) (Beth Griggs) [#35451](https://togithub.com/nodejs/node/pull/35451) - \[[`08931481d8`](https://togithub.com/nodejs/node/commit/08931481d8)] - **doc**: update contact information for richardlau (Richard Lau) [#35450](https://togithub.com/nodejs/node/pull/35450) - \[[`bc0617f4ea`](https://togithub.com/nodejs/node/commit/bc0617f4ea)] - **doc**: update release key for Danielle Adams (Danielle Adams) [#36793](https://togithub.com/nodejs/node/pull/36793) - \[[`d7c09fcfd3`](https://togithub.com/nodejs/node/commit/d7c09fcfd3)] - **doc**: add release key for Danielle Adams (Danielle Adams) [#35545](https://togithub.com/nodejs/node/pull/35545) - \[[`ac49d415b0`](https://togithub.com/nodejs/node/commit/ac49d415b0)] - **doc**: add release key for Ruy Adorno (Ruy Adorno) [#34628](https://togithub.com/nodejs/node/pull/34628) - \[[`b8426ae3ce`](https://togithub.com/nodejs/node/commit/b8426ae3ce)] - **doc**: add release key for Richard Lau (Richard Lau) [#34397](https://togithub.com/nodejs/node/pull/34397) ### [`v10.23.1`](https://togithub.com/nodejs/node/releases/tag/v10.23.1): 2021-01-04, Version 10.23.1 'Dubnium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.23.0...v10.23.1) ##### Notable changes This is a security release. Vulnerabilities fixed: - **CVE-2020-8265**: use-after-free in TLSWrap (High) Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits - **CVE-2020-8287**: HTTP Request Smuggling in nodejs Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html). - **CVE-2020-1971**: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt ##### Commits - \[[`bd44b0ee7f`](https://togithub.com/nodejs/node/commit/bd44b0ee7f)] - **build,win**: accept Python 3 if 2 is not available (João Reis) [#29236](https://togithub.com/nodejs/node/pull/29236) - \[[`d5c9b09bdc`](https://togithub.com/nodejs/node/commit/d5c9b09bdc)] - **build,win**: find Python in paths with spaces (João Reis) [#29236](https://togithub.com/nodejs/node/pull/29236) - \[[`323a6f114a`](https://togithub.com/nodejs/node/commit/323a6f114a)] - **deps**: update http-parser to [http-parser@`ec8b5ee`](https://togithub.com/http-parser/node/commit/ec8b5ee63f) (Richard Lau) [nodejs-private/node-private#235](https://togithub.com/nodejs-private/node-private/pull/235) - \[[`f08d0fef64`](https://togithub.com/nodejs/node/commit/f08d0fef64)] - **deps**: upgrade npm to 6.14.10 (Ruy Adorno) [#36571](https://togithub.com/nodejs/node/pull/36571) - \[[`b0608b574a`](https://togithub.com/nodejs/node/commit/b0608b574a)] - **deps**: update archs files for OpenSSL-1.1.1i (Richard Lau) [#36541](https://togithub.com/nodejs/node/pull/36541) - \[[`d936e1833f`](https://togithub.com/nodejs/node/commit/d936e1833f)] - **deps**: upgrade openssl sources to 1.1.1i (Myles Borins) [#36541](https://togithub.com/nodejs/node/pull/36541) - \[[`9c4970715c`](https://togithub.com/nodejs/node/commit/9c4970715c)] - **deps**: upgrade npm to 6.14.9 (Myles Borins) [#36450](https://togithub.com/nodejs/node/pull/36450) - \[[`aa6b97fb99`](https://togithub.com/nodejs/node/commit/aa6b97fb99)] - **http**: add test for http transfer encoding smuggling (Richard Lau) [nodejs-private/node-private#235](https://togithub.com/nodejs-private/node-private/pull/235) - \[[`fc70ce08f5`](https://togithub.com/nodejs/node/commit/fc70ce08f5)] - **http**: unset `F_CHUNKED` on new `Transfer-Encoding` (Fedor Indutny) [nodejs-private/node-private#235](https://togithub.com/nodejs-private/node-private/pull/235) - \[[`7f178663eb`](https://togithub.com/nodejs/node/commit/7f178663eb)] - **src**: use unique_ptr for WriteWrap (Daniel Bevenius) [nodejs-private/node-private#238](https://togithub.com/nodejs-private/node-private/pull/238) - \[[`357e2857c8`](https://togithub.com/nodejs/node/commit/357e2857c8)] - **test**: add test-tls-use-after-free-regression (Daniel Bevenius) [nodejs-private/node-private#238](https://togithub.com/nodejs-private/node-private/pull/238) ### [`v10.23.0`](https://togithub.com/nodejs/node/releases/tag/v10.23.0): 2020-10-27, Version 10.23.0 'Dubnium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.22.1...v10.23.0) ##### Notable changes - **deps**: - upgrade npm to 6.14.8 (Ruy Adorno) [#34834](https://togithub.com/nodejs/node/pull/34834) - **n-api**: - create N-API version 7 (Gabriel Schulhof) [#35199](https://togithub.com/nodejs/node/pull/35199) - expose napi_build_version variable (NickNaso) [#27835](https://togithub.com/nodejs/node/pull/27835) - **tools**: - add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](https://togithub.com/nodejs/node/pull/34378) ##### Commits - \[[`b83f9a56fc`](https://togithub.com/nodejs/node/commit/b83f9a56fc)] - **build**: expose napi_build_version variable (NickNaso) [#27835](https://togithub.com/nodejs/node/pull/27835) - \[[`020ba1a2b8`](https://togithub.com/nodejs/node/commit/020ba1a2b8)] - **build**: enable backtrace when V8 is built for PPC and S390x (Michaël Zasso) [#32113](https://togithub.com/nodejs/node/pull/32113) - \[[`eee9412a8c`](https://togithub.com/nodejs/node/commit/eee9412a8c)] - **deps**: upgrade npm to 6.14.8 (Ruy Adorno) [#34834](https://togithub.com/nodejs/node/pull/34834) - \[[`038593d5ff`](https://togithub.com/nodejs/node/commit/038593d5ff)] - **deps**: upgrade npm to 6.14.7 (claudiahdz) [#34468](https://togithub.com/nodejs/node/pull/34468) - \[[`3564424625`](https://togithub.com/nodejs/node/commit/3564424625)] - **deps**: V8: cherry-pick [`eec10a2`](https://togithub.com/nodejs/node/commit/eec10a2fd8fa) (Stephen Belanger) [#33778](https://togithub.com/nodejs/node/pull/33778) - \[[`e9e86e1b60`](https://togithub.com/nodejs/node/commit/e9e86e1b60)] - **http2**: support non-empty DATA frame with END_STREAM flag (Carlos Lopez) [#33875](https://togithub.com/nodejs/node/pull/33875) - \[[`751820b6c2`](https://togithub.com/nodejs/node/commit/751820b6c2)] - **http2,doc**: minor fixes (Alba Mendez) [#28044](https://togithub.com/nodejs/node/pull/28044) - \[[`54c2bc2e62`](https://togithub.com/nodejs/node/commit/54c2bc2e62)] - **(SEMVER-MINOR)** **n-api**: create N-API version 7 (Gabriel Schulhof) [#35199](https://togithub.com/nodejs/node/pull/35199) - \[[`2eb627301c`](https://togithub.com/nodejs/node/commit/2eb627301c)] - **src**: allows escaping NODE_OPTIONS with backslashes (Maël Nison) [#24065](https://togithub.com/nodejs/node/pull/24065) - \[[`5170d14b36`](https://togithub.com/nodejs/node/commit/5170d14b36)] - **test**: fix test-linux-perf flakiness (Matheus Marchini) [#27615](https://togithub.com/nodejs/node/pull/27615) - \[[`21b86d7f19`](https://togithub.com/nodejs/node/commit/21b86d7f19)] - **test,v8**: skip less and stabilize test-linux-perf.js (Refael Ackermann) [#27364](https://togithub.com/nodejs/node/pull/27364) - \[[`ee11ab50a7`](https://togithub.com/nodejs/node/commit/ee11ab50a7)] - **tools**: add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](https://togithub.com/nodejs/node/pull/34378) ### [`v10.22.1`](https://togithub.com/nodejs/node/releases/tag/v10.22.1): 2020-09-15, Version 10.22.1 'Dubnium' (LTS), @BethGriggs [Compare Source](https://togithub.com/nodejs/node/compare/v10.22.0...v10.22.1) ##### Notable changes This is a security release. Vulnerabilities fixed: - **CVE-2020-8252**: fs.realpath.native on may cause buffer overflow (Medium). ##### Commits - \[[`57badcf93e`](https://togithub.com/nodejs/node/commit/57badcf93e)] - **deps**: libuv: cherry-pick [`0e6e862`](https://togithub.com/nodejs/node/commit/0e6e8620) (Colin Ihrig) [libuv/libuv#2966](https://togithub.com/libuv/libuv/pull/2966) ### [`v10.22.0`](https://togithub.com/nodejs/node/releases/tag/v10.22.0): 2020-07-21, Version 10.22.0 'Dubnium' (LTS), @BethGriggs prepared by @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.21.0...v10.22.0) ##### Notable changes - **deps**: - upgrade npm to 6.14.6 (claudiahdz) [#34246](https://togithub.com/nodejs/node/pull/34246) - upgrade openssl sources to 1.1.1g (Hassaan Pasha) [#32982](https://togithub.com/nodejs/node/pull/32982) - **n-api**: - add `napi_detach_arraybuffer` (legendecas) [#29768](https://togithub.com/nodejs/node/pull/29768) ##### Commits - \[[`9915774d18`](https://togithub.com/nodejs/node/commit/9915774d18)] - **build**: log detected compilers in --verbose mode (Richard Lau) [#32715](https://togithub.com/nodejs/node/pull/32715) - \[[`145dcc2c1c`](https://togithub.com/nodejs/node/commit/145dcc2c1c)] - **build**: move doc versions JSON file out of out/doc (Richard Lau) [#32728](https://togithub.com/nodejs/node/pull/32728) - \[[`24b927ab66`](https://togithub.com/nodejs/node/commit/24b927ab66)] - **build**: allow clang 10+ in configure.py (Kamil Rytarowski) [#29541](https://togithub.com/nodejs/node/pull/29541) - \[[`97b59527c7`](https://togithub.com/nodejs/node/commit/97b59527c7)] - **deps**: upgrade npm to 6.14.6 (claudiahdz) [#34246](https://togithub.com/nodejs/node/pull/34246) - \[[`84fca3c691`](https://togithub.com/nodejs/node/commit/84fca3c691)] - **deps**: upgrade npm to 6.14.5 (Ruy Adorno) [#33239](https://togithub.com/nodejs/node/pull/33239) - \[[`745b329260`](https://togithub.com/nodejs/node/commit/745b329260)] - **deps**: update archs files for OpenSSL-1.1.1g (Hassaan Pasha) [#32982](https://togithub.com/nodejs/node/pull/32982) - \[[`94702c1560`](https://togithub.com/nodejs/node/commit/94702c1560)] - **deps**: upgrade openssl sources to 1.1.1g (Hassaan Pasha) [#32982](https://togithub.com/nodejs/node/pull/32982) - \[[`ef9413be1a`](https://togithub.com/nodejs/node/commit/ef9413be1a)] - **deps**: upgrade openssl sources to 1.1.1f (Hassaan Pasha) [#32583](https://togithub.com/nodejs/node/pull/32583) - \[[`3acc89f8f2`](https://togithub.com/nodejs/node/commit/3acc89f8f2)] - **deps**: V8: backport [`cd21f71`](https://togithub.com/nodejs/node/commit/cd21f71f9cb5) (Michaël Zasso) [#33862](https://togithub.com/nodejs/node/pull/33862) - \[[`89a306bca9`](https://togithub.com/nodejs/node/commit/89a306bca9)] - **deps**: fix V8 compiler error with clang++-11 (Sam Roberts) [#33094](https://togithub.com/nodejs/node/pull/33094) - \[[`00f04e3b79`](https://togithub.com/nodejs/node/commit/00f04e3b79)] - **doc**: fix quotes in tls.md (Sparsh Garg) [#33641](https://togithub.com/nodejs/node/pull/33641) - \[[`193d1d0e84`](https://togithub.com/nodejs/node/commit/193d1d0e84)] - **doc**: document fs.watchFile() bigint option (cjihrig) [#32128](https://togithub.com/nodejs/node/pull/32128) - \[[`5dab101b03`](https://togithub.com/nodejs/node/commit/5dab101b03)] - **doc,n-api**: mark napi_detach_arraybuffer as experimental (legendecas) [#30703](https://togithub.com/nodejs/node/pull/30703) - \[[`069b6e14a4`](https://togithub.com/nodejs/node/commit/069b6e14a4)] - **http**: disable headersTimeout check when set to zero (Paolo Insogna) [#33307](https://togithub.com/nodejs/node/pull/33307) - \[[`aaf2f827c6`](https://togithub.com/nodejs/node/commit/aaf2f827c6)] - **inspector**: more conservative minimum stack size (Ben Noordhuis) [#27855](https://togithub.com/nodejs/node/pull/27855) - \[[`b744ffd586`](https://togithub.com/nodejs/node/commit/b744ffd586)] - **(SEMVER-MINOR)** **n-api**: implement napi_is_detached_arraybuffer (Denys Otrishko) [#30613](https://togithub.com/nodejs/node/pull/30613) - \[[`961598b9be`](https://togithub.com/nodejs/node/commit/961598b9be)] - **(SEMVER-MINOR)** **n-api**: add `napi_detach_arraybuffer` (legendecas) [#29768](https://togithub.com/nodejs/node/pull/29768) - \[[`7a109febc4`](https://togithub.com/nodejs/node/commit/7a109febc4)] - **test**: remove timers-blocking-callback (Jeremiah Senkpiel) [#32870](https://togithub.com/nodejs/node/pull/32870) - \[[`3dbd8cd3a9`](https://togithub.com/nodejs/node/commit/3dbd8cd3a9)] - ***Revert*** "**test**: mark empty udp tests flaky on OS X" (Luigi Pinca) [#32489](https://togithub.com/nodejs/node/pull/32489) - \[[`543656928c`](https://togithub.com/nodejs/node/commit/543656928c)] - **test**: flaky test-stdout-close-catch on freebsd (Sam Roberts) [#32849](https://togithub.com/nodejs/node/pull/32849) - \[[`74b00cca64`](https://togithub.com/nodejs/node/commit/74b00cca64)] - **tls**: allow empty subject even with altNames defined (Jason Macgowan) [#22906](https://togithub.com/nodejs/node/pull/22906) ### [`v10.21.0`](https://togithub.com/nodejs/node/releases/tag/v10.21.0): 2020-06-02, Version 10.21.0 'Dubnium' (LTS), @BethGriggs [Compare Source](https://togithub.com/nodejs/node/compare/v10.20.1...v10.21.0) ##### Notable changes This is a security release. Vulnerabilities fixed: - **CVE-2020-8174**: napi_get_value_string_\*() allows various kinds of memory corruption (High). - **CVE-2020-10531**: ICU-20958 Prevent SEGV_MAPERR in append (High). - **CVE-2020-11080**: HTTP/2 Large Settings Frame DoS (Low). ##### Commits - \[[`0ad7970256`](https://togithub.com/nodejs/node/commit/0ad7970256)] - **deps**: fix OPENSSLDIR on Windows (Shigeki Ohtsu) [#29456](https://togithub.com/nodejs/node/pull/29456) - \[[`bd78c6ea46`](https://togithub.com/nodejs/node/commit/bd78c6ea46)] - **deps**: backport ICU-20958 to fix CVE-2020-10531 (Richard Lau) [#33572](https://togithub.com/nodejs/node/pull/33572) - \[[`33e9a12241`](https://togithub.com/nodejs/node/commit/33e9a12241)] - **(SEMVER-MINOR)** **deps**: update nghttp2 to 1.41.0 (James M Snell) [nodejs-private/node-private#204](https://togithub.com/nodejs-private/node-private/pull/204) - \[[`881c244a4e`](https://togithub.com/nodejs/node/commit/881c244a4e)] - **(SEMVER-MINOR)** **http2**: implement support for max settings entries (James M Snell) [nodejs-private/node-private#204](https://togithub.com/nodejs-private/node-private/pull/204) - \[[`cd9827f105`](https://togithub.com/nodejs/node/commit/cd9827f105)] - **napi**: fix memory corruption vulnerability (Tobias Nießen) [nodejs-private/node-private#203](https://togithub.com/nodejs-private/node-private/pull/203) ### [`v10.20.1`](https://togithub.com/nodejs/node/releases/tag/v10.20.1): 2020-04-12, Version 10.20.1 'Dubnium' (LTS), @BethGriggs [Compare Source](https://togithub.com/nodejs/node/compare/v10.20.0...v10.20.1) ##### Notable changes Due to release process failures, Node.js v10.20.0 shipped with source and header tarballs that did not properly match the final release commit that was used to build the binaries. We recommend that Node.js v10.20.0 not be used, particularly in any applications using native add-ons or where compiling Node.js from source is involved. Node.js v10.20.1 is a clean release with the correct sources and is strongly recommended in place of v10.20.0. ### [`v10.20.0`](https://togithub.com/nodejs/node/releases/tag/v10.20.0): 2020-04-08, Version 10.20.0 'Dubnium' (LTS), @BethGriggs [Compare Source](https://togithub.com/nodejs/node/compare/v10.19.0...v10.20.0) ##### macOS package notarization and a change in builder configuration The macOS binaries for this release, and future 10.x releases, are now being compiled on macOS 10.15 (Catalina) with Xcode 11 to support package notarization, a requirement for installing .pkg files on macOS 10.15 and later. Previous builds of Node.js 10.x were compiled on macOS 10.10 (Yosemite) with a minimum deployment target of macOS 10.7 (Lion). As binaries are still being compiled to support a minimum of macOS 10.7 (Lion) we do not anticipate this having a negative impact on Node.js 10.x users with older versions of macOS. ##### Notable changes - **buffer**: add {read|write}Big\[U]Int64{BE|LE} methods (garygsc) [#19691](https://togithub.com/nodejs/node/pull/19691) - **build**: macOS package notarization (Rod Vagg) [#31459](https://togithub.com/nodejs/node/pull/31459) - **deps**: - update npm to 6.14.3 (Myles Borins) [#32368](https://togithub.com/nodejs/node/pull/32368) - upgrade openssl sources to 1.1.1e (Hassaan Pasha) [#32328](https://togithub.com/nodejs/node/pull/32328) - upgrade to libuv 1.34.2 (cjihrig) [#31477](https://togithub.com/nodejs/node/pull/31477) - **n-api**: - add napi_get_all_property_names (himself65) [#30006](https://togithub.com/nodejs/node/pull/30006) - add APIs for per-instance state management (Gabriel Schulhof) [#28682](https://togithub.com/nodejs/node/pull/28682) - define release 6 [#32058](https://togithub.com/nodejs/node/pull/32058) - turn NAPI_CALL_INTO_MODULE into a function (Anna Henningsen) [#26128](https://togithub.com/nodejs/node/pull/26128) - **tls**: - expose keylog event on TLSSocket (Alba Mendez) [#27654](https://togithub.com/nodejs/node/pull/27654) - support TLS min/max protocol defaults in CLI (Sam Roberts) [#27946](https://togithub.com/nodejs/node/pull/27946) - **url**: handle quasi-WHATWG URLs in urlToOptions() (cjihrig) [#26226](https://togithub.com/nodejs/node/pull/26226) ##### Commits - \[[`64744a282e`](https://togithub.com/nodejs/node/commit/64744a282e)] - **(SEMVER-MINOR)** **buffer**: add {read|write}Big\[U]Int64{BE|LE} methods (garygsc) [#19691](https://togithub.com/nodejs/node/pull/19691) - \[[`8a0ed8f1ff`](https://togithub.com/nodejs/node/commit/8a0ed8f1ff)] - **build**: macOS package notarization (Rod Vagg) [#31459](https://togithub.com/nodejs/node/pull/31459) - \[[`42af3b861a`](https://togithub.com/nodejs/node/commit/42af3b861a)] - **build,win**: fix goto exit in vcbuild (João Reis) [#30931](https://togithub.com/nodejs/node/pull/30931) - \[[`b164a2e3bf`](https://togithub.com/nodejs/node/commit/b164a2e3bf)] - **console**: add trace-events for time and count (James M Snell) [#23703](https://togithub.com/nodejs/node/pull/23703) - \[[`04cd67f85e`](https://togithub.com/nodejs/node/commit/04cd67f85e)] - **deps**: upgrade npm to 6.14.4 (Ruy Adorno) [#32495](https://togithub.com/nodejs/node/pull/32495) - \[[`8d85a43d99`](https://togithub.com/nodejs/node/commit/8d85a43d99)] - **deps**: update term-size with signed version (Rod Vagg) [#31459](https://togithub.com/nodejs/node/pull/31459) - \[[`76033c5495`](https://togithub.com/nodejs/node/commit/76033c5495)] - **deps**: update archs files for OpenSSL-1.1.1e (Hassaan Pasha) [#32328](https://togithub.com/nodejs/node/pull/32328) - \[[`64c184836b`](https://togithub.com/nodejs/node/commit/64c184836b)] - **deps**: adjust openssl configuration for 1.1.1e (Hassaan Pasha) [#32328](https://togithub.com/nodejs/node/pull/32328) - \[[`c8f5ab2089`](https://togithub.com/nodejs/node/commit/c8f5ab2089)] - **deps**: upgrade openssl sources to 1.1.1e (Hassaan Pasha) [#32328](https://togithub.com/nodejs/node/pull/32328) - \[[`bf26c44c92`](https://togithub.com/nodejs/node/commit/bf26c44c92)] - **deps**: remove \*.pyc files from deps/npm (Ben Noordhuis) [#32387](https://togithub.com/nodejs/node/pull/32387) - \[[`c2b3cf61ce`](https://togithub.com/nodejs/node/commit/c2b3cf61ce)] - **deps**: update npm to 6.14.3 (Myles Borins) [#32368](https://togithub.com/nodejs/node/pull/32368) - \[[`8cae4dde91`](https://togithub.com/nodejs/node/commit/8cae4dde91)] - **deps**: upgrade npm to 6.14.1 (Isaac Z. Schlueter) [#31977](https://togithub.com/nodejs/node/pull/31977) - \[[`47046aa5a9`](https://togithub.com/nodejs/node/commit/47046aa5a9)] - **deps**: openssl: cherry-pick [`4dcb150`](https://togithub.com/nodejs/node/commit/4dcb150ea30f) (Adam Majer) [#32002](https://togithub.com/nodejs/node/pull/32002) - \[[`098704c85d`](https://togithub.com/nodejs/node/commit/098704c85d)] - **deps**: upgrade to libuv 1.34.2 (Colin Ihrig) [#31477](https://togithub.com/nodejs/node/pull/31477) - \[[`4b1cccc4ce`](https://togithub.com/nodejs/node/commit/4b1cccc4ce)] - **deps**: upgrade to libuv 1.34.1 (Colin Ihrig) [#31332](https://togithub.com/nodejs/node/pull/31332) - \[[`fff6162693`](https://togithub.com/nodejs/node/commit/fff6162693)] - **(SEMVER-MINOR)** **deps**: upgrade to libuv 1.34.0 (Colin Ihrig) [#30783](https://togithub.com/nodejs/node/pull/30783) - \[[`6826ef0568`](https://togithub.com/nodejs/node/commit/6826ef0568)] - **deps**: upgrade to libuv 1.33.1 (Colin Ihrig) [#29996](https://togithub.com/nodejs/node/pull/29996) - \[[`aed7ca4fb0`](https://togithub.com/nodejs/node/commit/aed7ca4fb0)] - **deps**: upgrade to libuv 1.32.0 (Colin Ihrig) [#29508](https://togithub.com/nodejs/node/pull/29508) - \[[`794abbc758`](https://togithub.com/nodejs/node/commit/794abbc758)] - **deps**: upgrade to libuv 1.31.0 (Colin Ihrig) [#29070](https://togithub.com/nodejs/node/pull/29070) - \[[`ed71f55a54`](https://togithub.com/nodejs/node/commit/ed71f55a54)] - **deps**: upgrade to libuv 1.30.1 (Colin Ihrig) [#28511](https://togithub.com/nodejs/node/pull/28511) - \[[`7cde563235`](https://togithub.com/nodejs/node/commit/7cde563235)] - **deps**: upgrade to libuv 1.30.0 (Colin Ihrig) [#28449](https://togithub.com/nodejs/node/pull/28449) - \[[`b53ce6e6c5`](https://togithub.com/nodejs/node/commit/b53ce6e6c5)] - **deps**: upgrade to libuv 1.29.1 (Colin Ihrig) [#27718](https://togithub.com/nodejs/node/pull/27718) - \[[`9b2b66b7d8`](https://togithub.com/nodejs/node/commit/9b2b66b7d8)] - **deps**: V8: cherry-pick [`d89f4ef`](https://togithub.com/nodejs/node/commit/d89f4ef1cd62) (Milad Farazmand) [#31753](https://togithub.com/nodejs/node/pull/31753) - \[[`7eac95981e`](https://togithub.com/nodejs/node/commit/7eac95981e)] - **deps**: upgrade npm to 6.13.7 (Michael Perrotte) [#31558](https://togithub.com/nodejs/node/pull/31558) - \[[`db24641fbe`](https://togithub.com/nodejs/node/commit/db24641fbe)] - **deps**: upgrade npm to 6.13.6 (Ruy Adorno) [#31304](https://togithub.com/nodejs/node/pull/31304) - \[[`2e3d511cff`](https://togithub.com/nodejs/node/commit/2e3d511cff)] - **doc**: correct version metadata for Readable.from (Dave Vandyke) [#32639](https://togithub.com/nodejs/node/pull/32639) - \[[`34c1c2a82b`](https://togithub.com/nodejs/node/commit/34c1c2a82b)] - **doc**: add missing version metadata for Readable.from (Anna Henningsen) [#28695](https://togithub.com/nodejs/node/pull/28695) - \[[`aa7d369c72`](https://togithub.com/nodejs/node/commit/aa7d369c72)] - **doc**: update releaser list in README.md (Myles Borins) [#32577](https://togithub.com/nodejs/node/pull/32577) - \[[`05f5b3ecc4`](https://togithub.com/nodejs/node/commit/05f5b3ecc4)] - **doc**: remove em dashes (Rich Trott) [#32080](https://togithub.com/nodejs/node/pull/32080) - \[[`ffa9f9bd1b`](https://togithub.com/nodejs/node/commit/ffa9f9bd1b)] - **doc**: fix changelog for v10.18.1 (Andrew Hughes) [#31358](https://togithub.com/nodejs/node/pull/31358) - \[[`0177464b0e`](https://togithub.com/nodejs/node/commit/0177464b0e)] - **doc,tools**: get altDocs versions from CHANGELOG.md (Richard Lau) [#27661](https://togithub.com/nodejs/node/pull/27661) - \[[`e9c590ea00`](https://togithub.com/nodejs/node/commit/e9c590ea00)] - **(SEMVER-MINOR)** **n-api**: define release 6 (Gabriel Schulhof) [#32058](https://togithub.com/nodejs/node/pull/32058) - \[[`239377b654`](https://togithub.com/nodejs/node/commit/239377b654)] - **(SEMVER-MINOR)** **n-api**: correct instance data tests (Gabriel Schulhof) [#32488](https://togithub.com/nodejs/node/pull/32488) - \[[`ecbb331be0`](https://togithub.com/nodejs/node/commit/ecbb331be0)] - **(SEMVER-MINOR)** **n-api**: add napi_get_all_property_names (himself65) [#30006](https://togithub.com/nodejs/node/pull/30006) - \[[`f29fb14cf6`](https://togithub.com/nodejs/node/commit/f29fb14cf6)] - **(SEMVER-MINOR)** **n-api**: add APIs for per-instance state management (Gabriel Schulhof) [#28682](https://togithub.com/nodejs/node/pull/28682) - \[[`20177b9946`](https://togithub.com/nodejs/node/commit/20177b9946)] - **n-api**: turn NAPI_CALL_INTO_MODULE into a function (Anna Henningsen) [#26128](https://togithub.com/nodejs/node/pull/26128) - \[[`017909b847`](https://togithub.com/nodejs/node/commit/017909b847)] - **test**: fix tool path in test-doctool-versions.js (Richard Lau) [#32645](https://togithub.com/nodejs/node/pull/32645) - \[[`1ea70d641d`](https://togithub.com/nodejs/node/commit/1ea70d641d)] - **test**: fix flaky doctool and test (Rich Trott) [#29979](https://togithub.com/nodejs/node/pull/29979) - \[[`89692ff19b`](https://togithub.com/nodejs/node/commit/89692ff19b)] - **test**: end tls connection with some data (Sam Roberts) [#32328](https://togithub.com/nodejs/node/pull/32328) - \[[`9bd1317764`](https://togithub.com/nodejs/node/commit/9bd1317764)] - **test**: mark empty udp tests flaky on OS X (Sam Roberts) [#31936](https://togithub.com/nodejs/node/pull/31936) - \[[`5484e061b5`](https://togithub.com/nodejs/node/commit/5484e061b5)] - **test**: scale keepalive timeouts for slow machines (Ben Noordhuis) [#30834](https://togithub.com/nodejs/node/pull/30834) - \[[`3f9cec3f51`](https://togithub.com/nodejs/node/commit/3f9cec3f51)] - **test**: add debugging output to test-net-listen-after-destroy-stdin (Rich Trott) [#31698](https://togithub.com/nodejs/node/pull/31698) - \[[`f1a8791316`](https://togithub.com/nodejs/node/commit/f1a8791316)] - **test**: allow EAI_FAIL in test-http-dns-error.js (Colin Ihrig) [#27500](https://togithub.com/nodejs/node/pull/27500) - \[[`4b9a77909b`](https://togithub.com/nodejs/node/commit/4b9a77909b)] - **test**: mark tests as flaky (João Reis) [#30848](https://togithub.com/nodejs/node/pull/30848) - \[[`a8fd8a1a61`](https://togithub.com/nodejs/node/commit/a8fd8a1a61)] - **test**: mark http2 tests as flaky on 10.x (AshCripps) [#31887](https://togithub.com/nodejs/node/pull/31887) - \[[`2315270cb6`](https://togithub.com/nodejs/node/commit/2315270cb6)] - **test**: try to stabalize test-child-process-fork-exec-path.js (Refael Ackermann) [#27277](https://togithub.com/nodejs/node/pull/27277) - \[[`a2b0e9ef6a`](https://togithub.com/nodejs/node/commit/a2b0e9ef6a)] - **(SEMVER-MINOR)** **tls**: expose keylog event on TLSSocket (Alba Mendez) [#27654](https://togithub.com/nodejs/node/pull/27654) - \[[`1cfb45732a`](https://togithub.com/nodejs/node/commit/1cfb45732a)] - **(SEMVER-MINOR)** **tls**: support TLS min/max protocol defaults in CLI (Sam Roberts) [#27946](https://togithub.com/nodejs/node/pull/27946) - \[[`a175b8d3a7`](https://togithub.com/nodejs/node/commit/a175b8d3a7)] - **tools**: only fetch previous versions when necessary (Richard Lau) [#32518](https://togithub.com/nodejs/node/pull/32518) - \[[`3756be8511`](https://togithub.com/nodejs/node/commit/3756be8511)] - **tools**: add NODE_TEST_NO_INTERNET to the doc builder (Joyee Cheung) [#31849](https://togithub.com/nodejs/node/pull/31849) - \[[`ac1ea7312a`](https://togithub.com/nodejs/node/commit/ac1ea7312a)] - **tools**: make doctool work if no internet available (Richard Lau) [#30214](https://togithub.com/nodejs/node/pull/30214) - \[[`f235eea8b3`](https://togithub.com/nodejs/node/commit/f235eea8b3)] - **tools**: unify make-v8.sh for ppc64le and s390x (Richard Lau) [#31628](https://togithub.com/nodejs/node/pull/31628) - \[[`61e2d4856d`](https://togithub.com/nodejs/node/commit/61e2d4856d)] - **tools**: use CC instead of CXX when pointing to gcc (Milad Farazmand) [#30817](https://togithub.com/nodejs/node/pull/30817) - \[[`4390674624`](https://togithub.com/nodejs/node/commit/4390674624)] - **url**: handle quasi-WHATWG URLs in urlToOptions() (Colin Ihrig) [#26226](https://togithub.com/nodejs/node/pull/26226) - \[[`dc61e09feb`](https://togithub.com/nodejs/node/commit/dc61e09feb)] - **v8**: fix load elimination liveness checks (Ben Noordhuis) [#31613](https://togithub.com/nodejs/node/pull/31613) ### [`v10.19.0`](https://togithub.com/nodejs/node/releases/tag/v10.19.0): 2020-02-06, Version 10.19.0 'Dubnium' (LTS), @BethGriggs [Compare Source](https://togithub.com/nodejs/node/compare/v10.18.1...v10.19.0) ##### Notable changes This is a security release. Vulnerabilities fixed: - **CVE-2019-15606**: HTTP header values do not have trailing OWS trimmed. - **CVE-2019-15605**: HTTP request smuggling using malformed Transfer-Encoding header. - **CVE-2019-15604**: Remotely trigger an assertion on a TLS server with a malformed certificate string. Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the `--insecure-http-parser` command line flag, or the `insecureHTTPParser` http option. Using the insecure HTTP parser should be avoided. ##### Commits - \[[`f940bee3b7`](https://togithub.com/nodejs/node/commit/f940bee3b7)] - **crypto**: fix assertion caused by unsupported ext (Fedor Indutny) [nodejs-private/node-private#175](https://togithub.com/nodejs-private/node-private/pull/175) - \[[`49f4220ce5`](https://togithub.com/nodejs/node/commit/49f4220ce5)] - **deps**: upgrade http-parser to v2.9.3 (Sam Roberts) [nodejs-private/http-parser-private#4](https://togithub.com/nodejs-private/http-parser-private/pull/4) - \[[`a28e5cc1ed`](https://togithub.com/nodejs/node/commit/a28e5cc1ed)] - **(SEMVER-MINOR)** **deps**: upgrade http-parser to v2.9.1 (Sam Roberts) [#30471](https://togithub.com/nodejs/node/pull/30471) - \[[`0082f62d9c`](https://togithub.com/nodejs/node/commit/0082f62d9c)] - **(SEMVER-MINOR)** **http**: make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) [#31448](https://togithub.com/nodejs/node/pull/31448) - \[[`a9849c0ff6`](https://togithub.com/nodejs/node/commit/a9849c0ff6)] - **(SEMVER-MINOR)** **http**: opt-in insecure HTTP header parsing (Sam Roberts) [#30567](https://togithub.com/nodejs/node/pull/30567) - \[[`2eee90e959`](https://togithub.com/nodejs/node/commit/2eee90e959)] - **http**: strip trailing OWS from header values (Sam Roberts) [nodejs-private/node-private#191](https://togithub.com/nodejs-private/node-private/pull/191) - \[[`e2c8f89b75`](https://togithub.com/nodejs/node/commit/e2c8f89b75)] - **test**: using TE to smuggle reqs is not possible (Sam Roberts) [nodejs-private/node-private#192](https://togithub.com/nodejs-private/node-private/pull/192) - \[[`d616722f65`](https://togithub.com/nodejs/node/commit/d616722f65)] - **test**: check that --insecure-http-parser works (Sam Roberts) [#31253](https://togithub.com/nodejs/node/pull/31253) ### [`v10.18.1`](https://togithub.com/nodejs/node/releases/tag/v10.18.1): 2020-01-09, Version 10.18.1 'Dubnium' (LTS), @BethGriggs [Compare Source](https://togithub.com/nodejs/node/compare/v10.18.0...v10.18.1) ##### Notable changes - **http2**: fix session memory accounting after pausing (Michael Lehenbauer) [#30684](https://togithub.com/nodejs/node/pull/30684) - **n-api**: correct bug in napi_get_last_error (Octavian Soldea) [#28702](https://togithub.com/nodejs/node/pull/28702) - **tools**: update tzdata to 2019c (Myles Borins) [#30479](https://togithub.com/nodejs/node/pull/30479) ##### Commits - \[[`a80c59130e`](https://togithub.com/nodejs/node/commit/a80c59130e)] - **build**: fix configure script to work with Apple Clang 11 (Saagar Jha) [#28071](https://togithub.com/nodejs/node/pull/28071) - \[[`68b2b5cc51`](https://togithub.com/nodejs/node/commit/68b2b5cc51)] - **build,win**: propagate error codes in vcbuild (João Reis) [#30724](https://togithub.com/nodejs/node/pull/30724) - \[[`3e0709cf5e`](https://togithub.com/nodejs/node/commit/3e0709cf5e)] - **deps**: V8: backport [`fb63e5c`](https://togithub.com/nodejs/node/commit/fb63e5cf55e9) (Michaël Zasso) - \[[`25b8fbda35`](https://togithub.com/nodejs/node/commit/25b8fbda35)] - **doc**: allow \in header elements (Rich Trott) [#31086](https://togithub.com/nodejs/node/pull/31086) - \[[`a1b095dd46`](https://togithub.com/nodejs/node/commit/a1b095dd46)] - **doc,dns**: use code markup/markdown in headers (Rich Trott) [#31086](https://togithub.com/nodejs/node/pull/31086) - \[[`8f3b8ca515`](https://togithub.com/nodejs/node/commit/8f3b8ca515)] - **http2**: fix session memory accounting after pausing (Michael Lehenbauer) [#30684](https://togithub.com/nodejs/node/pull/30684) - \[[`20f64a96de`](https://togithub.com/nodejs/node/commit/20f64a96de)] - **http2**: use the latest settings (ZYSzys) [#29780](https://togithub.com/nodejs/node/pull/29780) - \[[`81c31005fd`](https://togithub.com/nodejs/node/commit/81c31005fd)] - **lib**: fix comment nits in bootstrap\loaders.js (Vse Mozhet Byt) [#24641](https://togithub.com/nodejs/node/pull/24641) - \[[`88e8b7cf83`](https://togithub.com/nodejs/node/commit/88e8b7cf83)] - **n-api**: correct bug in napi_get_last_error (Octavian Soldea) [#28702](https://togithub.com/nodejs/node/pull/28702) - \[[`77e0318849`](https://togithub.com/nodejs/node/commit/77e0318849)] - **stream**: increase MAX_HWM (Robert Nagy) [#29938](https://togithub.com/nodejs/node/pull/29938) - \[[`894aaa2040`](https://togithub.com/nodejs/node/commit/894aaa2040)] - **stream**: extract Readable.from in its own file (Matteo Collina) [#30140](https://togithub.com/nodejs/node/pull/30140) - \[[`7e941eb17d`](https://togithub.com/nodejs/node/commit/7e941eb17d)] - **test**: do not fail SLOW tests if they are not slow (Yang Guo) [#25868](https://togithub.com/nodejs/node/pull/25868) - \[[`0f3ae77aaf`](https://togithub.com/nodejs/node/commit/0f3ae77aaf)] - **tools**: update tzdata to 2019c (Myles Borins) [#30479](https://togithub.com/nodejs/node/pull/30479) - \[[`4ae8d204cb`](https://togithub.com/nodejs/node/commit/4ae8d204cb)] - **tools**: move python code out of jenkins shell (Sam Roberts) [#28458](https://togithub.com/nodejs/node/pull/28458) - \[[`4879b80d87`](https://togithub.com/nodejs/node/commit/4879b80d87)] - **tools**: fix v8 testing with devtoolset on ppcle (Sam Roberts) [#28458](https://togithub.com/nodejs/node/pull/28458) ### [`v10.18.0`](https://togithub.com/nodejs/node/releases/tag/v10.18.0): 2019-12-17, Version 10.18.0 'Dubnium' (LTS), @MylesBorins [Compare Source](https://togithub.com/nodejs/node/compare/v10.17.0...v10.18.0) This is a security release. For more details about the vulnerability please consult the npm blog: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli ##### Notable changes - **deps**: update npm to 6.13.4 [#30904](https://togithub.com/nodejs/node/pull/30904) ##### Commits - \[[`54a466a865`](https://togithub.com/nodejs/node/commit/54a466a865)] - **build,win**: add test-ci-native and test-ci-js (João Reis) [#30724](https://togithub.com/nodejs/node/pull/30724) - \[[`f9b31edb25`](https://togithub.com/nodejs/node/commit/f9b31edb25)] - **deps**: update npm to 6.13.4 (Isaac Z. Schlueter) [#30904](https://togithub.com/nodejs/node/pull/30904) ### [`v10.17.0`](https://togithub.com/nodejs/node/releases/tag/v10.17.0): 2019-10-22, Version 10.17.0 'Dubnium' (LTS), @BethGriggs [Compare Source](https://togithub.com/nodejs/node/compare/v10.16.3...v10.17.0) ##### Notable changes - **crypto**: - add support for chacha20-poly1305 for AEAD (chux0519) [#24081](https://togithub.com/nodejs/node/pull/24081) - increase maxmem range from 32 to 53 bits (Tobias Nießen) [#28799](https://togithub.com/nodejs/node/pull/28799) - **deps**: - update npm to 6.11.3 (claudiahdz) [#29430](https://togithub.com/nodejs/node/pull/29430) - upgrade openssl sources to 1.1.1d (Sam Roberts) [#29921](https://togithub.com/nodejs/node/pull/29921) - **dns**: remove dns.promises experimental warning (cjihrig) [#26592](https://togithub.com/nodejs/node/pull/26592) - **fs**: remove experimental warning for fs.promises (Anna Henningsen) [#26581](https://togithub.com/nodejs/node/pull/26581) - **http**: makes response.writeHead return the response (Mark S. Everitt) [#25974](https://togithub.com/nodejs/node/pull/25974) - **http2**: makes response.writeHead return the response (Mark S. Everitt) [#25974](https://togithub.com/nodejs/node/pull/25974) - **n-api**: - make func argument of napi_create_threadsafe_function optional (legendecas) [#27791](https://togithub.com/nodejs/node/pull/27791) - mark version 5 N-APIs as stable (Gabriel Schulhof) [#29401](https://togithub.com/nodejs/node/pull/29401) - implement date object (Jarrod Connolly) [#25917](https://togithub.com/nodejs/node/pull/25917) - **process**: add --unhandled-rejections flag (Ruben Bridgewater) [#26599](https://togithub.com/nodejs/node/pull/26599) - **stream**: - implement Readable.from async iterator utility (Guy Bedford) [#27660](https://togithub.com/nodejs/node/pull/27660) - make Symbol.asyncIterator support stable (Matteo Collina) [#26989](https://togithub.com/nodejs/node/pull/26989) ##### Commits - \[[`f1a5a36961`](https://togithub.com/nodejs/node/commit/f1a5a36961)] - **build**: update Windows icon to Feb 2016 rebrand (Mike MacCana) [#28524](https://togithub.com/nodejs/node/pull/28524) - \[[`63de2ade85`](https://togithub.com/nodejs/node/commit/63de2ade85)] - **(SEMVER-MINOR)** **crypto**: add support for chacha20-poly1305 for AEAD (chux0519) [#24081](https://togithub.com/nodejs/node/pull/24081) - \[[`4f0f12c3d6`](https://togithub.com/nodejs/node/commit/4f0f12c3d6)] - **crypto**: fix rsa key gen with non-default exponent (Sam Roberts) [#27092](https://togithub.com/nodejs/node/pull/27092) - \[[`7735824d2c`](https://togithub.com/nodejs/node/commit/7735824d2c)] - **(SEMVER-MINOR)** **crypto**: increase maxmem range from 32 to 53 bits (Tobias Nießen) [#28799](https://togithub.com/nodejs/node/pull/28799) - \[[`e53dbba6bc`](https://togithub.com/nodejs/node/commit/e53dbba6bc)] - **deps**: update npm to 6.11.3 (claudiahdz) [#29430](https://togithub.com/nodejs/node/pull/29430) - \[[`55cd01c5c3`](https://togithub.com/nodejs/node/commit/55cd01c5c3)] - **(SEMVER-MINOR)** **deps**: update npm to 6.10.3 (isaacs) [#29023](https://togithub.com/nodejs/node/pull/29023) - \[[`e2291cf805`](https://togithub.com/nodejs/node/commit/e2291cf805)] - **deps**: upgrade npm to 6.10.2 (isaacs) [#28853](https://togithub.com/nodejs/node/pull/28853) - \[[`03b69660f9`](https://togithub.com/nodejs/node/commit/03b69660f9)] - **deps**: upgrade npm to 6.10.0 (isaacs) [#28525](https://togithub.com/nodejs/node/pull/28525) - \[[`333963ef73`](https://togithub.com/nodejs/node/commit/333963ef73)] - **deps**: dlloads node static linked executable (Luca Lindhorst) [#28045](https://togithub.com/nodejs/node/pull/28045) - \[[`7202792ad3`](https://togithub.com/nodejs/node/commit/7202792ad3)] - **deps**: update archs files for OpenSSL-1.1.1d (Sam Roberts) [#29921](https://togithub.com/nodejs/node/pull/29921) - \[[`9c393f1d02`](https://togithub.com/nodejs/node/commit/9c393f1d02)] - **deps**: upgrade openssl sources to 1.1.1d (Sam Roberts) [#29921](https://togithub.com/nodejs/node/pull/29921) - \[[`7f48519413`](https://togithub.com/nodejs/node/commit/7f48519413)] - **deps**: do not link against librt (Sam Roberts) [#29729](https://togithub.com/nodejs/node/pull/29729) - \[[`fcc22d31a0`](https://togithub.com/nodejs/node/commit/fcc22d31a0)] - **(SEMVER-MINOR)** **dns**: make dns.promises enumerable (cjihrig) [#26592](https://togithub.com/nodejs/node/pull/26592) - \[[`fa27aac5fb`](https://togithub.com/nodejs/node/commit/fa27aac5fb)] - **(SEMVER-MINOR)** **dns**: remove dns.promises experimental warning (cjihrig) [#26592](https://togithub.com/nodejs/node/pull/26592) - \[[`90fb146933`](https://togithub.com/nodejs/node/commit/90fb146933)] - **(SEMVER-MINOR)** **doc**: move dns.promises to stable status (cjihrig) [#26592](https://togithub.com/nodejs/node/pull/26592) - \[[`65e68d1f4f`](https://togithub.com/nodejs/node/commit/65e68d1f4f)] - **doc**: add documentation for stream readableFlowing (Chetan Karande) [#29506](https://togithub.com/nodejs/node/pull/29506) - \[[`c285e694e2`](https://togithub.com/nodejs/node/commit/c285e694e2)] - **doc**: fix the links tls default version sections (Chetan Karande) [#28827](https://togithub.com/nodejs/node/pull/28827) - \[[`cef5010135`](https://togithub.com/nodejs/node/commit/cef5010135)] - **doc**: describe tls.DEFAULT_MIN_VERSION/\_MAX_VERSION (Chetan Karande) [#28827](https://togithub.com/nodejs/node/pull/28827) - \[[`15c2eb0e58`](https://togithub.com/nodejs/node/commit/15c2eb0e58)] - **doc**: update N-API version matrix (Gabriel Schulhof) [#29461](https://togithub.com/nodejs/node/pull/29461) - \[[`a3eda2896d`](https://togithub.com/nodejs/node/commit/a3eda2896d)] - **doc**: fixup changelog for v10.16.3 (Andrew Hughes) [#29159](https://togithub.com/nodejs/node/pull/29159) - \[[`56a834a53f`](https://togithub.com/nodejs/node/commit/56a834a53f)] - **doc,test**: clarify that Http2Stream is destroyed after data is read (Alba Mendez) [#27891](https://togithub.com/nodejs/node/pull/27891) - \[[`85ce8ef19a`](https://togithub.com/nodejs/node/commit/85ce8ef19a)] - **(SEMVER-MINOR)** **fs**: remove experimental warning for fs.promises (Anna Henningsen) [#26581](https://togithub.com/nodejs/node/pull/26581) - \[[`ccf2823f83`](https://togithub.com/nodejs/node/commit/ccf2823f83)] - **(SEMVER-MINOR)** **http**: makes response.writeHead return the response (Mark S. Everitt) [#25974](https://togithub.com/nodejs/node/pull/25974) - \[[`66387cd45e`](https://togithub.com/nodejs/node/commit/66387cd45e)] - **http2**: send out pending data earlier (Anna Henningsen) [#29398](https://togithub.com/nodejs/node/pull/29398) - \[[`925849650b`](https://togithub.com/nodejs/node/commit/925849650b)] - **(SEMVER-MINOR)** **http2**: makes response.writeHead return the response (Mark S. Everitt) [#25974](https://togithub.com/nodejs/node/pull/25974) - \[[`69b0212df3`](https://togithub.com/nodejs/node/commit/69b0212df3)] - **http2**: do not start reading after write if new write is on wire (Anna Henningsen) [#29399](https://togithub.com/nodejs/node/pull/29399) - \[[`36a0e9a063`](https://togithub.com/nodejs/node/commit/36a0e9a063)] - **http2**: do not crash on stream listener removal w/ destroyed session (Anna Henningsen) [#29459](https://togithub.com/nodejs/node/pull/29459) - \[[`c74c6a5ccf`](https://togithub.com/nodejs/node/commit/c74c6a5ccf)] - **n-api**: mark version 5 N-APIs as stable (Gabriel Schulhof) [#29401](https://togithub.com/nodejs/node/pull/29401) - \[[`f8622762e3`](https://togithub.com/nodejs/node/commit/f8622762e3)] - **(SEMVER-MINOR)** **n-api**: make func argument of napi_create_threadsafe_function optional (legendecas) [#27791](https://togithub.com/nodejs/node/pull/27791) - \[[`4f41e4f471`](https://togithub.com/nodejs/node/commit/4f41e4f471)] - **(SEMVER-MINOR)** **n-api**: implement date object (Jarrod Connolly) [#25917](https://togithub.com/nodejs/node/pull/25917) - \[[`69bf5b7944`](https://togithub.com/nodejs/node/commit/69bf5b7944)] - **net**: treat ENOTCONN at shutdown as success (Anna Henningsen) [#29912](https://togithub.com/nodejs/node/pull/29912) - \[[`d6c998a478`](https://togithub.com/nodejs/node/commit/d6c998a478)] - **process**: use public readableFlowing property (Chetan Karande) [#29502](https://togithub.com/nodejs/node/pull/29502) - \[[`b43d7e8f42`](https://togithub.com/nodejs/node/commit/b43d7e8f42)] - **(SEMVER-MINOR)** **process**: add --unhandled-rejections flag (Ruben Bridgewater) [#26599](https://togithub.com/nodejs/node/pull/26599) - \[[`79f3844fb0`](https://togithub.com/nodejs/node/commit/79f3844fb0)] - **(SEMVER-MINOR)** **readline**: make Symbol.asyncIterator support stable (Matteo Collina) [#26989](https://togithub.com/nodejs/node/pull/26989) - \[[`18b140ae75`](https://togithub.com/nodejs/node/commit/18b140ae75)] - **src**: use maybe version v8::Function::Call (Ouyang Yadong) [#23826](https://togithub.com/nodejs/node/pull/23826) - \[[`1bb5102999`](https://togithub.com/nodejs/node/commit/1bb5102999)] - **src**: use more explicit return type in Sign::SignFinal() (Anna Henningsen) [#23779](https://togithub.com/nodejs/node/pull/23779) - \[[`859d47593e`](https://togithub.com/nodejs/node/commit/859d47593e)] - **src**: reduce platform worker barrier lifetime (Ali Ijaz Sheikh) [#23419](https://togithub.com/nodejs/node/pull/23419) - \[[`00831f0293`](https://togithub.com/nodejs/node/commit/00831f0293)] - **(SEMVER-MINOR)** **stream**: make Symbol.asyncIterator support stable (Matteo Collina) [#26989](https://togithub.com/nodejs/node/pull/26989) - \[[`ddb5152e9b`](https://togithub.com/nodejs/node/commit/ddb5152e9b)] - **(SEMVER-MINOR)** **stream**: implement Readable.from async iterator utility (Guy Bedford) [#27660](https://togithub.com/nodejs/node/pull/27660) - \[[`13d8549abd`](https://togithub.com/nodejs/node/commit/13d8549abd)] - **test**: well-defined DH groups now verify clean (Sam Roberts) [#29550](https://togithub.com/nodejs/node/pull/29550) - \[[`f78ecc3f93`](https://togithub.com/nodejs/node/commit/f78ecc3f93)] - **test**: fix race in test-http2-origin (Alba Mendez) [#28903](https://togithub.com/nodejs/node/pull/28903) - \[[`2afbb3efab`](https://togithub.com/nodejs/node/commit/2afbb3efab)] - **test,win**: cleanup exec-timeout processes (João Reis) [#28723](https://togithub.com/nodejs/node/pull/28723) - \[[`fe58bca878`](https://togithub.com/nodejs/node/commit/fe58bca878)] - **tls**: group chunks into TLS segments (Alba Mendez) [#27861](https://togithub.com/nodejs/node/pull/27861) - \[[`2eae030a4b`](https://togithub.com/nodejs/node/commit/2eae030a4b)] - **(SEMVER-MINOR)** **worker**: add missing return value in case of fatal exceptions (Ruben Bridgewater) [#29036](https://togithub.com/nodejs/node/pull/29036) - \[[`e8c90bf4d1`](https://togithub.com/nodejs/node/commit/e8c90bf4d1)] - **zlib**: do not coalesce multiple `.flush()` calls (Anna Henningsen) [#28520](https://togithub.com/nodejs/node/pull/28520) ### [`v10.16.3`](https://togithub.com/nodejs/node/releases/tag/v10.16.3): 2019-08-15, Version 10.16.3 'Dubnium' (LTS), @BethGriggs [Compare Source](https://togithub.com/nodejs/node/compare/v10.16.2...v10.16.3) ##### Notable changes This is a security release. Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Vulnerabilities fixed: - **CVE-2019-9511 “Data Dribble”**: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. - **CVE-2019-9512 “Ping Flood”**: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. - **CVE-2019-9513 “Resource Loop”**: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service. - **CVE-2019-9514 “Reset Flood”**: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service. - **CVE-2019-9515 “Settings Flood”**: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. - **CVE-2019-9516 “0-Length Headers Leak”**: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service. - **CVE-2019-9517 “Internal Data Buffering”**: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service. - **CVE-2019-9518 “Empty Frames Flood”**: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google) ##### Commits - \[[`74507fae34`](https://togithub.com/nodejs/node/commit/74507fae34)] - **deps**: update nghttp2 to 1.39.2 (Anna Henningsen) [#29122](https://togithub.com/nodejs/node/pull/29122) - \[[`a397c881ec`](https://togithub.com/nodejs/node/commit/a397c881ec)] - **deps**: update nghttp2 to 1.39.1 (gengjiawen) [#28448](https://togithub.com/nodejs/node/pull/28448) - \[[`fedfa12a33`](https://togithub.com/nodejs/node/commit/fedfa12a33)] - **deps**: update nghttp2 to 1.38.0 (gengjiawen) [#27295](https://togithub.com/nodejs/node/pull/27295) - \[[`ab0f2ace36`](https://togithub.com/nodejs/node/commit/ab0f2ace36)] - **deps**: update nghttp2 to 1.37.0 (gengjiawen) [#26990](https://togithub.com/nodejs/node/pull/26990) - \[[`0acbe05ee2`](https://togithub.com/nodejs/node/commit/0acbe05ee2)] - **http2**: allow
Configuration
📅 Schedule: Branch creation - "before 3am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.