Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v19.2.0 proposal #45615

Merged
merged 117 commits into from
Nov 29, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
117 commits
Select commit Hold shift + click to select a range
44886e5
diagnostics_channel: mark as stable
Nov 5, 2022
f79dd65
test: add a test to ensure the correctness of timezone upgrades
RaisinTen Nov 10, 2022
6704e78
meta: be more proactive about removing from teams
Trott Nov 10, 2022
7c6281a
tools: dynamically determine parallelism on GitHub Actions macOS
Trott Nov 10, 2022
6c56c97
buffer: introduce File
KhafraDev Nov 10, 2022
17e6031
deps: V8: cherry-pick 031b98b25cba
targos Nov 11, 2022
f86f90f
util: improve text decoder performance
anonrig Nov 9, 2022
b72b2ba
http: add JSDoc property descriptions
Trott Nov 8, 2022
4e5ad9d
esm: add JSDoc property descriptions for fetch
Trott Nov 8, 2022
8906a4e
esm: add JSDoc property descriptions for loader
Trott Nov 8, 2022
36bf87f
tools: enable jsdoc/require-property-description rule
Trott Nov 8, 2022
b7f8a44
tools: simplify regex in ESLint config
Trott Nov 12, 2022
93bc2ba
tools: simplify .eslintrc.js
Trott Nov 12, 2022
bb36acf
tools: do not run CQ on non-fast-tracked PRs open for less than 2 days
MoLow Nov 12, 2022
a6fe707
doc: fix typo in maintaining-dependencies.md
tniessen Nov 12, 2022
7c79ba7
util: add fast path for utf8 encoding
anonrig Nov 12, 2022
4fe5c4e
test: fix flaky test-repl-sigint-nested-eval
Trott Nov 13, 2022
a483d12
src: condense experimental warning message
Trott Nov 13, 2022
8a34ef4
tools: update lint-md-dependencies to rollup@3.3.0
nodejs-github-bot Nov 13, 2022
3263ceb
watch: watch for missing dependencies
MoLow Nov 13, 2022
94a6a97
doc: adjust wording to eliminate awkward typography
kovsu Nov 13, 2022
d13ea68
meta: update AUTHORS
nodejs-github-bot Nov 13, 2022
e9760b4
test_runner: support watch mode
MoLow Nov 13, 2022
1ce2f56
build: make scripts in gyp run with right python
gengjiawen Nov 14, 2022
f208db7
http: add debug log for ERR_UNESCAPED_CHARACTERS
aidant Nov 14, 2022
00a3b5f
test: remove flaky designation for test-worker-http2-stream-terminate
Trott Nov 14, 2022
39e8731
tools: include current release in the list of released versions
aduh95 Nov 14, 2022
ad8da86
deps: update acorn to 8.8.1
nodejs-github-bot Nov 15, 2022
4128c27
doc: include v19.1.0 in `CHANGELOG.md`
RafaelGSS Nov 15, 2022
7cff1e1
async_hooks: add hook to stop propagation
Flarna Nov 15, 2022
459d448
src: add --max-semi-space-size to the options allowed in NODE_OPTIONS
ehoogeveen-medweb Nov 15, 2022
51213c2
test: add test to validate changelogs for releases
richardlau Nov 15, 2022
9e0e97c
diagnostics_channel: built-in channels should remain experimental
Nov 15, 2022
45b54ee
test: update uses of _jabber._tcp.google.com
cjihrig Nov 13, 2022
413bf9a
deps: patch V8 to 10.7.193.22
targos Nov 16, 2022
c41e67f
deps: update zlib to upstream 8bbd6c31
lpinca Nov 9, 2022
45ba14b
deps: fix zlib compilation for CPUs without SIMD features
addaleax Apr 3, 2020
628891d
deps: update timezone to 2022f
nodejs-github-bot Nov 16, 2022
62ef1eb
build: add --v8-disable-object-print flag
fossamagna Nov 17, 2022
1277ffc
test: add lint rule to enforce trailing commas
aduh95 Nov 17, 2022
1812a89
doc: add lint rule to enforce trailing commas
aduh95 Nov 17, 2022
bbba42f
url: remove unnecessary object call to kFormat
anonrig Nov 17, 2022
efe19eb
crypto: clear OpenSSL error queue after calling X509_verify()
takuro-sato Nov 17, 2022
4de67d1
doc: add arm64 to os.machine()
sno2 Nov 17, 2022
38767b4
lib: do not throw if global property is no longer configurable
aduh95 Nov 17, 2022
10e7c2a
src: remove the unused PackageConfig class
joyeecheung Nov 17, 2022
5e5bf0c
src: don't run tasks on isolate termination
santigimeno Nov 17, 2022
208ea1a
meta: update VoltrexMaster's username
VoltrexKeyva Nov 18, 2022
2b760c3
fs: fix fs.rm support for loop symlinks
nathanael-ruf Nov 18, 2022
8ff16fd
node-api: fix immediate napi_remove_wrap test
legendecas Nov 18, 2022
117efe9
deps: V8: cherry-pick 9df5ef70ff18
anonrig Nov 18, 2022
b491504
test: enable the WPT for `structuredClone`
daeyeon Nov 18, 2022
8d96e2c
stream: add fast path for utf8
anonrig Nov 18, 2022
0f3cf7e
Revert "build: remove precompiled header and debug information for ho…
StefanStojanovic Nov 18, 2022
26ad54c
benchmark: add text-encoder benchmark
anonrig Nov 18, 2022
cca2033
tools: update certdata.txt
lpinca Nov 16, 2022
724addb
crypto: update root certificates
lpinca Nov 16, 2022
f441b04
trace_events: add new categories
theanarkh Nov 19, 2022
a3b9967
deps: update V8 to 10.8.168.20
targos Nov 18, 2022
54fd8a1
build: reset embedder string to "-node.0"
targos Nov 18, 2022
e929254
deps: fix V8 build issue with inline methods
gengjiawen Oct 14, 2020
9348bdd
deps: V8: fix v8-cppgc.h for MSVC
gengjiawen Mar 17, 2022
3cd6367
deps: silence irrelevant V8 warning
targos Jun 21, 2022
1370b1a
deps: fix V8 build on Windows with MSVC
targos Sep 21, 2022
51eb323
deps: V8: cherry-pick 92a7385171bb
targos Nov 2, 2022
e70c309
deps: V8: cherry-pick f1c888e7093e
targos Nov 15, 2022
aaa4ac7
deps: V8: cherry-pick 9df5ef70ff18
anonrig Nov 18, 2022
72f2df2
test: adapt test-v8-stats for V8 update
targos Sep 25, 2022
076e9ee
test: fix test-trace-gc-flag
tony-go Nov 11, 2022
496912d
stream: fix typo in `adapters.js` (#45515)
cola119 Nov 19, 2022
bd3accc
crypto: clear OpenSSL error queue after calling X509_check_private_key()
panva Nov 19, 2022
e0a271e
gyp: fix v8 canary build on aix
V-for-Vasili Nov 19, 2022
4a4f280
node-api: declare type napi_cleanup_hook
legendecas Nov 19, 2022
cce9e11
src: move FsStatsOffset and kFsStatsBufferLength to node_file.h
joyeecheung Nov 19, 2022
6bdd2c3
Revert "url: improve port validation"
Trott Nov 19, 2022
c9ba0b7
test: revise pull request guide text about code
Trott Nov 19, 2022
0d1b1c5
meta: update AUTHORS
nodejs-github-bot Nov 20, 2022
6fdd202
module: require.resolve.paths returns null with node schema
fossamagna Nov 20, 2022
118de4b
doc: fix RESOLVE_ESM_MATCH in modules.md
sapphi-red Nov 20, 2022
d4f30f0
tools: add missing step in update-base64.sh script
facutuesca Nov 18, 2022
43e002e
deps: update base64 to 0.5.0
facutuesca Nov 18, 2022
5274a8f
stream: avoid premature close when will not emit close
ronag Nov 20, 2022
c00258e
stream: add primordials to adapters
anonrig Nov 20, 2022
6f0bc09
doc: add async_hooks migration note
GeoffreyBooth Nov 6, 2022
56f22ea
src: set an appropriate thread pool size if given `--v8-pool-size=0`
daeyeon Nov 21, 2022
19d8493
doc: run license-builder
github-actions[bot] Nov 21, 2022
5c9b2a7
build: fix env.h for cpp20
gengjiawen Nov 21, 2022
5b1df22
doc: add Node.js Threat Model
RafaelGSS Nov 21, 2022
246cd35
doc: fix typo in threat model
tniessen Nov 21, 2022
d6c68ce
test: add trailing commas in `test/common` (#45550)
aduh95 Nov 21, 2022
731e874
test: add trailing commas in addons test (#45548)
aduh95 Nov 21, 2022
bb4c293
test: add trailing commas in async-hooks tests (#45549)
aduh95 Nov 21, 2022
f3f1aed
tools: add automation for updating libuv dependency
facutuesca Nov 21, 2022
f08f6a6
benchmark: add v8 serialize benchmark
anonrig Nov 21, 2022
16643db
doc: add missing documentation for paramEncoding
tniessen Nov 21, 2022
5745bcb
lib: improve AbortController creation duration
anonrig Nov 19, 2022
4c9159a
lib: improve transferable abort controller exec
anonrig Nov 19, 2022
eac26c0
Revert "http: headers(Distinct), trailers(Distinct) setters to be no-op"
Trott Nov 21, 2022
f720c58
stream: use ArrayBufferPrototypeGetByteLength
anonrig Nov 21, 2022
016749b
test_runner: add initial TAP parser
manekinekko Nov 21, 2022
4345732
doc: add version description about fsPromise.constants
lvqq Nov 21, 2022
81f63c2
tools: update eslint to 8.28.0
nodejs-github-bot Nov 22, 2022
42507e6
src,node-api: update `napi_is_detached_arraybuffer`
daeyeon Nov 22, 2022
9ffe3c0
build,deps,src: fix Intel VTune profiling support
Nov 22, 2022
649b31f
src: add missing include for `std::all_of`
targos Nov 22, 2022
57bca94
src: avoid unused variables and functions
targos Nov 22, 2022
6e1e25d
build: avoid redefined macro
targos Nov 22, 2022
160c88e
tools: have test-asan use ubuntu-20.04
panva Nov 22, 2022
c3fe907
test: add trailing commas in event tests
Trott Nov 22, 2022
015842f
doc: use console.error for error case in http2
deokjinkim Nov 23, 2022
128c9f6
src: use qualified `std::move` call in node_http2
targos Nov 23, 2022
d805d5a
doc: clarify changes in readableFlowing
cola119 Nov 23, 2022
f63ae52
deps: V8: cherry-pick 2ada52cffbff
targos Nov 24, 2022
b6b5b51
doc: deprecate use of invalid ports in `url.parse`
aduh95 Nov 24, 2022
38f1ede
node-api: address coverity warning
mhdawson Nov 21, 2022
e7a5b33
src: address coverity warning in node_file.cc
mhdawson Nov 21, 2022
8a4d7ac
2022-11-29, Version 19.2.0 (Current)
ruyadorno Nov 24, 2022
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
16 changes: 7 additions & 9 deletions .eslintrc.js
Original file line number Diff line number Diff line change
Expand Up @@ -117,17 +117,16 @@ module.exports = {
// https://eslint.org/docs/rules/
'accessor-pairs': 'error',
'array-callback-return': 'error',
'arrow-parens': ['error', 'always'],
'arrow-spacing': ['error', { before: true, after: true }],
'arrow-parens': 'error',
'arrow-spacing': 'error',
'block-scoped-var': 'error',
'block-spacing': 'error',
'brace-style': ['error', '1tbs', { allowSingleLine: true }],
'capitalized-comments': ['error', 'always', {
line: {
// Ignore all lines that have less characters than 20 and all lines that
// start with something that looks like a variable name or code.
// eslint-disable-next-line max-len
ignorePattern: '.{0,20}$|[a-z]+ ?[0-9A-Z_.(/=:[#-]|std|http|ssh|ftp|(let|var|const) [a-z_A-Z0-9]+ =|[b-z] |[a-z]*[0-9].* ',
ignorePattern: '.{0,20}$|[a-z]+ ?[0-9A-Z_.(/=:[#-]|std|http|ssh|ftp',
ignoreInlineComments: true,
ignoreConsecutiveComments: true,
},
Expand Down Expand Up @@ -162,9 +161,9 @@ module.exports = {
ObjectExpression: 'first',
SwitchCase: 1,
}],
'key-spacing': ['error', { mode: 'strict' }],
'key-spacing': 'error',
'keyword-spacing': 'error',
'linebreak-style': ['error', 'unix'],
'linebreak-style': 'error',
'max-len': ['error', {
code: 120,
ignorePattern: '^// Flags:',
Expand All @@ -178,7 +177,7 @@ module.exports = {
'no-constant-condition': ['error', { checkLoops: false }],
'no-constructor-return': 'error',
'no-duplicate-imports': 'error',
'no-else-return': ['error', { allowElseIf: true }],
'no-else-return': 'error',
'no-extra-parens': ['error', 'functions'],
'no-lonely-if': 'error',
'no-mixed-requires': 'error',
Expand Down Expand Up @@ -285,7 +284,7 @@ module.exports = {
named: 'never',
asyncArrow: 'always',
}],
'space-in-parens': ['error', 'never'],
'space-in-parens': 'error',
'space-infix-ops': 'error',
'space-unary-ops': 'error',
'spaced-comment': ['error', 'always', {
Expand All @@ -311,7 +310,6 @@ module.exports = {
'jsdoc/require-param': 'off',
'jsdoc/check-tag-names': 'off',
'jsdoc/require-returns': 'off',
'jsdoc/require-property-description': 'off',

// Custom rules from eslint-plugin-node-core
'node-core/no-unescaped-regexp-dot': 'error',
Expand Down
14 changes: 12 additions & 2 deletions .github/workflows/commit-queue.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,14 +32,24 @@ jobs:
steps:
- name: Get Pull Requests
id: get_mergeable_prs
run: >
numbers=$(gh pr list \
run: |
prs=$(gh pr list \
--repo ${{ github.repository }} \
--base ${{ github.ref_name }} \
--label 'commit-queue' \
--json 'number' \
--search "created:<=$(date --date="2 days ago" +"%Y-%m-%dT%H:%M:%S%z")" \
-t '{{ range . }}{{ .number }} {{ end }}' \
--limit 100)
fast_track_prs=$(gh pr list \
--repo ${{ github.repository }} \
--base ${{ github.ref_name }} \
--label 'commit-queue' \
--label 'fast-track' \
--json 'number' \
-t '{{ range . }}{{ .number }} {{ end }}' \
--limit 100)
numbers=$(echo $prs' '$fast_track_prs | jq -r -s 'unique | join(" ")')
echo "numbers=$numbers" >> $GITHUB_OUTPUT
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/linters.yml
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,7 @@ jobs:
- name: Get release version numbers
if: ${{ github.event.pull_request && github.event.pull_request.base.ref == github.event.pull_request.base.repo.default_branch }}
id: get-released-versions
run: ./tools/lint-md/list-released-versions-from-changelogs.mjs
run: ./tools/lint-md/list-released-versions-from-changelogs.mjs >> $GITHUB_OUTPUT
- name: Lint markdown files
run: |
echo "::add-matcher::.github/workflows/remark-lint-problem-matcher.json"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/test-asan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ permissions:
jobs:
test-asan:
if: github.event.pull_request.draft == false
runs-on: ubuntu-latest
runs-on: ubuntu-20.04
env:
CC: clang
CXX: clang++
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/test-macos.yml
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,6 @@ jobs:
- name: tools/doc/node_modules workaround
run: make tools/doc/node_modules
- name: Build
run: make build-ci -j3 V=1 CONFIG_FLAGS="--error-on-warn"
run: make build-ci -j$(getconf _NPROCESSORS_ONLN) V=1 CONFIG_FLAGS="--error-on-warn"
- name: Test
run: make run-ci -j3 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9"
run: make run-ci -j$(getconf _NPROCESSORS_ONLN) V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9"
3 changes: 3 additions & 0 deletions .github/workflows/timezone-update.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,9 @@ jobs:

- run: ./tools/update-timezone.mjs

- name: Update the expected timezone version in test
run: echo "${{ env.new_version }}" > test/fixtures/tz-version.txt

- name: Open Pull Request
uses: gr2m/create-or-update-pull-request-action@dc1726cbf4dd3ce766af4ec29cfb660e0125e8ee # Create a PR or update the Action's existing PR
env:
Expand Down
16 changes: 16 additions & 0 deletions .github/workflows/tools.yml
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,22 @@ jobs:
echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
./tools/update-acorn-walk.sh
fi
- id: libuv
subsystem: deps
label: dependencies
run: |
NEW_VERSION=$(gh api repos/libuv/libuv/releases/latest -q '.tag_name|ltrimstr("v")')
VERSION_H="./deps/uv/include/uv/version.h"
CURRENT_MAJOR_VERSION=$(grep "#define UV_VERSION_MAJOR" $VERSION_H | sed -n "s/^.*MAJOR \(.*\)/\1/p")
CURRENT_MINOR_VERSION=$(grep "#define UV_VERSION_MINOR" $VERSION_H | sed -n "s/^.*MINOR \(.*\)/\1/p")
CURRENT_PATCH_VERSION=$(grep "#define UV_VERSION_PATCH" $VERSION_H | sed -n "s/^.*PATCH \(.*\)/\1/p")
CURRENT_SUFFIX_VERSION=$(grep "#define UV_VERSION_SUFFIX" $VERSION_H | sed -n "s/^.*SUFFIX \"\(.*\)\"/\1/p")
SUFFIX_STRING=$([[ -z "$CURRENT_SUFFIX_VERSION" ]] && echo "" || echo "-$CURRENT_SUFFIX_VERSION")
CURRENT_VERSION="$CURRENT_MAJOR_VERSION.$CURRENT_MINOR_VERSION.$CURRENT_PATCH_VERSION$SUFFIX_STRING"
if [ "$NEW_VERSION" != "$CURRENT_VERSION" ]; then
echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
./tools/dep_updaters/update-libuv.sh "$NEW_VERSION"
fi
steps:
- uses: actions/checkout@v3
with:
Expand Down
1 change: 1 addition & 0 deletions .mailmap
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@ Christian Clauss <cclauss@me.com> <cclauss@bluewin.ch>
Christophe Naud-Dulude <christophe.naud.dulude@gmail.com>
Christopher Lenz <cmlenz@gmail.com> <chris@lamech.local>
Claudio Rodriguez <cjrodr@yahoo.com> <cr@fansworld.tv>
Claudio Wunder <cwunder@gnome.org> <cwunder@hubspot.com>
Clemens Backes <post@clemens-backes.de> <clemensb@chromium.org>
Colin Ihrig <cjihrig@gmail.com>
Corey Martin <coreymartin496@gmail.com>
Expand Down
8 changes: 8 additions & 0 deletions AUTHORS
Original file line number Diff line number Diff line change
Expand Up @@ -3567,5 +3567,13 @@ Tim Shilov <tim@shilov.dev>
Obiwac <obiwac@gmail.com>
Yu Gu <guyu2876@gmail.com>
andreysoktoev <andrey.soktoev@gmail.com>
Pavel Horal <pavel.horal@orchitech.cz>
Konv <82451257+kovsu@users.noreply.github.com>
Aidan Temple <15520814+aidant@users.noreply.github.com>
Emanuel Hoogeveen <emanuel@medweb.nl>
Takuro Sato <79583855+takuro-sato@users.noreply.github.com>
Carter Snook <cartersnook04@gmail.com>
Nathanael Ruf <104262550+nathanael-ruf@users.noreply.github.com>
Vasili Skurydzin <vasili.skurydzin@protonmail.com>

# Generated by tools/update-authors.mjs
4 changes: 3 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,9 @@ release.
</tr>
<tr>
<td valign="top">
<b><a href="doc/changelogs/CHANGELOG_V19.md#19.0.1">19.0.1</a></b><br/>
<b><a href="doc/changelogs/CHANGELOG_V19.md#19.2.0">19.2.0</a></b><br/>
<a href="doc/changelogs/CHANGELOG_V19.md#19.1.0">19.1.0</a><br/>
<a href="doc/changelogs/CHANGELOG_V19.md#19.0.1">19.0.1</a><br/>
<a href="doc/changelogs/CHANGELOG_V19.md#19.0.0">19.0.0</a><br/>
</td>
<td valign="top">
Expand Down
16 changes: 14 additions & 2 deletions LICENSE
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,18 @@ The externally maintained libraries used by Node.js are:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
"""

- ittapi, located at deps/v8/third_party/ittapi, is licensed as follows:
"""
Copyright (c) 2019 Intel Corporation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
"""

- ICU, located at deps/icu-small, is licensed as follows:
"""
UNICODE, INC. LICENSE AGREEMENT - DATA FILES AND SOFTWARE
Expand Down Expand Up @@ -1040,9 +1052,9 @@ The externally maintained libraries used by Node.js are:
- zlib, located at deps/zlib, is licensed as follows:
"""
zlib.h -- interface of the 'zlib' general purpose compression library
version 1.2.11, January 15th, 2017
version 1.2.13, October 13th, 2022

Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
Expand Down
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -444,7 +444,7 @@ For information about the governance of the Node.js project, see
**Rich Trott** <<rtrott@gmail.com>> (he/him)
* [vdeturckheim](https://github.com/vdeturckheim) -
**Vladimir de Turckheim** <<vlad2t@hotmail.com>> (he/him)
* [VoltrexMaster](https://github.com/VoltrexMaster) -
* [VoltrexKeyva](https://github.com/VoltrexKeyva) -
**Mohammed Keyvanzadeh** <<mohammadkeyvanzade94@gmail.com>> (he/him)
* [watilde](https://github.com/watilde) -
**Daijiro Wachi** <<daijiro.wachi@gmail.com>> (he/him)
Expand Down Expand Up @@ -690,7 +690,7 @@ maintaining the Node.js project.
**Pooja Durgad** <<Pooja.D.P@ibm.com>>
* [RaisinTen](https://github.com/RaisinTen) -
**Darshan Sen** <<raisinten@gmail.com>>
* [VoltrexMaster](https://github.com/VoltrexMaster) -
* [VoltrexKeyva](https://github.com/VoltrexKeyva) -
**Mohammed Keyvanzadeh** <<mohammadkeyvanzade94@gmail.com>> (he/him)

Triagers follow the [Triage Guide](./doc/contributing/issues.md#triaging-a-bug-report) when
Expand Down
126 changes: 126 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,132 @@ Here is the security disclosure policy for Node.js
the release process above to ensure that the disclosure is handled in a
consistent manner.

## The Node.js threat model

In the Node.js threat model, there are trusted elements such as the
underlying operating system. Vulnerabilities that require the compromise
of these trusted elements are outside the scope of the Node.js threat
model.

For a vulnerability to be eligible for a bug bounty, it must be a
vulnerability in the context of the Node.js threat model. In other
words, it cannot assume that a trusted element (such as the operating
system) has been compromised.

Being able to cause the following through control of the elements that Node.js
does not trust is considered a vulnerability:

* Disclosure or loss of integrity or confidentiality of data protected through
the correct use of Node.js APIs.
* The unavailability of the runtime, including the unbounded degradation of its
performance.

If Node.js loads configuration files or runs code by default (without a
specific request from the user), and this is not documented, it is considered a
vulnerability.
Vulnerabilities related to this case may be fixed by a documentation update.

**Node.js does NOT trust**:

1. The data from network connections that are created through the use of Node.js
APIs and which is transformed/validated by Node.js before being passed to the
application. This includes:
* HTTP APIs (all flavors) client and server APIs.
* DNS APIs.
2. Consumers of data protected through the use of Node.js APIs (for example
people who have access to data encrypted through the Node.js crypto APIs).
3. The file content or other I/O that is opened for reading or writing by the
use of Node.js APIs (ex: stdin, stdout, stderr).

In other words, if the data passing through Node.js to/from the application
can trigger actions other than those documented for the APIs, there is likely
a security vulnerability. Examples of unwanted actions are polluting globals,
causing an unrecoverable crash, or any other unexpected side effects that can
lead to a loss of confidentiality, integrity, or availability.

**Node.js trusts everything else**. As some examples this includes:

1. The developers and infrastructure that runs it.
2. The operating system that Node.js is running under and its configuration,
along with anything under control of the operating system.
3. The code it is asked to run including JavaScript and native code, even if
said code is dynamically loaded, e.g. all dependencies installed from the
npm registry.
The code run inherits all the privileges of the execution user.
4. Inputs provided to it by the code it is asked to run, as it is the
responsibility of the application to perform the required input validations.
5. Any connection used for inspector (debugger protocol) regardless of being
opened by command line options or Node.js APIs, and regardless of the remote
end being on the local machine or remote.
6. The file system when requiring a module.
See <https://nodejs.org/api/modules.html#all-together>.

Any unexpected behavior from the data manipulation from Node.js Internal
functions are considered a vulnerability.

In addition to addressing vulnerabilities based on the above, the project works
to avoid APIs and internal implementations that make it "easy" for application
code to use the APIs incorrectly in a way that results in vulnerabilities within
the application code itself. While we don’t consider those vulnerabilities in
Node.js itself and will not necessarily issue a CVE we do want them to be
reported privately to Node.js first.
We often choose to work to improve our APIs based on those reports and issue
fixes either in regular or security releases depending on how much of a risk to
the community they pose.

### Examples of vulneratibities

#### Improper Certificate Validation (CWE-295)

* Node.js provides APIs to validate handling of Subject Alternative Names (SANs)
in certficates used to connect to a TLS/SSL endpoint. If certificates can be
crafted which result in incorrect validation by the Node.js APIs that is
considered a vulnerability.

#### Inconsistent Interpretation of HTTP Requests (CWE-444)

* Node.js provides APIs to accept http connections. Those APIs parse the
headers received for a connection and pass them on to the application.
Bugs in parsing those headers which can result in request smuggling are
considered vulnerabilities.

#### Missing Cryptographic Step (CWE-325)

* Node.js provides APIs to encrypt data. Bugs that would allow an attacker
to get the original data without requiring the decryption key are
considered vulnerabilities.

#### External Control of System or Configuration Setting (CWE-15)

* If Node.js automatically loads a configuration file which is not documented
and modification of that configuration can affect the confidentiality of
data protected using the Node.js APIs this is considered a vulnerability.

### Examples of non-vulneratibities

#### Malicious Third-Party Modules (CWE-1357)

* Code is trusted by Node.js, therefore any scenario that requires a malicious
third-party module cannot result in a vulnerability in Node.js.

#### Prototype Pollution Attacks (CWE-1321)

* Node.js trusts the inputs provided to it by application code.
It is up to the application to sanitize appropriately, therefore any scenario
that requires control over user input is not considered a vulnerability.

#### Uncontrolled Search Path Element (CWE-427)

* Node.js trusts the file system in the environment accessible to it.
Therefore, it is not a vulnerability if it accesses/loads files from any path
that is accessible to it.

#### External Control of System or Configuration Setting (CWE-15)

* If Node.js automatically loads a configuration file which is documented
no scenario that requires modification of that configuration file is
considered a vulnerability.

## Receiving security updates

Security notifications will be distributed via the following methods.
Expand Down
34 changes: 34 additions & 0 deletions benchmark/blob/file.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
'use strict';
const common = require('../common.js');
const { File } = require('buffer');

const bench = common.createBenchmark(main, {
bytes: [128, 1024, 1024 ** 2],
n: [1e6],
operation: ['text', 'arrayBuffer']
});

const options = {
lastModified: Date.now() - 1e6,
};

async function run(n, bytes, operation) {
const buff = Buffer.allocUnsafe(bytes);
const source = new File(buff, 'dummy.txt', options);
bench.start();
for (let i = 0; i < n; i++) {
switch (operation) {
case 'text':
await source.text();
break;
case 'arrayBuffer':
await source.arrayBuffer();
break;
}
}
bench.end(n);
}

function main(conf) {
run(conf.n, conf.bytes, conf.operation).catch(console.log);
}
Loading