v6.2.2 proposal

[evanlucas]

Notable changes:

• http:
  • req.read(0) could cause incoming connections to stall and time out under certain conditions. (Fedor Indutny) #7211
  • When freeing the socket to be reused in keep-alive Agent wait for
    both prefinish and end events. Otherwise the next request may be
    written before the previous one has finished sending the body, leading
    to a parser errors. (Fedor Indutny) #7149
• npm: upgrade npm to 3.9.5 (Kat Marchán) #7139

Commits

• [d71ede8113] - benchmark: don't convert arguments to numbers (Brian White) #6570
• [32f76983e2] - benchmark: increase http token check iterations (Brian White) #6570
• [23a495a9a9] - benchmark: add benchmark for url.format() (Rich Trott) #7250
• [27ed7fc56c] - benchmark: fix child-process-exec-stdout on win (Bartosz Sosnowski) #7178
• [5e5af8b4bb] - benchmark: fix child-process-read on Windows (Bartosz Sosnowski) #6971
• [d24e4095bf] - benchmark: add benchmark for Buffer.concat (Anna Henningsen) #7054
• [666b6f9302] - build: add REPLACEME tag for version info in docs (Ben Noordhuis) #6864
• [6d3d2d1ae4] - cluster: don't send messages if no IPC channel (Santiago Gimeno) #7132
• [068718c91c] - debugger: remove obsolete setTimeout (Rich Trott) #7154
• [2961f06f6f] - debugger: fix --debug-brk interaction with -e (Rich Trott) #7089
• [701e699d4f] - deps: upgrade npm to 3.9.5 (Kat Marchán) #7139
• [1095ae1ac5] - doc: Add CII Best Practices badge to README.md (David A. Wheeler) #6819
• [0198987b0d] - doc: add internal link in GOVERNANCE.md (Rich Trott) #7279
• [8e14f761bb] - doc: use Buffer.byteLength for Content-Length (kimown) #7274
• [5d03bdd94f] - doc: add information for IncomingMessage.destroy() (Rich Trott) #7237
• [a113734099] - doc: general improvements to path.md copy (James M Snell) #7122
• [b5e44df9a3] - doc: make pull request template more concise (Rich Trott) #7239
• [40a5974a0e] - doc: url.format() parameter may be a string (Rich Trott) #7235
• [a7d813915e] - doc: clarify use of 0 port value (Rich Trott) #7206
• [0fc8012b65] - doc: remove cluster.setupMaster() myth (cjihrig) #7179
• [70167fd1d4] - doc: fix IRC link (Ilkka Myller) #7210
• [4f2215fd98] - doc: fix minor nit introduced in readline.md (James M Snell) #7198
• [d31f728e09] - doc: clarify rl.question callback args (James M Snell) #7022
• [70f2f357be] - doc: general improvements to readline.md copy (James M Snell) #7022
• [c2aba5ba27] - doc: consolidate test/lint text in GH PR template (Rich Trott) #7155
• [712120112f] - doc: use consistent typography in streams.md (Rich Trott) #6986
• [e2f6f8061b] - doc: general improvements to process.md copy (James M Snell) #7029
• [84ea6fc57c] - doc: general improvements to repl.md copy (James M Snell) #7002
• [bfb7e3cc6e] - doc: add added: information for readline (Julian Duque) #6996
• [632b411cd0] - doc: improved syntax consistency in console.md (Jonathan Montane) #7062
• [826bd99486] - doc: specify how to link issues in commit log (Luigi Pinca) #7161
• [865644a604] - doc: general improvements to querystring.md copy (James M Snell) #7023
• [dd4c607267] - doc: fix header depth of util.isSymbol (James M Snell) #7138
• [5086e5f3ee] - doc: general improvements to stream.md copy (James M Snell) #6947
• [75d6875034] - doc: update licenses (Myles Borins) #7121
• [dc8cb93c4f] - doc: add added: information for dns (Julian Duque) #7021
• [a7c85e6fd5] - doc: add added: information for path (Julian Duque) #6985
• [026bf17378] - doc: add added information for net (Italo A. Casas) #7038
• [d4a2c82f5f] - doc: general improvements to punycode.md copy (James M Snell) #7025
• [51d295efe6] - doc: add links to platform specific mechanisms (Michael Dawson) #7071
• [1600966f59] - fs: execute mkdtemp's callback with no context (Sakthipriyan Vairamani) #7068
• [ad1045c829] - http: fix no dumping after maybeReadMore (Fedor Indutny) #7211
• [2a462ba1e2] - http: optimize checkInvalidHeaderChar() (Brian White) #6570
• [4a63be031f] - http: optimize checkIsHttpToken() (Brian White) #6570
• [40e49dee82] - http: wait for both prefinish/end to keepalive (Fedor Indutny) #7149
• [e8c91e7557] - repl: refine handling of illegal tokens (Rich Trott) #7104
• [cf0928ccb7] - src: clean up string_search (Brian White) #7174
• [b0225e5926] - stream: ensure awaitDrain is increased once (David Halls) #7292
• [9c6b69ec1b] - stream: reset awaitDrain after manual .resume() (Anna Henningsen) #7160
• [caa6718a01] - test: fix test-net-* error code check for getaddrinfo(3) (Natanael Copa) #5099
• [535c8dd554] - test: add more http token/value checking tests (Brian White) #6570
• [257f4e6202] - test: add note about duration_ms in TAP reporter (Rod Vagg) #7216
• [798a737f45] - _Revert_ "test: change duration_ms to duration" (Rod Vagg) #7216
• [72e4e43b91] - test: rebuild add-ons when their sources change (Ben Noordhuis) #7262
• [eded11705b] - test: use random ports where possible (Brian White) #7045
• [d54c7c19a6] - test: fix spawn on windows (Brian White) #7049
• [e873063a3c] - test: enable test-debug-brk-no-arg (Rich Trott) #7143
• [d6091c8194] - test: use common.fixturesDir almost everywhere (Bryan English) #6997
• [e8b1456d8b] - test: change duration_ms to duration (Gibson Fahnestock) #7133
• [6ce26c8c8b] - test: add test for uid/gid setting in spawn (Rich Trott) #7084
• [40604b54d4] - test: remove disabled eio race test (Rich Trott) #7083
• [9545c41cba] - tools: fix license builder to work with icu-small (Myles Borins) #7119
• [6562c9fc75] - tools,doc: add example usage for REPLACEME tag (Anna Henningsen) #6864

[evanlucas]

ci: https://ci.nodejs.org/job/node-test-pull-request/3009/
citgm: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/306/

[MylesBorins]

changelog LGTM if ci + citgm are green

[bnoordhuis]

When maybeReadMore kicks in on a first bytes of incoming data, the req.read(0) will be invoked and the req._consuming will be set to true. This seemingly harmless property leads to a dire consequences: the server won't call req._dump() and the whole HTTP/1.1 pipeline will hang (single connection).

Perhaps a touch too long and dramatic. I'd shorten it to e.g. "req.read(0) could stall incoming connections under certain conditions."

Or maybe "req.read(0) could cause incoming connections to stall and time out under certain conditions", to stress that it's a bug but not really a denial-of-service.

[evanlucas]

thanks @bnoordhuis I'll update it. Does the other http one need to be changed/shortened as well?

[bnoordhuis]

The other one is not too bad. It could be shorter but it's acceptable as-is, IMO.

[Fishrock123]

Could you use code ticks for maybeReadMore(), req.read(0), HTTP/1.1, and keep-alive? Thanks!

[Fishrock123]

@evanlucas Hold up, you need to include #7284 or we'll be making a breaking change

[evanlucas]

@Fishrock123 that depends on #7111 right? If so, it shouldn't be necessary to include because that pr was semver-minor

[bnoordhuis]

I've changed #7111 to semver-major, see #7111 (comment).

[Fishrock123]

Ok, sounds good.