doc: use consistent indenting for unordered list items

Address Markdownlint MD007 rule.
Default suggestion is 2 space indenting for unordered list items.

PR-URL: https://github.com/nodejs/node/pull/29390
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Nick Schonning 2019-09-01 02:18:32 -04:00 committed by Rich Trott
parent 27a57d3a34
commit a3307eac0e
14 changed files with 278 additions and 278 deletions

@ -243,8 +243,8 @@ transition before the year-end deadline.
* `gcc` and `g++` >= 6.3 or newer, or
* GNU Make 3.81 or newer
* Python (see note above)
* Python 2.7
* Python 3.5, 3.6, and 3.7 are experimental.
* Python 2.7
* Python 3.5, 3.6, and 3.7 are experimental.
Installation via Linux package manager can be achieved with:
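
Review bot: Nothing in the hunks shown keeps the nested `Python 2.7` and `Python 3.5, 3.6, and 3.7 are experimental.` items at the new indent once this lands. If the MD007 rule named in the commit message is not already switched on in the lint configuration, enable it as part of this PR so the re-indented lists cannot drift back.
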
@ -259,8 +259,8 @@ FreeBSD and OpenBSD users may also need to install `libexecinfo`.
* Xcode Command Line Tools >= 8 for macOS
* Python (see note above)
* Python 2.7
* Python 3.5, 3.6, and 3.7 are experimental.
* Python 2.7
* Python 3.5, 3.6, and 3.7 are experimental.
macOS users can install the `Xcode Command Line Tools` by running
`xcode-select --install`. Alternatively, if you already have the full Xcode

@ -1977,20 +1977,20 @@ changes:
exceed this limit will result in a `'frameError'` event being emitted
and the stream being closed and destroyed.
* `paddingStrategy` {number} Identifies the strategy used for determining the
amount of padding to use for `HEADERS` and `DATA` frames. **Default:**
`http2.constants.PADDING_STRATEGY_NONE`. Value may be one of:
* `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is
to be applied.
* `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum
amount of padding, as determined by the internal implementation, is to
be applied.
* `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply
enough padding to ensure that the total frame length, including the
9-byte header, is a multiple of 8. For each frame, however, there is a
maximum allowed number of padding bytes that is determined by current
flow control state and settings. If this maximum is less than the
calculated amount needed to ensure alignment, the maximum will be used
and the total frame length will *not* necessarily be aligned at 8 bytes.
amount of padding to use for `HEADERS` and `DATA` frames. **Default:**
`http2.constants.PADDING_STRATEGY_NONE`. Value may be one of:
* `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is
to be applied.
* `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum
amount of padding, as determined by the internal implementation, is to
be applied.
* `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply
enough padding to ensure that the total frame length, including the
9-byte header, is a multiple of 8. For each frame, however, there is a
maximum allowed number of padding bytes that is determined by current
flow control state and settings. If this maximum is less than the
calculated amount needed to ensure alignment, the maximum will be used
and the total frame length will *not* necessarily be aligned at 8 bytes.
* `peerMaxConcurrentStreams` {number} Sets the maximum number of concurrent
streams for the remote peer as if a `SETTINGS` frame had been received. Will
be overridden if the remote peer sets its own value for
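
Review bot: The `paddingStrategy` sub-list re-indented here appears word for word in the hunks at 2091 and 2191 as well, so any later wording fix to the `PADDING_STRATEGY_ALIGNED` caveat has to be made three times. For this PR, please confirm that all three copies ended up with the same nesting; a follow-up that keeps one copy and links to it from the other two option lists would remove the risk of them diverging.
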
@ -2091,20 +2091,20 @@ changes:
exceed this limit will result in a `'frameError'` event being emitted
and the stream being closed and destroyed.
* `paddingStrategy` {number} Identifies the strategy used for determining the
amount of padding to use for `HEADERS` and `DATA` frames. **Default:**
`http2.constants.PADDING_STRATEGY_NONE`. Value may be one of:
* `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is
to be applied.
* `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum
amount of padding, as determined by the internal implementation, is to
be applied.
* `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply
enough padding to ensure that the total frame length, including the
9-byte header, is a multiple of 8. For each frame, however, there is a
maximum allowed number of padding bytes that is determined by current
flow control state and settings. If this maximum is less than the
calculated amount needed to ensure alignment, the maximum will be used
and the total frame length will *not* necessarily be aligned at 8 bytes.
amount of padding to use for `HEADERS` and `DATA` frames. **Default:**
`http2.constants.PADDING_STRATEGY_NONE`. Value may be one of:
* `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is
to be applied.
* `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum
amount of padding, as determined by the internal implementation, is to
be applied.
* `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply
enough padding to ensure that the total frame length, including the
9-byte header, is a multiple of 8. For each frame, however, there is a
maximum allowed number of padding bytes that is determined by current
flow control state and settings. If this maximum is less than the
calculated amount needed to ensure alignment, the maximum will be used
and the total frame length will *not* necessarily be aligned at 8 bytes.
* `peerMaxConcurrentStreams` {number} Sets the maximum number of concurrent
streams for the remote peer as if a `SETTINGS` frame had been received. Will
be overridden if the remote peer sets its own value for
@ -2191,20 +2191,20 @@ changes:
exceed this limit will result in a `'frameError'` event being emitted
and the stream being closed and destroyed.
* `paddingStrategy` {number} Identifies the strategy used for determining the
amount of padding to use for `HEADERS` and `DATA` frames. **Default:**
`http2.constants.PADDING_STRATEGY_NONE`. Value may be one of:
* `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is
to be applied.
* `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum
amount of padding, as determined by the internal implementation, is to
be applied.
* `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply
enough padding to ensure that the total frame length, including the
9-byte header, is a multiple of 8. For each frame, however, there is a
maximum allowed number of padding bytes that is determined by current
flow control state and settings. If this maximum is less than the
calculated amount needed to ensure alignment, the maximum will be used
and the total frame length will *not* necessarily be aligned at 8 bytes.
amount of padding to use for `HEADERS` and `DATA` frames. **Default:**
`http2.constants.PADDING_STRATEGY_NONE`. Value may be one of:
* `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is
to be applied.
* `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum
amount of padding, as determined by the internal implementation, is to
be applied.
* `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply
enough padding to ensure that the total frame length, including the
9-byte header, is a multiple of 8. For each frame, however, there is a
maximum allowed number of padding bytes that is determined by current
flow control state and settings. If this maximum is less than the
calculated amount needed to ensure alignment, the maximum will be used
and the total frame length will *not* necessarily be aligned at 8 bytes.
* `peerMaxConcurrentStreams` {number} Sets the maximum number of concurrent
streams for the remote peer as if a `SETTINGS` frame had been received. Will
be overridden if the remote peer sets its own value for

@ -723,8 +723,8 @@ added: v6.1.0
* `previousValue` {Object} A previous return value from calling
`process.cpuUsage()`
* Returns: {Object}
* `user` {integer}
* `system` {integer}
* `user` {integer}
* `system` {integer}
The `process.cpuUsage()` method returns the user and system CPU time usage of
the current process, in an object with properties `user` and `system`, whose
@ -1450,10 +1450,10 @@ changes:
-->
* Returns: {Object}
* `rss` {integer}
* `heapTotal` {integer}
* `heapUsed` {integer}
* `external` {integer}
* `rss` {integer}
* `heapTotal` {integer}
* `heapUsed` {integer}
* `external` {integer}
The `process.memoryUsage()` method returns an object describing the memory usage
of the Node.js process measured in bytes.
@ -1866,45 +1866,45 @@ added: v12.6.0
* Returns: {Object} the resource usage for the current process. All of these
values come from the `uv_getrusage` call which returns
a [`uv_rusage_t` struct][uv_rusage_t].
* `userCPUTime` {integer} maps to `ru_utime` computed in microseconds.
It is the same value as [`process.cpuUsage().user`][process.cpuUsage].
* `systemCPUTime` {integer} maps to `ru_stime` computed in microseconds.
It is the same value as [`process.cpuUsage().system`][process.cpuUsage].
* `maxRSS` {integer} maps to `ru_maxrss` which is the maximum resident set
size used in kilobytes.
* `sharedMemorySize` {integer} maps to `ru_ixrss` but is not supported by
any platform.
* `unsharedDataSize` {integer} maps to `ru_idrss` but is not supported by
any platform.
* `unsharedStackSize` {integer} maps to `ru_isrss` but is not supported by
any platform.
* `minorPageFault` {integer} maps to `ru_minflt` which is the number of
minor page faults for the process, see
[this article for more details][wikipedia_minor_fault].
* `majorPageFault` {integer} maps to `ru_majflt` which is the number of
major page faults for the process, see
[this article for more details][wikipedia_major_fault]. This field is not
supported on Windows.
* `swappedOut` {integer} maps to `ru_nswap` but is not supported by any
platform.
* `fsRead` {integer} maps to `ru_inblock` which is the number of times the
file system had to perform input.
* `fsWrite` {integer} maps to `ru_oublock` which is the number of times the
file system had to perform output.
* `ipcSent` {integer} maps to `ru_msgsnd` but is not supported by any
platform.
* `ipcReceived` {integer} maps to `ru_msgrcv` but is not supported by any
platform.
* `signalsCount` {integer} maps to `ru_nsignals` but is not supported by any
platform.
* `voluntaryContextSwitches` {integer} maps to `ru_nvcsw` which is the
number of times a CPU context switch resulted due to a process voluntarily
giving up the processor before its time slice was completed (usually to
await availability of a resource). This field is not supported on Windows.
* `involuntaryContextSwitches` {integer} maps to `ru_nivcsw` which is the
number of times a CPU context switch resulted due to a higher priority
process becoming runnable or because the current process exceeded its
time slice. This field is not supported on Windows.
* `userCPUTime` {integer} maps to `ru_utime` computed in microseconds.
It is the same value as [`process.cpuUsage().user`][process.cpuUsage].
* `systemCPUTime` {integer} maps to `ru_stime` computed in microseconds.
It is the same value as [`process.cpuUsage().system`][process.cpuUsage].
* `maxRSS` {integer} maps to `ru_maxrss` which is the maximum resident set
size used in kilobytes.
* `sharedMemorySize` {integer} maps to `ru_ixrss` but is not supported by
any platform.
* `unsharedDataSize` {integer} maps to `ru_idrss` but is not supported by
any platform.
* `unsharedStackSize` {integer} maps to `ru_isrss` but is not supported by
any platform.
* `minorPageFault` {integer} maps to `ru_minflt` which is the number of
minor page faults for the process, see
[this article for more details][wikipedia_minor_fault].
* `majorPageFault` {integer} maps to `ru_majflt` which is the number of
major page faults for the process, see
[this article for more details][wikipedia_major_fault]. This field is not
supported on Windows.
* `swappedOut` {integer} maps to `ru_nswap` but is not supported by any
platform.
* `fsRead` {integer} maps to `ru_inblock` which is the number of times the
file system had to perform input.
* `fsWrite` {integer} maps to `ru_oublock` which is the number of times the
file system had to perform output.
* `ipcSent` {integer} maps to `ru_msgsnd` but is not supported by any
platform.
* `ipcReceived` {integer} maps to `ru_msgrcv` but is not supported by any
platform.
* `signalsCount` {integer} maps to `ru_nsignals` but is not supported by any
platform.
* `voluntaryContextSwitches` {integer} maps to `ru_nvcsw` which is the
number of times a CPU context switch resulted due to a process voluntarily
giving up the processor before its time slice was completed (usually to
await availability of a resource). This field is not supported on Windows.
* `involuntaryContextSwitches` {integer} maps to `ru_nivcsw` which is the
number of times a CPU context switch resulted due to a higher priority
process becoming runnable or because the current process exceeded its
time slice. This field is not supported on Windows.
```js
console.log(process.resourceUsage());

@ -1143,9 +1143,9 @@ The formatting process operates as follows:
colon (`:`) character, the literal string `:` will be appended to `result`.
* If either of the following conditions is true, then the literal string `//`
will be appended to `result`:
* `urlObject.slashes` property is true;
* `urlObject.protocol` begins with `http`, `https`, `ftp`, `gopher`, or
`file`;
* `urlObject.slashes` property is true;
* `urlObject.protocol` begins with `http`, `https`, `ftp`, `gopher`, or
`file`;
* If the value of the `urlObject.auth` property is truthy, and either
`urlObject.host` or `urlObject.hostname` are not `undefined`, the value of
`urlObject.auth` will be coerced into a string and appended to `result`

@ -90,12 +90,12 @@ changes:
`import()` will reject with [`ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING`][].
This option is part of the experimental API for the `--experimental-modules`
flag, and should not be considered stable.
* `specifier` {string} specifier passed to `import()`
* `module` {vm.SourceTextModule}
* Returns: {Module Namespace Object|vm.SourceTextModule} Returning a
`vm.SourceTextModule` is recommended in order to take advantage of error
tracking, and to avoid issues with namespaces that contain `then`
function exports.
* `specifier` {string} specifier passed to `import()`
* `module` {vm.SourceTextModule}
* Returns: {Module Namespace Object|vm.SourceTextModule} Returning a
`vm.SourceTextModule` is recommended in order to take advantage of error
tracking, and to avoid issues with namespaces that contain `then`
function exports.
If `options` is a string, then it specifies the filename.
@ -432,12 +432,12 @@ const contextifiedSandbox = vm.createContext({ secret: 42 });
* `importModuleDynamically` {Function} Called during evaluation of this module
when `import()` is called. If this option is not specified, calls to
`import()` will reject with [`ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING`][].
* `specifier` {string} specifier passed to `import()`
* `module` {vm.SourceTextModule}
* Returns: {Module Namespace Object|vm.SourceTextModule} Returning a
`vm.SourceTextModule` is recommended in order to take advantage of error
tracking, and to avoid issues with namespaces that contain `then`
function exports.
* `specifier` {string} specifier passed to `import()`
* `module` {vm.SourceTextModule}
* Returns: {Module Namespace Object|vm.SourceTextModule} Returning a
`vm.SourceTextModule` is recommended in order to take advantage of error
tracking, and to avoid issues with namespaces that contain `then`
function exports.
Creates a new ES `Module` object.
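
Review bot: The `importModuleDynamically` entry in this hunk goes straight from the `ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING` sentence to the `specifier` sub-item, while the same entry in the other four vm hunks carries "This option is part of the experimental API for the `--experimental-modules` flag, and should not be considered stable." in between. If the omission is not deliberate, add the sentence here so the five copies of this option read the same; if it is deliberate, a short comment in the PR saying why would help the next person who touches these lists.
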
@ -817,12 +817,12 @@ changes:
`import()` will reject with [`ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING`][].
This option is part of the experimental API for the `--experimental-modules`
flag, and should not be considered stable.
* `specifier` {string} specifier passed to `import()`
* `module` {vm.SourceTextModule}
* Returns: {Module Namespace Object|vm.SourceTextModule} Returning a
`vm.SourceTextModule` is recommended in order to take advantage of error
tracking, and to avoid issues with namespaces that contain `then`
function exports.
* `specifier` {string} specifier passed to `import()`
* `module` {vm.SourceTextModule}
* Returns: {Module Namespace Object|vm.SourceTextModule} Returning a
`vm.SourceTextModule` is recommended in order to take advantage of error
tracking, and to avoid issues with namespaces that contain `then`
function exports.
* Returns: {any} the result of the very last statement executed in the script.
The `vm.runInContext()` method compiles `code`, runs it within the context of
@ -915,12 +915,12 @@ changes:
`import()` will reject with [`ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING`][].
This option is part of the experimental API for the `--experimental-modules`
flag, and should not be considered stable.
* `specifier` {string} specifier passed to `import()`
* `module` {vm.SourceTextModule}
* Returns: {Module Namespace Object|vm.SourceTextModule} Returning a
`vm.SourceTextModule` is recommended in order to take advantage of error
tracking, and to avoid issues with namespaces that contain `then`
function exports.
* `specifier` {string} specifier passed to `import()`
* `module` {vm.SourceTextModule}
* Returns: {Module Namespace Object|vm.SourceTextModule} Returning a
`vm.SourceTextModule` is recommended in order to take advantage of error
tracking, and to avoid issues with namespaces that contain `then`
function exports.
* Returns: {any} the result of the very last statement executed in the script.
The `vm.runInNewContext()` first contextifies the given `sandbox` object (or
@ -993,12 +993,12 @@ changes:
`import()` will reject with [`ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING`][].
This option is part of the experimental API for the `--experimental-modules`
flag, and should not be considered stable.
* `specifier` {string} specifier passed to `import()`
* `module` {vm.SourceTextModule}
* Returns: {Module Namespace Object|vm.SourceTextModule} Returning a
`vm.SourceTextModule` is recommended in order to take advantage of error
tracking, and to avoid issues with namespaces that contain `then`
function exports.
* `specifier` {string} specifier passed to `import()`
* `module` {vm.SourceTextModule}
* Returns: {Module Namespace Object|vm.SourceTextModule} Returning a
`vm.SourceTextModule` is recommended in order to take advantage of error
tracking, and to avoid issues with namespaces that contain `then`
function exports.
* Returns: {any} the result of the very last statement executed in the script.
`vm.runInThisContext()` compiles `code`, runs it within the context of the

@ -1459,8 +1459,8 @@ Fixes for the following CVEs are included in this release:
* **deps**: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* **http**:
* Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina)
* Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina)
* **url**: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by [Martin Bajanik](https://twitter.com/_bayotop) ([Kentico](https://kenticocloud.com/)). (CVE-2018-12123 / Matteo Collina)
### Commits
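
Review bot: The `**deps**` context line at the top of this hunk reads "fixing CVE-2018-0734 and CVE-2019-0735", and the 2019 year does not match any other identifier in this list, which are all CVE-2018 entries. It is outside the whitespace change, but since the list is being touched, please check the second identifier against the OpenSSL 1.1.0j advisory and correct it here or in a follow-up; a wrong CVE number in a release note sends anyone auditing their patch level to the wrong advisory.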

@ -2098,8 +2098,8 @@ Fixes for the following CVEs are included in this release:
* **deps**: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* **http**:
* Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina)
* Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina)
* **url**: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by [Martin Bajanik](https://twitter.com/_bayotop) ([Kentico](https://kenticocloud.com/)). (CVE-2018-12123 / Matteo Collina)
### Commits
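
Review bot: This second changelog file has the same `**deps**` context line with "CVE-2019-0735" next to CVE-2018-0734. Whatever correction is made for the identifier in the previous file should be applied to this copy in the same change so the two changelogs stay in agreement.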

@ -1450,109 +1450,109 @@ Vulnerabilities fixed:
### Notable Changes
* **assert**:
* validate required arguments (Ruben Bridgewater) [#26641](https://github.com/nodejs/node/pull/26641)
* adjust loose assertions (Ruben Bridgewater) [#25008](https://github.com/nodejs/node/pull/25008)
* validate required arguments (Ruben Bridgewater) [#26641](https://github.com/nodejs/node/pull/26641)
* adjust loose assertions (Ruben Bridgewater) [#25008](https://github.com/nodejs/node/pull/25008)
* **async_hooks**:
* remove deprecated `emitBefore` and `emitAfter` (Matteo Collina) [#26530](https://github.com/nodejs/node/pull/26530)
* remove promise object from resource (Andreas Madsen) [#23443](https://github.com/nodejs/node/pull/23443)
* remove deprecated `emitBefore` and `emitAfter` (Matteo Collina) [#26530](https://github.com/nodejs/node/pull/26530)
* remove promise object from resource (Andreas Madsen) [#23443](https://github.com/nodejs/node/pull/23443)
* **bootstrap**: make Buffer and process non-enumerable (Ruben Bridgewater) [#24874](https://github.com/nodejs/node/pull/24874)
* **buffer**:
* use stricter range checks (Ruben Bridgewater) [#27045](https://github.com/nodejs/node/pull/27045)
* harden `SlowBuffer` creation (ZYSzys) [#26272](https://github.com/nodejs/node/pull/26272)
* harden validation of buffer allocation size (ZYSzys) [#26162](https://github.com/nodejs/node/pull/26162)
* do proper error propagation in addon methods (Anna Henningsen) [#23939](https://github.com/nodejs/node/pull/23939)
* use stricter range checks (Ruben Bridgewater) [#27045](https://github.com/nodejs/node/pull/27045)
* harden `SlowBuffer` creation (ZYSzys) [#26272](https://github.com/nodejs/node/pull/26272)
* harden validation of buffer allocation size (ZYSzys) [#26162](https://github.com/nodejs/node/pull/26162)
* do proper error propagation in addon methods (Anna Henningsen) [#23939](https://github.com/nodejs/node/pull/23939)
* **child_process**:
* remove `options.customFds` (cjihrig) [#25279](https://github.com/nodejs/node/pull/25279)
* harden fork arguments validation (ZYSzys) [#27039](https://github.com/nodejs/node/pull/27039)
* use non-infinite `maxBuffer` defaults (kohta ito) [#23027](https://github.com/nodejs/node/pull/23027)
* remove `options.customFds` (cjihrig) [#25279](https://github.com/nodejs/node/pull/25279)
* harden fork arguments validation (ZYSzys) [#27039](https://github.com/nodejs/node/pull/27039)
* use non-infinite `maxBuffer` defaults (kohta ito) [#23027](https://github.com/nodejs/node/pull/23027)
* **console**: don't use ANSI escape codes when `TERM=dumb` (Vladislav Kaminsky) [#26261](https://github.com/nodejs/node/pull/26261)
* **crypto**:
* remove legacy native handles (Tobias Nießen) [#27011](https://github.com/nodejs/node/pull/27011)
* decode missing passphrase errors (Tobias Nießen) [#25208](https://github.com/nodejs/node/pull/25208)
* remove `Cipher.setAuthTag()` and `Decipher.getAuthTag()` (Tobias Nießen) [#26249](https://github.com/nodejs/node/pull/26249)
* remove deprecated `crypto._toBuf()` (Tobias Nießen) [#25338](https://github.com/nodejs/node/pull/25338)
* set `DEFAULT\_ENCODING` property to non-enumerable (Antoine du Hamel) [#23222](https://github.com/nodejs/node/pull/23222)
* remove legacy native handles (Tobias Nießen) [#27011](https://github.com/nodejs/node/pull/27011)
* decode missing passphrase errors (Tobias Nießen) [#25208](https://github.com/nodejs/node/pull/25208)
* remove `Cipher.setAuthTag()` and `Decipher.getAuthTag()` (Tobias Nießen) [#26249](https://github.com/nodejs/node/pull/26249)
* remove deprecated `crypto._toBuf()` (Tobias Nießen) [#25338](https://github.com/nodejs/node/pull/25338)
* set `DEFAULT\_ENCODING` property to non-enumerable (Antoine du Hamel) [#23222](https://github.com/nodejs/node/pull/23222)
* **deps**:
* update V8 to 7.4.288.13 (Michaël Zasso, cjihrig, Refael Ackermann, Anna Henningsen, Ujjwal Sharma) [#26685](https://github.com/nodejs/node/pull/26685)
* bump minimum icu version to 63 (Ujjwal Sharma) [#25852](https://github.com/nodejs/node/pull/25852)
* update OpenSSL to 1.1.1b (Sam Roberts, Shigeki Ohtsu) [#26327](https://github.com/nodejs/node/pull/26327)
* update V8 to 7.4.288.13 (Michaël Zasso, cjihrig, Refael Ackermann, Anna Henningsen, Ujjwal Sharma) [#26685](https://github.com/nodejs/node/pull/26685)
* bump minimum icu version to 63 (Ujjwal Sharma) [#25852](https://github.com/nodejs/node/pull/25852)
* update OpenSSL to 1.1.1b (Sam Roberts, Shigeki Ohtsu) [#26327](https://github.com/nodejs/node/pull/26327)
* **errors**: update error name (Ruben Bridgewater) [#26738](https://github.com/nodejs/node/pull/26738)
* **fs**:
* use proper .destroy() implementation for SyncWriteStream (Matteo Collina) [#26690](https://github.com/nodejs/node/pull/26690)
* improve mode validation (Ruben Bridgewater) [#26575](https://github.com/nodejs/node/pull/26575)
* harden validation of start option in `createWriteStream()` (ZYSzys) [#25579](https://github.com/nodejs/node/pull/25579)
* make writeFile consistent with readFile wrt fd (Sakthipriyan Vairamani (thefourtheye)) [#23709](https://github.com/nodejs/node/pull/23709)
* use proper .destroy() implementation for SyncWriteStream (Matteo Collina) [#26690](https://github.com/nodejs/node/pull/26690)
* improve mode validation (Ruben Bridgewater) [#26575](https://github.com/nodejs/node/pull/26575)
* harden validation of start option in `createWriteStream()` (ZYSzys) [#25579](https://github.com/nodejs/node/pull/25579)
* make writeFile consistent with readFile wrt fd (Sakthipriyan Vairamani (thefourtheye)) [#23709](https://github.com/nodejs/node/pull/23709)
* **http**:
* validate timeout in `ClientRequest()` (cjihrig) [#26214](https://github.com/nodejs/node/pull/26214)
* return HTTP 431 on `HPE_HEADER_OVERFLOW` error (Albert Still) [#25605](https://github.com/nodejs/node/pull/25605)
* switch default parser to llhttp (Anna Henningsen) [#24870](https://github.com/nodejs/node/pull/24870)
* Runtime-deprecate `outgoingMessage._headers` and `outgoingMessage._headerNames` (Morgan Roderick) [#24167](https://github.com/nodejs/node/pull/24167)
* validate timeout in `ClientRequest()` (cjihrig) [#26214](https://github.com/nodejs/node/pull/26214)
* return HTTP 431 on `HPE_HEADER_OVERFLOW` error (Albert Still) [#25605](https://github.com/nodejs/node/pull/25605)
* switch default parser to llhttp (Anna Henningsen) [#24870](https://github.com/nodejs/node/pull/24870)
* Runtime-deprecate `outgoingMessage._headers` and `outgoingMessage._headerNames` (Morgan Roderick) [#24167](https://github.com/nodejs/node/pull/24167)
* **lib**:
* remove `Atomics.wake()` (Gus Caplan) [#27033](https://github.com/nodejs/node/pull/27033)
* move DTRACE\_\* probes out of global scope (James M Snell) [#26541](https://github.com/nodejs/node/pull/26541)
* deprecate `_stream_wrap` (Sam Roberts) [#26245](https://github.com/nodejs/node/pull/26245)
* use ES6 class inheritance style (Ruben Bridgewater) [#24755](https://github.com/nodejs/node/pull/24755)
* remove `Atomics.wake()` (Gus Caplan) [#27033](https://github.com/nodejs/node/pull/27033)
* move DTRACE\_\* probes out of global scope (James M Snell) [#26541](https://github.com/nodejs/node/pull/26541)
* deprecate `_stream_wrap` (Sam Roberts) [#26245](https://github.com/nodejs/node/pull/26245)
* use ES6 class inheritance style (Ruben Bridgewater) [#24755](https://github.com/nodejs/node/pull/24755)
* **module**:
* remove unintended access to deps/ (Anna Henningsen) [#25138](https://github.com/nodejs/node/pull/25138)
* improve error message for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](https://github.com/nodejs/node/pull/25690)
* requireStack property for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](https://github.com/nodejs/node/pull/25690)
* remove dead code (Ruben Bridgewater) [#26983](https://github.com/nodejs/node/pull/26983)
* make `require('.')` never resolve outside the current directory (Ruben Bridgewater) [#26973](https://github.com/nodejs/node/pull/26973)
* throw an error for invalid package.json main entries (Ruben Bridgewater) [#26823](https://github.com/nodejs/node/pull/26823)
* don't search in `require.resolve.paths` (cjihrig) [#23683](https://github.com/nodejs/node/pull/23683)
* remove unintended access to deps/ (Anna Henningsen) [#25138](https://github.com/nodejs/node/pull/25138)
* improve error message for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](https://github.com/nodejs/node/pull/25690)
* requireStack property for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](https://github.com/nodejs/node/pull/25690)
* remove dead code (Ruben Bridgewater) [#26983](https://github.com/nodejs/node/pull/26983)
* make `require('.')` never resolve outside the current directory (Ruben Bridgewater) [#26973](https://github.com/nodejs/node/pull/26973)
* throw an error for invalid package.json main entries (Ruben Bridgewater) [#26823](https://github.com/nodejs/node/pull/26823)
* don't search in `require.resolve.paths` (cjihrig) [#23683](https://github.com/nodejs/node/pull/23683)
* **net**:
* remove `Server.listenFD()` (cjihrig) [#27127](https://github.com/nodejs/node/pull/27127)
* do not add `.host` and `.port` properties to DNS error (Ruben Bridgewater) [#26751](https://github.com/nodejs/node/pull/26751)
* emit "write after end" errors in the next tick (Ouyang Yadong) [#24457](https://github.com/nodejs/node/pull/24457)
* deprecate `_setSimultaneousAccepts()` undocumented function (James M Snell) [#23760](https://github.com/nodejs/node/pull/23760)
* remove `Server.listenFD()` (cjihrig) [#27127](https://github.com/nodejs/node/pull/27127)
* do not add `.host` and `.port` properties to DNS error (Ruben Bridgewater) [#26751](https://github.com/nodejs/node/pull/26751)
* emit "write after end" errors in the next tick (Ouyang Yadong) [#24457](https://github.com/nodejs/node/pull/24457)
* deprecate `_setSimultaneousAccepts()` undocumented function (James M Snell) [#23760](https://github.com/nodejs/node/pull/23760)
* **os**:
* implement `os.type()` using `uv_os_uname()` (cjihrig) [#25659](https://github.com/nodejs/node/pull/25659)
* remove `os.getNetworkInterfaces()` (cjihrig) [#25280](https://github.com/nodejs/node/pull/25280)
* implement `os.type()` using `uv_os_uname()` (cjihrig) [#25659](https://github.com/nodejs/node/pull/25659)
* remove `os.getNetworkInterfaces()` (cjihrig) [#25280](https://github.com/nodejs/node/pull/25280)
* **process**:
* make global.process, global.Buffer getters (Guy Bedford) [#26882](https://github.com/nodejs/node/pull/26882)
* move DEP0062 (node --debug) to end-of-life (Joyee Cheung) [#25828](https://github.com/nodejs/node/pull/25828)
* exit on --debug and --debug-brk after option parsing (Joyee Cheung) [#25828](https://github.com/nodejs/node/pull/25828)
* improve `--redirect-warnings` handling (Ruben Bridgewater) [#24965](https://github.com/nodejs/node/pull/24965)
* make global.process, global.Buffer getters (Guy Bedford) [#26882](https://github.com/nodejs/node/pull/26882)
* move DEP0062 (node --debug) to end-of-life (Joyee Cheung) [#25828](https://github.com/nodejs/node/pull/25828)
* exit on --debug and --debug-brk after option parsing (Joyee Cheung) [#25828](https://github.com/nodejs/node/pull/25828)
* improve `--redirect-warnings` handling (Ruben Bridgewater) [#24965](https://github.com/nodejs/node/pull/24965)
* **readline**: support TERM=dumb (Vladislav Kaminsky) [#26261](https://github.com/nodejs/node/pull/26261)
* **repl**:
* add welcome message (gengjiawen) [#25947](https://github.com/nodejs/node/pull/25947)
* fix terminal default setting (Ruben Bridgewater) [#26518](https://github.com/nodejs/node/pull/26518)
* check colors with `.getColorDepth()` (Vladislav Kaminsky) [#26261](https://github.com/nodejs/node/pull/26261)
* deprecate REPLServer.rli (Ruben Bridgewater) [#26260](https://github.com/nodejs/node/pull/26260)
* add welcome message (gengjiawen) [#25947](https://github.com/nodejs/node/pull/25947)
* fix terminal default setting (Ruben Bridgewater) [#26518](https://github.com/nodejs/node/pull/26518)
* check colors with `.getColorDepth()` (Vladislav Kaminsky) [#26261](https://github.com/nodejs/node/pull/26261)
* deprecate REPLServer.rli (Ruben Bridgewater) [#26260](https://github.com/nodejs/node/pull/26260)
* **src**:
* remove unused `INT_MAX` constant (Sam Roberts) [#27078](https://github.com/nodejs/node/pull/27078)
* update `NODE_MODULE_VERSION` to 72 (Ujjwal Sharma) [#26685](https://github.com/nodejs/node/pull/26685)
* remove `AddPromiseHook()` (Anna Henningsen) [#26574](https://github.com/nodejs/node/pull/26574)
* clean up `MultiIsolatePlatform` interface (Anna Henningsen) [#26384](https://github.com/nodejs/node/pull/26384)
* properly configure default heap limits (Ali Ijaz Sheikh) [#25576](https://github.com/nodejs/node/pull/25576)
* remove `icuDataDir` from node config (GauthamBanasandra) [#24780](https://github.com/nodejs/node/pull/24780)
* remove unused `INT_MAX` constant (Sam Roberts) [#27078](https://github.com/nodejs/node/pull/27078)
* update `NODE_MODULE_VERSION` to 72 (Ujjwal Sharma) [#26685](https://github.com/nodejs/node/pull/26685)
* remove `AddPromiseHook()` (Anna Henningsen) [#26574](https://github.com/nodejs/node/pull/26574)
* clean up `MultiIsolatePlatform` interface (Anna Henningsen) [#26384](https://github.com/nodejs/node/pull/26384)
* properly configure default heap limits (Ali Ijaz Sheikh) [#25576](https://github.com/nodejs/node/pull/25576)
* remove `icuDataDir` from node config (GauthamBanasandra) [#24780](https://github.com/nodejs/node/pull/24780)
* **tls**:
* support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209)
* return correct version from `getCipher()` (Sam Roberts) [#26625](https://github.com/nodejs/node/pull/26625)
* check arg types of renegotiate() (Sam Roberts) [#25876](https://github.com/nodejs/node/pull/25876)
* add code for `ERR_TLS_INVALID_PROTOCOL_METHOD` (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729)
* emit a warning when servername is an IP address (Rodger Combs) [#23329](https://github.com/nodejs/node/pull/23329)
* disable TLS v1.0 and v1.1 by default (Ben Noordhuis) [#23814](https://github.com/nodejs/node/pull/23814)
* remove unused arg to createSecureContext() (Sam Roberts) [#24241](https://github.com/nodejs/node/pull/24241)
* deprecate `Server.prototype.setOptions()` (cjihrig) [#23820](https://github.com/nodejs/node/pull/23820)
* load `NODE_EXTRA_CA_CERTS` at startup (Ouyang Yadong) [#23354](https://github.com/nodejs/node/pull/23354)
* support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209)
* return correct version from `getCipher()` (Sam Roberts) [#26625](https://github.com/nodejs/node/pull/26625)
* check arg types of renegotiate() (Sam Roberts) [#25876](https://github.com/nodejs/node/pull/25876)
* add code for `ERR_TLS_INVALID_PROTOCOL_METHOD` (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729)
* emit a warning when servername is an IP address (Rodger Combs) [#23329](https://github.com/nodejs/node/pull/23329)
* disable TLS v1.0 and v1.1 by default (Ben Noordhuis) [#23814](https://github.com/nodejs/node/pull/23814)
* remove unused arg to createSecureContext() (Sam Roberts) [#24241](https://github.com/nodejs/node/pull/24241)
* deprecate `Server.prototype.setOptions()` (cjihrig) [#23820](https://github.com/nodejs/node/pull/23820)
* load `NODE_EXTRA_CA_CERTS` at startup (Ouyang Yadong) [#23354](https://github.com/nodejs/node/pull/23354)
* **util**:
* remove `util.print()`, `util.puts()`, `util.debug()` and `util.error()` (cjihrig) [#25377](https://github.com/nodejs/node/pull/25377)
* change inspect compact and breakLength default (Ruben Bridgewater) [#27109](https://github.com/nodejs/node/pull/27109)
* improve inspect edge cases (Ruben Bridgewater) [#27109](https://github.com/nodejs/node/pull/27109)
* only the first line of the error message (Simon Zünd) [#26685](https://github.com/nodejs/node/pull/26685)
* don't set the prototype of callbackified functions (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893)
* rename callbackified function (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893)
* increase function length when using `callbackify()` (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893)
* prevent tampering with internals in `inspect()` (Ruben Bridgewater) [#26577](https://github.com/nodejs/node/pull/26577)
* prevent Proxy traps being triggered by `.inspect()` (Ruben Bridgewater) [#26241](https://github.com/nodejs/node/pull/26241)
* prevent leaking internal properties (Ruben Bridgewater) [#24971](https://github.com/nodejs/node/pull/24971)
* protect against monkeypatched Object prototype for inspect() (Rich Trott) [#25953](https://github.com/nodejs/node/pull/25953)
* treat format arguments equally (Roman Reiss) [#23162](https://github.com/nodejs/node/pull/23162)
* remove `util.print()`, `util.puts()`, `util.debug()` and `util.error()` (cjihrig) [#25377](https://github.com/nodejs/node/pull/25377)
* change inspect compact and breakLength default (Ruben Bridgewater) [#27109](https://github.com/nodejs/node/pull/27109)
* improve inspect edge cases (Ruben Bridgewater) [#27109](https://github.com/nodejs/node/pull/27109)
* only the first line of the error message (Simon Zünd) [#26685](https://github.com/nodejs/node/pull/26685)
* don't set the prototype of callbackified functions (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893)
* rename callbackified function (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893)
* increase function length when using `callbackify()` (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893)
* prevent tampering with internals in `inspect()` (Ruben Bridgewater) [#26577](https://github.com/nodejs/node/pull/26577)
* prevent Proxy traps being triggered by `.inspect()` (Ruben Bridgewater) [#26241](https://github.com/nodejs/node/pull/26241)
* prevent leaking internal properties (Ruben Bridgewater) [#24971](https://github.com/nodejs/node/pull/24971)
* protect against monkeypatched Object prototype for inspect() (Rich Trott) [#25953](https://github.com/nodejs/node/pull/25953)
* treat format arguments equally (Roman Reiss) [#23162](https://github.com/nodejs/node/pull/23162)
* **win, fs**: detect if symlink target is a directory (Bartosz Sosnowski) [#23724](https://github.com/nodejs/node/pull/23724)
* **zlib**:
* throw TypeError if callback is missing (Anna Henningsen) [#24929](https://github.com/nodejs/node/pull/24929)
* make “bare” constants un-enumerable (Anna Henningsen) [#24824](https://github.com/nodejs/node/pull/24824)
* throw TypeError if callback is missing (Anna Henningsen) [#24929](https://github.com/nodejs/node/pull/24929)
* make “bare” constants un-enumerable (Anna Henningsen) [#24824](https://github.com/nodejs/node/pull/24824)
### Semver-Major Commits
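Review bot: Inline code formatting is inconsistent across the entries this hunk rewrites: under **process**, `--redirect-warnings` is backticked while `--debug`, `--debug-brk`, `global.process` and `global.Buffer` are not, and under **tls** `getCipher()` is backticked while `renegotiate()` and `createSecureContext()` are not. Because the commit is meant to be indent-only, the wording should stay untouched here; a separate doc cleanup can normalize the backticks so this diff remains empty when whitespace is ignored.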

View File

@ -191,9 +191,9 @@ Fixes for the following CVEs are included in this release:
* **debugger**: Backport of [nodejs/node#8106](https://github.com/nodejs/node/pull/8106) to prevent the debugger from listening on `0.0.0.0`. It now defaults to `127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
* **deps**: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* **http**:
* Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina)
* Two-byte characters are now strictly disallowed for the `path` option in HTTP client requests. Paths containing characters outside of the range `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior can be reverted if necessary by supplying the `--security-revert=CVE-2018-12116` command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by [Arkadiy Tetelman](https://twitter.com/arkadiyt) ([Lob](https://lob.com)), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
* Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina)
* Two-byte characters are now strictly disallowed for the `path` option in HTTP client requests. Paths containing characters outside of the range `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior can be reverted if necessary by supplying the `--security-revert=CVE-2018-12116` command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by [Arkadiy Tetelman](https://twitter.com/arkadiyt) ([Lob](https://lob.com)), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
* **url**: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by [Martin Bajanik](https://twitter.com/_bayotop) ([Kentico](https://kenticocloud.com/)). (CVE-2018-12123 / Matteo Collina)
### Commits
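Review bot: The three **http** sub-items are security advisory text (CVE-2018-12121, CVE-2018-12122, CVE-2018-12116, including the `--security-revert=CVE-2018-12116` guidance) and each is a single very long line that is replaced wholesale just to change its indent, which makes an accidental wording change hard to spot by eye. Please confirm with a whitespace-insensitive diff such as `git diff -w` that this hunk is empty; the removed and added copies shown here read identically, which is what an indent-only change should produce.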
@ -2826,14 +2826,14 @@ are updates to dependencies.
* **build**: shared library support is now working for AIX builds (Stewart Addison) [#9675](https://github.com/nodejs/node/pull/9675)
* **deps**:
- *npm*: upgrade npm to 3.10.10 (Rebecca Turner) [#9847](https://github.com/nodejs/node/pull/9847)
- *V8*: Destructuring of arrow function arguments via computed property no longer throws (Michaël Zasso) [#10386](https://github.com/nodejs/node/pull/10386)
- *npm*: upgrade npm to 3.10.10 (Rebecca Turner) [#9847](https://github.com/nodejs/node/pull/9847)
- *V8*: Destructuring of arrow function arguments via computed property no longer throws (Michaël Zasso) [#10386](https://github.com/nodejs/node/pull/10386)
* **inspector**: /json/version returns object, not an object wrapped in an array (Ben Noordhuis) [#9762](https://github.com/nodejs/node/pull/9762)
* **module**: using --debug-brk and --eval together now works as expected (Kelvin Jin) [#8876](https://github.com/nodejs/node/pull/8876)
* **process**: improve performance of nextTick up to 20% (Evan Lucas) [#8932](https://github.com/nodejs/node/pull/8932)
* **repl**:
- the division operator will no longer be accidentally parsed as regex (Teddy Katz) [#10103](https://github.com/nodejs/node/pull/10103)
- improved support for generator functions (Teddy Katz) [#9852](https://github.com/nodejs/node/pull/9852)
- the division operator will no longer be accidentally parsed as regex (Teddy Katz) [#10103](https://github.com/nodejs/node/pull/10103)
- improved support for generator functions (Teddy Katz) [#9852](https://github.com/nodejs/node/pull/9852)
* **timers**: Re canceling a cancelled timers will no longer throw (Jeremiah Senkpiel) [#9685](https://github.com/nodejs/node/pull/9685)
### Commits
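Review bot: The nested items under **deps** and **repl** use `-` while their parent items use `*`, so the list is still mixed-marker after the re-indent. MD007 only covers indentation; marker style is a separate rule (MD004). Either normalize the markers as part of the same lint series or say in the commit message that marker style is deliberately left for a later change.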
@ -3162,10 +3162,10 @@ commits which are updates to dependencies.
* **buffer**: coerce slice parameters consistently (Sakthipriyan Vairamani (thefourtheye)) [#9101](https://github.com/nodejs/node/pull/9101)
* **deps**:
- *npm*: upgrade npm to 3.10.9 (Kat Marchán) [#9286](https://github.com/nodejs/node/pull/9286)
- *V8*: Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli) [#9138](https://github.com/nodejs/node/pull/9138)
- cherry pick 7166503 from upstream v8 (Cristian Cavalli) [#9173](https://github.com/nodejs/node/pull/9173)
- *npm*: upgrade npm to 3.10.9 (Kat Marchán) [#9286](https://github.com/nodejs/node/pull/9286)
- *V8*: Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli) [#9138](https://github.com/nodejs/node/pull/9138)
- cherry pick 7166503 from upstream v8 (Cristian Cavalli) [#9173](https://github.com/nodejs/node/pull/9173)
* **gtest**: the test reporter now outputs tap comments as yamlish (Johan Bergström) [#9262](https://github.com/nodejs/node/pull/9262)
* **inspector**: inspector now prompts user to use 127.0.0.1 rather than localhost (Eugene Ostroukhov) [#9451](https://github.com/nodejs/node/pull/9451)
* **tls**: fix memory leak when writing data to TLSWrap instance during handshake (Fedor Indutny) [#9586](https://github.com/nodejs/node/pull/9586)

View File

@ -786,10 +786,10 @@ This release contains **v8 5.5**, you can read more about this version in the of
### Notable changes
* **deps**:
* update V8 to 5.5 (Michaël Zasso) [#11029](https://github.com/nodejs/node/pull/11029)
* upgrade libuv to 1.11.0 (cjihrig) [#11094](https://github.com/nodejs/node/pull/11094)
* add node-inspect 1.10.4 (Jan Krems) [#10187](https://github.com/nodejs/node/pull/10187)
* upgrade zlib to 1.2.11 (Sam Roberts) [#10980](https://github.com/nodejs/node/pull/10980)
* update V8 to 5.5 (Michaël Zasso) [#11029](https://github.com/nodejs/node/pull/11029)
* upgrade libuv to 1.11.0 (cjihrig) [#11094](https://github.com/nodejs/node/pull/11094)
* add node-inspect 1.10.4 (Jan Krems) [#10187](https://github.com/nodejs/node/pull/10187)
* upgrade zlib to 1.2.11 (Sam Roberts) [#10980](https://github.com/nodejs/node/pull/10980)
* **lib**: build `node inspect` into `node` (Anna Henningsen) [#10187](https://github.com/nodejs/node/pull/10187)
* **crypto**: Remove expired certs from CNNIC whitelist (Shigeki Ohtsu) [#9469](https://github.com/nodejs/node/pull/9469)
* **inspector**: add --inspect-brk (Josh Gavant) [#11149](https://github.com/nodejs/node/pull/11149)

View File

@ -332,9 +332,9 @@ Fixes for the following CVEs are included in this release:
* **deps**: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* **http**:
* Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina)
* Two-byte characters are now strictly disallowed for the `path` option in HTTP client requests. Paths containing characters outside of the range `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior can be reverted if necessary by supplying the `--security-revert=CVE-2018-12116` command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by [Arkadiy Tetelman](https://twitter.com/arkadiyt) ([Lob](https://lob.com)), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
* Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina)
* Two-byte characters are now strictly disallowed for the `path` option in HTTP client requests. Paths containing characters outside of the range `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior can be reverted if necessary by supplying the `--security-revert=CVE-2018-12116` command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by [Arkadiy Tetelman](https://twitter.com/arkadiyt) ([Lob](https://lob.com)), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
* **url**: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by [Martin Bajanik](https://twitter.com/_bayotop) ([Kentico](https://kenticocloud.com/)). (CVE-2018-12123 / Matteo Collina)
### Commits
@ -3475,10 +3475,10 @@ Big thanks to @addaleax who prepared the vast majority of this release.
[[`dc3f6b9ac1`](https://github.com/nodejs/node/commit/dc3f6b9ac1)]
[#14235](https://github.com/nodejs/node/pull/14235)
* `npm` Changelogs:
- [v5.0.4](https://github.com/npm/npm/releases/tag/v5.0.4)
- [v5.1.0](https://github.com/npm/npm/releases/tag/v5.1.0)
- [v5.2.0](https://github.com/npm/npm/releases/tag/v5.2.0)
- [v5.3.0](https://github.com/npm/npm/releases/tag/v5.3.0)
- [v5.0.4](https://github.com/npm/npm/releases/tag/v5.0.4)
- [v5.1.0](https://github.com/npm/npm/releases/tag/v5.1.0)
- [v5.2.0](https://github.com/npm/npm/releases/tag/v5.2.0)
- [v5.3.0](https://github.com/npm/npm/releases/tag/v5.3.0)
### Commits

View File

@ -6,16 +6,16 @@ a set of principles and guidelines to keep in mind while adding a new
N-API API.
* A new API **must** adhere to N-API API shape and spirit.
* **Must** be a C API.
* **Must** not throw exceptions.
* **Must** return `napi_status`.
* **Should** consume `napi_env`.
* **Must** operate only on primitive data types, pointers to primitive
datatypes or opaque handles.
* **Must** be a necessary API and not a nice to have. Convenience APIs
belong in node-addon-api.
* **Must** not change the signature of an existing N-API API or break
ABI compatibility with other versions of Node.js.
* **Must** be a C API.
* **Must** not throw exceptions.
* **Must** return `napi_status`.
* **Should** consume `napi_env`.
* **Must** operate only on primitive data types, pointers to primitive
datatypes or opaque handles.
* **Must** be a necessary API and not a nice to have. Convenience APIs
belong in node-addon-api.
* **Must** not change the signature of an existing N-API API or break
ABI compatibility with other versions of Node.js.
* New API **should** be agnostic towards the underlying JavaScript VM.
* New API PRs **must** have a corresponding documentation update.
* New API PRs **must** be tagged as **n-api**.
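Review bot: Several of the re-indented items wrap onto a second line (`datatypes or opaque handles.`, `belong in node-addon-api.`, `ABI compatibility with other versions of Node.js.`), and those continuation lines need to move together with their bullets so they stay aligned with the item text under the new 2-space indent. Please check the rendered output of this list, since a continuation left at the old column is easy to miss in an indent-only diff.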
@ -31,19 +31,19 @@ N-API API.
* A new API **must** be considered experimental for at least one minor
version release of Node.js before it can be considered for promotion out
of experimental.
* Experimental APIs **must** be documented as such.
* Experimental APIs **must** require an explicit compile-time flag
(`#define`) to be set to opt-in.
* Experimental APIs **must** be considered for backport.
* Experimental status exit criteria **must** involve at least the
following:
* A new PR **must** be opened in `nodejs/node` to remove experimental
status. This PR **must** be tagged as **n-api** and **semver-minor**.
* Exiting an API from experimental **must** be signed off by the team.
* If a backport is merited, an API **must** have a down-level
implementation.
* The API **should** be used by a published real-world module. Use of
the API by a real-world published module will contribute favorably
to the decision to take an API out of experimental status.
* The API **must** be implemented in a Node.js implementation with an
alternate VM.
* Experimental APIs **must** be documented as such.
* Experimental APIs **must** require an explicit compile-time flag
(`#define`) to be set to opt-in.
* Experimental APIs **must** be considered for backport.
* Experimental status exit criteria **must** involve at least the
following:
* A new PR **must** be opened in `nodejs/node` to remove experimental
status. This PR **must** be tagged as **n-api** and **semver-minor**.
* Exiting an API from experimental **must** be signed off by the team.
* If a backport is merited, an API **must** have a down-level
implementation.
* The API **should** be used by a published real-world module. Use of
the API by a real-world published module will contribute favorably
to the decision to take an API out of experimental status.
* The API **must** be implemented in a Node.js implementation with an
alternate VM.
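Review bot: The items that follow "Experimental status exit criteria **must** involve at least the following:" are a third nesting level, so with a 2-space unit they have to sit at 4 spaces, one level deeper than their parent. If they end up at the parent's depth they read as standalone requirements for every experimental API rather than as exit criteria, which changes the meaning of a normative list. Worth verifying in the rendered Markdown that the criteria still nest under that item.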

View File

@ -18,16 +18,16 @@ the following tiers.
early warning of potential issues. No commit to the current and LTS
release branches should break this tool/API if the next major release
is within 1 month. In addition:
* The maintainers of the tool must remain responsive when there
are problems;
* The tool must be actively used by the ecosystem;
* The tool must be heavily depended on;
* The tool must have a guide or other documentation in the Node.js GitHub
organization or website;
* The tool must be working on all supported platforms;
* The tool must only be using APIs exposed by Nodejs as opposed to
its dependencies; and
* The tool must be open source.
* The maintainers of the tool must remain responsive when there
are problems;
* The tool must be actively used by the ecosystem;
* The tool must be heavily depended on;
* The tool must have a guide or other documentation in the Node.js GitHub
organization or website;
* The tool must be working on all supported platforms;
* The tool must only be using APIs exposed by Nodejs as opposed to
its dependencies; and
* The tool must be open source.
* Tier 2 - Must be working(CI tests passing) for all
LTS releases. An LTS release will not be shipped if the test
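Review bot: The rewritten item "The tool must only be using APIs exposed by Nodejs as opposed to its dependencies; and" spells the project name `Nodejs`, while the neighbouring items in the same list use `Node.js`. Keep this commit whitespace-only, but please queue a follow-up to fix the spelling, since the line is being touched anyway and will show up in blame under this change.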
@ -35,13 +35,13 @@ the following tiers.
in this tier it must have a good test suite and that test suite and a job
must exist in the Node.js CI so that it can be run as part of the release
process. In addition:
* The maintainers of the tool must remain responsive when
there are problems;
* The tool must be actively used by the ecosystem;
* The tool must be heavily depended on;
* The tool must have a guide or other documentation in the Node.js GitHub
organization or website;
* The tool must be open source.
* The maintainers of the tool must remain responsive when
there are problems;
* The tool must be actively used by the ecosystem;
* The tool must be heavily depended on;
* The tool must have a guide or other documentation in the Node.js GitHub
organization or website;
* The tool must be open source.
* Tier 3 - If possible its test suite
will be run at least nightly in the Node.js CI and issues opened for

View File

@ -10,7 +10,7 @@ Emeritus or leaves the project.
moving to Collaborator Emeritus.
* Determine what GitHub teams the Collaborator belongs to. In consultation with
the Collaborator, determine which of those teams they should be removed from.
* Some teams may also require a pull request to remove the Collaborator from
a team listing. For example, if someone is removed from @nodejs/build,
they should also be removed from the Build WG README.md file in the
https://github.com/nodejs/build repository.
* Some teams may also require a pull request to remove the Collaborator from
a team listing. For example, if someone is removed from @nodejs/build,
they should also be removed from the Build WG README.md file in the
https://github.com/nodejs/build repository.
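Review bot: The re-indented sub-item ends with a bare URL, `https://github.com/nodejs/build repository.`, which markdownlint will flag separately under MD034 once that rule is enabled. Wrapping it as `<https://github.com/nodejs/build>` in the lint series would avoid touching this line a second time; if it is left out of scope here, mention that in the commit message.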