deps: upgrade to npm 2.14.4 #2958
Conversation
|
(oops, I pushed the submit button on this before tests finished running, please hold) EDIT: We're all good now. :) |
brendanashworth
added
the
npm
|
Rubber stamp LGTM |
|
@zkat re npm@3, you might want to prime Rebecca on this, but we should be able to start accepting npm@3 pull requests to I'm making an assumption here that there would be no objections amongst @nodejs/collaborators to jumping to npm@3 for v5+ (collaborators: pipe up in here if you think this might not be a good idea). Also, node-gyp@3.0.3 would be good on top of this, unfortunately (sorry), it's got 2 fixes that are fairly important. Thanks! |
|
+1 for npm@3 in |
|
Added |
PR-URL: #2958 Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
PR-URL: #2958 Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
|
Thanks, landed in 61d48b4...2c09a53 :) |
|
Thanks, Jeremiah! :D |
PR-URL: #2958 Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
PR-URL: #2958 Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Notable changes * buffer: Fixed a bug introduced in v4.1.0 where allocating a new zero-length buffer can result in the next allocation of a TypedArray in JavaScript not being zero-filled. In certain circumstances this could result in data leakage via reuse of memory space in TypedArrays, breaking the normally safe assumption that TypedArrays should be always zero-filled. (Trevor Norris) #2931. * http: Guard against response-splitting of HTTP trailing headers added via response.addTrailers() by removing new-line ([\r\n]) characters from values. Note that standard header values are already stripped of new-line characters. The expected security impact is low because trailing headers are rarely used. (Ben Noordhuis) #2945. * npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full details (Kat Marchán) #2958 - Upgrades graceful-fs on multiple dependencies to no longer rely on monkey-patching fs - Fix npm link for pre-release / RC builds of Node * v8: Update post-mortem metadata to allow post-mortem debugging tools to find and inspect: - JavaScript objects that use dictionary properties (Julien Gilli) #2959 - ScopeInfo and thus closures (Julien Gilli) #2974
Notable changes * buffer: Fixed a bug introduced in v4.1.0 where allocating a new zero-length buffer can result in the next allocation of a TypedArray in JavaScript not being zero-filled. In certain circumstances this could result in data leakage via reuse of memory space in TypedArrays, breaking the normally safe assumption that TypedArrays should be always zero-filled. (Trevor Norris) #2931. * http: Guard against response-splitting of HTTP trailing headers added via response.addTrailers() by removing new-line ([\r\n]) characters from values. Note that standard header values are already stripped of new-line characters. The expected security impact is low because trailing headers are rarely used. (Ben Noordhuis) #2945. * npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full details (Kat Marchán) #2958 - Upgrades graceful-fs on multiple dependencies to no longer rely on monkey-patching fs - Fix npm link for pre-release / RC builds of Node * v8: Update post-mortem metadata to allow post-mortem debugging tools to find and inspect: - JavaScript objects that use dictionary properties (Julien Gilli) #2959 - ScopeInfo and thus closures (Julien Gilli) #2974 PR-URL: #2995
|
@rvagg FYI: Because of npm/npm#9695, I won't be making a pull request to bring in npm@3 till 3.3.5, when that patch is |
|
@iarna as per #3000 there's no great rush just yet, we're going to have v4 be LTS soon but you probably have until the next V8 stable before we ship v5 which could be as late as mid-October or later. Will keep you informed of progress though and if we have to punt to v6 then that's fine too because v5 won't end up as LTS anyway. |
Heyo!
This release is the first one to officially include
node-gyp(@3.0.1), so it shouldn't need any hotfixes cherry-picked over! Otherwise, I can add a commit to this that bumps it to@3.0.3(which will come in with next week's downstreaming anyway).This also includes most of @thefourtheye's
graceful-fsupgrades, a Windows fix fornpm link, and a removal of our only usage of a deprecated API (process.binding).You can see the full release notes at https://github.com/npm/npm/releases/tag/v2.14.4
lmk if you want that
node-gyppatch added to this PR!Also note that we finally released
npm@3this week (as you may have heard), but I'll continue to submitnpm@2release PRs -- you can expect a potential slowing, though, since we're also switching to LTS more withnpm@2, so it won't see very much in terms of new features and such.Cheers!