diff --git a/dist-indexer.js b/dist-indexer.js
index 0600c8f..e2c44cf 100755
--- a/dist-indexer.js
+++ b/dist-indexer.js
@@ -13,6 +13,7 @@ const fs = require('fs')
, transformFilename = require('./transform-filename')
, decodeRef = require('./decode-ref')
+ , isSecurityRelease = require('./is-security-release')
, versionCachePath = path.join(process.env.HOME, '.dist-indexer-version-cache')
@@ -39,6 +40,7 @@ const fs = require('fs')
, `${githubContentUrl}/src/node.h`
]
, ltsVersionUrl = `${githubContentUrl}/src/node_version.h`
+ , isSecurityUrl = 'https://github.com/nodejs/{repo}/commits/{gitref}.atom'
, githubOptions = { headers: {
'accept': 'text/plain,application/vnd.github.v3.raw'
} }
@@ -339,6 +341,23 @@ function fetchLtsVersion (gitref, callback) {
}
+function fetchSecurity (gitref, callback) {
+ var security = cacheGet(gitref, 'security')
+
+ if (security || security === false)
+ return setImmediate(callback.bind(null, null, security))
+
+ fetch(isSecurityUrl, gitref, function (err, rawData) {
+ if (err)
+ return callback(err)
+
+ security = isSecurityRelease(rawData)
+ cachePut(gitref, 'security', security)
+ callback(null, security)
+ })
+}
+
+
function dirDate (dir, callback) {
fs.readdir(path.join(argv.dist, dir), function (err, files) {
if (err)
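Review bot: In `fetchSecurity`, the result of `isSecurityRelease(rawData)` is written to the cache without checking that `rawData` really is the commits feed, so any body that arrives without `err` (an error page, an empty or truncated response) is stored as `false`, and the early return on `security === false` keeps serving that answer for the gitref while the cache entry lives. How `fetch` treats non-2xx responses is not visible in this hunk, so this needs confirming; if such bodies can get through, a security release would be recorded as non-security with no retry. I would cache only when the feed was recognised, e.g. `if (typeof rawData === 'string' && /Version \d+\.\d+\.\d+/.test(rawData)) cachePut(gitref, 'security', security)`. A type guard before the `isSecurityRelease(rawData)` call would also stop `notes.match` from throwing inside the callback when `rawData` is not a string.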
@@ -392,6 +411,7 @@ function inspectDir (dir, callback) {
, zlibVersion
, modVersion
, ltsVersion
+ , securityRelease
, date
if (!gitref) {
@@ -412,7 +432,7 @@ function inspectDir (dir, callback) {
files = _files
- var done = after(8, afterAll)
+ var done = after(9, afterAll)
dirDate(dir, function (err, _date) {
if (err)
@@ -484,6 +504,15 @@ function inspectDir (dir, callback) {
ltsVersion = version
done()
})
+
+ fetchSecurity(gitref, function (err, security) {
+ if (err) {
+ console.error(err)
+ console.error('(ignoring error fetching security release for %s)', gitref)
+ }
+ securityRelease = security
+ done()
+ })
})
function afterAll (err) {
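Review bot: When `fetchSecurity` fails, the callback logs the error and then assigns `securityRelease = security` with `security` undefined, so the `security` key will presumably be dropped by `JSON.stringify` for that version (what `tabWrite` prints for it is not visible here). A consumer of the index then cannot tell "lookup failed" from "not a security release", and a missing flag is likely to be read as false. Consider making the unknown state explicit, e.g. `securityRelease = err ? null : security`, with a comment such as `// null = could not be determined, which is not the same as false`. `inspectDir` starts and ends outside this hunk.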
@@ -504,6 +533,7 @@ function inspectDir (dir, callback) {
, openssl : sslVersion
, modules : modVersion
, lts : ltsVersion
+ , security : securityRelease
})
}
}
@@ -533,7 +563,7 @@ function afterMap (err, dirs) {
}
jsonOut.write('[\n')
- tabWrite('version', 'date', 'files', 'npm', 'v8', 'uv', 'zlib', 'openssl', 'modules', 'lts')
+ tabWrite('version', 'date', 'files', 'npm', 'v8', 'uv', 'zlib', 'openssl', 'modules', 'lts', 'security')
dirs.forEach(function (dir, i) {
jsonOut.write(JSON.stringify(dir) + (i != dirs.length - 1 ? ',\n' : '\n'))
@@ -548,6 +578,7 @@ function afterMap (err, dirs) {
, dir.openssl
, dir.modules
, dir.lts
+ , dir.security
)
})
diff --git a/is-security-release.js b/is-security-release.js
new file mode 100644
index 0000000..a656621
--- /dev/null
+++ b/is-security-release.js
@@ -0,0 +1,34 @@
+const notesre = /Version \d+\.\d+\.\d+.*\n(?!\w+<\/title>)\n(.*)\n/m
+ , securityre = /This is a security release\./
+
+
+function isSecurityRelease (notes) {
+ const m = notes.match(notesre)
+ if (m && securityre.test(m[1]))
+ return true
+
+ return false
+}
+
+
+module.exports = isSecurityRelease
+
+
+if (module === require.main) {
+ const assert = require('assert')
+ const fs = require('fs')
+ const path = require('path')
+ const fixturespath = path.join(__dirname, 'test', 'fixtures', 'release-notes')
+ const tests = [
+ { fixture: 'v10.14.0.atom', expected: true }
+ , { fixture: 'v10.14.1.atom', expected: false }
+ , { fixture: 'v11.3.0.atom' , expected: true }
+ ]
+
+ tests.forEach(function (test) {
+ console.log(`testing ${test.fixture} -> ${test.expected}`)
+ const fixture = path.join(fixturespath, test.fixture)
+ const notes = fs.readFileSync(fixture, { encoding: 'utf8' })
+ assert.equal(isSecurityRelease(notes), test.expected)
+ })
+}
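Review bot: `notesre` is matched against the whole feed and is not tied to the version being indexed, so `isSecurityRelease` reports on whichever "Version x.y.z" heading matches first. The v10.14.1 fixture still contains the v10.14.0 text "This is a security release.", and the test returns `false` only because the 10.14.1 notes come first and fit the heading / blank line / text shape; if the head entry ever failed to match, the older entry would produce a false positive. Restricting the search to the first feed entry before matching would remove that dependency, e.g. `const head = notes.split('</entry>', 1)[0]`, assuming the raw feed uses Atom `<entry>` elements (the markup is not visible in the fixtures as shown here). Separately, the lookahead `(?!\w+<\/title>)` sits where the next character must be `\n`, so as written it can never reject anything and should be moved or dropped. A short comment above `notesre` saying which part of the feed it is meant to capture would help the next reader.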
diff --git a/test/fixtures/release-notes/v10.14.0.atom b/test/fixtures/release-notes/v10.14.0.atom
new file mode 100644
index 0000000..e82db56
--- /dev/null
+++ b/test/fixtures/release-notes/v10.14.0.atom
@@ -0,0 +1,588 @@
+
+
+ tag:github.com,2008:/nodejs/node/commits/v10.14.0
+
+
+ Recent Commits to node:v10.14.0
+ 2018-11-27T22:17:04Z
+
+ tag:github.com,2008:Grit::Commit/b7103135bc7987dee97e8795b0b38293d05fd842
+
+
+ 2018-11-27, Version 10.14.0 'Dubnium' (LTS)
+
+ 2018-11-27T22:17:04Z
+
+
+ rvagg
+ https://github.com/rvagg
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>2018-11-27, Version 10.14.0 'Dubnium' (LTS)
+
+This is a security release. All Node.js users should consult the security
+release summary at:
+
+ https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
+
+for details on patched vulnerabilities.
+
+Fixes for the following CVEs are included in this release:
+
+ * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
+ * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
+ * Node.js: Hostname spoofing in URL parser for javascript protocol
+ (CVE-2018-12123)
+ * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
+ * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
+
+Notable Changes:
+
+* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
+* http:
+ * Headers received by HTTP servers must not exceed 8192 bytes in total to
+ prevent possible Denial of Service attacks. Reported by Trevor Norris.
+ (CVE-2018-12121 / Matteo Collina)
+ * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
+ value can be adjusted with `server.headersTimeout`. Where headers are not
+ completely received within this period, the socket is destroyed on the next
+ received chunk. In conjunction with `server.setTimeout()`, this aids in
+ protecting against excessive resource retention and possible Denial of
+ Service. Reported by Jan Maybach (liebdich.com).
+* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
+ with `url.parse()` with the `'javascript:'` protocol. Reported by
+ Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/155/</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/8b1405ee014033d9a36873f65ca49be11f15a569
+
+
+ url: avoid hostname spoofing w/ javascript protocol
+
+ 2018-11-27T04:11:44Z
+
+
+ mcollina
+ https://github.com/mcollina
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>url: avoid hostname spoofing w/ javascript protocol
+
+CVE-2018-12123
+
+Fixes: https://github.com/nodejs-private/security/issues/205
+PR-URL: https://github.com/nodejs-private/node-private/pull/145
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
+Reviewed-By: Anna Henningsen <anna@addaleax.net></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/eb43bc04b1390ce2506144b46d081e63f7a7d5b7
+
+
+ http,https: protect against slow headers attack
+
+ 2018-11-27T04:11:44Z
+
+
+ mcollina
+ https://github.com/mcollina
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>http,https: protect against slow headers attack
+
+CVE-2018-12122
+
+An attacker can send a char/s within headers and exahust the resources
+(file descriptors) of a system even with a tight max header length
+protection. This PR destroys a socket if it has not received the headers
+in 40s.
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/150
+Ref: https://github.com/nodejs-private/node-private/pull/144
+Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: James M Snell <jasnell@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/a8532d4d23304d8cc28c968e2eda519a546834ca
+
+
+ deps,http: http_parser set max header size to 8KB
+
+ 2018-11-27T04:11:44Z
+
+
+ mcollina
+ https://github.com/mcollina
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps,http: http_parser set max header size to 8KB
+
+CVE-2018-12121
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/143
+Ref: https://github.com/nodejs-private/security/issues/139
+Ref: https://github.com/nodejs-private/http-parser-private/pull/2
+Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org>
+Reviewed-By: Anna Henningsen <anna@addaleax.net></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/38ca8baf81a2caf05253718db6bf56e49543e8ef
+
+
+ deps: update openssl 1.1.0 upgrade docs
+
+ 2018-11-24T10:42:20Z
+
+
+ sam-github
+ https://github.com/sam-github
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: update openssl 1.1.0 upgrade docs
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/241ba81a5b4805324e8acfd1781ed607278784ce
+
+
+ deps: update archs files for OpenSSL-1.1.0
+
+ 2018-11-24T10:42:20Z
+
+
+ sam-github
+ https://github.com/sam-github
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: update archs files for OpenSSL-1.1.0
+
+`cd deps/openssl/config; make` updates all archs dependant files.
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/acc40efa905c73fb7475ca5008d65dbdcd5f4867
+
+
+ deps: add s390 asm rules for OpenSSL-1.1.0
+
+ 2018-11-24T10:42:20Z
+
+
+ shigeki
+ https://github.com/shigeki
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: add s390 asm rules for OpenSSL-1.1.0
+
+This is a floating patch against OpenSSL-1.1.0 to generate asm files
+with Makefile rules and it is to be submitted to the upstream.
+
+Fixes: https://github.com/nodejs/node/issues/4270
+PR-URL: https://github.com/nodejs/node/pull/19794
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org>
+Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/7efd184bb16ecf1b93fe9a5b9300e2353149d330
+
+
+ deps: upgrade openssl sources to 1.1.0j
+
+ 2018-11-24T10:42:20Z
+
+
+ sam-github
+ https://github.com/sam-github
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: upgrade openssl sources to 1.1.0j
+
+This updates all sources in deps/openssl/openssl with openssl-1.1.0j.
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/4febb6c767787dfb8c56d9c80812cd8a4baa53b6
+
+
+ Working on v10.13.1
+
+ 2018-10-30T08:42:12Z
+
+
+ MylesBorins
+ https://github.com/MylesBorins
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>Working on v10.13.1
+
+PR-URL: https://github.com/nodejs/node/pull/23831</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/ab4af087e83d91a46354d765306d3543b1d85423
+
+
+ 2018-10-30 Version 10.13.0 'Dubnium' (LTS)
+
+ 2018-10-30T06:20:26Z
+
+
+ MylesBorins
+ https://github.com/MylesBorins
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>2018-10-30 Version 10.13.0 'Dubnium' (LTS)
+
+This release marks the transition of Node.js 10.x into Long Term
+Support (LTS) with the codename 'Dubnium'. The 10.x release line
+now moves in to "Active LTS" and will remain so until April 2020.
+After that time it will move in to "Maintenance" until end of
+life in April 2021.
+
+Notable Changes:
+
+This release only includes minimal changes necessary to fix known
+regressions prior to LTS.
+
+PR-URL: https://github.com/nodejs/node/pull/23831</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/2ba60100820afe9b01f0d3dcee46453ce26db7e0
+
+
+ buffer: fix crash for invalid index types
+
+ 2018-10-29T19:39:48Z
+
+
+ addaleax
+ https://github.com/addaleax
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>buffer: fix crash for invalid index types
+
+2555cb4a4049dc4c41d8a2f4ce50909cc0a12a4a introduced a crash
+when a non-number value was passed to `ParseArrayIndex()`.
+
+We do not always have JS typechecking for that in place, though.
+This returns back to the previous behavior of coercing values
+to integers, which is certainly questionable.
+
+Refs: https://github.com/nodejs/node/pull/22129
+Fixes: https://github.com/nodejs/node/issues/23668</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/2cd68be69d7a60e8b419085e42a0cf7bfcd6ea2f
+
+
+ build: spawn `make test-ci` with `-j1`
+
+ 2018-10-29T19:39:48Z
+
+
+ refack
+ https://github.com/refack
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>build: spawn `make test-ci` with `-j1`
+
+All the sub targets have internal parallelism, so no performance loss.
+Also `make` doesn't to a good enough job of combining the output
+streams, or eliminate races.
+
+PR-URL: https://github.com/nodejs/node/pull/23733
+Fixes: https://github.com/nodejs/node/issues/22006
+Reviewed-By: Richard Lau <riclau@uk.ibm.com>
+Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
+Reviewed-By: Matheus Marchini <mat@mmarchini.me></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/1003f4c97531cd3e44c635da83d0cbe7be8d6048
+
+
+ deps: fix wrong default for v8 handle zapping
+
+ 2018-10-25T15:53:25Z
+
+
+ refack
+ https://github.com/refack
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: fix wrong default for v8 handle zapping
+
+PR-URL: https://github.com/nodejs/node/pull/23801
+Fixes: https://github.com/nodejs/node/issues/23796
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Michaël Zasso <targos@protonmail.com>
+Reviewed-By: Matheus Marchini <mat@mmarchini.me></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/b66f46cb023a09cc77957c9360ae2cf18c4db188
+
+
+ Working on v10.12.1
+
+ 2018-10-10T21:13:29Z
+
+
+ targos
+ https://github.com/targos
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>Working on v10.12.1
+
+PR-URL: https://github.com/nodejs/node/pull/23313</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/4a276cc2a960b3f9a138ac3a99c9249a63b4d472
+
+
+ 2018-10-10, Version 10.12.0 (Current)
+
+ 2018-10-10T16:10:08Z
+
+
+ targos
+ https://github.com/targos
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>2018-10-10, Version 10.12.0 (Current)
+
+Notable changes:
+
+* assert
+ * The diff output is now a tiny bit improved by sorting object
+ properties when inspecting the values that are compared with each
+ other. https://github.com/nodejs/node/pull/22788
+* cli
+ * The options parser now normalizes `_` to `-` in all multi-word
+ command-line flags, e.g. `--no_warnings` has the same effect as
+ `--no-warnings`. https://github.com/nodejs/node/pull/23020
+ * Added bash completion for the `node` binary. To generate a bash
+ completion script, run `node --completion-bash`. The output can be
+ saved to a file which can be sourced to enable completion.
+ https://github.com/nodejs/node/pull/20713
+* crypto
+ * Added support for PEM-level encryption.
+ https://github.com/nodejs/node/pull/23151
+ * Added an API asymmetric key pair generation. The new methods
+ `crypto.generateKeyPair` and `crypto.generateKeyPairSync` can be
+ used to generate public and private key pairs. The API supports
+ RSA, DSA and EC and a variety of key encodings (both PEM and DER).
+ https://github.com/nodejs/node/pull/22660
+* fs
+ * Added a `recursive` option to `fs.mkdir` and `fs.mkdirSync`. If
+ this option is set to true, non-existing parent folders will be
+ automatically created. https://github.com/nodejs/node/pull/21875
+* http2
+ * Added a `'ping'` event to `Http2Session` that is emitted whenever a
+ non-ack `PING` is received.
+ https://github.com/nodejs/node/pull/23009
+ * Added support for the `ORIGIN` frame.
+ https://github.com/nodejs/node/pull/22956
+ * Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect
+ protocol support to allow use of WebSockets over HTTP/2.
+ https://github.com/nodejs/node/pull/23284
+* module
+ * Added `module.createRequireFromPath(filename)`. This new method can
+ be used to create a custom require function that will resolve
+ modules relative to the filename path.
+ https://github.com/nodejs/node/pull/19360
+* process
+ * Added a `'multipleResolves'` process event that is emitted whenever
+ a `Promise` is attempted to be resolved multiple times, e.g. if the
+ `resolve` and `reject` functions are both called in a `Promise`
+ executor. https://github.com/nodejs/node/pull/22218
+* url
+ * Added `url.fileURLToPath(url)` and `url.pathToFileURL(path)`. These
+ methods can be used to correctly convert between file: URLs and
+ absolute paths. https://github.com/nodejs/node/pull/22506
+* util
+ * Added the `sorted` option to `util.inspect()`. If set to `true`,
+ all properties of an object and Set and Map entries will be sorted
+ in the returned string. If set to a function, it is used as a
+ compare function. https://github.com/nodejs/node/pull/22788
+ * The `util.instpect.custom` symbol is now defined in the global
+ symbol registry as `Symbol.for('nodejs.util.inspect.custom')`.
+ https://github.com/nodejs/node/pull/20857
+ * Added support for `BigInt` numbers in `util.format()`.
+ https://github.com/nodejs/node/pull/22097
+* V8 API
+ * A number of V8 C++ APIs have been marked as deprecated since they
+ have been removed in the upstream repository. Replacement APIs
+ are added where necessary. https://github.com/nodejs/node/pull/23159
+* Windows
+ * The Windows msi installer now provides an option to automatically
+ install the tools required to build native modules.
+ https://github.com/nodejs/node/pull/22645
+* Workers
+ * Debugging support for Workers using the DevTools protocol has been
+ implemented. https://github.com/nodejs/node/pull/21364
+ * The public `inspector` module is now enabled in Workers.
+ https://github.com/nodejs/node/pull/22769
+* Added new collaborators:
+ * digitalinfinity - Hitesh Kanwathirtha
+
+PR-URL: https://github.com/nodejs/node/pull/23313</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/e6484c2c1193d8067e01477497b7dfbb4d8ccab3
+
+
+ build: restore js2c direct dependency on config.gypi
+
+ 2018-10-10T15:40:21Z
+
+
+ refack
+ https://github.com/refack
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>build: restore js2c direct dependency on config.gypi
+
+PR-URL: https://github.com/nodejs/node/pull/23355
+Fixes: https://github.com/nodejs/node/issues/23352
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
+Reviewed-By: Richard Lau <riclau@uk.ibm.com>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/cd69e1b6c3e07946b53548b72228c432e2993a79
+
+
+ src: fix ToObject() usage in node_http_parser.cc
+
+ 2018-10-10T15:40:21Z
+
+
+ cjihrig
+ https://github.com/cjihrig
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>src: fix ToObject() usage in node_http_parser.cc
+
+PR-URL: https://github.com/nodejs/node/pull/23314
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/5228ec4410605651192137890da5c41ac5755bcc
+
+
+ src: fix ToObject() usage in exceptions.cc
+
+ 2018-10-10T15:40:21Z
+
+
+ cjihrig
+ https://github.com/cjihrig
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>src: fix ToObject() usage in exceptions.cc
+
+PR-URL: https://github.com/nodejs/node/pull/23314
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/c4aa0331c108f55c5a56193fac0249a27767de03
+
+
+ build: make configure script verbose by default
+
+ 2018-10-10T15:37:07Z
+
+
+ targos
+ https://github.com/targos
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>build: make configure script verbose by default
+
+The change that added the --verbose flag was supposed to be
+semver-major but already landed in a 10.x release.
+
+Refs: https://github.com/nodejs/node/pull/22450
+
+PR-URL: https://github.com/nodejs/node/pull/23408
+Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
+Reviewed-By: Rich Trott <rtrott@gmail.com>
+Reviewed-By: Refael Ackermann <refack@gmail.com>
+Reviewed-By: Richard Lau <riclau@uk.ibm.com>
+Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/a65bb42551b635b3bb948ab1c9f7064da1b77554
+
+
+ net: use connect() instead of connect.call()
+
+ 2018-10-10T13:42:52Z
+
+
+ JacksonTian
+ https://github.com/JacksonTian
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>net: use connect() instead of connect.call()
+
+Use socket.connect() directly.
+
+PR-URL: https://github.com/nodejs/node/pull/23289
+Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
+Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
+Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
+Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
+Reviewed-By: Thomas Watson <w@tson.dk>
+Reviewed-By: James M Snell <jasnell@gmail.com></pre>
+
+
+
diff --git a/test/fixtures/release-notes/v10.14.1.atom b/test/fixtures/release-notes/v10.14.1.atom
new file mode 100644
index 0000000..7f0b6ad
--- /dev/null
+++ b/test/fixtures/release-notes/v10.14.1.atom
@@ -0,0 +1,608 @@
+
+
+ tag:github.com,2008:/nodejs/node/commits/v10.14.1
+
+
+ Recent Commits to node:v10.14.1
+ 2018-11-29T04:47:06Z
+
+ tag:github.com,2008:Grit::Commit/d3dbe3a8514e47ef820d4768ed74c36a8843b976
+
+
+ 2018-11-29, Version 10.14.1 'Dubnium' (LTS)
+
+ 2018-11-29T04:47:06Z
+
+
+ MylesBorins
+ https://github.com/MylesBorins
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>2018-11-29, Version 10.14.1 'Dubnium' (LTS)
+
+Notable Changes:
+
+* **win/msi**: Revert changes to installer causing issues on Windows systems.
+
+PR-URL: https://github.com/nodejs/node/pull/24711</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/9e293c13288a0fa3da20b7ccf4421a6d0b413bb2
+
+
+ Revert "win,msi: install tools for native modules"
+
+ 2018-11-29T04:39:31Z
+
+
+ refack
+ https://github.com/refack
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>Revert "win,msi: install tools for native modules"
+
+This reverts:
+ Revision: 257a5e9c389b648aca08b02aae9e19f142ce0493
+ win: add prompt to tools installation script
+
+ Revision: e9a291582d145a00df27aaaa54b66e42c725d89e
+ win: clarify Boxstarter behavior on install tools
+
+ Revision: 3b895d12584a91acf3866a728ed490841490dc95
+ win,msi: display license notes before installing tools
+
+ Revision: cf284c80a9c82d4baebf095c356179c753da493c
+ win,msi: install Boxstarter from elevated shell
+
+ Revision: 2b7e18dec5ccb51270df7c8bd554ffdf2e28e603
+ win,msi: highlight installation of 3rd-party tools
+
+ Revision: ebf36cd18018faab5427327c3469a71dd1d35129
+ win,msi: install tools for native modules
+
+PR-URL: https://github.com/nodejs/node/pull/24344
+Refs: https://github.com/nodejs/node/pull/22645
+Refs: https://github.com/nodejs/node/pull/23987
+Refs: https://github.com/nodejs/Release/issues/369
+Refs: https://github.com/nodejs/node/issues/23838
+Refs: https://github.com/nodejs/security-wg/issues/439
+Reviewed-By: João Reis <reis@janeasystems.com>
+Reviewed-By: Richard Lau <riclau@uk.ibm.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/5d17bf1e1386b17d81efc3e9e14f185e8d442b4a
+
+
+ win: add prompt to tools installation script
+
+ 2018-11-29T04:39:26Z
+
+
+ joaocgreis
+ https://github.com/joaocgreis
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>win: add prompt to tools installation script
+
+Fixes: https://github.com/nodejs/Release/issues/369
+
+PR-URL: https://github.com/nodejs/node/pull/23987
+Reviewed-By: John-David Dalton <john.david.dalton@gmail.com>
+Reviewed-By: Refael Ackermann <refack@gmail.com>
+Reviewed-By: Richard Lau <riclau@uk.ibm.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/589f0d2192210eb1a455d7cdbe7d1a668d1f8843
+
+
+ win: clarify Boxstarter behavior on install tools
+
+ 2018-11-29T04:39:20Z
+
+
+ ferventcoder
+ https://github.com/ferventcoder
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>win: clarify Boxstarter behavior on install tools
+
+Clarify the behavior of what Boxstarter may do when it runs on a box
+to install all the necessary tools so that there are no surprises to
+the end user when the script is run.
+
+Currently there is no interface that warns the user that Boxstarter
+will reboot the machine possibly multiple times depending on how many
+dependencies need to be installed and doesn't mention a need to disable
+UAC. For folks who see what may look like a reboot loop, we feel it is
+necessary to make them aware that UAC will be disabled and they will
+need to take action to re-enable UAC manually if they interfere/stop
+the script from finishing.
+
+PR-URL: https://github.com/nodejs/node/pull/23987
+Fixes: https://github.com/nodejs/Release/issues/369
+Reviewed-By: John-David Dalton <john.david.dalton@gmail.com>
+Reviewed-By: Refael Ackermann <refack@gmail.com>
+Reviewed-By: Richard Lau <riclau@uk.ibm.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/183e3bf1b0ddc0c0072bb1bc63ec06b77bd4aa07
+
+
+ Working on v10.14.1
+
+ 2018-11-28T00:14:05Z
+
+
+ rvagg
+ https://github.com/rvagg
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>Working on v10.14.1
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/155/</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/b7103135bc7987dee97e8795b0b38293d05fd842
+
+
+ 2018-11-27, Version 10.14.0 'Dubnium' (LTS)
+
+ 2018-11-27T22:17:04Z
+
+
+ rvagg
+ https://github.com/rvagg
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>2018-11-27, Version 10.14.0 'Dubnium' (LTS)
+
+This is a security release. All Node.js users should consult the security
+release summary at:
+
+ https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
+
+for details on patched vulnerabilities.
+
+Fixes for the following CVEs are included in this release:
+
+ * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
+ * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
+ * Node.js: Hostname spoofing in URL parser for javascript protocol
+ (CVE-2018-12123)
+ * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
+ * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
+
+Notable Changes:
+
+* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
+* http:
+ * Headers received by HTTP servers must not exceed 8192 bytes in total to
+ prevent possible Denial of Service attacks. Reported by Trevor Norris.
+ (CVE-2018-12121 / Matteo Collina)
+ * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
+ value can be adjusted with `server.headersTimeout`. Where headers are not
+ completely received within this period, the socket is destroyed on the next
+ received chunk. In conjunction with `server.setTimeout()`, this aids in
+ protecting against excessive resource retention and possible Denial of
+ Service. Reported by Jan Maybach (liebdich.com).
+* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
+ with `url.parse()` with the `'javascript:'` protocol. Reported by
+ Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/155/</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/8b1405ee014033d9a36873f65ca49be11f15a569
+
+
+ url: avoid hostname spoofing w/ javascript protocol
+
+ 2018-11-27T04:11:44Z
+
+
+ mcollina
+ https://github.com/mcollina
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>url: avoid hostname spoofing w/ javascript protocol
+
+CVE-2018-12123
+
+Fixes: https://github.com/nodejs-private/security/issues/205
+PR-URL: https://github.com/nodejs-private/node-private/pull/145
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
+Reviewed-By: Anna Henningsen <anna@addaleax.net></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/eb43bc04b1390ce2506144b46d081e63f7a7d5b7
+
+
+ http,https: protect against slow headers attack
+
+ 2018-11-27T04:11:44Z
+
+
+ mcollina
+ https://github.com/mcollina
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>http,https: protect against slow headers attack
+
+CVE-2018-12122
+
+An attacker can send a char/s within headers and exahust the resources
+(file descriptors) of a system even with a tight max header length
+protection. This PR destroys a socket if it has not received the headers
+in 40s.
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/150
+Ref: https://github.com/nodejs-private/node-private/pull/144
+Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: James M Snell <jasnell@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/a8532d4d23304d8cc28c968e2eda519a546834ca
+
+
+ deps,http: http_parser set max header size to 8KB
+
+ 2018-11-27T04:11:44Z
+
+
+ mcollina
+ https://github.com/mcollina
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps,http: http_parser set max header size to 8KB
+
+CVE-2018-12121
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/143
+Ref: https://github.com/nodejs-private/security/issues/139
+Ref: https://github.com/nodejs-private/http-parser-private/pull/2
+Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org>
+Reviewed-By: Anna Henningsen <anna@addaleax.net></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/38ca8baf81a2caf05253718db6bf56e49543e8ef
+
+
+ deps: update openssl 1.1.0 upgrade docs
+
+ 2018-11-24T10:42:20Z
+
+
+ sam-github
+ https://github.com/sam-github
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: update openssl 1.1.0 upgrade docs
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/241ba81a5b4805324e8acfd1781ed607278784ce
+
+
+ deps: update archs files for OpenSSL-1.1.0
+
+ 2018-11-24T10:42:20Z
+
+
+ sam-github
+ https://github.com/sam-github
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: update archs files for OpenSSL-1.1.0
+
+`cd deps/openssl/config; make` updates all archs dependant files.
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/acc40efa905c73fb7475ca5008d65dbdcd5f4867
+
+
+ deps: add s390 asm rules for OpenSSL-1.1.0
+
+ 2018-11-24T10:42:20Z
+
+
+ shigeki
+ https://github.com/shigeki
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: add s390 asm rules for OpenSSL-1.1.0
+
+This is a floating patch against OpenSSL-1.1.0 to generate asm files
+with Makefile rules and it is to be submitted to the upstream.
+
+Fixes: https://github.com/nodejs/node/issues/4270
+PR-URL: https://github.com/nodejs/node/pull/19794
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org>
+Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/7efd184bb16ecf1b93fe9a5b9300e2353149d330
+
+
+ deps: upgrade openssl sources to 1.1.0j
+
+ 2018-11-24T10:42:20Z
+
+
+ sam-github
+ https://github.com/sam-github
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: upgrade openssl sources to 1.1.0j
+
+This updates all sources in deps/openssl/openssl with openssl-1.1.0j.
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/4febb6c767787dfb8c56d9c80812cd8a4baa53b6
+
+
+ Working on v10.13.1
+
+ 2018-10-30T08:42:12Z
+
+
+ MylesBorins
+ https://github.com/MylesBorins
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>Working on v10.13.1
+
+PR-URL: https://github.com/nodejs/node/pull/23831</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/ab4af087e83d91a46354d765306d3543b1d85423
+
+
+ 2018-10-30 Version 10.13.0 'Dubnium' (LTS)
+
+ 2018-10-30T06:20:26Z
+
+
+ MylesBorins
+ https://github.com/MylesBorins
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>2018-10-30 Version 10.13.0 'Dubnium' (LTS)
+
+This release marks the transition of Node.js 10.x into Long Term
+Support (LTS) with the codename 'Dubnium'. The 10.x release line
+now moves in to "Active LTS" and will remain so until April 2020.
+After that time it will move in to "Maintenance" until end of
+life in April 2021.
+
+Notable Changes:
+
+This release only includes minimal changes necessary to fix known
+regressions prior to LTS.
+
+PR-URL: https://github.com/nodejs/node/pull/23831</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/2ba60100820afe9b01f0d3dcee46453ce26db7e0
+
+
+ buffer: fix crash for invalid index types
+
+ 2018-10-29T19:39:48Z
+
+
+ addaleax
+ https://github.com/addaleax
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>buffer: fix crash for invalid index types
+
+2555cb4a4049dc4c41d8a2f4ce50909cc0a12a4a introduced a crash
+when a non-number value was passed to `ParseArrayIndex()`.
+
+We do not always have JS typechecking for that in place, though.
+This returns back to the previous behavior of coercing values
+to integers, which is certainly questionable.
+
+Refs: https://github.com/nodejs/node/pull/22129
+Fixes: https://github.com/nodejs/node/issues/23668</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/2cd68be69d7a60e8b419085e42a0cf7bfcd6ea2f
+
+
+ build: spawn `make test-ci` with `-j1`
+
+ 2018-10-29T19:39:48Z
+
+
+ refack
+ https://github.com/refack
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>build: spawn `make test-ci` with `-j1`
+
+All the sub targets have internal parallelism, so no performance loss.
+Also `make` doesn't to a good enough job of combining the output
+streams, or eliminate races.
+
+PR-URL: https://github.com/nodejs/node/pull/23733
+Fixes: https://github.com/nodejs/node/issues/22006
+Reviewed-By: Richard Lau <riclau@uk.ibm.com>
+Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
+Reviewed-By: Matheus Marchini <mat@mmarchini.me></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/1003f4c97531cd3e44c635da83d0cbe7be8d6048
+
+
+ deps: fix wrong default for v8 handle zapping
+
+ 2018-10-25T15:53:25Z
+
+
+ refack
+ https://github.com/refack
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: fix wrong default for v8 handle zapping
+
+PR-URL: https://github.com/nodejs/node/pull/23801
+Fixes: https://github.com/nodejs/node/issues/23796
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Michaël Zasso <targos@protonmail.com>
+Reviewed-By: Matheus Marchini <mat@mmarchini.me></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/b66f46cb023a09cc77957c9360ae2cf18c4db188
+
+
+ Working on v10.12.1
+
+ 2018-10-10T21:13:29Z
+
+
+ targos
+ https://github.com/targos
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>Working on v10.12.1
+
+PR-URL: https://github.com/nodejs/node/pull/23313</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/4a276cc2a960b3f9a138ac3a99c9249a63b4d472
+
+
+ 2018-10-10, Version 10.12.0 (Current)
+
+ 2018-10-10T16:10:08Z
+
+
+ targos
+ https://github.com/targos
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>2018-10-10, Version 10.12.0 (Current)
+
+Notable changes:
+
+* assert
+ * The diff output is now a tiny bit improved by sorting object
+ properties when inspecting the values that are compared with each
+ other. https://github.com/nodejs/node/pull/22788
+* cli
+ * The options parser now normalizes `_` to `-` in all multi-word
+ command-line flags, e.g. `--no_warnings` has the same effect as
+ `--no-warnings`. https://github.com/nodejs/node/pull/23020
+ * Added bash completion for the `node` binary. To generate a bash
+ completion script, run `node --completion-bash`. The output can be
+ saved to a file which can be sourced to enable completion.
+ https://github.com/nodejs/node/pull/20713
+* crypto
+ * Added support for PEM-level encryption.
+ https://github.com/nodejs/node/pull/23151
+ * Added an API asymmetric key pair generation. The new methods
+ `crypto.generateKeyPair` and `crypto.generateKeyPairSync` can be
+ used to generate public and private key pairs. The API supports
+ RSA, DSA and EC and a variety of key encodings (both PEM and DER).
+ https://github.com/nodejs/node/pull/22660
+* fs
+ * Added a `recursive` option to `fs.mkdir` and `fs.mkdirSync`. If
+ this option is set to true, non-existing parent folders will be
+ automatically created. https://github.com/nodejs/node/pull/21875
+* http2
+ * Added a `'ping'` event to `Http2Session` that is emitted whenever a
+ non-ack `PING` is received.
+ https://github.com/nodejs/node/pull/23009
+ * Added support for the `ORIGIN` frame.
+ https://github.com/nodejs/node/pull/22956
+ * Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect
+ protocol support to allow use of WebSockets over HTTP/2.
+ https://github.com/nodejs/node/pull/23284
+* module
+ * Added `module.createRequireFromPath(filename)`. This new method can
+ be used to create a custom require function that will resolve
+ modules relative to the filename path.
+ https://github.com/nodejs/node/pull/19360
+* process
+ * Added a `'multipleResolves'` process event that is emitted whenever
+ a `Promise` is attempted to be resolved multiple times, e.g. if the
+ `resolve` and `reject` functions are both called in a `Promise`
+ executor. https://github.com/nodejs/node/pull/22218
+* url
+ * Added `url.fileURLToPath(url)` and `url.pathToFileURL(path)`. These
+ methods can be used to correctly convert between file: URLs and
+ absolute paths. https://github.com/nodejs/node/pull/22506
+* util
+ * Added the `sorted` option to `util.inspect()`. If set to `true`,
+ all properties of an object and Set and Map entries will be sorted
+ in the returned string. If set to a function, it is used as a
+ compare function. https://github.com/nodejs/node/pull/22788
+ * The `util.instpect.custom` symbol is now defined in the global
+ symbol registry as `Symbol.for('nodejs.util.inspect.custom')`.
+ https://github.com/nodejs/node/pull/20857
+ * Added support for `BigInt` numbers in `util.format()`.
+ https://github.com/nodejs/node/pull/22097
+* V8 API
+ * A number of V8 C++ APIs have been marked as deprecated since they
+ have been removed in the upstream repository. Replacement APIs
+ are added where necessary. https://github.com/nodejs/node/pull/23159
+* Windows
+ * The Windows msi installer now provides an option to automatically
+ install the tools required to build native modules.
+ https://github.com/nodejs/node/pull/22645
+* Workers
+ * Debugging support for Workers using the DevTools protocol has been
+ implemented. https://github.com/nodejs/node/pull/21364
+ * The public `inspector` module is now enabled in Workers.
+ https://github.com/nodejs/node/pull/22769
+* Added new collaborators:
+ * digitalinfinity - Hitesh Kanwathirtha
+
+PR-URL: https://github.com/nodejs/node/pull/23313</pre>
+
+
+
diff --git a/test/fixtures/release-notes/v11.3.0.atom b/test/fixtures/release-notes/v11.3.0.atom
new file mode 100644
index 0000000..e27554a
--- /dev/null
+++ b/test/fixtures/release-notes/v11.3.0.atom
@@ -0,0 +1,544 @@
+
+
+ tag:github.com,2008:/nodejs/node/commits/v11.3.0
+
+
+ Recent Commits to node:v11.3.0
+ 2018-11-27T04:36:42Z
+
+ tag:github.com,2008:Grit::Commit/00fb73a72eff0e90d0f85b95dbcfc3c21f89cff9
+
+
+ 2018-11-27, Version 11.3.0 (Current)
+
+ 2018-11-27T04:36:42Z
+
+
+ rvagg
+ https://github.com/rvagg
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>2018-11-27, Version 11.3.0 (Current)
+
+This is a security release. All Node.js users should consult the security
+release summary at:
+
+https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
+
+for details on patched vulnerabilities.
+
+Fixes for the following CVEs are included in this release:
+
+ * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
+ * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
+ * Node.js: Hostname spoofing in URL parser for javascript protocol
+ (CVE-2018-12123)
+ * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
+ * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
+
+Notable Changes:
+
+* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
+* http:
+ * Headers received by HTTP servers must not exceed 8192 bytes in total to
+ prevent possible Denial of Service attacks. Reported by Trevor Norris.
+ (CVE-2018-12121 / Matteo Collina)
+ * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
+ value can be adjusted with `server.headersTimeout`. Where headers are not
+ completely received within this period, the socket is destroyed on the next
+ received chunk. In conjunction with `server.setTimeout()`, this aids in
+ protecting against excessive resource retention and possible Denial of
+ Service. Reported by Jan Maybach (liebdich.com).
+* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
+ with `url.parse()` with the `'javascript:'` protocol. Reported by
+ Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/156/</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/d7504324e1dfc0ac3c6849c2913ee58faca6386a
+
+
+ url: avoid hostname spoofing w/ javascript protocol
+
+ 2018-11-27T04:30:17Z
+
+
+ mcollina
+ https://github.com/mcollina
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>url: avoid hostname spoofing w/ javascript protocol
+
+CVE-2018-12123
+
+Fixes: https://github.com/nodejs-private/security/issues/205
+PR-URL: https://github.com/nodejs-private/node-private/pull/145
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
+Reviewed-By: Anna Henningsen <anna@addaleax.net></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/315ee2e626f6134f372d8034d9b94b73717705c7
+
+
+ http,https: protect against slow headers attack
+
+ 2018-11-27T04:30:17Z
+
+
+ mcollina
+ https://github.com/mcollina
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>http,https: protect against slow headers attack
+
+CVE-2018-12122
+
+An attacker can send a char/s within headers and exahust the resources
+(file descriptors) of a system even with a tight max header length
+protection. This PR destroys a socket if it has not received the headers
+in 40s.
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/144
+Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: James M Snell <jasnell@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/4ecbd3bdaad94c33a03bf390462706ce1952c2c7
+
+
+ http: reset headers_nread_ on llhttp parser reuse
+
+ 2018-11-27T04:29:40Z
+
+
+ rvagg
+ https://github.com/rvagg
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>http: reset headers_nread_ on llhttp parser reuse
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/149
+Reviewed-By: Fedor Indutny <fedor@indutny.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/04e0620597c30d19a0b4fd4ed04337619d49fb43
+
+
+ http: fix header limit errors and test for llhttp
+
+ 2018-11-27T04:24:30Z
+
+
+ indutny
+ https://github.com/indutny
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>http: fix header limit errors and test for llhttp
+
+Ref: https://github.com/nodejs-private/node-private/pull/143
+PR-URL: https://github.com/nodejs-private/node-private/pull/149
+Reviewed-By: Rod Vagg <rod@vagg.org></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/a2b8aba23cffe392495736da373baf506f88da52
+
+
+ deps,http: llhttp set max header size to 8KB
+
+ 2018-11-27T04:24:30Z
+
+
+ rvagg
+ https://github.com/rvagg
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps,http: llhttp set max header size to 8KB
+
+CVE-2018-12121
+
+As per nodejs-private/node-private#149 for http_parse but for llhttp
+
+Ref: https://github.com/nodejs-private/node-private/pull/143
+PR-URL: https://github.com/nodejs-private/node-private/pull/149
+Reviewed-By: Matteo Collina <hello@matteocollina.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/74e01d0020ec255673e17353a1004a8ea375fff4
+
+
+ deps,http: http_parser set max header size to 8KB
+
+ 2018-11-27T04:24:30Z
+
+
+ mcollina
+ https://github.com/mcollina
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps,http: http_parser set max header size to 8KB
+
+CVE-2018-12121
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/143
+Ref: https://github.com/nodejs-private/security/issues/139
+Ref: https://github.com/nodejs-private/http-parser-private/pull/2
+Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org>
+Reviewed-By: Anna Henningsen <anna@addaleax.net></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/8f191f37596333ce4e7f9de8a8d839a576c9ca9f
+
+
+ deps: update openssl 1.1.0 upgrade docs
+
+ 2018-11-25T09:49:51Z
+
+
+ sam-github
+ https://github.com/sam-github
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: update openssl 1.1.0 upgrade docs
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/f20ac47d7a5738a43aa0726c1cd8d2873cfc7423
+
+
+ deps: update archs files for OpenSSL-1.1.0
+
+ 2018-11-25T09:49:51Z
+
+
+ sam-github
+ https://github.com/sam-github
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: update archs files for OpenSSL-1.1.0
+
+`cd deps/openssl/config; make` updates all archs dependant files.
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/8248d227b76fc3c4bdf0abf91446b375202dc745
+
+
+ deps: add s390 asm rules for OpenSSL-1.1.0
+
+ 2018-11-25T09:49:51Z
+
+
+ shigeki
+ https://github.com/shigeki
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: add s390 asm rules for OpenSSL-1.1.0
+
+This is a floating patch against OpenSSL-1.1.0 to generate asm files
+with Makefile rules and it is to be submitted to the upstream.
+
+Fixes: https://github.com/nodejs/node/issues/4270
+PR-URL: https://github.com/nodejs/node/pull/19794
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org>
+Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/65d03f018008d28279c85e5a78712ad35930368a
+
+
+ deps: upgrade openssl sources to 1.1.0j
+
+ 2018-11-25T09:49:51Z
+
+
+ sam-github
+ https://github.com/sam-github
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>deps: upgrade openssl sources to 1.1.0j
+
+This updates all sources in deps/openssl/openssl with openssl-1.1.0j.
+
+PR-URL: https://github.com/nodejs/node/pull/24523
+Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Reviewed-By: Rod Vagg <rod@vagg.org></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/fbe63ab15b68f3ebf07891e3014f7a0138bd323e
+
+
+ Working on v11.2.1
+
+ 2018-11-15T21:13:13Z
+
+
+ targos
+ https://github.com/targos
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>Working on v11.2.1
+
+PR-URL: https://github.com/nodejs/node/pull/24350</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/a19e1aba38d4bd761b892b7384c457c6377e942c
+
+
+ 2018-11-15, Version 11.2.0 (Current)
+
+ 2018-11-15T19:20:37Z
+
+
+ BridgeAR
+ https://github.com/BridgeAR
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>2018-11-15, Version 11.2.0 (Current)
+
+Notable changes:
+
+* deps:
+ * A new experimental HTTP parser (`llhttp`) is now supported.
+ https://github.com/nodejs/node/pull/24059
+* timers:
+ * Fixed an issue that could cause setTimeout to stop working as
+ expected. https://github.com/nodejs/node/pull/24322
+* Windows
+ * A crashing process will now show the names of stack frames if the
+ node.pdb file is available.
+ https://github.com/nodejs/node/pull/23822
+ * Continued effort to improve the installer's new stage that installs
+ native build tools.
+ https://github.com/nodejs/node/pull/23987,
+ https://github.com/nodejs/node/pull/24348
+ * child_process:
+ * On Windows the `windowsHide` option default was restored to
+ `false`. This means `detached` child processes and GUI apps will
+ once again start in a new window.
+ https://github.com/nodejs/node/pull/24034
+* Added new collaborators:
+ * [oyyd](https://github.com/oyyd) - Ouyang Yadong.
+ https://github.com/nodejs/node/pull/24300
+ * [psmarshall](https://github.com/psmarshall) - Peter Marshall.
+ https://github.com/nodejs/node/pull/24170
+ * [shisama](https://github.com/shisama) - Masashi Hirano.
+ https://github.com/nodejs/node/pull/24136</pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/10edc4f186f7b837708df1e805071fd923c382f0
+
+
+ net: always invoke after-write callback
+
+ 2018-11-15T17:56:05Z
+
+
+ addaleax
+ https://github.com/addaleax
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>net: always invoke after-write callback
+
+This is part of the streams API contract, and aligns
+network sockets with other streams in this respect.
+
+PR-URL: https://github.com/nodejs/node/pull/24291
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
+Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
+Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
+Reviewed-By: Weijia Wang <starkwang@126.com>
+Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
+Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/eeb5cc63052c762b3058594d1ba29f739d35986f
+
+
+ test: add typeerror for vm/compileFunction params
+
+ 2018-11-15T17:56:05Z
+
+
+ dYale
+ https://github.com/dYale
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>test: add typeerror for vm/compileFunction params
+
+PR-URL: https://github.com/nodejs/node/pull/24179
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
+Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
+Reviewed-By: James M Snell <jasnell@gmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/5ca0cf7ae6477eb207998083b90f74d7469c7d5d
+
+
+ lib: improved conditional check in zlib
+
+ 2018-11-15T17:56:04Z
+
+
+ dYale
+ https://github.com/dYale
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>lib: improved conditional check in zlib
+
+PR-URL: https://github.com/nodejs/node/pull/24190
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/5b9ef11e35e551a101d970dbdbb45618267da77c
+
+
+ timers: fix priority queue removeAt
+
+ 2018-11-15T17:56:04Z
+
+
+ apapirovski
+ https://github.com/apapirovski
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>timers: fix priority queue removeAt
+
+PR-URL: https://github.com/nodejs/node/pull/24322
+Fixes: https://github.com/nodejs/node/issues/24320
+Fixes: https://github.com/nodejs/node/issues/24362
+Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
+Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
+Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
+Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
+Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
+Reviewed-By: Weijia Wang <starkwang@126.com>
+Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/dc26247e69d1ebc61c86b42c027f70da917202ce
+
+
+ test: deep object to table not covered
+
+ 2018-11-15T15:12:26Z
+
+
+ ovhemert
+ https://github.com/ovhemert
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>test: deep object to table not covered
+
+PR-URL: https://github.com/nodejs/node/pull/24257
+Reviewed-By: Weijia Wang <starkwang@126.com>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
+Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/b7aded3300269bc36d1a14b474c4a85e185189d4
+
+
+ src: compile native modules and their code cache in C++
+
+ 2018-11-15T15:12:26Z
+
+
+ joyeecheung
+ https://github.com/joyeecheung
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>src: compile native modules and their code cache in C++
+
+This patch refactors out a part of NativeModule.prototype.compile
+(in JS land) into a C++ NativeModule class, this enables a
+couple of possibilities:
+
+1. By moving the code to the C++ land, we have more opportunity
+ to specialize the compilation process of the native modules
+ (e.g. compilation options, code cache) that is orthogonal to
+ how user land modules are compiled
+2. We can reuse the code to compile bootstrappers and context
+ fixers and enable them to be compiled with the code cache later,
+ since they are not loaded by NativeModule in the JS land their
+ caching must be done in C++.
+3. Since there is no need to pass the static data to JS for
+ compilation anymore, this enables us to use
+ (std::map<std::string, const char*>) in the generated
+ node_code_cache.cc and node_javascript.cc later, and scope
+ every actual access to the source of native modules to a
+ std::map lookup instead of a lookup on a v8::Object in
+ dictionary mode.
+
+This patch also refactor the code cache generator and tests
+a bit and trace the `withCodeCache` and `withoutCodeCache`
+in a Set instead of an Array, and makes sure that all the cachable
+builtins are tested.
+
+PR-URL: https://github.com/nodejs/node/pull/24221
+Reviewed-By: Refael Ackermann <refack@gmail.com>
+Reviewed-By: Anna Henningsen <anna@addaleax.net></pre>
+
+
+
+ tag:github.com,2008:Grit::Commit/4709fe676d6c49b075de9368d3180a6e5104aee3
+
+
+ win: add customization warning to tools script
+
+ 2018-11-15T15:12:26Z
+
+
+ joaocgreis
+ https://github.com/joaocgreis
+
+
+ <pre style='white-space:pre-wrap;width:81ex'>win: add customization warning to tools script
+
+PR-URL: https://github.com/nodejs/node/pull/24348
+Reviewed-By: Refael Ackermann <refack@gmail.com>
+Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com></pre>
+
+
+
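Review bot: This fixture shows that a tag's commit feed reaches back past the previous release: the `2018-11-15, Version 11.2.0 (Current)` entry sits in the same v11.3.0 feed as the first entry's `This is a security release.` text. A detector that matches anywhere in the feed could therefore flag a later ordinary release as a security release. The matching code in `is-security-release` is not visible in this part of the diff, so this is a point to confirm rather than an established defect. If the match is not already limited to the first entry (the tagged release commit), add a fixture for a non-security release whose feed still carries an earlier security-release entry, and assert that the result is `false`.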