From 3fea07fd82530007e20974d2f3bd98cb47200b43 Mon Sep 17 00:00:00 2001 From: Richard Lau Date: Fri, 10 May 2019 11:34:41 -0400 Subject: [PATCH] add security release column to index Parse the release notes for a release to determine if it is a security release. Refs: https://github.com/nodejs/Release/issues/437 --- dist-indexer.js | 35 +- is-security-release.js | 34 ++ test/fixtures/release-notes/v10.14.0.atom | 588 +++++++++++++++++++++ test/fixtures/release-notes/v10.14.1.atom | 608 ++++++++++++++++++++++ test/fixtures/release-notes/v11.3.0.atom | 544 +++++++++++++++++++ 5 files changed, 1807 insertions(+), 2 deletions(-) create mode 100644 is-security-release.js create mode 100644 test/fixtures/release-notes/v10.14.0.atom create mode 100644 test/fixtures/release-notes/v10.14.1.atom create mode 100644 test/fixtures/release-notes/v11.3.0.atom diff --git a/dist-indexer.js b/dist-indexer.js index 0600c8f..e2c44cf 100755 --- a/dist-indexer.js +++ b/dist-indexer.js @@ -13,6 +13,7 @@ const fs = require('fs') , transformFilename = require('./transform-filename') , decodeRef = require('./decode-ref') + , isSecurityRelease = require('./is-security-release') , versionCachePath = path.join(process.env.HOME, '.dist-indexer-version-cache') @@ -39,6 +40,7 @@ const fs = require('fs') , `${githubContentUrl}/src/node.h` ] , ltsVersionUrl = `${githubContentUrl}/src/node_version.h` + , isSecurityUrl = 'https://github.com/nodejs/{repo}/commits/{gitref}.atom' , githubOptions = { headers: { 'accept': 'text/plain,application/vnd.github.v3.raw' } } 
@@ -339,6 +341,23 @@ function fetchLtsVersion (gitref, callback) { } +function fetchSecurity (gitref, callback) { + var security = cacheGet(gitref, 'security') + + if (security || security === false) + return setImmediate(callback.bind(null, null, security)) + + fetch(isSecurityUrl, gitref, function (err, rawData) { + if (err) + return callback(err) + + security = isSecurityRelease(rawData) + cachePut(gitref, 'security', security) + callback(null, security) + }) +} + + function dirDate (dir, callback) { fs.readdir(path.join(argv.dist, dir), function (err, files) { if (err) @@ -392,6 +411,7 @@ function inspectDir (dir, callback) { , zlibVersion , modVersion , ltsVersion + , securityRelease , date if (!gitref) { @@ -412,7 +432,7 @@ function inspectDir (dir, callback) { files = _files - var done = after(8, afterAll) + var done = after(9, afterAll) dirDate(dir, function (err, _date) { if (err) @@ -484,6 +504,15 @@ function inspectDir (dir, callback) { ltsVersion = version done() }) + + fetchSecurity(gitref, function (err, security) { + if (err) { + console.error(err) + console.error('(ignoring error fetching security release for %s)', gitref) + } + securityRelease = security + done() + }) }) function afterAll (err) { @@ -504,6 +533,7 @@ function inspectDir (dir, callback) { , openssl : sslVersion , modules : modVersion , lts : ltsVersion + , security : securityRelease }) } } @@ -533,7 +563,7 @@ function afterMap (err, dirs) { } jsonOut.write('[\n') - tabWrite('version', 'date', 'files', 'npm', 'v8', 'uv', 'zlib', 'openssl', 'modules', 'lts') + tabWrite('version', 'date', 'files', 'npm', 'v8', 'uv', 'zlib', 'openssl', 'modules', 'lts', 'security') dirs.forEach(function (dir, i) { jsonOut.write(JSON.stringify(dir) + (i != dirs.length - 1 ? ',\n' : '\n')) @@ -548,6 +578,7 @@ function afterMap (err, dirs) { , dir.openssl , dir.modules , dir.lts + , dir.security ) }) diff --git a/is-security-release.js b/is-security-release.js new file mode 100644 index 0000000..a656621 
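Review bot: In the `fetchSecurity` callback added to `inspectDir` (hunk `@@ -484`), a fetch error is logged and ignored but `securityRelease` is still assigned the callback's second argument, which is `undefined` on the error path; since `JSON.stringify(dir)` (hunk `@@ -563`) drops undefined properties, the index entry then simply lacks a `security` key and a consumer cannot tell "could not be determined" from an entry written before this column existed, whereas `false` is only ever emitted when the notes were actually parsed. Consider `securityRelease = err ? null : security` so the JSON carries an explicit `null` for the unknown case; what `tabWrite` prints for `null` versus `undefined` is defined outside this diff, so the tab output should be checked as well. In `fetchSecurity` itself (hunk `@@ -339`) the result is deliberately not written to the cache on error, so the lookup is retried on the next run; a one-line comment such as `// not cached on error so the next run retries the lookup` would make that intent explicit.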
--- /dev/null +++ b/is-security-release.js @@ -0,0 +1,34 @@ +const notesre = /Version \d+\.\d+\.\d+.*\n(?!\w+<\/title>)\n(.*)\n/m + , securityre = /This is a security release\./ + + +function isSecurityRelease (notes) { + const m = notes.match(notesre) + if (m && securityre.test(m[1])) + return true + + return false +} + + +module.exports = isSecurityRelease + + +if (module === require.main) { + const assert = require('assert') + const fs = require('fs') + const path = require('path') + const fixturespath = path.join(__dirname, 'test', 'fixtures', 'release-notes') + const tests = [ + { fixture: 'v10.14.0.atom', expected: true } + , { fixture: 'v10.14.1.atom', expected: false } + , { fixture: 'v11.3.0.atom' , expected: true } + ] + + tests.forEach(function (test) { + console.log(`testing ${test.fixture} -> ${test.expected}`) + const fixture = path.join(fixturespath, test.fixture) + const notes = fs.readFileSync(fixture, { encoding: 'utf8' }) + assert.equal(isSecurityRelease(notes), test.expected) + }) +} diff --git a/test/fixtures/release-notes/v10.14.0.atom b/test/fixtures/release-notes/v10.14.0.atom new file mode 100644 index 0000000..e82db56 --- /dev/null +++ b/test/fixtures/release-notes/v10.14.0.atom 
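Review bot: `isSecurityRelease` returns `false` both when `notesre` finds no release-notes block at all and when the block is found but lacks the security sentence, so a change in GitHub's Atom markup or in the release-notes layout would silently mark every later release as non-security rather than surfacing a parser failure. Suggest logging the no-match case, e.g. `if (!m) console.error('(release notes not found in feed, assuming not a security release)')`, and adding a header comment stating the two assumptions the regexes encode: that the feed's first `Version x.y.z` entry is the release's own commit (the `v10.14.1` fixture relies on this to ignore the 10.14.0 security notes further down the feed), and that the sentence `This is a security release.` is on the first line after the title, since `securityre` is tested only against `m[1]`. The self-test uses `assert.equal`; `assert.strictEqual` would avoid a loose comparison against the boolean `expected`.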
@@ -0,0 +1,588 @@ + + + tag:github.com,2008:/nodejs/node/commits/v10.14.0 + + + Recent Commits to node:v10.14.0 + 2018-11-27T22:17:04Z + + tag:github.com,2008:Grit::Commit/b7103135bc7987dee97e8795b0b38293d05fd842 + + + 2018-11-27, Version 10.14.0 'Dubnium' (LTS) + + 2018-11-27T22:17:04Z + + + rvagg + https://github.com/rvagg + + + <pre style='white-space:pre-wrap;width:81ex'>2018-11-27, Version 10.14.0 &#39;Dubnium&#39; (LTS) + +This is a security release. All Node.js users should consult the security +release summary at: + + https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ + +for details on patched vulnerabilities. + +Fixes for the following CVEs are included in this release: + + * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121) + * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js) + * Node.js: Hostname spoofing in URL parser for javascript protocol + (CVE-2018-12123) + * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734) + * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735) + +Notable Changes: + +* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735 +* http: + * Headers received by HTTP servers must not exceed 8192 bytes in total to + prevent possible Denial of Service attacks. Reported by Trevor Norris. + (CVE-2018-12121 / Matteo Collina) + * A timeout of 40 seconds now applies to servers receiving HTTP headers. This + value can be adjusted with `server.headersTimeout`. Where headers are not + completely received within this period, the socket is destroyed on the next + received chunk. In conjunction with `server.setTimeout()`, this aids in + protecting against excessive resource retention and possible Denial of + Service. Reported by Jan Maybach (liebdich.com). +* url: Fix a bug that would allow a hostname being spoofed when parsing URLs + with `url.parse()` with the `&#39;javascript:&#39;` protocol. 
Reported by + Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina) + +PR-URL: https://github.com/nodejs-private/node-private/pull/155/</pre> + + + + tag:github.com,2008:Grit::Commit/8b1405ee014033d9a36873f65ca49be11f15a569 + + + url: avoid hostname spoofing w/ javascript protocol + + 2018-11-27T04:11:44Z + + + mcollina + https://github.com/mcollina + + + <pre style='white-space:pre-wrap;width:81ex'>url: avoid hostname spoofing w/ javascript protocol + +CVE-2018-12123 + +Fixes: https://github.com/nodejs-private/security/issues/205 +PR-URL: https://github.com/nodejs-private/node-private/pull/145 +Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; +Reviewed-By: Michael Dawson &lt;michael_dawson@ca.ibm.com&gt; +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/eb43bc04b1390ce2506144b46d081e63f7a7d5b7 + + + http,https: protect against slow headers attack + + 2018-11-27T04:11:44Z + + + mcollina + https://github.com/mcollina + + + <pre style='white-space:pre-wrap;width:81ex'>http,https: protect against slow headers attack + +CVE-2018-12122 + +An attacker can send a char/s within headers and exahust the resources +(file descriptors) of a system even with a tight max header length +protection. This PR destroys a socket if it has not received the headers +in 40s. 
+ +PR-URL: https://github.com/nodejs-private/node-private/pull/150 +Ref: https://github.com/nodejs-private/node-private/pull/144 +Reviewed-By: Sam Roberts &lt;vieuxtech@gmail.com&gt; +Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/a8532d4d23304d8cc28c968e2eda519a546834ca + + + deps,http: http_parser set max header size to 8KB + + 2018-11-27T04:11:44Z + + + mcollina + https://github.com/mcollina + + + <pre style='white-space:pre-wrap;width:81ex'>deps,http: http_parser set max header size to 8KB + +CVE-2018-12121 + +PR-URL: https://github.com/nodejs-private/node-private/pull/143 +Ref: https://github.com/nodejs-private/security/issues/139 +Ref: https://github.com/nodejs-private/http-parser-private/pull/2 +Reviewed-By: Anatoli Papirovski &lt;apapirovski@mac.com&gt; +Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt; +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/38ca8baf81a2caf05253718db6bf56e49543e8ef + + + deps: update openssl 1.1.0 upgrade docs + + 2018-11-24T10:42:20Z + + + sam-github + https://github.com/sam-github + + + <pre style='white-space:pre-wrap;width:81ex'>deps: update openssl 1.1.0 upgrade docs + +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/241ba81a5b4805324e8acfd1781ed607278784ce + + + deps: update archs files for OpenSSL-1.1.0 + + 2018-11-24T10:42:20Z + + + sam-github + https://github.com/sam-github + + + <pre style='white-space:pre-wrap;width:81ex'>deps: update archs files for OpenSSL-1.1.0 + +`cd deps/openssl/config; make` updates all archs dependant files. 
+ +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/acc40efa905c73fb7475ca5008d65dbdcd5f4867 + + + deps: add s390 asm rules for OpenSSL-1.1.0 + + 2018-11-24T10:42:20Z + + + shigeki + https://github.com/shigeki + + + <pre style='white-space:pre-wrap;width:81ex'>deps: add s390 asm rules for OpenSSL-1.1.0 + +This is a floating patch against OpenSSL-1.1.0 to generate asm files +with Makefile rules and it is to be submitted to the upstream. + +Fixes: https://github.com/nodejs/node/issues/4270 +PR-URL: https://github.com/nodejs/node/pull/19794 +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt; +Reviewed-By: Michael Dawson &lt;michael_dawson@ca.ibm.com&gt; + +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/7efd184bb16ecf1b93fe9a5b9300e2353149d330 + + + deps: upgrade openssl sources to 1.1.0j + + 2018-11-24T10:42:20Z + + + sam-github + https://github.com/sam-github + + + <pre style='white-space:pre-wrap;width:81ex'>deps: upgrade openssl sources to 1.1.0j + +This updates all sources in deps/openssl/openssl with openssl-1.1.0j. 
+ +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/4febb6c767787dfb8c56d9c80812cd8a4baa53b6 + + + Working on v10.13.1 + + 2018-10-30T08:42:12Z + + + MylesBorins + https://github.com/MylesBorins + + + <pre style='white-space:pre-wrap;width:81ex'>Working on v10.13.1 + +PR-URL: https://github.com/nodejs/node/pull/23831</pre> + + + + tag:github.com,2008:Grit::Commit/ab4af087e83d91a46354d765306d3543b1d85423 + + + 2018-10-30 Version 10.13.0 'Dubnium' (LTS) + + 2018-10-30T06:20:26Z + + + MylesBorins + https://github.com/MylesBorins + + + <pre style='white-space:pre-wrap;width:81ex'>2018-10-30 Version 10.13.0 &#39;Dubnium&#39; (LTS) + +This release marks the transition of Node.js 10.x into Long Term +Support (LTS) with the codename &#39;Dubnium&#39;. The 10.x release line +now moves in to &quot;Active LTS&quot; and will remain so until April 2020. +After that time it will move in to &quot;Maintenance&quot; until end of +life in April 2021. + +Notable Changes: + +This release only includes minimal changes necessary to fix known +regressions prior to LTS. + +PR-URL: https://github.com/nodejs/node/pull/23831</pre> + + + + tag:github.com,2008:Grit::Commit/2ba60100820afe9b01f0d3dcee46453ce26db7e0 + + + buffer: fix crash for invalid index types + + 2018-10-29T19:39:48Z + + + addaleax + https://github.com/addaleax + + + <pre style='white-space:pre-wrap;width:81ex'>buffer: fix crash for invalid index types + +2555cb4a4049dc4c41d8a2f4ce50909cc0a12a4a introduced a crash +when a non-number value was passed to `ParseArrayIndex()`. + +We do not always have JS typechecking for that in place, though. +This returns back to the previous behavior of coercing values +to integers, which is certainly questionable. 
+ +Refs: https://github.com/nodejs/node/pull/22129 +Fixes: https://github.com/nodejs/node/issues/23668</pre> + + + + tag:github.com,2008:Grit::Commit/2cd68be69d7a60e8b419085e42a0cf7bfcd6ea2f + + + build: spawn `make test-ci` with `-j1` + + 2018-10-29T19:39:48Z + + + refack + https://github.com/refack + + + <pre style='white-space:pre-wrap;width:81ex'>build: spawn `make test-ci` with `-j1` + +All the sub targets have internal parallelism, so no performance loss. +Also `make` doesn&#39;t to a good enough job of combining the output +streams, or eliminate races. + +PR-URL: https://github.com/nodejs/node/pull/23733 +Fixes: https://github.com/nodejs/node/issues/22006 +Reviewed-By: Richard Lau &lt;riclau@uk.ibm.com&gt; +Reviewed-By: Joyee Cheung &lt;joyeec9h3@gmail.com&gt; +Reviewed-By: Matheus Marchini &lt;mat@mmarchini.me&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/1003f4c97531cd3e44c635da83d0cbe7be8d6048 + + + deps: fix wrong default for v8 handle zapping + + 2018-10-25T15:53:25Z + + + refack + https://github.com/refack + + + <pre style='white-space:pre-wrap;width:81ex'>deps: fix wrong default for v8 handle zapping + +PR-URL: https://github.com/nodejs/node/pull/23801 +Fixes: https://github.com/nodejs/node/issues/23796 +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt; +Reviewed-By: Michaël Zasso &lt;targos@protonmail.com&gt; +Reviewed-By: Matheus Marchini &lt;mat@mmarchini.me&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/b66f46cb023a09cc77957c9360ae2cf18c4db188 + + + Working on v10.12.1 + + 2018-10-10T21:13:29Z + + + targos + https://github.com/targos + + + <pre style='white-space:pre-wrap;width:81ex'>Working on v10.12.1 + +PR-URL: https://github.com/nodejs/node/pull/23313</pre> + + + + tag:github.com,2008:Grit::Commit/4a276cc2a960b3f9a138ac3a99c9249a63b4d472 + + + 2018-10-10, Version 10.12.0 (Current) + + 2018-10-10T16:10:08Z + + + targos + https://github.com/targos + + + <pre style='white-space:pre-wrap;width:81ex'>2018-10-10, Version 10.12.0 
(Current) + +Notable changes: + +* assert + * The diff output is now a tiny bit improved by sorting object + properties when inspecting the values that are compared with each + other. https://github.com/nodejs/node/pull/22788 +* cli + * The options parser now normalizes `_` to `-` in all multi-word + command-line flags, e.g. `--no_warnings` has the same effect as + `--no-warnings`. https://github.com/nodejs/node/pull/23020 + * Added bash completion for the `node` binary. To generate a bash + completion script, run `node --completion-bash`. The output can be + saved to a file which can be sourced to enable completion. + https://github.com/nodejs/node/pull/20713 +* crypto + * Added support for PEM-level encryption. + https://github.com/nodejs/node/pull/23151 + * Added an API asymmetric key pair generation. The new methods + `crypto.generateKeyPair` and `crypto.generateKeyPairSync` can be + used to generate public and private key pairs. The API supports + RSA, DSA and EC and a variety of key encodings (both PEM and DER). + https://github.com/nodejs/node/pull/22660 +* fs + * Added a `recursive` option to `fs.mkdir` and `fs.mkdirSync`. If + this option is set to true, non-existing parent folders will be + automatically created. https://github.com/nodejs/node/pull/21875 +* http2 + * Added a `&#39;ping&#39;` event to `Http2Session` that is emitted whenever a + non-ack `PING` is received. + https://github.com/nodejs/node/pull/23009 + * Added support for the `ORIGIN` frame. + https://github.com/nodejs/node/pull/22956 + * Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect + protocol support to allow use of WebSockets over HTTP/2. + https://github.com/nodejs/node/pull/23284 +* module + * Added `module.createRequireFromPath(filename)`. This new method can + be used to create a custom require function that will resolve + modules relative to the filename path. 
+ https://github.com/nodejs/node/pull/19360 +* process + * Added a `&#39;multipleResolves&#39;` process event that is emitted whenever + a `Promise` is attempted to be resolved multiple times, e.g. if the + `resolve` and `reject` functions are both called in a `Promise` + executor. https://github.com/nodejs/node/pull/22218 +* url + * Added `url.fileURLToPath(url)` and `url.pathToFileURL(path)`. These + methods can be used to correctly convert between file: URLs and + absolute paths. https://github.com/nodejs/node/pull/22506 +* util + * Added the `sorted` option to `util.inspect()`. If set to `true`, + all properties of an object and Set and Map entries will be sorted + in the returned string. If set to a function, it is used as a + compare function. https://github.com/nodejs/node/pull/22788 + * The `util.instpect.custom` symbol is now defined in the global + symbol registry as `Symbol.for(&#39;nodejs.util.inspect.custom&#39;)`. + https://github.com/nodejs/node/pull/20857 + * Added support for `BigInt` numbers in `util.format()`. + https://github.com/nodejs/node/pull/22097 +* V8 API + * A number of V8 C++ APIs have been marked as deprecated since they + have been removed in the upstream repository. Replacement APIs + are added where necessary. https://github.com/nodejs/node/pull/23159 +* Windows + * The Windows msi installer now provides an option to automatically + install the tools required to build native modules. + https://github.com/nodejs/node/pull/22645 +* Workers + * Debugging support for Workers using the DevTools protocol has been + implemented. https://github.com/nodejs/node/pull/21364 + * The public `inspector` module is now enabled in Workers. 
+ https://github.com/nodejs/node/pull/22769 +* Added new collaborators: + * digitalinfinity - Hitesh Kanwathirtha + +PR-URL: https://github.com/nodejs/node/pull/23313</pre> + + + + tag:github.com,2008:Grit::Commit/e6484c2c1193d8067e01477497b7dfbb4d8ccab3 + + + build: restore js2c direct dependency on config.gypi + + 2018-10-10T15:40:21Z + + + refack + https://github.com/refack + + + <pre style='white-space:pre-wrap;width:81ex'>build: restore js2c direct dependency on config.gypi + +PR-URL: https://github.com/nodejs/node/pull/23355 +Fixes: https://github.com/nodejs/node/issues/23352 +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt; +Reviewed-By: Joyee Cheung &lt;joyeec9h3@gmail.com&gt; +Reviewed-By: Richard Lau &lt;riclau@uk.ibm.com&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/cd69e1b6c3e07946b53548b72228c432e2993a79 + + + src: fix ToObject() usage in node_http_parser.cc + + 2018-10-10T15:40:21Z + + + cjihrig + https://github.com/cjihrig + + + <pre style='white-space:pre-wrap;width:81ex'>src: fix ToObject() usage in node_http_parser.cc + +PR-URL: https://github.com/nodejs/node/pull/23314 +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; +Reviewed-By: Sakthipriyan Vairamani &lt;thechargingvolcano@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/5228ec4410605651192137890da5c41ac5755bcc + + + src: fix ToObject() usage in exceptions.cc + + 2018-10-10T15:40:21Z + + + cjihrig + https://github.com/cjihrig + + + <pre style='white-space:pre-wrap;width:81ex'>src: fix ToObject() usage in exceptions.cc + +PR-URL: https://github.com/nodejs/node/pull/23314 +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; +Reviewed-By: Sakthipriyan Vairamani 
&lt;thechargingvolcano@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/c4aa0331c108f55c5a56193fac0249a27767de03 + + + build: make configure script verbose by default + + 2018-10-10T15:37:07Z + + + targos + https://github.com/targos + + + <pre style='white-space:pre-wrap;width:81ex'>build: make configure script verbose by default + +The change that added the --verbose flag was supposed to be +semver-major but already landed in a 10.x release. + +Refs: https://github.com/nodejs/node/pull/22450 + +PR-URL: https://github.com/nodejs/node/pull/23408 +Reviewed-By: Colin Ihrig &lt;cjihrig@gmail.com&gt; +Reviewed-By: Rich Trott &lt;rtrott@gmail.com&gt; +Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; +Reviewed-By: Richard Lau &lt;riclau@uk.ibm.com&gt; +Reviewed-By: Sakthipriyan Vairamani &lt;thechargingvolcano@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/a65bb42551b635b3bb948ab1c9f7064da1b77554 + + + net: use connect() instead of connect.call() + + 2018-10-10T13:42:52Z + + + JacksonTian + https://github.com/JacksonTian + + + <pre style='white-space:pre-wrap;width:81ex'>net: use connect() instead of connect.call() + +Use socket.connect() directly. + +PR-URL: https://github.com/nodejs/node/pull/23289 +Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; +Reviewed-By: Sakthipriyan Vairamani &lt;thechargingvolcano@gmail.com&gt; +Reviewed-By: Trivikram Kamat &lt;trivikr.dev@gmail.com&gt; +Reviewed-By: Colin Ihrig &lt;cjihrig@gmail.com&gt; +Reviewed-By: Thomas Watson &lt;w@tson.dk&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;</pre> + + + diff --git a/test/fixtures/release-notes/v10.14.1.atom b/test/fixtures/release-notes/v10.14.1.atom new file mode 100644 index 0000000..7f0b6ad --- /dev/null +++ b/test/fixtures/release-notes/v10.14.1.atom 
@@ -0,0 +1,608 @@ + + + tag:github.com,2008:/nodejs/node/commits/v10.14.1 + + + Recent Commits to node:v10.14.1 + 2018-11-29T04:47:06Z + + tag:github.com,2008:Grit::Commit/d3dbe3a8514e47ef820d4768ed74c36a8843b976 + + + 2018-11-29, Version 10.14.1 'Dubnium' (LTS) + + 2018-11-29T04:47:06Z + + + MylesBorins + https://github.com/MylesBorins + + + <pre style='white-space:pre-wrap;width:81ex'>2018-11-29, Version 10.14.1 &#39;Dubnium&#39; (LTS) + +Notable Changes: + +* **win/msi**: Revert changes to installer causing issues on Windows systems. + +PR-URL: https://github.com/nodejs/node/pull/24711</pre> + + + + tag:github.com,2008:Grit::Commit/9e293c13288a0fa3da20b7ccf4421a6d0b413bb2 + + + Revert "win,msi: install tools for native modules" + + 2018-11-29T04:39:31Z + + + refack + https://github.com/refack + + + <pre style='white-space:pre-wrap;width:81ex'>Revert &quot;win,msi: install tools for native modules&quot; + +This reverts: + Revision: 257a5e9c389b648aca08b02aae9e19f142ce0493 + win: add prompt to tools installation script + + Revision: e9a291582d145a00df27aaaa54b66e42c725d89e + win: clarify Boxstarter behavior on install tools + + Revision: 3b895d12584a91acf3866a728ed490841490dc95 + win,msi: display license notes before installing tools + + Revision: cf284c80a9c82d4baebf095c356179c753da493c + win,msi: install Boxstarter from elevated shell + + Revision: 2b7e18dec5ccb51270df7c8bd554ffdf2e28e603 + win,msi: highlight installation of 3rd-party tools + + Revision: ebf36cd18018faab5427327c3469a71dd1d35129 + win,msi: install tools for native modules + +PR-URL: https://github.com/nodejs/node/pull/24344 +Refs: https://github.com/nodejs/node/pull/22645 +Refs: https://github.com/nodejs/node/pull/23987 +Refs: https://github.com/nodejs/Release/issues/369 +Refs: https://github.com/nodejs/node/issues/23838 +Refs: https://github.com/nodejs/security-wg/issues/439 +Reviewed-By: João Reis &lt;reis@janeasystems.com&gt; +Reviewed-By: Richard Lau &lt;riclau@uk.ibm.com&gt;</pre> + + + + 
tag:github.com,2008:Grit::Commit/5d17bf1e1386b17d81efc3e9e14f185e8d442b4a + + + win: add prompt to tools installation script + + 2018-11-29T04:39:26Z + + + joaocgreis + https://github.com/joaocgreis + + + <pre style='white-space:pre-wrap;width:81ex'>win: add prompt to tools installation script + +Fixes: https://github.com/nodejs/Release/issues/369 + +PR-URL: https://github.com/nodejs/node/pull/23987 +Reviewed-By: John-David Dalton &lt;john.david.dalton@gmail.com&gt; +Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; +Reviewed-By: Richard Lau &lt;riclau@uk.ibm.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/589f0d2192210eb1a455d7cdbe7d1a668d1f8843 + + + win: clarify Boxstarter behavior on install tools + + 2018-11-29T04:39:20Z + + + ferventcoder + https://github.com/ferventcoder + + + <pre style='white-space:pre-wrap;width:81ex'>win: clarify Boxstarter behavior on install tools + +Clarify the behavior of what Boxstarter may do when it runs on a box +to install all the necessary tools so that there are no surprises to +the end user when the script is run. + +Currently there is no interface that warns the user that Boxstarter +will reboot the machine possibly multiple times depending on how many +dependencies need to be installed and doesn&#39;t mention a need to disable +UAC. For folks who see what may look like a reboot loop, we feel it is +necessary to make them aware that UAC will be disabled and they will +need to take action to re-enable UAC manually if they interfere/stop +the script from finishing. 
+ +PR-URL: https://github.com/nodejs/node/pull/23987 +Fixes: https://github.com/nodejs/Release/issues/369 +Reviewed-By: John-David Dalton &lt;john.david.dalton@gmail.com&gt; +Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; +Reviewed-By: Richard Lau &lt;riclau@uk.ibm.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/183e3bf1b0ddc0c0072bb1bc63ec06b77bd4aa07 + + + Working on v10.14.1 + + 2018-11-28T00:14:05Z + + + rvagg + https://github.com/rvagg + + + <pre style='white-space:pre-wrap;width:81ex'>Working on v10.14.1 + +PR-URL: https://github.com/nodejs-private/node-private/pull/155/</pre> + + + + tag:github.com,2008:Grit::Commit/b7103135bc7987dee97e8795b0b38293d05fd842 + + + 2018-11-27, Version 10.14.0 'Dubnium' (LTS) + + 2018-11-27T22:17:04Z + + + rvagg + https://github.com/rvagg + + + <pre style='white-space:pre-wrap;width:81ex'>2018-11-27, Version 10.14.0 &#39;Dubnium&#39; (LTS) + +This is a security release. All Node.js users should consult the security +release summary at: + + https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ + +for details on patched vulnerabilities. + +Fixes for the following CVEs are included in this release: + + * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121) + * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js) + * Node.js: Hostname spoofing in URL parser for javascript protocol + (CVE-2018-12123) + * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734) + * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735) + +Notable Changes: + +* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735 +* http: + * Headers received by HTTP servers must not exceed 8192 bytes in total to + prevent possible Denial of Service attacks. Reported by Trevor Norris. + (CVE-2018-12121 / Matteo Collina) + * A timeout of 40 seconds now applies to servers receiving HTTP headers. 
This + value can be adjusted with `server.headersTimeout`. Where headers are not + completely received within this period, the socket is destroyed on the next + received chunk. In conjunction with `server.setTimeout()`, this aids in + protecting against excessive resource retention and possible Denial of + Service. Reported by Jan Maybach (liebdich.com). +* url: Fix a bug that would allow a hostname being spoofed when parsing URLs + with `url.parse()` with the `&#39;javascript:&#39;` protocol. Reported by + Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina) + +PR-URL: https://github.com/nodejs-private/node-private/pull/155/</pre> + + + + tag:github.com,2008:Grit::Commit/8b1405ee014033d9a36873f65ca49be11f15a569 + + + url: avoid hostname spoofing w/ javascript protocol + + 2018-11-27T04:11:44Z + + + mcollina + https://github.com/mcollina + + + <pre style='white-space:pre-wrap;width:81ex'>url: avoid hostname spoofing w/ javascript protocol + +CVE-2018-12123 + +Fixes: https://github.com/nodejs-private/security/issues/205 +PR-URL: https://github.com/nodejs-private/node-private/pull/145 +Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; +Reviewed-By: Michael Dawson &lt;michael_dawson@ca.ibm.com&gt; +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/eb43bc04b1390ce2506144b46d081e63f7a7d5b7 + + + http,https: protect against slow headers attack + + 2018-11-27T04:11:44Z + + + mcollina + https://github.com/mcollina + + + <pre style='white-space:pre-wrap;width:81ex'>http,https: protect against slow headers attack + +CVE-2018-12122 + +An attacker can send a char/s within headers and exahust the resources +(file descriptors) of a system even with a tight max header length +protection. This PR destroys a socket if it has not received the headers +in 40s. 
+ +PR-URL: https://github.com/nodejs-private/node-private/pull/150 +Ref: https://github.com/nodejs-private/node-private/pull/144 +Reviewed-By: Sam Roberts &lt;vieuxtech@gmail.com&gt; +Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/a8532d4d23304d8cc28c968e2eda519a546834ca + + + deps,http: http_parser set max header size to 8KB + + 2018-11-27T04:11:44Z + + + mcollina + https://github.com/mcollina + + + <pre style='white-space:pre-wrap;width:81ex'>deps,http: http_parser set max header size to 8KB + +CVE-2018-12121 + +PR-URL: https://github.com/nodejs-private/node-private/pull/143 +Ref: https://github.com/nodejs-private/security/issues/139 +Ref: https://github.com/nodejs-private/http-parser-private/pull/2 +Reviewed-By: Anatoli Papirovski &lt;apapirovski@mac.com&gt; +Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt; +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/38ca8baf81a2caf05253718db6bf56e49543e8ef + + + deps: update openssl 1.1.0 upgrade docs + + 2018-11-24T10:42:20Z + + + sam-github + https://github.com/sam-github + + + <pre style='white-space:pre-wrap;width:81ex'>deps: update openssl 1.1.0 upgrade docs + +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/241ba81a5b4805324e8acfd1781ed607278784ce + + + deps: update archs files for OpenSSL-1.1.0 + + 2018-11-24T10:42:20Z + + + sam-github + https://github.com/sam-github + + + <pre style='white-space:pre-wrap;width:81ex'>deps: update archs files for OpenSSL-1.1.0 + +`cd deps/openssl/config; make` updates all archs dependant files. 
+ +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/acc40efa905c73fb7475ca5008d65dbdcd5f4867 + + + deps: add s390 asm rules for OpenSSL-1.1.0 + + 2018-11-24T10:42:20Z + + + shigeki + https://github.com/shigeki + + + <pre style='white-space:pre-wrap;width:81ex'>deps: add s390 asm rules for OpenSSL-1.1.0 + +This is a floating patch against OpenSSL-1.1.0 to generate asm files +with Makefile rules and it is to be submitted to the upstream. + +Fixes: https://github.com/nodejs/node/issues/4270 +PR-URL: https://github.com/nodejs/node/pull/19794 +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt; +Reviewed-By: Michael Dawson &lt;michael_dawson@ca.ibm.com&gt; + +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/7efd184bb16ecf1b93fe9a5b9300e2353149d330 + + + deps: upgrade openssl sources to 1.1.0j + + 2018-11-24T10:42:20Z + + + sam-github + https://github.com/sam-github + + + <pre style='white-space:pre-wrap;width:81ex'>deps: upgrade openssl sources to 1.1.0j + +This updates all sources in deps/openssl/openssl with openssl-1.1.0j. 
+ +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/4febb6c767787dfb8c56d9c80812cd8a4baa53b6 + + + Working on v10.13.1 + + 2018-10-30T08:42:12Z + + + MylesBorins + https://github.com/MylesBorins + + + <pre style='white-space:pre-wrap;width:81ex'>Working on v10.13.1 + +PR-URL: https://github.com/nodejs/node/pull/23831</pre> + + + + tag:github.com,2008:Grit::Commit/ab4af087e83d91a46354d765306d3543b1d85423 + + + 2018-10-30 Version 10.13.0 'Dubnium' (LTS) + + 2018-10-30T06:20:26Z + + + MylesBorins + https://github.com/MylesBorins + + + <pre style='white-space:pre-wrap;width:81ex'>2018-10-30 Version 10.13.0 &#39;Dubnium&#39; (LTS) + +This release marks the transition of Node.js 10.x into Long Term +Support (LTS) with the codename &#39;Dubnium&#39;. The 10.x release line +now moves in to &quot;Active LTS&quot; and will remain so until April 2020. +After that time it will move in to &quot;Maintenance&quot; until end of +life in April 2021. + +Notable Changes: + +This release only includes minimal changes necessary to fix known +regressions prior to LTS. + +PR-URL: https://github.com/nodejs/node/pull/23831</pre> + + + + tag:github.com,2008:Grit::Commit/2ba60100820afe9b01f0d3dcee46453ce26db7e0 + + + buffer: fix crash for invalid index types + + 2018-10-29T19:39:48Z + + + addaleax + https://github.com/addaleax + + + <pre style='white-space:pre-wrap;width:81ex'>buffer: fix crash for invalid index types + +2555cb4a4049dc4c41d8a2f4ce50909cc0a12a4a introduced a crash +when a non-number value was passed to `ParseArrayIndex()`. + +We do not always have JS typechecking for that in place, though. +This returns back to the previous behavior of coercing values +to integers, which is certainly questionable. 
+ +Refs: https://github.com/nodejs/node/pull/22129 +Fixes: https://github.com/nodejs/node/issues/23668</pre> + + + + tag:github.com,2008:Grit::Commit/2cd68be69d7a60e8b419085e42a0cf7bfcd6ea2f + + + build: spawn `make test-ci` with `-j1` + + 2018-10-29T19:39:48Z + + + refack + https://github.com/refack + + + <pre style='white-space:pre-wrap;width:81ex'>build: spawn `make test-ci` with `-j1` + +All the sub targets have internal parallelism, so no performance loss. +Also `make` doesn&#39;t to a good enough job of combining the output +streams, or eliminate races. + +PR-URL: https://github.com/nodejs/node/pull/23733 +Fixes: https://github.com/nodejs/node/issues/22006 +Reviewed-By: Richard Lau &lt;riclau@uk.ibm.com&gt; +Reviewed-By: Joyee Cheung &lt;joyeec9h3@gmail.com&gt; +Reviewed-By: Matheus Marchini &lt;mat@mmarchini.me&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/1003f4c97531cd3e44c635da83d0cbe7be8d6048 + + + deps: fix wrong default for v8 handle zapping + + 2018-10-25T15:53:25Z + + + refack + https://github.com/refack + + + <pre style='white-space:pre-wrap;width:81ex'>deps: fix wrong default for v8 handle zapping + +PR-URL: https://github.com/nodejs/node/pull/23801 +Fixes: https://github.com/nodejs/node/issues/23796 +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt; +Reviewed-By: Michaël Zasso &lt;targos@protonmail.com&gt; +Reviewed-By: Matheus Marchini &lt;mat@mmarchini.me&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/b66f46cb023a09cc77957c9360ae2cf18c4db188 + + + Working on v10.12.1 + + 2018-10-10T21:13:29Z + + + targos + https://github.com/targos + + + <pre style='white-space:pre-wrap;width:81ex'>Working on v10.12.1 + +PR-URL: https://github.com/nodejs/node/pull/23313</pre> + + + + tag:github.com,2008:Grit::Commit/4a276cc2a960b3f9a138ac3a99c9249a63b4d472 + + + 2018-10-10, Version 10.12.0 (Current) + + 2018-10-10T16:10:08Z + + + targos + https://github.com/targos + + + <pre style='white-space:pre-wrap;width:81ex'>2018-10-10, Version 10.12.0 
(Current) + +Notable changes: + +* assert + * The diff output is now a tiny bit improved by sorting object + properties when inspecting the values that are compared with each + other. https://github.com/nodejs/node/pull/22788 +* cli + * The options parser now normalizes `_` to `-` in all multi-word + command-line flags, e.g. `--no_warnings` has the same effect as + `--no-warnings`. https://github.com/nodejs/node/pull/23020 + * Added bash completion for the `node` binary. To generate a bash + completion script, run `node --completion-bash`. The output can be + saved to a file which can be sourced to enable completion. + https://github.com/nodejs/node/pull/20713 +* crypto + * Added support for PEM-level encryption. + https://github.com/nodejs/node/pull/23151 + * Added an API asymmetric key pair generation. The new methods + `crypto.generateKeyPair` and `crypto.generateKeyPairSync` can be + used to generate public and private key pairs. The API supports + RSA, DSA and EC and a variety of key encodings (both PEM and DER). + https://github.com/nodejs/node/pull/22660 +* fs + * Added a `recursive` option to `fs.mkdir` and `fs.mkdirSync`. If + this option is set to true, non-existing parent folders will be + automatically created. https://github.com/nodejs/node/pull/21875 +* http2 + * Added a `&#39;ping&#39;` event to `Http2Session` that is emitted whenever a + non-ack `PING` is received. + https://github.com/nodejs/node/pull/23009 + * Added support for the `ORIGIN` frame. + https://github.com/nodejs/node/pull/22956 + * Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect + protocol support to allow use of WebSockets over HTTP/2. + https://github.com/nodejs/node/pull/23284 +* module + * Added `module.createRequireFromPath(filename)`. This new method can + be used to create a custom require function that will resolve + modules relative to the filename path. 
+ https://github.com/nodejs/node/pull/19360 +* process + * Added a `&#39;multipleResolves&#39;` process event that is emitted whenever + a `Promise` is attempted to be resolved multiple times, e.g. if the + `resolve` and `reject` functions are both called in a `Promise` + executor. https://github.com/nodejs/node/pull/22218 +* url + * Added `url.fileURLToPath(url)` and `url.pathToFileURL(path)`. These + methods can be used to correctly convert between file: URLs and + absolute paths. https://github.com/nodejs/node/pull/22506 +* util + * Added the `sorted` option to `util.inspect()`. If set to `true`, + all properties of an object and Set and Map entries will be sorted + in the returned string. If set to a function, it is used as a + compare function. https://github.com/nodejs/node/pull/22788 + * The `util.instpect.custom` symbol is now defined in the global + symbol registry as `Symbol.for(&#39;nodejs.util.inspect.custom&#39;)`. + https://github.com/nodejs/node/pull/20857 + * Added support for `BigInt` numbers in `util.format()`. + https://github.com/nodejs/node/pull/22097 +* V8 API + * A number of V8 C++ APIs have been marked as deprecated since they + have been removed in the upstream repository. Replacement APIs + are added where necessary. https://github.com/nodejs/node/pull/23159 +* Windows + * The Windows msi installer now provides an option to automatically + install the tools required to build native modules. + https://github.com/nodejs/node/pull/22645 +* Workers + * Debugging support for Workers using the DevTools protocol has been + implemented. https://github.com/nodejs/node/pull/21364 + * The public `inspector` module is now enabled in Workers. + https://github.com/nodejs/node/pull/22769 +* Added new collaborators: + * digitalinfinity - Hitesh Kanwathirtha + +PR-URL: https://github.com/nodejs/node/pull/23313</pre> + + + 
diff --git a/test/fixtures/release-notes/v11.3.0.atom b/test/fixtures/release-notes/v11.3.0.atom
new file mode 100644
index 0000000..e27554a
--- /dev/null
+++ b/test/fixtures/release-notes/v11.3.0.atom
@@ -0,0 +1,544 @@ + + + tag:github.com,2008:/nodejs/node/commits/v11.3.0 + + + Recent Commits to node:v11.3.0 + 2018-11-27T04:36:42Z + + tag:github.com,2008:Grit::Commit/00fb73a72eff0e90d0f85b95dbcfc3c21f89cff9 + + + 2018-11-27, Version 11.3.0 (Current) + + 2018-11-27T04:36:42Z + + + rvagg + https://github.com/rvagg + + + <pre style='white-space:pre-wrap;width:81ex'>2018-11-27, Version 11.3.0 (Current) + +This is a security release. All Node.js users should consult the security +release summary at: + +https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ + +for details on patched vulnerabilities. + +Fixes for the following CVEs are included in this release: + + * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121) + * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js) + * Node.js: Hostname spoofing in URL parser for javascript protocol + (CVE-2018-12123) + * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734) + * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735) + +Notable Changes: + +* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735 +* http: + * Headers received by HTTP servers must not exceed 8192 bytes in total to + prevent possible Denial of Service attacks. Reported by Trevor Norris. + (CVE-2018-12121 / Matteo Collina) + * A timeout of 40 seconds now applies to servers receiving HTTP headers. This + value can be adjusted with `server.headersTimeout`. Where headers are not + completely received within this period, the socket is destroyed on the next + received chunk. In conjunction with `server.setTimeout()`, this aids in + protecting against excessive resource retention and possible Denial of + Service. Reported by Jan Maybach (liebdich.com). +* url: Fix a bug that would allow a hostname being spoofed when parsing URLs + with `url.parse()` with the `&#39;javascript:&#39;` protocol. Reported by + Martin Bajanik (kenticocloud.com). 
(CVE-2018-12123 / Matteo Collina) + +PR-URL: https://github.com/nodejs-private/node-private/pull/156/</pre> + + + + tag:github.com,2008:Grit::Commit/d7504324e1dfc0ac3c6849c2913ee58faca6386a + + + url: avoid hostname spoofing w/ javascript protocol + + 2018-11-27T04:30:17Z + + + mcollina + https://github.com/mcollina + + + <pre style='white-space:pre-wrap;width:81ex'>url: avoid hostname spoofing w/ javascript protocol + +CVE-2018-12123 + +Fixes: https://github.com/nodejs-private/security/issues/205 +PR-URL: https://github.com/nodejs-private/node-private/pull/145 +Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; +Reviewed-By: Michael Dawson &lt;michael_dawson@ca.ibm.com&gt; +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/315ee2e626f6134f372d8034d9b94b73717705c7 + + + http,https: protect against slow headers attack + + 2018-11-27T04:30:17Z + + + mcollina + https://github.com/mcollina + + + <pre style='white-space:pre-wrap;width:81ex'>http,https: protect against slow headers attack + +CVE-2018-12122 + +An attacker can send a char/s within headers and exahust the resources +(file descriptors) of a system even with a tight max header length +protection. This PR destroys a socket if it has not received the headers +in 40s. 
+ +PR-URL: https://github.com/nodejs-private/node-private/pull/144 +Reviewed-By: Sam Roberts &lt;vieuxtech@gmail.com&gt; +Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/4ecbd3bdaad94c33a03bf390462706ce1952c2c7 + + + http: reset headers_nread_ on llhttp parser reuse + + 2018-11-27T04:29:40Z + + + rvagg + https://github.com/rvagg + + + <pre style='white-space:pre-wrap;width:81ex'>http: reset headers_nread_ on llhttp parser reuse + +PR-URL: https://github.com/nodejs-private/node-private/pull/149 +Reviewed-By: Fedor Indutny &lt;fedor@indutny.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/04e0620597c30d19a0b4fd4ed04337619d49fb43 + + + http: fix header limit errors and test for llhttp + + 2018-11-27T04:24:30Z + + + indutny + https://github.com/indutny + + + <pre style='white-space:pre-wrap;width:81ex'>http: fix header limit errors and test for llhttp + +Ref: https://github.com/nodejs-private/node-private/pull/143 +PR-URL: https://github.com/nodejs-private/node-private/pull/149 +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/a2b8aba23cffe392495736da373baf506f88da52 + + + deps,http: llhttp set max header size to 8KB + + 2018-11-27T04:24:30Z + + + rvagg + https://github.com/rvagg + + + <pre style='white-space:pre-wrap;width:81ex'>deps,http: llhttp set max header size to 8KB + +CVE-2018-12121 + +As per nodejs-private/node-private#149 for http_parse but for llhttp + +Ref: https://github.com/nodejs-private/node-private/pull/143 +PR-URL: https://github.com/nodejs-private/node-private/pull/149 +Reviewed-By: Matteo Collina &lt;hello@matteocollina.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/74e01d0020ec255673e17353a1004a8ea375fff4 + + + deps,http: http_parser set max header size to 8KB + + 2018-11-27T04:24:30Z + + + mcollina + https://github.com/mcollina + + + <pre 
style='white-space:pre-wrap;width:81ex'>deps,http: http_parser set max header size to 8KB + +CVE-2018-12121 + +PR-URL: https://github.com/nodejs-private/node-private/pull/143 +Ref: https://github.com/nodejs-private/security/issues/139 +Ref: https://github.com/nodejs-private/http-parser-private/pull/2 +Reviewed-By: Anatoli Papirovski &lt;apapirovski@mac.com&gt; +Reviewed-By: Ben Noordhuis &lt;info@bnoordhuis.nl&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt; +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/8f191f37596333ce4e7f9de8a8d839a576c9ca9f + + + deps: update openssl 1.1.0 upgrade docs + + 2018-11-25T09:49:51Z + + + sam-github + https://github.com/sam-github + + + <pre style='white-space:pre-wrap;width:81ex'>deps: update openssl 1.1.0 upgrade docs + +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/f20ac47d7a5738a43aa0726c1cd8d2873cfc7423 + + + deps: update archs files for OpenSSL-1.1.0 + + 2018-11-25T09:49:51Z + + + sam-github + https://github.com/sam-github + + + <pre style='white-space:pre-wrap;width:81ex'>deps: update archs files for OpenSSL-1.1.0 + +`cd deps/openssl/config; make` updates all archs dependant files. 
+ +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/8248d227b76fc3c4bdf0abf91446b375202dc745 + + + deps: add s390 asm rules for OpenSSL-1.1.0 + + 2018-11-25T09:49:51Z + + + shigeki + https://github.com/shigeki + + + <pre style='white-space:pre-wrap;width:81ex'>deps: add s390 asm rules for OpenSSL-1.1.0 + +This is a floating patch against OpenSSL-1.1.0 to generate asm files +with Makefile rules and it is to be submitted to the upstream. + +Fixes: https://github.com/nodejs/node/issues/4270 +PR-URL: https://github.com/nodejs/node/pull/19794 +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt; +Reviewed-By: Michael Dawson &lt;michael_dawson@ca.ibm.com&gt; + +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/65d03f018008d28279c85e5a78712ad35930368a + + + deps: upgrade openssl sources to 1.1.0j + + 2018-11-25T09:49:51Z + + + sam-github + https://github.com/sam-github + + + <pre style='white-space:pre-wrap;width:81ex'>deps: upgrade openssl sources to 1.1.0j + +This updates all sources in deps/openssl/openssl with openssl-1.1.0j. 
+ +PR-URL: https://github.com/nodejs/node/pull/24523 +Reviewed-By: Shigeki Ohtsu &lt;ohtsu@ohtsu.org&gt; +Reviewed-By: Daniel Bevenius &lt;daniel.bevenius@gmail.com&gt; +Reviewed-By: Rod Vagg &lt;rod@vagg.org&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/fbe63ab15b68f3ebf07891e3014f7a0138bd323e + + + Working on v11.2.1 + + 2018-11-15T21:13:13Z + + + targos + https://github.com/targos + + + <pre style='white-space:pre-wrap;width:81ex'>Working on v11.2.1 + +PR-URL: https://github.com/nodejs/node/pull/24350</pre> + + + + tag:github.com,2008:Grit::Commit/a19e1aba38d4bd761b892b7384c457c6377e942c + + + 2018-11-15, Version 11.2.0 (Current) + + 2018-11-15T19:20:37Z + + + BridgeAR + https://github.com/BridgeAR + + + <pre style='white-space:pre-wrap;width:81ex'>2018-11-15, Version 11.2.0 (Current) + +Notable changes: + +* deps: + * A new experimental HTTP parser (`llhttp`) is now supported. + https://github.com/nodejs/node/pull/24059 +* timers: + * Fixed an issue that could cause setTimeout to stop working as + expected. https://github.com/nodejs/node/pull/24322 +* Windows + * A crashing process will now show the names of stack frames if the + node.pdb file is available. + https://github.com/nodejs/node/pull/23822 + * Continued effort to improve the installer&#39;s new stage that installs + native build tools. + https://github.com/nodejs/node/pull/23987, + https://github.com/nodejs/node/pull/24348 + * child_process: + * On Windows the `windowsHide` option default was restored to + `false`. This means `detached` child processes and GUI apps will + once again start in a new window. + https://github.com/nodejs/node/pull/24034 +* Added new collaborators: + * [oyyd](https://github.com/oyyd) - Ouyang Yadong. + https://github.com/nodejs/node/pull/24300 + * [psmarshall](https://github.com/psmarshall) - Peter Marshall. + https://github.com/nodejs/node/pull/24170 + * [shisama](https://github.com/shisama) - Masashi Hirano. 
+ https://github.com/nodejs/node/pull/24136</pre> + + + + tag:github.com,2008:Grit::Commit/10edc4f186f7b837708df1e805071fd923c382f0 + + + net: always invoke after-write callback + + 2018-11-15T17:56:05Z + + + addaleax + https://github.com/addaleax + + + <pre style='white-space:pre-wrap;width:81ex'>net: always invoke after-write callback + +This is part of the streams API contract, and aligns +network sockets with other streams in this respect. + +PR-URL: https://github.com/nodejs/node/pull/24291 +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; +Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; +Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; +Reviewed-By: Colin Ihrig &lt;cjihrig@gmail.com&gt; +Reviewed-By: Weijia Wang &lt;starkwang@126.com&gt; +Reviewed-By: Matteo Collina &lt;matteo.collina@gmail.com&gt; +Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/eeb5cc63052c762b3058594d1ba29f739d35986f + + + test: add typeerror for vm/compileFunction params + + 2018-11-15T17:56:05Z + + + dYale + https://github.com/dYale + + + <pre style='white-space:pre-wrap;width:81ex'>test: add typeerror for vm/compileFunction params + +PR-URL: https://github.com/nodejs/node/pull/24179 +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt; +Reviewed-By: Joyee Cheung &lt;joyeec9h3@gmail.com&gt; +Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/5ca0cf7ae6477eb207998083b90f74d7469c7d5d + + + lib: improved conditional check in zlib + + 2018-11-15T17:56:04Z + + + dYale + https://github.com/dYale + + + <pre style='white-space:pre-wrap;width:81ex'>lib: improved conditional check in zlib + +PR-URL: https://github.com/nodejs/node/pull/24190 +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt; +Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt;</pre> + + + + 
tag:github.com,2008:Grit::Commit/5b9ef11e35e551a101d970dbdbb45618267da77c + + + timers: fix priority queue removeAt + + 2018-11-15T17:56:04Z + + + apapirovski + https://github.com/apapirovski + + + <pre style='white-space:pre-wrap;width:81ex'>timers: fix priority queue removeAt + +PR-URL: https://github.com/nodejs/node/pull/24322 +Fixes: https://github.com/nodejs/node/issues/24320 +Fixes: https://github.com/nodejs/node/issues/24362 +Reviewed-By: Colin Ihrig &lt;cjihrig@gmail.com&gt; +Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt; +Reviewed-By: Matteo Collina &lt;matteo.collina@gmail.com&gt; +Reviewed-By: Franziska Hinkelmann &lt;franziska.hinkelmann@gmail.com&gt; +Reviewed-By: Benjamin Gruenbaum &lt;benjamingr@gmail.com&gt; +Reviewed-By: Weijia Wang &lt;starkwang@126.com&gt; +Reviewed-By: Jeremiah Senkpiel &lt;fishrock123@rocketmail.com&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/dc26247e69d1ebc61c86b42c027f70da917202ce + + + test: deep object to table not covered + + 2018-11-15T15:12:26Z + + + ovhemert + https://github.com/ovhemert + + + <pre style='white-space:pre-wrap;width:81ex'>test: deep object to table not covered + +PR-URL: https://github.com/nodejs/node/pull/24257 +Reviewed-By: Weijia Wang &lt;starkwang@126.com&gt; +Reviewed-By: James M Snell &lt;jasnell@gmail.com&gt; +Reviewed-By: Luigi Pinca &lt;luigipinca@gmail.com&gt; +Reviewed-By: Ruben Bridgewater &lt;ruben@bridgewater.de&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/b7aded3300269bc36d1a14b474c4a85e185189d4 + + + src: compile native modules and their code cache in C++ + + 2018-11-15T15:12:26Z + + + joyeecheung + https://github.com/joyeecheung + + + <pre style='white-space:pre-wrap;width:81ex'>src: compile native modules and their code cache in C++ + +This patch refactors out a part of NativeModule.prototype.compile +(in JS land) into a C++ NativeModule class, this enables a +couple of possibilities: + +1. 
By moving the code to the C++ land, we have more opportunity + to specialize the compilation process of the native modules + (e.g. compilation options, code cache) that is orthogonal to + how user land modules are compiled +2. We can reuse the code to compile bootstrappers and context + fixers and enable them to be compiled with the code cache later, + since they are not loaded by NativeModule in the JS land their + caching must be done in C++. +3. Since there is no need to pass the static data to JS for + compilation anymore, this enables us to use + (std::map&lt;std::string, const char*&gt;) in the generated + node_code_cache.cc and node_javascript.cc later, and scope + every actual access to the source of native modules to a + std::map lookup instead of a lookup on a v8::Object in + dictionary mode. + +This patch also refactor the code cache generator and tests +a bit and trace the `withCodeCache` and `withoutCodeCache` +in a Set instead of an Array, and makes sure that all the cachable +builtins are tested. + +PR-URL: https://github.com/nodejs/node/pull/24221 +Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; +Reviewed-By: Anna Henningsen &lt;anna@addaleax.net&gt;</pre> + + + + tag:github.com,2008:Grit::Commit/4709fe676d6c49b075de9368d3180a6e5104aee3 + + + win: add customization warning to tools script + + 2018-11-15T15:12:26Z + + + joaocgreis + https://github.com/joaocgreis + + + <pre style='white-space:pre-wrap;width:81ex'>win: add customization warning to tools script + +PR-URL: https://github.com/nodejs/node/pull/24348 +Reviewed-By: Refael Ackermann &lt;refack@gmail.com&gt; +Reviewed-By: Vse Mozhet Byt &lt;vsemozhetbyt@gmail.com&gt;</pre> + + +