2024-02-14, Version 21.6.2 (Current), @RafaelGSS

Notable changes

This is a security release.

Notable changes

• CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
• CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
• CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
• CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
• CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
• CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
• CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
• CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
• undici version 5.28.3
• libuv version 1.48.0
• OpenSSL version 3.0.13+quic1

Commits

• [8344719369] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
• [d093600ac4] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [6cd930e5e8] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [9590c15d3d] - deps: upgrade libuv to 1.48.0 (Santiago Gimeno) #51698
• [666096298c] - deps: disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#528
• [a4edd22e30] - fs: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#497
• [6155a1ffaf] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#518
• [777509495e] - lib: use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516
• [9d2ac2b3fc] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#538
• [208b3940c7] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
• [fc2454f29c] - src,deps: disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#528
• [ef3eea20be] - test,doc: clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517
• [8547196964] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#540

2024-02-14, Version 20.11.1 'Iron' (LTS), @RafaelGSS prepared by @marco-ippolito

Notable changes

This is a security release.

Notable changes

• CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
• CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
• CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
• CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
• CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
• CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
• CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
• CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
• undici version 5.28.3
• libuv version 1.48.0
• OpenSSL version 3.0.13+quic1

Commits

• [7079c062bb] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
• [186a6e1ffb] - deps: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51737
• [686da19abb] - deps: disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#529
• [f7b44bfbce] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [7a30fecea2] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [480fc169a8] - fs: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#497
• [77ac7c3153] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#519
• [ed7d149675] - lib: use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516
• [89bd5fc38f] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#539
• [d01dd4291d] - permission: fix wildcard when children > 1 (Rafael Gonzaga) #51209
• [40ff37dfcc] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
• [3f6addd590] - src,deps: disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#529
• [d6da413aa4] - test,doc: clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517
• [c213910aea] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#541

2024-02-14, Version 18.19.1 'Hydrogen' (LTS), @RafaelGSS prepared by @marco-ippolito

Notable changes

This is a security release.

Notable changes

• CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
• CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
• CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
• CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
• undici version 5.28.3
• npm version 10.2.4

Commits

• [69e0a1dba8] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
• [d3d357ab09] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
• [3d27175c42] - deps: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51614
• [331558b8ab] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [99b77dfb9c] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [6cdc71bff1] - deps: upgrade npm to 10.2.4 (npm team) #50751
• [911cb33cda] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#520
• [f48b89689d] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#536
• [e6b4c105e0] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
• [97c49076cd] - test: skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) #49621
• [60affdde8e] - tools: add macOS notarization verification step (Ulises Gascón) #50833
• [ccc676a327] - tools: use macOS keychain to notarize the releases (Ulises Gascón) #50715
• [31f1ceb380] - tools: remove unused file (Ulises Gascon) #50622
• [bd5f6fb92a] - tools: add macOS notarization stapler (Ulises Gascón) #50625
• [4168c4f71b] - tools: improve macOS notarization process output readability (Ulises Gascón) #50389
• [4622f775aa] - tools: remove unused version function (Ulises Gascón) #50390
• [b90804b1e7] - win,tools: upgrade Windows signing to smctl (Stefan Stojanovic) #50956
• [f31d47e135] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#542

2024-01-22, Version 21.6.1 (Current), @RafaelGSS

Notable Changes

This release fixes a bug in undici using WebStreams

Commits

• [662ac95729] - Revert "stream: fix cloned webstreams not being unref'd" (Matteo Collina) #51491
• [1b8bba8aee] - test: add regression test for 51586 (Matteo Collina) #51491

2024-01-15, Version 21.6.0 (Current), @RafaelGSS

New connection attempt events

Three new events were added in the net.createConnection flow:

• connectionAttempt: Emitted when a new connection attempt is established. In case of Happy Eyeballs, this might emitted multiple times.
• connectionAttemptFailed: Emitted when a connection attempt failed. In case of Happy Eyeballs, this might emitted multiple times.
• connectionAttemptTimeout: Emitted when a connection attempt timed out. In case of Happy Eyeballs, this will not be emitted for the last attempt. This is not emitted at all if Happy Eyeballs is not used.

Additionally, a previous bug has been fixed where a new connection attempt could have been started after a previous one failed and after the connection was destroyed by the user.
This led to a failed assertion.

Contributed by Paolo Insogna in #51045.

Changes to the Permission Model

Node.js 21.6.0 comes with several fixes for the experimental permission model and two new semver-minor commits.
We're adding a new flag --allow-addons to enable addon usage when using the Permission Model.

$ node --experimental-permission --allow-addons

Contributed by Rafael Gonzaga in #51183

And relative paths are now supported through the --allow-fs-* flags.
Therefore, with this release one can use:

$ node --experimental-permission --allow-fs-read=./index.js

To give only read access to the entrypoint of the application.

Contributed by Rafael Gonzaga and Carlos Espa in #50758

Support configurable snapshot through --build-snapshot-config flag

We are adding a new flag --build-snapshot-config to configure snapshots through a custom JSON configuration file.

$ node --build-snapshot-config=/path/to/myconfig.json

When using this flag, additional script files provided on the command line will
not be executed and instead be interpreted as regular command line arguments.

These changes were contributed by Joyee Cheung and Anna Henningsen in #50453

Other Notable Changes

• [c31ed51373] - (SEMVER-MINOR) timers: export timers.promises (Marco Ippolito) #51246

Commits

• [13a1241b83] - assert,crypto: make KeyObject and CryptoKey testable for equality (Filip Skokan) #50897
• [4dcc5114aa] - benchmark: remove dependency on unshipped tools (Adam Majer) #51146
• [2eb41f86b3] - build: fix for VScode "Reopen in Container" (Serg Kryvonos) #51271
• [e03ac83c19] - build: fix arm64 cross-compilation (Michaël Zasso) #51256
• [cd61fce34e] - build: add -flax-vector-conversions to V8 build (Michaël Zasso) #51257
• [e5017a522e] - crypto: update CryptoKey symbol properties (Filip Skokan) #50897
• [c0d2e8be11] - deps: update corepack to 0.24.0 (Node.js GitHub Bot) #51318
• [24a9a72492] - deps: update acorn to 8.11.3 (Node.js GitHub Bot) #51317
• [e53cbb22c2] - deps: update ngtcp2 and nghttp3 (James M Snell) #51291
• [f00f1204f1] - deps: update brotli to 1.1.0 (Node.js GitHub Bot) #50804
• [a41dca0c51] - deps: update zlib to 1.3.0.1-motley-40e35a7 (Node.js GitHub Bot) #51274
• [efa12a89c6] - deps: update simdutf to 4.0.8 (Node.js GitHub Bot) #51000
• [25eba3d20b] - deps: V8: cherry-pick de611e69ad51 (Keyhan Vakil) #51200
• [a07d6e23e4] - deps: update simdjson to 3.6.3 (Node.js GitHub Bot) #51104
• [6d1bfcb2dd] - deps: update googletest to 530d5c8 (Node.js GitHub Bot) #51191
• [75e5615c43] - deps: update acorn-walk to 8.3.1 (Node.js GitHub Bot) #50457
• [3ecc7dcc00] - deps: update acorn-walk to 8.3.0 (Node.js GitHub Bot) #50457
• [e2f8d741c8] - deps: update zlib to 1.3.0.1-motley-dd5fc13 (Node.js GitHub Bot) #51105
• [4a5d3bda72] - doc: the GN files should use Node's license (Cheng Zhao) #50694
• [84127514ba] - doc: improve localWindowSize event descriptions (Davy Landman) #51071
• [8ee882a49c] - doc: mark --jitless as experimental (Antoine du Hamel) #51247
• [876743ece1] - doc: run license-builder (github-actions[bot]) #51199
• [ec6fcff009] - doc: fix limitations and known issues in pm (Rafael Gonzaga) #51184
• [c13a5c0373] - doc: mention node:wasi in the Threat Model (Rafael Gonzaga) #51211
• [4b19e62444] - doc: remove ambiguous 'considered' (Rich Trott) #51207
• [5453abd6ad] - doc: set exit code in custom test runner example (Matteo Collina) #51056
• [f9d4e07faf] - doc: remove version from maintaining-dependencies.md (Antoine du Hamel) #51195
• [df8927a073] - doc: mention native addons are restricted in pm (Rafael Gonzaga) #51185
• [e636d83914] - doc: correct note on behavior of stats.isDirectory (Nick Reilingh) #50946
• [1c71435c2a] - doc: fix TestsStream parent class (Jungku Lee) #51181
• [2c227b0d64] - doc: fix simdjson wrong link (Marco Ippolito) #51177
• [efa13e1943] - (SEMVER-MINOR) doc: add documentation for --build-snapshot-config (Anna Henningsen) #50453
• [941aedc6fc] - errors: fix stacktrace of SystemError (uzlopak) #49956
• [47548d9e61] - esm: fix hint on invalid module specifier (Antoine du Hamel) #51223
• [091098f40a] - fs: fix fs.promises.realpath for long paths on Windows (翠 / green) #51032
• [e5a8fa01aa] - fs: make offset, position & length args in fh.read() optional (Pulkit Gupta) #51087
• [c87e5d51cc] - fs: add missing jsdoc parameters to readSync (Yagiz Nizipli) #51225
• [e24249cf37] - fs: remove internalModuleReadJSON binding (Yagiz Nizipli) #51224
• [7421467812] - fs: improve mkdtemp performance for buffer prefix (Yagiz Nizipli) #51078
• [5b229d775f] - fs: validate fd synchronously on c++ (Yagiz Nizipli) #51027
• [[...

2024-01-09, Version 20.11.0 'Iron' (LTS), @UlisesGascon

Notable Changes

• [833190fe7c] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
• [a541b78bdb] - doc: add MrJithil to collaborators (Jithil P Ponnan) #50666
• [d4be8fad83] - doc: add Ethan-Arrowood as a collaborator (Ethan Arrowood) #50393
• [c1a196c897] - (SEMVER-MINOR) esm: add import.meta.dirname and import.meta.filename (James Sumners) #48740
• [aa3209b880] - fs: add c++ fast path for writeFileSync utf8 (CanadaHonk) #49884
• [8e886a2fff] - (SEMVER-MINOR) module: remove useCustomLoadersIfPresent flag (Chengzhong Wu) #48655
• [21ab3c0f0b] - (SEMVER-MINOR) module: bootstrap module loaders in shadow realm (Chengzhong Wu) #48655
• [29d91b13e3] - (SEMVER-MINOR) src: add --disable-warning option (Ethan Arrowood) #50661
• [11b3e470db] - (SEMVER-MINOR) src: create per isolate proxy env template (Chengzhong Wu) #48655
• [621c4d66c2] - (SEMVER-MINOR) src: make process binding data weak (Chengzhong Wu) #48655
• [139d6c8d3b] - stream: use Array for Readable buffer (Robert Nagy) #50341
• [6206957e8d] - stream: optimize creation (Robert Nagy) #50337
• [e64378643d] - (SEMVER-MINOR) test_runner: adds built in lcov reporter (Phil Nash) #50018
• [4a830c2d9d] - (SEMVER-MINOR) test_runner: add Date to the supported mock APIs (Lucas Santos) #48638
• [842dc01def] - (SEMVER-MINOR) test_runner, cli: add --test-timeout flag (Shubham Pandey) #50443

Commits

• [e40a559ab1] - benchmark: update iterations in benchmark/util/splice-one.js (Liu Jia) #50698
• [00f7a5d26f] - benchmark: increase the iteration number to an appropriate value (Lei Shi) #50766
• [be6ad3f375] - benchmark: rewrite import.meta benchmark (Joyee Cheung) #50683
• [9857364129] - benchmark: add misc/startup-cli-version benchmark (Joyee Cheung) #50684
• [22d729e7f5] - benchmark: remove punycode from require-builtins fixture (Joyee Cheung) #50689
• [4cf10a149a] - benchmark: change iterations in benchmark/es/string-concatenations.js (Liu Jia) #50585
• [15c2ed93a8] - benchmark: add benchmarks for encodings (Aras Abbasi) #50348
• [8a896428ca] - benchmark: add more cases to Readable.from (Raz Luvaton) #50351
• [dbe6c5f354] - benchmark: skip test-benchmark-os on IBMi (Michael Dawson) #50286
• [179b4b6e62] - benchmark: move permission-fs-read to permission-processhas-fs-read (Aki Hasegawa-Johnson) #49770
• [32d65c001d] - buffer: improve Buffer.equals performance (kylo5aby) #50621
• [80ea83757e] - build: add GN configurations for simdjson (Cheng Zhao) #50831
• [904e645bcd] - build: add configuration flag to enable Maglev (Keyhan Vakil) #50692
• [019efa8a5a] - build: fix GN configuration for deps/base64 (Cheng Zhao) #50696
• [a645d5ac54] - build: disable flag v8_scriptormodule_legacy_lifetime (Chengzhong Wu) #50616
• [8705058b09] - build: add GN build files (Cheng Zhao) #47637
• [0a5e9c12cf] - build: fix build with Python 3.12 (Luigi Pinca) #50582
• [ff5713dd43] - build: support Python 3.12 (Shi Pujin) #50209
• [cfd50f229a] - build: fix building when there is only python3 (Cheng Zhao) #48462
• [833190fe7c] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
• [54c46dae9e] - deps: update zlib to 1.2.13.1-motley-5daffc7 (Node.js GitHub Bot) #50803
• [0be84e5a28] - deps: update undici to 5.27.2 (Node.js GitHub Bot) #50813
• [ec67890824] - deps: V8: cherry-pick 0f9ebbc672c7 (Chengzhong Wu) #50867
• [bc2ebb972b] - deps: V8: cherry-pick 13192d6e10fa (Levi Zim) #50552
• [656135d70a] - deps: update zlib to 1.2.13.1-motley-dfc48fc (Node.js GitHub Bot) #50456
• [41ee4bcc5d] - deps: update ada to 2.7.4 (Node.js GitHub Bot) #50815
• [a40948b5c5] - deps: update minimatch to 9.0.3 (Node.js GitHub Bot) #50806
• [7be1222c4a] - deps: update simdutf to 4.0.4 (Node.js GitHub Bot) #50772
• [68e7d49db6] - deps: upgrade npm to 10.2.4 (npm team) #50751
• [3d82d38336] - deps: escape Python strings correctly (Michaël Zasso) #50695
• [d3870ac957] - deps: update base64 to 0.5.1 (Node.js GitHub Bot) #50629
• [4b219b6ece] - deps: update corepack to 0.23.0 (Node.js GitHub Bot) #50563
• [6c41b50922] - deps: update nghttp2 to 1.58.0 (Node.js GitHub Bot) #50441
• [3beee0ae8f] - deps: update acorn to 8.11.2 (Node.js GitHub Bot) #50460
• [220916fa93] - deps: update undici to 5.27.0 (Node.js GitHub Bot) #50463
• [f9960b3545] - deps: update googletest to 116b7e5 (Node.js GitHub Bot) #50324
• [d5c16f897a] - dns: call handle.setServers() with a valid array (Luigi Pinca) #50811
• [1bd6537c97] - doc...

2023-12-19, Version 21.5.0 (Current), @RafaelGSS

Notable Changes

• [0dd53da722] - (SEMVER-MINOR) deps: add simdjson (Yagiz Nizipli) #50322
• [9f54987fbc] - module: merge config with package_json_reader (Yagiz Nizipli) #50322
• [45e4f82912] - src: move package resolver to c++ (Yagiz Nizipli) #50322

Deprecations

• [26ed4ad01f] - doc: deprecate hash constructor (Marco Ippolito) #51077
• [58ca66a1a7] - doc: deprecate dirent.path (Antoine du Hamel) #51020

Commits

• [1bbdbdfbeb] - benchmark: update iterations in benchmark/perf_hooks (Lei Shi) #50869
• [087fb0908e] - benchmark: update iterations in benchmark/crypto/aes-gcm-throughput.js (Lei Shi) #50929
• [53b16c71fb] - benchmark: update iteration and size in benchmark/crypto/randomBytes.js (Lei Shi) #50868
• [38fd0ca753] - benchmark: add undici websocket benchmark (Chenyu Yang) #50586
• [b148c43244] - benchmark: add create-hash benchmark (Joyee Cheung) #51026
• [fdd8c18f96] - benchmark: update interations and len in benchmark/util/text-decoder.js (Lei Shi) #50938
• [a9972057ac] - benchmark: update iterations of benchmark/util/type-check.js (Lei Shi) #50937
• [b80bb1329b] - benchmark: update iterations in benchmark/util/normalize-encoding.js (Lei Shi) #50934
• [dbee03d646] - benchmark: update iterations in benchmark/util/inspect-array.js (Lei Shi) #50933
• [f2d83a3a84] - benchmark: update iterations in benchmark/util/format.js (Lei Shi) #50932
• [2581fce553] - bootstrap: improve snapshot unsupported builtin warnings (Joyee Cheung) #50944
• [735bad3694] - build: fix warnings from uv for gn build (Cheng Zhao) #51069
• [8da9d969f9] - deps: V8: cherry-pick 0fd478bcdabd (Joyee Cheung) #50572
• [429fbb37c1] - deps: update simdjson to v3.6.2 (Yagiz Nizipli) #50986
• [9950103253] - deps: update zlib to 1.3-22124f5 (Node.js GitHub Bot) #50910
• [0b61823e8b] - deps: update undici to 5.28.2 (Node.js GitHub Bot) #51024
• [95d8a273cc] - deps: cherry-pick bfbe4e38d7 from libuv upstream (Abdirahim Musse) #50650
• [06038a489e] - deps: update libuv to 1.47.0 (Node.js GitHub Bot) #50650
• [0dd53da722] - (SEMVER-MINOR) deps: add simdjson (Yagiz Nizipli) #50322
• [04eaa5cdd7] - doc: run license-builder (github-actions[bot]) #51111
• [26ed4ad01f] - doc: deprecate hash constructor (Marco Ippolito) #51077
• [637ffce4c4] - doc: add note regarding --experimental-detect-module (Shubherthi Mitra) #51089
• [838179b096] - doc: correct tracingChannel.traceCallback() (Gerhard Stöbich) #51068
• [539bee4f0a] - doc: use length argument in pbkdf2Key (Tobias Nießen) #51066
• [c45a9a3187] - doc: add deprecation notice to dirent.path (Antoine du Hamel) #51059
• [58ca66a1a7] - doc: deprecate dirent.path (Antoine du Hamel) #51020
• [c2b6edf9ab] - esm: fix hook name in error message (Bruce MacNaughton) #50466
• [35e8f26f07] - fs: throw fchownSync error from c++ (Yagiz Nizipli) #51075
• [c3c8237089] - fs: update params in jsdoc for createReadStream and createWriteStream (Jungku Lee) #51063
• [3f7f3ce8c9] - fs: improve error performance of readvSync (IlyasShabi) #50100
• [7f95926f17] - http: handle multi-value content-disposition header (Arsalan Ahmad) #50977
• [7a8a2d5632] - lib: don't parse windows drive letters as schemes (华) #50580
• [aa2be4bb76] - module: load source maps in commonjs translator (Hiroki Osame) #51033
• [c0e5e74876] - module: document parentURL in register options (Hiroki Osame) #51039
• [4eedf5e694] - module: fix recently introduced coverity warning (Michael Dawson) #50843
• [9f54987fbc] - module: merge config with package_json_reader (Yagiz Nizipli) #50322
• [5f95dca638] - node-api: introduce experimental feature flags (Gabriel Schulhof) #50991
• [3fb7fc909e] - quic: further implementation details (James M Snell) #48244
• [fa25e069fc] - src: implement countObjectsWithPrototype (Joyee Cheung) #50572
• [abe90527e4] - src: register udp_wrap external references (Joyee Cheung) #50943
• [84e2f51d14] - src: register spawn_sync external references (Joyee Cheung) #50943
• [2cfee53d7b] - src: register process_wrap external references (Joyee Cheung) #50943
• [9b7f79a8bd] - src: fix double free reported by coverity (Michael Dawson) #51046
• [fc5503246e] - src: remove unused headers in node_file.cc (Jungku Lee) #50927
• [c3abdc58af] - src: implement --trace-promises (Joyee Cheung) #50899
• [f90fc83e97] - src: fix dynamically linked zlib version (Richard Lau) #51007
• [9bf144379f] - src: omit bool values of package.json main field (Yagiz Nizipli) #50965
• [45e4f82912] - src:...

2023-12-05, Version 21.4.0 (Current), @targos

Notable Changes

This release fixes a regression introduced in v21.3.0 that caused the fs.writeFileSync
method to throw when called with 'utf8' encoding, no flag option, and if the target file didn't exist yet.

• [32acafeeb6] - (SEMVER-MINOR) fs: introduce dirent.parentPath (Antoine du Hamel) #50976
• [724548674d] - fs: use default w flag for writeFileSync with utf8 encoding (Murilo Kakazu) #50990

Commits

• [b24ee15fb2] - benchmark: update iterations in benchmark/crypto/hkdf.js (Lei Shi) #50866
• [f79b54e60e] - benchmark: update iterations in benchmark/crypto/get-ciphers.js (Lei Shi) #50863
• [dc049acbbb] - benchmark: update number of iterations for util.inspect (kylo5aby) #50651
• [d7c562ae38] - deps: update googletest to 76bb2af (Node.js GitHub Bot) #50555
• [59a45ddbef] - deps: update googletest to b10fad3 (Node.js GitHub Bot) #50555
• [099ebdb781] - deps: update undici to 5.28.1 (Node.js GitHub Bot) #50975
• [4b1bed04f7] - deps: update undici to 5.28.0 (Node.js GitHub Bot) #50915
• [b281e98b1e] - doc: add additional details about --input-type (Shubham Pandey) #50796
• [b7036f2028] - doc: add procedure when CVEs don't get published (Rafael Gonzaga) #50945
• [7adf239af0] - doc: fix some errors in esm resolution algorithms (Christopher Jeffrey (JJ)) #50898
• [759ebcaead] - doc: reserve 121 for Electron 29 (Shelley Vohr) #50957
• [cedc3427fa] - doc: run license-builder (github-actions[bot]) #50926
• [30a6f19769] - doc: document non-node_modules-only runtime deprecation (Joyee Cheung) #50748
• [eecab883f0] - doc: add doc for Unix abstract socket (theanarkh) #50904
• [ec74b93b38] - doc: remove flicker on page load on dark theme (Dima Demakov) #50942
• [724548674d] - fs: use default w flag for writeFileSync with utf8 encoding (Murilo Kakazu) #50990
• [32acafeeb6] - (SEMVER-MINOR) fs: introduce dirent.parentPath (Antoine du Hamel) #50976
• [c1ee506454] - fs: remove workaround for esm package (Yagiz Nizipli) #50907
• [1cf087dfb3] - lib: refactor to use validateFunction in diagnostics_channel (Deokjin Kim) #50955
• [c37d18d5e1] - lib: streamline process.binding() handling (Joyee Cheung) #50773
• [246cf73631] - lib,src: replace toUSVString with toWellFormed() (Yagiz Nizipli) #47342
• [9bc79173a0] - loader: speed up line length calc used by moduleProvider (Mudit) #50969
• [812ab9e4f8] - meta: bump step-security/harden-runner from 2.6.0 to 2.6.1 (dependabot[bot]) #50999
• [1dbe1af19a] - meta: bump github/codeql-action from 2.22.5 to 2.22.8 (dependabot[bot]) #50998
• [bed1b93f8a] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #50931
• [1e7d101428] - src: make ModifyCodeGenerationFromStrings more robust (Joyee Cheung) #50763
• [709ac479eb] - src: disable uncaught exception abortion for ESM syntax detection (Yagiz Nizipli) #50987
• [f6ff11c9f9] - src: fix backtrace with tail [[noreturn]] abort (Chengzhong Wu) #50849
• [74f5a1cbc9] - src: print MKSNAPSHOT debug logs to stderr (Joyee Cheung) #50759
• [3a1c664a97] - test: replace forEach to for.. test-webcrypto-export-import-cfrg.js (Angelo Parziale) #50785
• [ac3a6eefe3] - test: log more information in SEA tests (Joyee Cheung) #50759
• [94462d42f5] - test: consolidate utf8 text fixtures in tests (Joyee Cheung) #50732
• [8e1a70a347] - tools: add triggers to update release links workflow (Moshe Atlow) #50974
• [ca10cbb774] - tools: update lint-md-dependencies to [email protected] (Node.js GitHub Bot) #50913
• [1e40c4a366] - tools: fix current version check (Marco Ippolito) #50951
• [3faed331e1] - typings: fix JSDoc in internal/modules/esm/hooks (Alex Yang) #50887
• [6a087ceffa] - url: throw error if argument length of revokeObjectURL is 0 (DylanTet) #50433

2023-11-30, Version 21.3.0 (Current), @RafaelGSS

Notable Changes

New --disable-warning flag

This version adds a new --disable-warning option that allows users to disable specific warnings either by code
(i.e. DEP0025) or type (i.e. DeprecationWarning, ExperimentalWarning).

This option works alongside existing --warnings and --no-warnings.

For example, the following script will not emit DEP0025 require('node:sys') when executed with
node --disable-warning=DEP0025:

import sys from 'node:sys';

Contributed by Ethan-Arrowood in #50661

Update Root Certificates to NSS 3.95

This is the certdata.txt from NSS 3.95, released on 2023-11-16.

This is the version of NSS that will ship in Firefox 121 on
2023-12-19.

Certificates added:

• TrustAsia Global Root CA G3
• TrustAsia Global Root CA G4
• CommScope Public Trust ECC Root-01
• CommScope Public Trust ECC Root-02
• CommScope Public Trust RSA Root-01
• CommScope Public Trust RSA Root-02

Certificates removed:

• Autoridad de Certificacion Firmaprofesional CIF A62634068

Fast fs.writeFileSync with UTF-8 Strings

Enhanced writeFileSync functionality by implementing a highly efficient fast path primarily in C++ for UTF8-encoded string data.
Additionally, optimized the appendFileSync method by leveraging the improved writeFileSync functionality.
For simplicity and performance considerations, the current implementation supports only string data,
as benchmark results raise concerns about the efficacy of using Buffer for this purpose.
Future optimizations and expansions may be explored, but for now, the focus is on maximizing efficiency for string data operations.

Contributed by CanadaHonk in #49884.

Other Notable Changes

• [c7a7493ca2] - (SEMVER-MINOR) module: bootstrap module loaders in shadow realm (Chengzhong Wu) #48655
• [bc3f7b5401] - (SEMVER-MINOR) module: remove useCustomLoadersIfPresent flag (Chengzhong Wu) #48655
• [aadff07e59] - (SEMVER-MINOR) src: create per isolate proxy env template (Chengzhong Wu) #48655
• [91aa9dd23a] - (SEMVER-MINOR) src: create fs_dir per isolate properties (Chengzhong Wu) #48655
• [5c5834190a] - (SEMVER-MINOR) src: create worker per isolate properties (Chengzhong Wu) #48655
• [4a1ce45181] - (SEMVER-MINOR) src: make process binding data weak (Chengzhong Wu) #48655

Commits

• [4a20912279] - benchmark: update iterations in benchmark/util/splice-one.js (Liu Jia) #50698
• [36380eb53d] - benchmark: increase the iteration number to an appropriate value (Lei Shi) #50766
• [23f56d8bb3] - benchmark: rewrite import.meta benchmark (Joyee Cheung) #50683
• [f7245d73d9] - benchmark: add misc/startup-cli-version benchmark (Joyee Cheung) #50684
• [c81d2acfe0] - benchmark: remove punycode from require-builtins fixture (Joyee Cheung) #50689
• [5849f09874] - build: add GN configurations for simdjson (Cheng Zhao) #50831
• [12605e8f7d] - build: add configuration flag to enable Maglev (Keyhan Vakil) #50692
• [43da9ea9e5] - build: fix GN configuration for deps/base64 (Cheng Zhao) #50696
• [465f75b58a] - build: disable flag v8_scriptormodule_legacy_lifetime (Chengzhong Wu) #50616
• [d2c0dfb1b7] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
• [8d3a1d8911] - deps: update zlib to 1.2.13.1-motley-5daffc7 (Node.js GitHub Bot) #50803
• [e02f304de7] - deps: V8: cherry-pick 0f9ebbc672c7 (Chengzhong Wu) #50867
• [c31ad5ceaa] - deps: update icu to 74.1 (Node.js GitHub Bot) #50515
• [3ff2bda34e] - deps: update ada to 2.7.4 (Node.js GitHub Bot) #50815
• [221f02df6d] - deps: update undici to 5.27.2 (Node.js GitHub Bot) #50813
• [ee69c613a2] - deps: update minimatch to 9.0.3 (Node.js GitHub Bot) #50806
• [00dab30fd2] - deps: V8: cherry-pick 475c8cdf9a95 (Keyhan Vakil) #50680
• [a0c01b23b4] - deps: update simdutf to 4.0.4 (Node.js GitHub Bot) #50772
• [071e46ae56] - deps: upgrade npm to 10.2.4 (npm team) #50751
• [5d28f8d18f] - deps: escape Python strings correctly (Michaël Zasso) #50695
• [3731f836ed] - deps: V8: cherry-pick 8f0b94671ddb (Lu Yahan) #50654
• [6dfe1023c3] - dns: call handle.setServers() with a valid array (Luigi Pinca) #50811
• [2f13db475e] - doc: make theme consistent across api and other docs (Dima Demakov) #50877
• [8c4976b732] - doc: add a section regarding instanceof in primordials.md (Antoine du Hamel) #50874
• [6485687642] - doc: update email to reflect affiliation (Yagiz Nizipli) #50856
• [bc31375a09] - doc: shard not supported with watch mode (Pulkit Gupta) #50640
• [08c3b0ab20] - doc: get rid of unnecessary eslint-skip comments (Antoine du Hamel) #50829
• [98fb1faff1] - doc: create deprecation code for isWebAssemblyCompiledModule (Marco Ippolito) #50486
• [e116fcdb01] - doc: add CanadaHonk to triagers (CanadaHonk) #50848
• [a37d9ee1e3] - doc: fix typos in --allow-fs-* (Tobias Nießen) #50845
• [8468daf1a9] - doc: update Crypto API doc for x509.keyUsage (Daniel Meechan) #50603
• [b4935dde60] - doc: fix fs.writeFileSync return value documentation (Ryan Zimmerman) #50760
• [ead9879a04] - doc: update print results(detail) in PerformanceEntry (Jungku Lee) #50723
• [6b7403c5df] - doc: fix Buffer.allocUnsafe documentation (Mert Can Altın) #50686
• [713fdf1fc3] - doc: run license-builder (github-actions[bot]) #50691
• [50f336c06f] - esm: fallback to getSource when load returns nullish source (Antoine du Hamel) #50825...

2023-11-29, Version 18.19.0 'Hydrogen' (LTS), @targos

Notable Changes

npm updated to v10

After two months of baking time in Node.js 20, npm 10 is backported, so that all
release lines include a supported version of npm. This release includes npm v10.2.3.

Refer to nodejs/Release#884 for the plan to land npm 10.

ESM and customization hook changes

Leverage loaders when resolving subsequent loaders

Loaders now apply to subsequent loaders, for example: --experimental-loader ts-node --experimental-loader loader-written-in-typescript.

Contributed by Maël Nison in #43772.

New node:module API register for module customization hooks; new initialize hook

There is a new API register available on node:module to specify a file that exports module customization hooks, and pass data to the hooks, and establish communication channels with them. The “define the file with the hooks” part was previously handled by a flag --experimental-loader, but when the hooks moved into a dedicated thread in 20.0.0 there was a need to provide a way to communicate between the main (application) thread and the hooks thread. This can now be done by calling register from the main thread and passing data, including MessageChannel instances.

We encourage users to migrate to an approach that uses --import with register, such as:

node --import ./file-that-calls-register.js ./app.js

Using --import ensures that the customization hooks are registered before any application code runs, even the entry point.

Contributed by João Lenon and Jacob Smith in #46826, Izaak Schroeder and Jacob Smith in #48842 and #48559.

import.meta.resolve unflagged

In ES modules, import.meta.resolve(specifier)
can be used to get an absolute URL string to which specifier resolves, similar
to require.resolve in CommonJS. This aligns Node.js with browsers and other server-side runtimes.

Contributed by Guy Bedford in #49028.

--experimental-default-type flag to flip module defaults

The new flag --experimental-default-type can be used to flip the default
module system used by Node.js. Input that is already explicitly defined as ES
modules or CommonJS, such as by a package.json "type" field or .mjs/.cjs
file extension or the --input-type flag, is unaffected. What is currently
implicitly CommonJS would instead be interpreted as ES modules under
--experimental-default-type=module:

• String input provided via --eval or STDIN, if --input-type is unspecified.

• Files ending in .js or with no extension, if there is no package.json file
  present in the same folder or any parent folder.

• Files ending in .js or with no extension, if the nearest parent
  package.json field lacks a type field; unless the folder is inside a
  node_modules folder.

In addition, extensionless files are interpreted as Wasm if
--experimental-wasm-modules is passed and the file contains the "magic bytes"
Wasm header.

Contributed by Geoffrey Booth in #49869.

Other ESM-related changes

• [ed2d46f4cc] - doc: move and rename loaders section (Geoffrey Booth) #49261
• [92734d4480] - esm: use import attributes instead of import assertions (Antoine du Hamel) #50140
• [e96f7ef881] - (SEMVER-MINOR) vm: use import attributes instead of import assertions (Antoine du Hamel) #50141

Test runner changes

Many changes to the built-in test runner have been backported. This includes
the following additions:

• [b283ae4238] - (SEMVER-MINOR) test_runner: accept testOnly in run (Moshe Atlow) #49753
• [059b1945d8] - (SEMVER-MINOR) test_runner: add junit reporter (Moshe Atlow) #49614
• [d61a505546] - (SEMVER-MINOR) test_runner: expose location of tests (Colin Ihrig) #48975
• [b55eb2a8d1] - (SEMVER-MINOR) test_runner: add shards support (Raz Luvaton) #48639
• [05e7f28b40] - (SEMVER-MINOR) test_runner: add initial draft for fakeTimers (Erick Wendel) #47775
• [428301ad27] - (SEMVER-MINOR) test_runner, cli: add --test-concurrency flag (Colin Ihrig) #49996

Other notable changes

• [0c4a84e8e9] - (SEMVER-MINOR) deps: update uvwasi to 0.0.19 (Node.js GitHub Bot) #49908
• [fae60c5841] - stream: use bitmap in readable state (Benjamin Gruenbaum) #49745
• [17246be158] - (SEMVER-MINOR) lib: add api to detect whether source-maps are enabled (翠 / green) #46391
• [2e9f7284a1] - (SEMVER-MINOR) lib: add tracing channel to diagnostics_channel (Stephen Belanger) #44943
• [cc7bf1f641] - (SEMVER-MINOR) src: add cjs_module_lexer_version base64_version (Jithil P Ponnan) #45629
• [b5d16cd8f0] - (SEMVER-MINOR) tls: add ALPNCallback server option for dynamic ALPN negotiation (Tim Perry) #45190

Commits

• [0d0eb47e2a] - benchmark: add benchmarks for the test_runner (Raz Luvaton) #48931
• [8bb03d10f4] - benchmark: differentiate whatwg and legacy url (Yagiz Nizipli) #47377
• [3d7734cbe3] - benchmark: lower URL.canParse runs (Khafra) #47351
• [24d3fcf415] - benchmark: stablize encode benchmark (Joyee Cheung) #46658
• [e08fd98bcc] - bootstrap: use correct descriptor for Symbol.{dispose,asyncDispose} (Jordan Harband) #48703
• [cf9ddcd6c8] - bootstrap: simplify initialization of source map handlers (Joyee Cheung) #48304
• [12d731e431] - bootstrap: log isolate data info in mksnapshot debug logs (Joyee Cheung) #47768
• [d66873871a] - bootstrap: store internal loaders in C++ via a binding (Joyee Cheung) #47215
• [1a499c5082] - bootstrap: optimize modules loaded in the built-in snapshot (Joyee Cheung) #45849
• [e0e09caafe] - bootstrap: make CJS loader snapshotable (Joyee Cheung) #45849
• [5f37decd56] - bootstrap: include event_target into the built-in snapshot (Joyee Cheung) #45849
• [c3f56a3dee] - bootstrap: support module_wrap binding in snapshot (Joyee Cheung) #45849
• [6466acbc89] - bootstrap: lazy load non-essential modules (Joyee Cheung) #45659
• [a0d4b69df4] - bootstrap: lazy-load Performance.prototype.timeOrigin (Joyee Cheung) #46425
• [c1bc8118e3] - bootstrap: generate bootstrapper arguments in BuiltinLoader (Joyee Cheung) #44488
• [075c57e88b] - build: add symlink to compile_commands.json file if needed (Juan José) #49260
• [[9e1c531b8d](9e1c531b...