Skip to content

Releases: nodejs/node

2024-07-08, Version 22.4.1 (Current), @RafaelGSS

08 Jul 18:28
v22.4.1
Compare
Choose a tag to compare

This is a security release.

Notable Changes

  • CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
  • CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
  • CVE-2024-22018 - fs.lstat bypasses permission model (Low)
  • CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
  • CVE-2024-37372 - Permission model improperly processes UNC paths (Low)

Commits

2024-07-08, Version 20.15.1 'Iron' (LTS), @RafaelGSS

08 Jul 18:27
v20.15.1
Compare
Choose a tag to compare

This is a security release.

Notable Changes

  • CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
  • CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
  • CVE-2024-22018 - fs.lstat bypasses permission model (Low)
  • CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
  • CVE-2024-37372 - Permission model improperly processes UNC paths (Low)

Commits

2024-07-08, Version 18.20.4 'Hydrogen' (LTS), @RafaelGSS

08 Jul 18:26
v18.20.4
Compare
Choose a tag to compare

This is a security release.

Notable Changes

Commits

2024-07-02, Version 22.4.0 (Current), @targos

02 Jul 09:10
v22.4.0
7e13cc5
Compare
Choose a tag to compare

Notable Changes

Experimental Web Storage API

  • [9e30724b53] - (SEMVER-MINOR) deps,lib,src: add experimental web storage (Colin Ihrig) #52435

API stability updates

Other Notable Changes

  • [df4762722c] - doc: doc-only deprecate OpenSSL engine-based APIs (Richard Lau) #53329
  • [ad5282e196] - inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth (Joyee Cheung) #53473
  • [e95af740fc] - (SEMVER-MINOR) lib: add diagnostics_channel events to module loading (RafaelGSS) #44340
  • [50733a1abe] - (SEMVER-MINOR) util: support --no- for argument with boolean type for parseArgs (Zhenwei Jin) #53107

Commits

  • [9f32002397] - assert,util: correct comparison when both contain same reference (Daniel Lemire) #53431
  • [dfdc062111] - buffer: make indexOf(byte) faster (Tobias Nießen) #53455
  • [1de437527e] - build: configure with shared sqlite3 (Chengzhong Wu) #53519
  • [c7d44ba1f3] - build: find version of Clang installed on Windows (Stefan Stojanovic) #53228
  • [36aad8b204] - build: fix spacing before NINJA_ARGS (jakecastelli) #53181
  • [82092cdaa3] - crypto: improve GetECGroupBits signature (Tobias Nießen) #53364
  • [073c231607] - deps: update c-ares to v1.31.0 (Node.js GitHub Bot) #53554
  • [977beab729] - (SEMVER-MINOR) deps: sqlite: fix Windows compilation (Colin Ihrig) #52435
  • [e69b8d202c] - deps: update undici to 6.19.2 (Node.js GitHub Bot) #53468
  • [c4a7e051c8] - deps: update undici to 6.19.1 (Node.js GitHub Bot) #53468
  • [fa34f8fcf0] - deps: update undici to 6.19.1 (Node.js GitHub Bot) #53468
  • [0b40bfad43] - deps: update undici to 6.19.0 (Node.js GitHub Bot) #53468
  • [1877f22a79] - deps: update simdjson to 3.9.4 (Node.js GitHub Bot) #53467
  • [1b84964b8d] - deps: patch V8 to 12.4.254.21 (Node.js GitHub Bot) #53470
  • [6acadeb59b] - deps: update acorn-walk to 8.3.3 (Node.js GitHub Bot) #53466
  • [7a7f438841] - deps: update zlib to 1.3.0.1-motley-209717d (Node.js GitHub Bot) #53156
  • [bf891bf64c] - deps: update c-ares to v1.30.0 (Node.js GitHub Bot) #53416
  • [bd68888261] - deps: V8: cherry-pick a3cc8522a4c8 (kxxt) #53412
  • [2defaaf771] - deps: V8: cherry-pick 6ea594ff7132 (kxxt) #53412
  • [9e30724b53] - (SEMVER-MINOR) deps,lib,src: add experimental web storage (Colin Ihrig) #52435
  • [608cc05de1] - doc: recommend not using libuv node-api function (Michael Dawson) #53521
  • [30858eca59] - doc: add additional guidance for PRs to deps (Michael Dawson) #53499
  • [a5852cc710] - doc: only apply content-visibility on all.html (Filip Skokan) #53510
  • [befabe5c58] - doc: update the description of the return type for options.filter (Zhenwei Jin) #52742
  • [5ed1a036ba] - doc: remove first timer badge (Aviv Keller) #53338
  • [201266706b] - doc: move node --run stability to rc (Yagiz Nizipli) #53433
  • [46a7681cc4] - doc: add Buffer.from(string) to functions that use buffer pool (Christian Bates-White) #52801
  • [ec5364f6de] - doc: add initial text for ambassadors program (Michael Dawson) #52857
  • [fa113b8fc7] - doc: fix typo (EhsanKhaki) #53397
  • [d9182d0086] - doc: define more cases for stream event emissions (Aviv Keller) #53317
  • [923d24b6f2] - doc: remove mentions of policy model from security info (Aviv Keller) #53249
  • [48f78cd31b] - doc: fix mistakes in the module load hook api (István Donkó) #53349
  • [16c0884d48] - doc: mark WebSocket as stable (Matthew Aitken) #53352
  • [df4762722c] - doc: doc-only deprecate OpenSSL engine-based APIs (Richard Lau) #53329
  • [cf375e73c1] - doc: mark --heap-prof and related flags stable (Joyee Cheung) #53343
  • [0160745057] - doc: mark --cpu-prof and related flags stable (Joyee Cheung) #53343
  • [6e12d9f049] - doc: remove IRC from man page (Tobias Nießen) #53344
  • [24c7a9415b] - doc, http: add rejectNonStandardBodyWrites option, clear its behaviour (jakecastelli) #53396
  • [ec38f3dc6a] - doc, meta: organize contributing to Node-API guide (Aviv Keller) #53243
  • [cf5a973c42] - doc, meta: use markdown rather than HTML in CONTRIBUTING.md (Aviv Keller) #53235
  • [105b006fd2] - fs: move ToNamespacedPath to c++ (Yagiz Nizipli) #52135
  • [568377f7f0] - fs: do not crash if the watched file is removed while setting up watch (Matteo Collina) #53452
  • [fad179307c] - fs: add fast api for InternalModuleStat (Yagiz ...
Read more

2024-06-20, Version 20.15.0 'Iron' (LTS), @marco-ippolito

20 Jun 16:03
v20.15.0
0bf200b
Compare
Choose a tag to compare

test_runner: support test plans

It is now possible to count the number of assertions and subtests that are expected to run within a test. If the number of assertions and subtests that run does not match the expected count, the test will fail.

test('top level test', (t) => {
  t.plan(2);
  t.assert.ok('some relevant assertion here');
  t.subtest('subtest', () => {});
});

Contributed by Colin Ihrig in #52860

inspector: introduce the --inspect-wait flag

This release introduces the --inspect-wait flag, which allows debugger to wait for attachement. This flag is useful when you want to debug the code from the beginning. Unlike --inspect-brk, which breaks on the first line, this flag waits for debugger to be connected and then runs the code as soon as a session is established.

Contributed by Kohei Ueno in #52734

zlib: expose zlib.crc32()

This release exposes the crc32() function from zlib to user-land.

It computes a 32-bit Cyclic Redundancy Check checksum of data. If
value is specified, it is used as the starting value of the checksum,
otherwise, 0 is used as the starting value.

The CRC algorithm is designed to compute checksums and to detect error
in data transmission. It's not suitable for cryptographic authentication.

const zlib = require('node:zlib');
const { Buffer } = require('node:buffer');

let crc = zlib.crc32('hello');  // 907060870
crc = zlib.crc32('world', crc);  // 4192936109

crc = zlib.crc32(Buffer.from('hello', 'utf16le'));  // 1427272415
crc = zlib.crc32(Buffer.from('world', 'utf16le'), crc);  // 4150509955

Contributed by Joyee Cheung in #52692

cli: allow running wasm in limited vmem with --disable-wasm-trap-handler

By default, Node.js enables trap-handler-based WebAssembly bound
checks. As a result, V8 does not need to insert inline bound checks
int the code compiled from WebAssembly which may speedup WebAssembly
execution significantly, but this optimization requires allocating
a big virtual memory cage (currently 10GB). If the Node.js process
does not have access to a large enough virtual memory address space
due to system configurations or hardware limitations, users won't
be able to run any WebAssembly that involves allocation in this
virtual memory cage and will see an out-of-memory error.

$ ulimit -v 5000000
$ node -p "new WebAssembly.Memory({ initial: 10, maximum: 100 });"
[eval]:1
new WebAssembly.Memory({ initial: 10, maximum: 100 });
^

RangeError: WebAssembly.Memory(): could not allocate memory
    at [eval]:1:1
    at runScriptInThisContext (node:internal/vm:209:10)
    at node:internal/process/execution:118:14
    at [eval]-wrapper:6:24
    at runScript (node:internal/process/execution:101:62)
    at evalScript (node:internal/process/execution:136:3)
    at node:internal/main/eval_string:49:3

--disable-wasm-trap-handler disables this optimization so that
users can at least run WebAssembly (with a less optimial performance)
when the virtual memory address space available to their Node.js
process is lower than what the V8 WebAssembly memory cage needs.

Contributed by Joyee Cheung in #52766

Other Notable Changes

  • [12512c3d0e] - doc: add pimterry to collaborators (Tim Perry) #52874
  • [9d485b40bb] - (SEMVER-MINOR) tools: fix get_asan_state() in tools/test.py (Joyee Cheung) #52766
  • [e98c305f52] - (SEMVER-MINOR) tools: support max_virtual_memory test configuration (Joyee Cheung) #52766
  • [dce0300896] - (SEMVER-MINOR) tools: support != in test status files (Joyee Cheung) #52766

Commits

  • [227093bfec] - assert: add deep equal check for more Error type (Zhenwei Jin) #51805
  • [184cfe5a71] - benchmark: filter non-present deps from start-cli-version (Adam Majer) #51746
  • [8b3e83bb53] - buffer: even faster atob (Daniel Lemire) #52443
  • [8d628c3255] - buffer: use size_t instead of uint32_t to avoid segmentation fault (Xavier Stouder) #48033
  • [16ae2b2933] - buffer: remove lines setting indexes to integer value (Zhenwei Jin) #52588
  • [48c15d0dcd] - build: remove deprecated calls for argument groups (Mohammed Keyvanzadeh) #52913
  • [1be8232d17] - build: drop base64 dep in GN build (Cheng) #52856
  • [918962d6e7] - build: make simdjson a public dep in GN build (Cheng) #52755
  • [5215b6fd8e] - build, tools: copy release assets to staging R2 bucket once built (flakey5) #51394
  • [473fa73857] - (SEMVER-MINOR) cli: allow running wasm in limited vmem with --disable-wasm-trap-handler (Joyee Cheung) #52766
  • [954d2aded4] - cluster: replace forEach with for-of loop (Jérôme Benoit) #50317
  • [794e450ea7] - console: colorize console error and warn (Jithil P Ponnan) #51629
  • [0fb7c18f10] - crypto: fix duplicated switch-case return values (Mustafa Ateş UZUN) #49030
  • [cd1415c8b2] - Revert "crypto: make timingSafeEqual faster for Uint8Array" (Tobias Nießen) #53390
  • [b774544bb1] - deps: enable unbundling of simdjson, simdutf, ada (Daniel Lemire) #52924
  • [da4dbfc5fd] - doc: remove reference to AUTHORS file (Marco Ippolito) #52960
  • [2f3f2ff8af] - doc: update hljs with the latest styles (Aviv Keller) #52911
  • [3a1d17a9b1] - doc: mention quicker way to build docs (Alex Crawford) #52937
  • [be309bd19d] - doc: mention push.followTags config (Rafael Gonzaga) #52906
  • [e62c6e2684] - doc: document pipeline with end option (Alois Klink) #48970
  • [af27225cf6] - doc: add example for execFileSync method and ref to stdio (Evan Shortiss) #39412
  • [086626f9b1] - doc: add examples and notes to http server.close et al (mary marchini) #49091
  • [3aa3337a00] - doc: fix dns.lookup family 0 and all descriptions (Adam Jones) #51653
  • [585f2a2e7f] - doc: update fs.realpath documentation (sinkhaha) #48170
  • [4bf3d44e1d] - doc: update fs read documentation for clarity (Mert Can Altin) #52453
  • [ae5d47dde3] - doc: watermark string behavior (Benjamin Gruenbaum) #52842
  • [1e429d10d3] - doc: exclude commits with baking-for-lts (Marco Ippolito) #52896
  • [3df3e37cdb] - doc: add names next to release key bash commands (Aviv Keller) #52878
  • [12512c3d0e] - doc: add pimterry to collaborators (Tim Perry) #52874
  • [97e0fef019] - doc: add more definitions to GLOSSARY.md (Aviv Keller) [#52798](https://gith...
Read more

2024-06-11, Version 22.3.0 (Current), @RafaelGSS

11 Jun 19:05
v22.3.0
Compare
Choose a tag to compare

Notable Changes

  • [5a41bcf9ca] - (SEMVER-MINOR) src: traverse parent folders while running --run (Yagiz Nizipli) #53154
  • [1d5934524b] - (SEMVER-MINOR) buffer: add .bytes() method to Blob (Matthew Aitken) #53221
  • [75e5612fae] - (SEMVER-MINOR) src,permission: --allow-wasi & prevent WASI exec (Rafael Gonzaga) #53124
  • [b5c30e2f5e] - (SEMVER-MINOR) module: print amount of load time of a cjs module (Vinicius Lourenço) #52213
  • [8c6dffc269] - (SEMVER-MINOR) test_runner: add snapshot testing (Colin Ihrig) #53169
  • [048478d351] - (SEMVER-MINOR) doc: add context.assert docs (Colin Ihrig) #53169
  • [f6d2af8ee7] - (SEMVER-MINOR) test_runner: add context.fullName (Colin Ihrig) #53169
  • [a0766bdf0e] - (SEMVER-MINOR) net: add new net.server.listen tracing channel (Paolo Insogna) #53136
  • [374743cd4e] - (SEMVER-MINOR) process: add process.getBuiltinModule(id) (Joyee Cheung) #52762
  • [1eb55f3550] - (SEMVER-MINOR) doc: improve explanation about built-in modules (Joyee Cheung) #52762
  • [6165894774] - fs: mark recursive cp methods as stable (Théo LUDWIG) #53127
  • [db5dd0c6df] - doc: add StefanStojanovic to collaborators (StefanStojanovic) #53118
  • [cfcde78513] - (SEMVER-MINOR) cli: add NODE_RUN_PACKAGE_JSON_PATH env (Yagiz Nizipli) #53058
  • [7a67ecf161] - (SEMVER-MINOR) test_runner: support module mocking (Colin Ihrig) #52848
  • [ee56aecced] - (SEMVER-MINOR) lib: add EventSource Client (Aras Abbasi) #51575
  • [6413769bc7] - (SEMVER-MINOR) lib: replace MessageEvent with undici's (Matthew Aitken) #52370
  • [c70b2f7a76] - (SEMVER-MINOR) cli: add NODE_RUN_SCRIPT_NAME env to node --run (Yagiz Nizipli) #53032
  • [badec0c38b] - doc: add Marco Ippolito to TSC (Rafael Gonzaga) #53008

Commits

Read more

2024-05-28, Version 20.14.0 'Iron' (LTS), @marco-ippolito

28 May 16:55
v20.14.0
Compare
Choose a tag to compare

Notable Changes

  • [28d2baa17c] - src,permission: throw async errors on async APIs (Rafael Gonzaga) #52730
  • [77e2bf029a] - (SEMVER-MINOR) test_runner: support forced exit (Colin Ihrig) #52038

Commits

2024-05-21, Version 18.20.3 'Hydrogen' (LTS), @richardlau

21 May 12:18
v18.20.3
64903b1
Compare
Choose a tag to compare

Notable Changes

This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.

A fix has also been included for compiling Node.js from source with newer versions of Clang.

The list of keys used to sign releases has been synchronized with the current list from the main branch.

Updated dependencies

  • acorn updated to 8.11.3.
  • acorn-walk updated to 8.3.2.
  • ada updated to 2.7.8.
  • c-ares updated to 1.28.1.
  • corepack updated to 0.28.0.
  • nghttp2 updated to 1.61.0.
  • ngtcp2 updated to 1.3.0.
  • npm updated to 10.7.0. Includes a fix from [email protected] to limit the number of open connections npm/cli#7324.
  • simdutf updated to 5.2.4.
  • zlib updated to 1.3.0.1-motley-7d77fb7.

Commits

2024-05-15, Version 22.2.0 (Current), @targos

15 May 19:28
v22.2.0
d57af10
Compare
Choose a tag to compare

Notable Changes

  • [fb85d38e80] - (SEMVER-MINOR) cli: allow running wasm in limited vmem with --disable-wasm-trap-handler (Joyee Cheung) #52766
  • [23a0d3339f] - doc: add pimterry to collaborators (Tim Perry) #52874
  • [7d7a762156] - (SEMVER-MINOR) fs: allow 'withFileTypes' to be used with globs (Aviv Keller) #52837
  • [8748dd6477] - (SEMVER-MINOR) inspector: introduce the --inspect-wait flag (Kohei Ueno) #52734
  • [9a7ae9b6c4] - lib,src: remove --experimental-policy (Rafael Gonzaga) #52583
  • [1f7c2a93fc] - (SEMVER-MINOR) perf_hooks: add deliveryType and responseStatus fields (Matthew Aitken) #51589
  • [2f59529dc5] - (SEMVER-MINOR) test_runner: support test plans (Colin Ihrig) #52860
  • [6b4dac3eb5] - (SEMVER-MINOR) zlib: expose zlib.crc32() (Joyee Cheung) #52692

Commits

Read more

2024-05-09, Version 20.13.1 'Iron' (LTS), @marco-ippolito

09 May 10:45
v20.13.1
Compare
Choose a tag to compare

2024-05-09, Version 20.13.1 'Iron' (LTS), @marco-ippolito

Revert "tools: install npm PowerShell scripts on Windows"

Due to a regression in the npm installation on Windows, this commit reverts the change that installed npm PowerShell scripts on Windows.

Commits

  • [b7d80802cc] - Revert "tools: install npm PowerShell scripts on Windows" (marco-ippolito) #52897