Commit Graph

216 Commits

Author SHA1 Message Date
Stephen Gallagher
3d4cbef75d Update to 20.11.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-01-10 10:03:36 -05:00
Jan Staněk
ed578ec737 remove bundled WASM blobs
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-29 15:18:42 -05:00
Stephen Gallagher
4c864a0d68 Update to v20.10.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-27 10:39:23 -05:00
Stephen Gallagher
2ceeb8628f Update to 20.9.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-10-25 14:16:03 -04:00
Stephen Gallagher
8f462ce5d3 Update to 20.8.1
This is a security release.

The following CVEs are fixed in this release:

* [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High)
* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High)
* [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High)
* [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High)
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium)
* [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in the [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-10-16 11:59:52 -04:00
Stephen Gallagher
29ba6214c9 Update to 20.8.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-29 07:35:38 -04:00
Stephen Gallagher
8f4100250b Update to 20.7.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-20 13:44:46 -04:00
Stephen Gallagher
302a20ab06 Update to 20.6.1
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-15 10:12:29 -04:00
Stephen Gallagher
f57981cf35 Update to 20.6.0
Starting from Node.js v20.6.0, Node.js supports `.env` files for configuring environment variables.

Your configuration file should follow the INI file format, with each line containing a key-value pair for an environment variable.
To initialize your Node.js application with predefined configurations, use the following CLI command: `node --env-file=config.env index.js`.

For example, you can access the following environment variable using `process.env.PASSWORD` when your application is initialized:

```text
PASSWORD=nodejs
```

In addition to environment variables, this change allows you to define your `NODE_OPTIONS` directly in the `.env` file, eliminating the need to include it in your `package.json`.

This feature was contributed by Yagiz Nizipli in [#48890](https://github.com/nodejs/node/pull/48890).

In ES modules, [`import.meta.resolve(specifier)`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/import.meta/resolve) can be used to get an absolute URL string to which `specifier` resolves, similar to `require.resolve` in CommonJS. This aligns Node.js with browsers and other server-side runtimes.

This feature was contributed by Guy Bedford in <https://github.com/nodejs/node/pull/49028>

There is a new API `register` available on `node:module` to specify a file that exports module customization hooks, and pass data to the hooks, and establish communication channels with them. The “define the file with the hooks” part was previously handled by a flag `--experimental-loader`, but when the hooks moved into a dedicated thread in 20.0.0 there was a need to provide a way to communicate between the main (application) thread and the hooks thread. This can now be done by calling `register` from the main thread and passing data, including `MessageChannel` instances.

We encourage users to migrate to an approach that uses [`--import`](https://nodejs.org/api/cli.html#--importmodule) with `register`, such as:

```bash
node --import ./file-that-calls-register.js ./app.js
```

Using `--import` ensures that the customization hooks are registered before any application code runs, even the entry point.

This feature was contributed by Izaak Schroeder in <https://github.com/nodejs/node/pull/48842> and <https://github.com/nodejs/node/pull/48559>

Authors of module customization hooks can now handle both ES module and CommonJS sources in the `load` hook. This works for CommonJS modules referenced via either `import` or `require`, so long as [the main entry point of the application is handled by the ES module loader](https://nodejs.org/api/cli.html#program-entry-point) (such as because the entry point is an ES module file, or if the `--import` flag is passed). This should simplify the customization of the Node.js module loading process, as package authors can customize more of Node.js without relying on deprecated APIs such as `require.extensions`.

This feature was contributed by Antoine du Hamel in <https://github.com/nodejs/node/pull/47999>

Now when Node.js starts up, it makes sure that there is a `v8::CppHeap` attached to the V8 isolate. This enables users to allocate in the `v8::CppHeap` using `<cppgc/*>` headers from V8, which are now also included into the Node.js headers available to addons. Note that since Node.js only bundles the cppgc library coming from V8, [the ABI stability](https://nodejs.org/en/docs/guides/abi-stability#abi-stability-in-nodejs) of cppgc is currently not guaranteed in semver-minor and -patch updates, but we do not expect the ABI to break often, as it has been stable and battle-tested in Chromium for years. We may consider including cppgc into the ABI stability guarantees when it gets enough adoption internally and externally.

To help addon authors create JavaScript-to-C++ references of which V8's garbage collector can be aware, a helper function [`node::SetCppgcReference(isolate, js_object, cppgc_object)`](https://github.com/nodejs/node/blob/v20.6.0/test/addons/cppgc-object/binding.cc) has been added to `node.h`. V8 may provide a native alternative in the future, which could then replace this Node.js-specific helper. In the meantime, users can use this API to avoid having to hard-code the layout of JavaScript wrapper objects. An example of how to create garbage-collected C++ objects in the unified heap and wrap it in a JavaScript object can be found in the [Node.js addon tests](https://github.com/nodejs/node/blob/v20.6.0/test/addons/cppgc-object/binding.cc).

The existing `node::ObjectWrap` helper would continue to work, while cppgc-based object management serves as an alternative with some advantages mentioned in [the V8 blog post about Oilpan](https://v8.dev/blog/oilpan-library).

This feature was contributed by Daryl Haresign and Joyee Cheung in <https://github.com/nodejs/node/pull/48660> and <https://github.com/nodejs/node/pull/45704>.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-05 10:46:54 -04:00
Stephen Gallagher
fd717eb4cc Update to 20.5.1
** 2023-08-09, Version 20.5.1 (Current), @RafaelGSS

This is a security release.

*** Notable Changes

The following CVEs are fixed in this release:

* [CVE-2023-32002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002): Policies can be bypassed via Module.\_load (High)
* [CVE-2023-32558](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32558): process.binding() can bypass the permission model through path traversal (High)
* [CVE-2023-32004](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32004): Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
* [CVE-2023-32006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006): Policies can be bypassed by module.constructor.createRequire (Medium)
* [CVE-2023-32559](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32559): Policies can be bypassed via process.binding (Medium)
* [CVE-2023-32005](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32005): fs.statfs can bypass the permission model (Low)
* [CVE-2023-32003](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32003): fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
* OpenSSL Security Releases
  * [OpenSSL security advisory 14th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html).
  * [OpenSSL security advisory 19th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html).
  * [OpenSSL security advisory 31st July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html)

More detailed information on each of the vulnerabilities can be found in the [August 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/) blog post.

** 2023-07-18, Version 20.5.0 (Current), @juanarbol

*** Notable Changes

* \[[`45be29d89f`](https://github.com/nodejs/node/commit/45be29d89f)] - **doc**: add atlowChemi to collaborators (atlowChemi) [#48757](https://github.com/nodejs/node/pull/48757)
* \[[`a316808136`](https://github.com/nodejs/node/commit/a316808136)] - **(SEMVER-MINOR)** **events**: allow safely adding listener to abortSignal (Chemi Atlow) [#48596](https://github.com/nodejs/node/pull/48596)
* \[[`986b46a567`](https://github.com/nodejs/node/commit/986b46a567)] - **fs**: add a fast-path for readFileSync utf-8 (Yagiz Nizipli) [#48658](https://github.com/nodejs/node/pull/48658)
* \[[`0ef73ff6f0`](https://github.com/nodejs/node/commit/0ef73ff6f0)] - **(SEMVER-MINOR)** **test\_runner**: add shards support (Raz Luvaton) [#48639](https://github.com/nodejs/node/pull/48639)

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-08-09 16:13:26 -04:00
Stephen Gallagher
2dee98da40 Release 20.4.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-07-12 12:50:28 -04:00
Stephen Gallagher
9d9ff2a528 Update to security release 20.3.1
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.3.1

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-06-22 12:54:46 -04:00
Stephen Gallagher
6fdba8a532
Release Node.js 20.2.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.2.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-05-17 09:23:34 -04:00
Stephen Gallagher
6d822b2572
Update to 20.1.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.1.0

Also drop upstreamed patch

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-05-04 16:16:03 -04:00
Stephen Gallagher
1047bf482c
Update to 20.0.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.0.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-26 12:02:51 -04:00
Stephen Gallagher
4443d6afb2
Update to 19.9.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-11 10:51:53 -04:00
Stephen Gallagher
7136699056
Update to 19.8.1
- Namespace the v8 compatibility libraries

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-16 15:35:05 -04:00
Stephen Gallagher
52e4162484
Update to 19.8.0
- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V19.md#19.8.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-15 10:51:53 -04:00
Stephen Gallagher
a35607a1c3
Update to 19.7.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-02-21 14:45:36 -05:00
Stephen Gallagher
ce26a524b5
First Node.js 20 prerelease
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-02-21 10:06:35 -05:00
Stephen Gallagher
679308e617
Update to 18.13.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-01-16 11:29:51 -05:00
Jan Staněk
267026f111
Include sources for WASM blobs
2022-12-12 14:42:27 +01:00
Stephen Gallagher
ea87d2c1bc
Update to security release 18.12.1
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.12.1
https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-11-07 08:19:35 -05:00
Stephen Gallagher
33ebc0634d
Update to 18.11.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.11.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-10-19 16:33:20 -04:00
Stephen Gallagher
8d3e75401d
Update to 18.10.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.10.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-10-04 16:29:31 -04:00
Stephen Gallagher
f924bef5fc
Update to 18.9.1
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.9.1

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-09-23 15:32:42 -04:00
Stephen Gallagher
fa95cc99d9
Update to Node.js 18.9.0
- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.9.0
- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.8.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-09-14 16:36:15 -04:00
Stephen Gallagher
45296320d1
Update to 18.7.0
Add bcond to disable building the included npm.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-07-27 15:00:23 -04:00
Stephen Gallagher
6ad3fc8fda
Update to 18.6.0
Switch to ninja for faster builds

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-07-14 19:57:13 -04:00
Stephen Gallagher
e0e64a6d19
Update to 18.5.0
Add %autorelease support

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-07-11 09:42:57 -04:00
Stephen Gallagher
50d0647ce7
Update to Node.js 18.4.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V18.md#18.4.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-06-17 09:11:38 -04:00
Stephen Gallagher
40ffbd5092
Update to Node.js 18.3.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V18.md#18.3.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-06-07 13:24:16 -04:00
Jan Staněk
cfd6873493
Patch node.gyp in place of leaving OpenSSL bits in place
2022-05-31 13:30:35 +02:00
Stephen Gallagher
cec740c48c
Update to Node.js 18.2.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V18.md#18.2.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-05-17 16:15:56 -04:00
Stephen Gallagher
475401441a
Update to Node.js 18.1.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V18.md#18.1.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-05-05 15:54:17 -04:00
Stephen Gallagher
6a5af18121
First release of 18.0.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-04-28 14:48:05 -04:00
Stephen Gallagher
f36552580f
Update to Node.js 16.15.0
Stop carrying full ICU sources now that the binary data is available
Properly version the v8 virtual Provides
Bundle nghttp2

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-04-27 19:13:00 -04:00
Stephen Gallagher
37e63a09a3
Update to Node.js 16.14.1
Drop corepack

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-03-17 12:26:51 -04:00
Stephen Gallagher
0ee3e7e83c
Update to Node.js 16.14.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-02-08 15:55:05 -05:00
Stephen Gallagher
b699bdb677
Update npm to 8.3.1 (CVE-2021-43616)
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-02-03 16:25:10 -05:00
Stephen Gallagher
6198b7db15
Bundle zlib on EPEL 7
RHEL 7 has zlib 1.2.7, which is too old for NPM.

RHEL 7 is upgrading from 4.x, so we need to re-add the pretrans
scriptlet for npm.

Also clean up and simplify some of the various version macros.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-01-19 14:13:28 -05:00
Stephen Gallagher
97203e0629
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-01-11 14:24:23 -05:00
Stephen Gallagher
7a3f77a0c3
Update to 16.13.1
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.13.1
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2021-12-02 08:06:21 -05:00
Stephen Gallagher
a2ee1ccfdd
Update to 16.13.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.13.0
Add support for epel8

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2021-11-05 14:56:57 -04:00
Stephen Gallagher
aba90e54b0
Update to 16.12.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.12.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2021-10-25 09:58:28 -04:00
Stephen Gallagher
4c556b450b
Update to 16.11.1
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.11.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.11.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2021-10-13 15:11:35 -04:00
Stephen Gallagher
e13a2ee556
Update to 16.10.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.10.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2021-09-23 16:16:56 -04:00
Stephen Gallagher
97563f52cd
Update to 16.9.1
Add experimental 'corepack' tool
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.9.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.9.1

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2021-09-13 17:05:10 -04:00
Stephen Gallagher
d4c00004d5
Update to 16.8.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.8.0
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.7.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2021-08-31 13:57:07 -04:00
Stephen Gallagher
41ef8447a8
Update to 16.6.2
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.6.2

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2021-08-11 16:36:32 -04:00