This is a security release.
Notable changes:
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
PR-URL: https://github.com/nodejs/node/pull/39500
This modifies 40df0dc so that the changes it applies are only used
if ICU 67 or greater is used, and restores the previous code path for
versions of ICU below 67.
The minimum ICU version was bumped to 67 in Node.js 14.6.0 by
https://github.com/nodejs/node/pull/34356 but the referenced V8
commit[1] isn't on `v14.x-staging` and appears to have been reverted
on V8 8.4[2] so this PR also restores the minimum ICU version to 65.
[1] 611e412768
[2] eeccedee18
PR-URL: https://github.com/nodejs/node/pull/39068
Backport-PR-URL: https://github.com/nodejs/node/pull/39451
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Original commit message:
[Intl] call new ListFormatter::createInstance
The one we currently using is now marked as internal and to be removed
for 68. Migrating to the style which already avaiable in ICU 67-1.
Bug: v8:11031
Change-Id: I668382a2e1b8602ddca02bf231c5008a6c92bf2d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2477751
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70638}
Refs: 035c305ce7
PR-URL: https://github.com/nodejs/node/pull/38497
Backport-PR-URL: https://github.com/nodejs/node/pull/39451
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
`CHECK(it->second)` asserts that we have `PerIsolatePlatformData`
in the `per_isolate_` map, and not just a key with empty value. When
`it == per_isolate_.end()`, however, it means that we don't have the
isolate and the `CHECK(it->second)` is guaranteed to fail then!
PR-URL: https://github.com/nodejs/node/pull/38010
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Move the `#define`s back into `cares_wrap.cc`, as they are part of
the implementation, not the declarations used in `cares_wrap.h`,
and apply the suggestion from
https://github.com/nodejs/node/pull/38572#discussion_r627809407
to make the defines a bit more generic and not check for OpenBSD
specifically.
Refs: https://github.com/nodejs/node/pull/38572
PR-URL: https://github.com/nodejs/node/pull/38670
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Original commit message:
Fix implicit conversion loses integer precision warning
The type of m is long in 64 bits build, and results implicit conversion
loses integer precision, which was found by improved clang warning
(-Wshorten-64-to-32)
Bug: chromium:1124085
Change-Id: Ic9f22508bd817a06d5c90162b1ac3554a7171529
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2391323
Commit-Queue: Zequan Wu <zequanwu@google.com>
Auto-Submit: Zequan Wu <zequanwu@google.com>
Reviewed-by: Nico Weber <thakis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69686}
Refs: 0b3a4ecf70
PR-URL: https://github.com/nodejs/node/pull/39245
Refs: https://github.com/nodejs/build/issues/2696
Reviewed-By: Richard Lau <rlau@redhat.com>
Original commit message:
Fix visiblity rules for configs enforced by the latest GN version.
Prior versions of GN had a bug (gn:22) where visibility rules
for configs weren't being enforced properly.
This CL tweaks the visibility settings of some configs to
conform to the latest version.
Change-Id: Ic5d827a1f2774278d3894f67fe52bfca836c0409
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2360909
Commit-Queue: Dirk Pranke <dpranke@google.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69463}
Refs: 7c182bd65f
PR-URL: https://github.com/nodejs/node/pull/39245
Refs: https://github.com/nodejs/build/issues/2696
Reviewed-By: Richard Lau <rlau@redhat.com>
Original commit message:
[build] Move split_static_library.gni from Chromium repo
We'll remove the file from Chromium in a follow up after V8 has rolled
+ 2 days.
Bug: v8:9911
Change-Id: I69fe56855f1ba83bec0d39e0fb6acb7e4182c6b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1897826
Reviewed-by: Nico Weber <thakis@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64742}
Refs: 7b33328442
PR-URL: https://github.com/nodejs/node/pull/39245
Refs: https://github.com/nodejs/build/issues/2696
Reviewed-By: Richard Lau <rlau@redhat.com>
Original commit message:
build: Remove no-op calls to set_sources_assignment_filter
Chromiun no longer use set_sources_assignment_filter() anywhere in the
build, so these are no longer needed.
Bug: chromium:1018739
Change-Id: I7b33612d925563ebca0d93a7d3c9183d7305b7b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2456988
Reviewed-by: Nico Weber <thakis@chromium.org>
Commit-Queue: Nico Weber <thakis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70405}
Refs: 92e6d33170
PR-URL: https://github.com/nodejs/node/pull/39245
Refs: https://github.com/nodejs/build/issues/2696
Reviewed-By: Richard Lau <rlau@redhat.com>
Original commit message:
tracing: Update proto library build rule and roll Perfetto
This patch removes use of the deprecated sources_assignment_filter GN
feature from gni/proto_library.gni, since the extra descriptor files are
no longer being generated.
We also roll Perfetto to match the version used in Chrome and update
test expectations accordingly.
Bug: v8:10995
Change-Id: I65cb3b79feb6e5a7e5c8d99fdb8bf999a6048539
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2454079
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Auto-Submit: Sami Kyöstilä <skyostil@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70381}
Refs: 1b1eda0876
PR-URL: https://github.com/nodejs/node/pull/39245
Refs: https://github.com/nodejs/build/issues/2696
Reviewed-By: Richard Lau <rlau@redhat.com>
Original commit message:
```
PPC: Add Power10 to the supported list and enable related features
This CL adds Power10 recognition to Linux, AIX as well as IBMi.
Enabled features include:
MODULO
FPR_GPR_MOV
SIMD
LWSYNC
ISELECT
VSX
Change-Id: Ifc337e6497a3efe9697bcf03063a2b94471f96e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2855041
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Reviewed-by: Vasili Skurydzin <vasili.skurydzin@ibm.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#74279}
```
Refs: 530080c44a
PR-URL: https://github.com/nodejs/node/pull/38509
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Ash Cripps <acripps@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
PR-URL: https://github.com/nodejs/node/pull/38399
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Main goal of using a GitHub Action for labelling PRs has been to move
the mapping between files changed -> label into a configuration file
local to the nodejs/node repository.
Previously any changes to that mapping meant having to grasp the
nodejs/github-bot project, open a PR with the neccessary changes, get
approval from its maintainers before those changes finally got pushed
to production.
The logic involved in using the file paths / label configuration and
resolving the labels to be applied, has been moved into a custom GitHub
Action project: nodejs/node-pr-labeler.
Aside from removing the external dependency the nodejs-github-bot is in
practise, it also reduces the bar for contributors since the resulting
project is a lot smaller and less complex than nodejs/github-bot.
PR-URL: https://github.com/nodejs/node/pull/38301
Fixes: https://github.com/nodejs/github-bot/issues/294
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Notable changes:
Node.js 12.22.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
PR-URL: https://github.com/nodejs/node/pull/39268
Original commit message:
idna: fix OOB read in punycode decoder
Reported by Eric Sesterhenn in collaboration with
Cure53 and ExpressVPN.
Reported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
PR-URL: https://github.com/libuv/libuv-private/pull/1
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
CVE-ID: CVE-2021-22918
Refs: https://hackerone.com/reports/1209681
PR-URL: https://github.com/nodejs-private/node-private/pull/267
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Notable changes
The legacy HTTP parser is runtime deprecated:
- The legacy HTTP parser, selected by the `--http-parser=legacy` command line
option, is deprecated with the pending End-of-Life of Node.js 10.x (where it
is the only HTTP parser implementation provided) at the end of April 2021. It
will now warn on use but otherwise continue to function and may be removed in
a future Node.js 12.x release.
- The default HTTP parser based on llhttp is not affected. By default it is
stricter than the now deprecated legacy HTTP parser. If interoperability with
HTTP implementations that send invalid HTTP headers is required, the HTTP
parser can be started in a less secure mode with the `--insecure-http-parser`
command line option.
ES Modules:
- ES Modules are now considered stable.
node-api:
- Updated to node-api version 8 and added an experimental API to allow
retrieval of the add-on file name.
New API's to control code coverage data collection:
- `v8.stopCoverage()` and `v8.takeCoverage()` have been added.
New API to monitor event loop utilization by Worker threads
- `worker.performance.eventLoopUtilization()` has been added.
PR-URL: https://github.com/nodejs/node/pull/37797
Fix two races in test-performance-eventlooputil resulting in a flaky
test.
elu1 was capture after start time t from spin look. If OS descides to
reschedule the process after capturing t but before getting elu for
>=50ms the spin loop is actually a nop. elu1 doesn't show this and as
a result elut3 = eventLoopUtilization(elu1) results in
elu3.active === 0.
Moving capturing of t after capturing t, just before the spin look
avoids this.
Similar if OS decides to shedule a different process between getting
the total elu from start and the diff elu showing the spin loop the
check to verify that total active time is long then the spin loop
fails.
Exchanging these statements avoids this race.
PR-URL: https://github.com/nodejs/node/pull/36028
Fixes: https://github.com/nodejs/node/issues/35309
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Unlike JS-only modules, native add-ons are always associated with a
dynamic shared object from which they are loaded. Being able to
retrieve its absolute path is important to native-only add-ons, i.e.
add-ons that are not themselves being loaded from a JS-only module
located in the same package as the native add-on itself.
Currently, the file name is obtained at environment construction time
from the JS `module.filename`. Nevertheless, the presence of `module`
is not required, because the file name could also be passed in via a
private property added onto `exports` from the `process.dlopen`
binding.
As an attempt at future-proofing, the file name is provided as a URL,
i.e. prefixed with the `file://` protocol.
Fixes: https://github.com/nodejs/node-addon-api/issues/449
PR-URL: https://github.com/nodejs/node/pull/37195
Backport-PR-URL: https://github.com/nodejs/node/pull/37328
Co-authored-by: Michael Dawson <mdawson@devrus.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Add a v8.stopCoverage() API to stop the coverage collection
started by NODE_V8_COVERAGE - this would be useful in
conjunction with v8.takeCoverage() if the user don't want
to emit the coverage at the process exit but still want
to collect it on demand at some point.
PR-URL: https://github.com/nodejs/node/pull/33807
Backport-PR-URL: https://github.com/nodejs/node/pull/36352
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ben Coe <bencoe@gmail.com>
Add an v8.takeCoverage() API that allows the user to write the
coverage started by NODE_V8_COVERAGE to disk on demand.
The coverage can be written multiple times during the lifetime
of the process, each time the execution counter will be reset.
When the process is about to exit, one last coverage will
still be written to disk.
Also refactors the internal profiler connection code
so that we use the inspector response id to identify
the profile response instead of using an ad-hoc flag in C++.
PR-URL: https://github.com/nodejs/node/pull/33807
Backport-PR-URL: https://github.com/nodejs/node/pull/36352
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ben Coe <bencoe@gmail.com>
Allow calling eventLoopUtilization() directly on a worker thread:
const worker = new Worker('./foo.js');
const elu = worker.performance.eventLoopUtilization();
setTimeout(() => {
worker.performance.eventLoopUtilization(elu);
}, 10);
Add a new performance object on the Worker instance that will hopefully
one day hold all the other performance metrics, such as nodeTiming.
Include benchmarks and tests.
PR-URL: https://github.com/nodejs/node/pull/35664
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Backport-PR-URL: https://github.com/nodejs/node/pull/37165
