v0.11.1

Compare Source

v0.11.0

Compare Source

v0.10.2

Compare Source

v0.10.1

Compare Source

v0.10.0

Compare Source

v0.9.0

Compare Source

v2.15.3

Compare Source

v2.15.2

Compare Source

v2.15.1

Compare Source

v3.1.2

Compare Source

v3.1.1

Compare Source

v3.1.0

Compare Source

v3.0.8

Compare Source

v3.0.7

Compare Source

v3.0.6

Compare Source

v3.0.5

Compare Source

v8.17.0: 2019-12-17, Version 8.17.0 'Carbon' (LTS), @​MylesBorins

Compare Source

This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable changes

• deps: update npm to 6.13.4#​30904

Commits

• [208b813e49] -build,win: add test-ci-native and test-ci-js (João Reis)#​30724
• [369a23a670] -deps: update npm to 6.13.4 (Audrey Eschright)#​30904

v8.16.2: 2019-10-09, Version 8.16.2 'Carbon' (LTS), @​BethGriggs

Compare Source

Node.js 8 is due to go End-of-Life on 31st December 2019.

Notable changes

• deps: upgrade openssl sources to 1.0.2s (Sam Roberts)#​28230

Commits

• [cc9d005628] -crypto: update root certificates (Sam Roberts)#​28808
• [347fcd35e3] -crypto: update root certificates (Sam Roberts)#​27374
• [b2a6b3254d] -crypto: update root certificates (Sam Roberts)#​25113
• [5682e50325] -deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu)nodejs/io.js#1836
• [9663ae3546] -deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu)iojs/io.js#1389
• [87eee99466] -deps: fix openssl assembly error on ia32 win32 (Fedor Indutny)iojs/io.js#1389
• [da99d3f972] -deps: copy all openssl header files to include dir (Sam Roberts)#​28230
• [dc9d645ac4] -deps: upgrade openssl sources to 1.0.2s (Sam Roberts)#​28230
• [37e24b19a0] -deps: V8: backportd520ebb (Michaël Zasso)#​27358
• [1a5dc6a3e7] -http: check for existance in resetHeadersTimeoutOnReqEnd (Matteo Collina)#​26402
• [e45b6a3b98] -http2: do not start reading after write if new write is on wire (Anna Henningsen)#​29399
• [559a8e342b] -http2: do not crash on stream listener removal w/ destroyed session (Anna Henningsen)#​29459
• [dd285968c4] -openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu)iojs/io.js#1389
• [3ee076f03d] -stream: ensure writable.destroy() emits error once (Luigi Pinca)#​26057
• [a7e5fe1f06] -test: unskip tests that now pass on AIX (Sam Roberts)#​29054
• [65e9b0f5a2] -test: specialize OOM check for AIX (Sam Roberts)#​28857
• [7aca9cb09b] -test: fix pty test hangs on aix (Ben Noordhuis)#​28600
• [588b761fca] -test: skip stringbytes-external-exceed-max on AIX (Sam Roberts)#​28516
• [930647d0fe] -test: skip tests related to CI failures on AIX (Sam Roberts)#​28469
• [92a2f8bbe3] -test,win: cleanup exec-timeout processes (João Reis)#​28723
• [d57f79726d] -tls: partially backport pull request#​26415 (Ben Noordhuis)#​26415
• [c582fef5cc] -tools: update certdata.txt (Sam Roberts)#​28808
• [4fbadf6a9e] -tools: update certdata.txt (Sam Roberts)#​27374
• [529b2ad25f] -tools: update certdata.txt (Sam Roberts)#​25113

v8.16.1: 2019-08-15, Version 8.16.1 'Carbon' (LTS), @​BethGriggs

Compare Source

Notable changes

This is a security release.

Node.js, as well as many other implementations of HTTP/2, have been found
vulnerable to Denial of Service attacks.
Seehttps://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

• CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
• CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
• CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
• CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
• CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

Commits

• [6d427378c0] -deps: update nghttp2 to 1.39.2 (Anna Henningsen)#​29122
• [33d4d916d5] -deps: update nghttp2 to 1.39.1 (gengjiawen)#​28448
• [17fad97113] -deps: update nghttp2 to 1.38.0 (gengjiawen)#​27295
• [0b44733695] -deps: update nghttp2 to 1.37.0 (gengjiawen)#​26990
• [5afc77b044] -deps: update nghttp2 to 1.34.0 (James M Snell)#​23284
• [073108c855] -http2: allow security revert for Ping/Settings Flood (Anna Henningsen)#​29122
• [6d687f7af8] -http2: pause input processing if sending output (Anna Henningsen)#​29122
• [854dba649e] -http2: stop reading from socket if writes are in progress (Anna Henningsen)#​29122
• [a3191689dd] -http2: consider 0-length non-end DATA frames an error (Anna Henningsen)#​29122
• [156f2f35df] -http2: shrink defaultvector::reserve() allocations (Anna Henningsen)#​29122
• [10f05b65c4] -http2: handle 0-length headers better (Anna Henningsen)#​29122
• [ac28a628a5] -http2: limit number of invalid incoming frames (Anna Henningsen)#​29122
• [11b4e2c0db] -http2: limit number of rejected stream openings (Anna Henningsen)#​29122
• [7de642b6f9] -http2: do not create ArrayBuffers when no DATA received (Anna Henningsen)#​29122
• [dd60d3561a] -http2: only call into JS when necessary for session events (Anna Henningsen)#​29122
• [00f6846b73] -http2: improve JS-side debug logging (Anna Henningsen)#​29122
• [b095e35f1f] -http2: improve http2 code a bit (James M Snell)#​23984
• [cc282239c1] -test: apply test-http2-max-session-memory-leak from v12.x (Anna Henningsen)#​29122

v8.16.0: 2019-04-16, Version 8.16.0 'Carbon' (LTS), @​MylesBorins

Compare Source

Notable Changes

• n-api:
  • add API for asynchronous functions (Gabriel Schulhof)#​17887
  • mark thread-safe function as stable (Gabriel Schulhof)#​25556

Commits

• [705935d620] -assert: fix backport regression (Ruben Bridgewater)#​27202
• [c07ba9681f] -build: skip cctest on Windows shared lib build (Yihong Wang)#​21228
• [63522886ea] -build: add loader path to rpath for cctest (Sam Ruby)#​23168
• [e9369073d9] -build: set-blibpath: for AIX (Richard Lau)#​25447
• [97cc0fc51d] -deps: V8: cherry-pick3cc6919 (Farazmand)#​25874
• [a1aff28fba] -deps: cherry-pick525b396 from V8 upstream (Peter Marshall)#​25041
• [6b7cccc88a] -doc: fix optional parameters in n-api.md (Lars-Magnus Skog)#​22998
• [b17819db3d] -doc: update the http.request.setTimeout docs to be accurate (James Bunton)#​25123
• [ac9b8f7645] -http: fix error check inExecute() (Brian White)#​24738
• [1d862610f8] -http: attach reused parser to correct domain (Julien Gilli)#​25459
• [d3de1ed653] -n-api: improve performance creating strings (Anthony Tuininga)#​26439
• [2b2ad96ef2] -n-api: finalize during second-pass callback (Gabriel Schulhof)#​25992
• [d6ffabc37f] -(SEMVER-MINOR)n-api: mark thread-safe function as stable (Gabriel Schulhof)#​25556
• [44609d1274] -n-api: restrict exports by version (Kyle Farnung)#​19962
• [fe4328252a] -n-api: add missing handle scopes (Daniel Bevenius)#​24011
• [902b07959f] -n-api: clean up thread-safe function (Gabriel Schulhof)#​22259
• [09b88aabb3] -n-api: remove idle_running from TsFn (Lars-Magnus Skog)#​22520
• [367505940a] -n-api: guard against cond null dereference (Gabriel Schulhof)#​21871
• [c5a11dc58e] -n-api: fix compiler warning (cjihrig)#​21597
• [759a0180b5] -(SEMVER-MINOR)n-api: add API for asynchronous functions (Gabriel Schulhof)#​17887
• [ea5628e77a] -process: allow reading from stdout/stderr sockets (Anna Henningsen)#​23053
• [67b6e0d19c] -src: fix may be uninitialized warning in n-api (Michael Dawson)#​21898
• [eaf474cc5d] -test: shared lib build doesn't handle SIGPIPE (Yihong Wang)#​19211
• [3128cb7da6] -test: avoid running fsync on directory on AIX (John Barboza)#​21298
• [b4c5435a46] -test: add process.stdin.end() TTY regression test (Matteo Collina)#​23051
• [c56f3edb10] -test: add stdin writable regression test (Anna Henningsen)#​23053
• [f6ff8c51bc] -test: fix module loading error for AIX 7.1 (Richard Lau)#​25418
• [d4b6643ac3] -test: mark test-cli-node-options flaky on arm (Rich Trott)#​25032
• [60db455961] -test: mark test_threadsafe_function/test as flaky (Gireesh Punathil)#​24714
• [fbafe8d311] -test: fix test-repl-envvars (Anna Henningsen)#​25226
• [7573b55a15] -tls: fix legacy SecurePair clienthello race window (Ben Noordhuis)#​26452
• [91620b8bd6] -tls: fix legacy SecurePair session resumption (Ben Noordhuis)#​26452
• [1a9582b7a6] -tools: allow input for TTY tests (Anna Henningsen)#​23053

v8.15.1

Compare Source

v8.15.0: 2018-12-26, Version 8.15.0 'Carbon' (LTS), @​MylesBorins

Compare Source

The 8.14.0 security release introduced some unexpected breakages on the 8.x release line.
This is a special release to fix a regression in the HTTP binary upgrade response body and add
a missing CLI flag to adjust the max header size of the http parser.

Notable Changes

• cli:
  • add --max-http-header-size flag (cjihrig)#​24811
• http:
  • add maxHeaderSize property (cjihrig)#​24860

Commits

• [693e362175] -(SEMVER-MINOR)cli: add --max-http-header-size flag (cjihrig)#​24811
• [4fb5a1be2f] -(SEMVER-MINOR)deps: cherry-pick http_parser_set_max_header_size (cjihrig)#​24811
• [446f8b54e5] -(SEMVER-MINOR)http: add maxHeaderSize property (cjihrig)#​24860
• [215ecfe4de] -http: fix regression of binary upgrade response body (Matteo Collina)#​25037
• [e1fbc26c6a] -test: move test-benchmark-path to sequential (Rich Trott)#​21393
• [aef71c05a2] -test: mark test-http2-settings-flood as flaky on Windows (Rich Trott)#​25048

v8.14.1: 2018-12-18, Version 8.14.1 'Carbon' (LTS), @​MylesBorins prepared by @​BethGriggs

Compare Source

Notable changes

• assert:
  • revert breaking change (Ruben Bridgewater)#​24786
• http2:
  • fix sequence of error/close events (Gerhard Stoebich)#​24789

Commits

• [62fb5dbec5] -assert: revert breaking change (Ruben Bridgewater)#​24786
• [a8402fe1c8] -build: only check REPLACEME & DEP...X for releases (Rod Vagg)#​24575
• [26743369d3] -build: improve Travis CI settings (Timothy Gu)#​21459
• [1da04c208d] -build: install markdown linter for travis (Richard Lau)#​21215
• [7612024939] -build: initial .travis.yml implementation (Anna Henningsen)#​21059
• [f70e79a7b2] -build: allow for overwriting of use_openssl_def (Shelley Vohr)#​23763
• [15d1f67c60] -build,doc: remove outdatedlint-md-build (Michaël Zasso)#​22991
• [85a6daeaef] -build,meta: switch to gcc-4.9 on travis (Refael Ackermann)#​23778
• [313ef6fa73] -build,tools: tweak the travis config (Refael Ackermann)#​22417
• [22b41495ea] -child_process: handle undefined/null for fork() args (Shobhit Chittora)#​22416
• [499605618b] -crypto: add SET_INTEGER_CONSANT macro (Daniel Bevenius)#​23687
• [34d91296df] -deps: icu: apply workaround patch (Steven R. Loomis)#​23764
• [50347297a1] -deps: cherry-pickd2e0166 from V8 upstream (Vasili Skurydzin)#​23958
• [9bedae5266] -deps: cherry-pick6bc4bfe from V8 upstream (Vasili Skurydzin)#​23958
• [4f3c9e6aab] -deps,v8: fix gyp build on Aix platform (Vasili Skurydzin)#​23958
• [74c1074d53] -doc: add description for inspector-only console methods. (Benjamin Zaslavsky)#​17004
• [692223182c] -doc: fix api documentation of http.createServer (Ari Autio)#​24869
• [6d8c65e574] -doc: update to adding listens on SIGUSR1 (willhayslett)#​19709
• [33b7c50036] -doc: remove "if provided" for optional arguments (Rich Trott)#​19690
• [216e7da8c5] -doc: do not identify string as "JavaScript string" (Rich Trott)#​19689
• [17e84217c7] -doc: fix grammar error in process.md (Kenji Okamoto)#​19641
• [06daf5276f] -doc: remove use of "random port" re dgram send (Thomas Hunter II)#​19620
• [bf95392e86] -doc: improve assert legacy text (Rich Trott)#​19622
• [e48cc3c403] -doc: remove confusing note about child process stdio (Anna Henningsen)#​19552
• [9d249bf6d5] -doc: add BethGriggs to collaborators (Beth Griggs)#​19610
• [c3ecf05b01] -doc: documentmake docopen (Ayush Gupta)#​19321
• [8338700d05] -doc: add directory structure in writing-tests.md (juggernaut451)#​18802
• [63d8632611] -doc: add types for someprocess properties (Vse Mozhet Byt)#​19571
• [b2fc3b556c] -doc: fix n-api example string (Steven R. Loomis)#​19205
• [d79e7d6e89] -doc: minor improvements to buffer.md (Rich Trott)#​19547
• [06491482f8] -doc: update child_process.md (Ari Leo Frankel)#​19075
• [4db289ca17] -doc: move StackOverflow to unofficial section (josephleon)#​19416
• [f5683a9a6d] -doc: correct async_hooks resource names (Gerhard Stoebich)#​24684
• [ffe1f8033c] -doc: sort bottom-of-file markdown links (Sam Roberts)#​24682
• [78d9a5e6e4] -doc: address bits of proof reading work (Jagannath Bhat)#​23978
• [d1eebb2e43] -doc: revise COLLABORATOR_GUIDE.md (Rich Trott)#​23990
• [003eb0c8e1] -doc: simplify CODE_OF_CONDUCT.md (Rich Trott)#​23989
• [c1723c8bca] -doc: add branding to style guide (Rich Trott)#​23967
• [8bb67a1fb9] -doc: use Node.js instead of Node (Rich Trott)#​23967
• [73e0bb1f52] -doc: fix typographical issues (Denis McDonald)#​23970
• [6d76f852a9] -doc: add documentation for http.IncomingMessage$complete (James M Snell)#​23914
• [3025f351db] -doc: remove mailing list (Rich Trott)#​23932
• [2459e150bb] -doc: add note about ABI compatibility (Myles Borins)#​22237
• [27b35833bd] -doc: make example more clarified in cluster.md (ZYSzys)#​23931
• [0d4de59967] -doc: simplify valid security issue descriptions (Rich Trott)#​23881
• [9afdc09f98] -doc: simplify path.basename() on POSIX and Windows (ZYSzys)#​23864
• [3f2a01688d] -doc: add review suggestions to require() (erickwendel)#​23605
• [f037942fe7] -doc: move@​phillipj to emeriti (Phillip Johnsen)#​23790
• [e5f75cf82e] -doc: add note about removeListener order (James M Snell)#​23762
• [0ff88a3510] -doc: document ACL limitation for fs.access on Windows (James M Snell)#​23772
• [32ae851710] -doc: document that addMembership must be called once in a cluster (James M Snell)#​23746
• [e2d2ce6706] -doc: remove reference to sslv3 in tls.md (James M Snell)#​23745
• [4c24a82a65] -http2: fix sequence of error/close events (Gerhard Stoebich)#​24789
• [8afbd5ce41] -lib: fix a typo in lib/timers "read through" (wangzengdi)#​19666
• [fa12532000] -lib: remove useless cwd in posix.resolve (ZYSzys)#​23902
• [e8dbd09414] -src: use "constants" string instead of creating new one (Ouyang Yadong)#​23894
• [394cb42962] -test: verify order of error in h2 server stream (Myles Borins)#​24685
• [5e09a3d4ed] -test: test process.setuid for bad argument types (Divyanshu Singh)#​19703
• [970164f3a8] -test: improve assert message (fatahn)#​19629
• [086570e4e1] -test: remove third argument from call to assert.strictEqual() (Forrest Wolf)#​19659
• [a7b3274af4] -test: fix flaky test-cluster-send-handle-twice (Rich Trott)#​19700
• [1bda58289a] -test: rename regression tests more expressively (Ujjwal Sharma)#​19668
• [bd9cc92e8d] -test: remove 3rd argument from assert.strictEqual (Arian Santrach)#​19707
• [3ca10faf00] -test: use createReadStream instead of ReadStream (Daniel Bevenius)#​19636
• [8a546e822d] -test: removed default message from assert.strictEqual (jaspal-yupana)#​19660
• [a62df1b379] -test: refactor test-net-dns-error (Luigi Pinca)#​19640
• [8a0ecf4360] -test: refactor test-http-expect-continue (Rich Trott)#​19625
• [0cbe813e90] -test: update link according to NIST bibliography (Tobias Nießen)#​19593
• [ea1fda6228] -test: remove third param from assert.strictEqual (davis.okoth@kemsa.co.ke)#​19536
• [18c4e5e886] -test: remove message from assert.strictEqual() (willhayslett)#​19525
• [146c488bf5] -test: refactor parallel/test-tls-ca-concat.js (juggernaut451)#​19092
• [8fa5bd3761] -test: rename regression tests file names (Ujjwal Sharma)#​19332
• [d34ade8755] -test: fix strictEqual arguments order (Esteban Sotillo)#​23956
• [6ae07a9248] -test: add property for RangeError in test-buffer-copy (mritunjaygoutam12)#​23968
• [b1e6de80c1] -test: fix regression when compiled with FIPS (Adam Majer)#​23871
• [d0368b8245] -test: fix strictEqual() argument order (Loic)#​23829
• [3a864d716e] -test: fix strictEqual() arguments order (Nolan Rigo)#​23800
• [e7a573a9e2] -test: fix test-require-symlink on Windows (Bartosz Sosnowski)#​23691
• [ac91346776] -test: fix strictEqual() argument order (Romain Lanz)#​23768
• [0f98c4926a] -test: fix strictEqual() arguments order (Thomas GENTILHOMME)#​23771
• [73d19b1516] -test: ensure openssl version prints correctly (Sam Roberts)#​23678
• [544e64d68d] -test: fix assertion arguments order (Elian Gutierrez)#​23787
• [e84c01d1f3] -tools: update alternative docs versions (Richard Lau)#​23980
• [02209c5fa7] -tools: clarify commit message linting (Rich Trott)#​23742
• [22043ccb84] -tools: do not lint commit message if var undefined (Rich Trott)#​23725
• [2a8a28c436] -tools: make Travis commit linting more robust (Rich Trott)#​23397
• [c15d236545] -tools: apply linting to first commit in PRs (Rich Trott)#​22452

v8.14.0: 2018-11-27, Version 8.14.0 'Carbon' (LTS), @​rvagg

Compare Source

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

• Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
• Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
• Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
• Node.js: HTTP request splitting (CVE-2018-12116)
• OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
• OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)

Notable Changes

• deps: Upgrade to OpenSSL 1.0.2q, fixingCVE-2018-0734 andCVE-2018-5407
• http:
  • Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
  • A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted withserver.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction withserver.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
  • Two-byte characters are now strictly disallowed for thepath option in HTTP client requests. Paths containing characters outside of the range\u0021 -\u00ff will now be rejected with aTypeError. This behavior can be reverted if necessary by supplying the--security-revert=CVE-2018-12116 command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 byArkadiy Tetelman (Lob), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
• url: Fix a bug that would allow a hostname being spoofed when parsing URLs withurl.parse() with the'#"https://twitter.com/_bayotop" rel="nofollow">Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)

Commits

• [add20f373c] -deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu)nodejs/node#1836
• [c4e382cce3] -deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu)nodejs/node#1389
• [f1d1f12519] -deps: fix openssl assembly error on ia32 win32 (Fedor Indutny)nodejs/node#1389
• [69037ad5c4] -deps: copy all openssl header files to include dir (Sam Roberts)#​24530
• [f5b34336bb] -deps: upgrade openssl sources to 1.0.2q (Sam Roberts)#​24530
• [93dba83fb0] -deps,http: http_parser set max header size to 8KB (Matteo Collina)nodejs-private/node-private#143
• [576038fb61] -(SEMVER-MINOR)http: add --security-revert forCVE-2018-12116 (Matteo Collina)nodejs-private/node-private#146
• [513e9747a2] -(SEMVER-MINOR)http: disallow two-byte characters in URL path (Benno Fünfstück)nodejs-private/node-private#146
• [696f063c5e] -(SEMVER-MINOR)http,https: protect against slow headers attack (Matteo Collina)nodejs-private/node-private#151
• [7f362a11ee] -openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu)nodejs/node#1389
• [53a6e4eb20] -url: avoid hostname spoofing w/ javascript protocol (Matteo Collina)nodejs-private/node-private#145

v8.13.0: 2018-11-20, Version 8.13.0 'Carbon' (LTS), @​MylesBorins prepared by @​BethGriggs

Compare Source

Notable changes

• assert:
  • backport some assert commits (Ruben Bridgewater)#​23223
• deps:
  • upgrade to libuv 1.23.2 (cjihrig)#​23336
  • V8: cherry-pick 64-bit hash seed commits (Yang Guo)#​23274
• http:
  • added aborted property to request (Robert Nagy)#​20094
• http2:
  • graduate from experimental (James M Snell)#​22466

Commits

• [0d241ba385] -assert: ensure .rejects() disallows sync throws (Teddy Katz)#​19650
• [3babc5bb53] -(SEMVER-MINOR)assert: add rejects() and doesNotReject() (feugy)#​18023
• [18071db274] -assert: fix throws trace (Ruben Bridgewater)#​18595
• [562787efb2] -assert: fix strict regression (Ruben Bridgewater)#​17903
• [f2af930ebb] -(SEMVER-MINOR)assert: .throws accept objects (Ruben Bridgewater)#​17584
• [147aeedc8d] -(SEMVER-MINOR)assert: improve assert.throws (Ruben Bridgewater)#​17585
• [[c9d84b6d4f