Update Node.js to v17 #45
Loading…
Reference in New Issue
No description provided.
Delete Branch "renovate/node-17.x"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
10.24.1-buster
->17.0.0-buster
Release Notes
nodejs/node
v17.0.0
Compare Source
Notable Changes
Deprecations and Removals
OpenSSL 3.0
Node.js now includes OpenSSL 3.0, specifically quictls/openssl which provides QUIC support. With OpenSSL 3.0 FIPS support is again available using the new FIPS module. For details about how to build Node.js with FIPS support please see BUILDING.md.
While OpenSSL 3.0 APIs should be mostly compatible with those provided by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to tightened restrictions on the allowed algorithms and key sizes.
If you hit an
ERR_OSSL_EVP_UNSUPPORTED
error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A command-line option,--openssl-legacy-provider
, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions.For details about all the features in OpenSSL 3.0 please see the OpenSSL 3.0 release blog.
Contributed in https://github.com/nodejs/node/pull/38512, https://github.com/nodejs/node/pull/40478
V8 9.5
The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the
Intl.DisplayNames
API and ExtendedtimeZoneName
options in theIntl.DateTimeFormat
API.You can read more details in the V8 9.5 release post - https://v8.dev/blog/v8-release-95.
Contributed by Michaël Zasso - https://github.com/nodejs/node/pull/40178
Readline Promise API
The
readline
module provides an interface for reading data from a Readablestream (such as
process.stdin
) one line at a time.The following simple example illustrates the basic use of the
readline
module:Contributed by Antoine du Hamel - https://github.com/nodejs/node/pull/37947
Other Notable Changes
Semver-Major Commits
Semver-Minor Commits
Semver-Patch Commits
v16.11.1
Compare Source
This is a security release.
Notable changes
Commits
v16.11.0
Compare Source
Notable Changes
nghttp2
to v1.45.1 (thunder-coding) #40206Commits
v16.10.0
Compare Source
Notable Changes
Commits
v16.9.1
Compare Source
Notable Changes
This release fixes a regression introduced by the V8 9.3 update in Node.js 16.9.0.
Commits
v16.9.0
Compare Source
Notable Changes
Corepack
Node.js now includes Corepack, a script that acts as a bridge between Node.js projects and the package managers they are intended to be used with during development.
In practical terms, Corepack will let you use Yarn and pnpm without having to install them - just like what currently happens with npm, which is shipped in Node.js by default.
Please head over to the Corepack documentation page for more information on how to use it.
Contributed by Maël Nison - #39608
V8 9.3
V8 is updated to version 9.3, which includes performance improvements and new JavaScript features.
Object.hasOwn
Object.hasOwn
is a static alias forObject.prototype.hasOwnProperty.call
:Error cause
Errors can now be optionally constructed with a
cause
option, pointing to another error.This adds a
cause
property on the new error:Contributed by Michaël Zasso - #39947
Other Notable Changes
Commits
v16.8.0
Compare Source
Notable Changes
Commits
v16.7.0
Compare Source
Notable Changes
Commits
v16.6.2
Compare Source
This is a security release.
Notable Changes
Commits
v16.6.1
Compare Source
Notable Changes
Commits
v16.6.0
Compare Source
This is a security release.
Notable Changes
Say hello to V8 9.2
The V8 engine is updated to version 9.2.230.21.
It notably introduces the new
Array.prototype.at
method (also on Typed Arrays and strings):Contributed by Michaël Zasso - #39470
Other notable changes
Commits
v16.5.0
Compare Source
Notable Changes
Experimental Web Streams API
Node.js now exposes an experimental implementation of the
Web Streams API.
While it is experimental, the API is not exposed on the global object and is only
accessible using the new
stream/web
core module:Importing the module will emit a single experimental warning per process.
The raw API is implemented and we are now working on its integration with
various existing core APIs.
Contributed by James M Snell - #39062
Other notable changes
Commits
v16.4.2
Compare Source
Notable Changes
Node.js 16.4.1 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
Commits
v16.4.1
Compare Source
This is a security release.
Notable Changes
Vulnerabilities fixed:
Commits
v16.4.0
Compare Source
Notable changes
--dns-result-order
to change default dns verbatim (Ouyang Yadong) #38099Commits
v16.3.0
Compare Source
Notable Changes
Commits
v16.2.0
Compare Source
Notable Changes
Commits
v16.1.0
Compare Source
Notable Changes
Commits
v16.0.0
Compare Source
Notable Changes
Deprecations and Removals
Stable Timers Promises API
The Timers Promises API provides an alternative set of timer functions that return Promise objects. Added in Node.js v15.0.0, in this release they graduate from experimental status to stable.
Contributed by James Snell - #38112
Toolchain and Compiler Upgrades
Node.js v16.0.0 will be the first release where we ship prebuilt binaries for Apple Silicon. While we’ll be providing separate tarballs for the Intel (
darwin-x64
) and ARM (darwin-arm64
) architectures the macOS installer (.pkg
) will be shipped as a ‘fat’ (multi-architecture) binary.V8 9.0
The V8 JavaScript engine is updated to V8 9.0, including performance tweaks and improvements.
This update also brings the ECMAScript RegExp Match Indices, which provide the start and end indices of the captured string. The indices array is available via the
.indices
property on match objects when the regular expression has the/d
flag.Contributed by Michaël Zasso - #37587
Other Notable Changes
node:
‑prefixedrequire(…)
calls (ExE Boss) #37246node:
‑prefixedrequire(…)
calls (ExE Boss) #37246Semver-Major Commits
Semver-Minor Commits
Semver-Patch Commits
v15.14.0
Compare Source
This is a security release.
Notable Changes
Vulnerabilties Fixed:
Other Notable Changes:
Commits
v15.13.0
Compare Source
Notable Changes
npm run
andnpm exec
Commits
v15.12.0
Compare Source
Notable Changes
Commits
v15.11.0
Compare Source
Notable Changes
Commits
v15.10.0
Compare Source
This is a security release.
Notable changes
Vulnerabilities fixed:
https://www.openssl.org/news/secadv/20210216.txt
Commits
v15.9.0
Compare Source
Notable Changes
Commits
v15.8.0
Compare Source
Notable Changes
Commits
v15.7.0
Compare Source
Notable changes
position
parameter to be aBigInt
in read and readSync (raisinten) #36190Commits
v15.6.0
Compare Source
Notable Changes
serdes
constructors (ExE Boss) #36549Commits
v15.5.1
Compare Source
This is a security release.
Notable changes
Vulnerabilities fixed:
CVE-2020-8265: use-after-free in TLSWrap (High)
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits.
CVE-2020-8287: HTTP Request Smuggling in nodejs (Low)
a http request. For example, two Transfer-Encoding header fields. In
this case Node.js identifies the first header field and ignores the
second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
Commits
v15.5.0
Compare Source
Notable Changes
Extended support for
AbortSignal
in child_process and streamThe following APIs now support an
AbortSignal
in their options object:child_process.spawn()
Calling
.abort()
on the correspondingAbortController
is similar to calling.kill()
on the child process except the error passed to the callback will be anAbortError
:new stream.Writable()
andnew stream.Readable()
Calling
.abort()
on the correspondingAbortController
will behave the same way as calling.destroy(new AbortError())
on the stream:Contributed by Benjamin Gruenbaum #36431, #36432.
BigInt support in
querystring.stringify()
If
querystring.stringify()
is called with an object that containsBigInt
values, they will now be serialized to their decimal representation instead of the empty string:Contributed by Darshan Sen #36499.
Additions to the C++ embedder APIs
A new
IsolateSettingsFlag
is available for those callingSetIsolateUpForNode()
:SHOULD_NOT_SET_PREPARE_STACK_TRACE_CALLBACK
can be used to prevent Node.js from setting a custom callback to prepare stack traces.Contributed by Shelley Vohr #36447.
Added
node::GetEnvironmentIsolateData()
andnode::GetArrayBufferAllocator()
to respectively get the currentIsolateData*
and, from it, the current Node.jsArrayBufferAllocator
if there is one.Contributed by Anna Henningsen #36441.
New core collaborator
With this release, we welcome a new Node.js core collaborator:
Commits
Semver-minor commits
Semver-patch commits
Documentation commits
Other commits
v15.4.0
Compare Source
Notable Changes
Commits
v15.3.0
Compare Source
Notable Changes
Commits
v15.2.1
Compare Source
Notable changes
This is a security release.
Vulnerabilities fixed:
Commits
v15.2.0
Compare Source
Notable changes
Commits
v15.1.0
Compare Source
Notable Changes
Diagnostics channel (experimental module)
diagnostics_channel
is a new experimental module that provides an API to create named channels to report arbitrary message data for diagnostics purposes.With
diagnostics_channel
, Node.js core and module authors can publish contextual data about what they are doing at a given time. This could be the hostname and query string of a mysql query, for example. Just create a named channel withdc.channel(name)
and callchannel.publish(data)
to send the data to any listeners to that channel.Channels are like one big global event emitter but are split into separate objects to ensure they get the best performance. If nothing is listening to the channel, the publishing overhead should be as close to zero as possible. Consuming channel data is as easy as using
channel.subscribe(listener)
to run a function whenever a message is published to that channel.The data captured can be used to provide context for what an app is doing at a given time. This can be used for things like augmenting tracing data, tracking network and filesystem activity, logging queries, and many other things. It's also a very useful data source for diagnostics tools to provide a clearer picture of exactly what the application is doing at a given point in the data they are presenting.
Contributed by Stephen Belanger #34895.
New child process
'spawn'
eventInstances of
ChildProcess
now emit a new'spawn'
event once the child process has spawned successfully.If emitted, the
'spawn'
event comes before all other events and before any data is received viastdout
orstderr
.The
'spawn'
event will fire regardless of whether an error occurs within the spawned process.For example, if
bash some-command
spawns successfully, the'spawn'
event will fire, thoughbash
may fail to spawnsome-command
.This caveat also applies when using
{ shell: true }
.Contributed by Matthew Francis Brunetti #35369.
Set the local address for DNS resolution
It is now possible to set the local IP address used by a
Resolver
instance to send its requests.This allows programs to specify outbound interfaces when used on multi-homed
systems.
The resolver will use the v4 local address when making requests to IPv4 DNS servers, and the v6 local address when making requests to IPv6 DNS servers.
Contributed by Josh Dague #34824.
Control V8 coverage at runtime
The
v8
module includes two new methods to control the V8 coverage started by theNODE_V8_COVERAGE
environment variable.With
v8.takeCoverage()
, it is possible to write a coverage report to disk on demand. This can be done multiple times during the lifetime of the process, and the execution counter will be reset on each call.When the process is about to exit, one last coverage will still be written to disk, unless
v8.stopCoverage()
was invoked before.The
v8.stopCoverage()
method allows to stop the coverage collection, so that V8 can release the execution counters and optimize code.Contributed by Joyee Cheung #33807.
Analyze Worker's event loop utilization
Worker
instances now have aperformance
property, with a singleeventLoopUtilization
method that can be used to gather information about the worker's event loop utilization between the'online'
and'exit'
events.The method works the same way as
perf_hooks
eventLoopUtilization()
.Contributed by Trevor Norris #35664.
Take a V8 heap snapshot just before running out of memory (experimental)
With the new
--heapsnapshot-near-heap-limit=max_count
experimental command line flag, it is now possible to automatically generate a heap snapshot when the V8 heap usage is approaching the heap limit.count
should be a non-negative integer (in which case Node.js will write no more thanmax_count
snapshots to disk).When generating snapshots, garbage collection may be triggered and bring the heap usage down, therefore multiple snapshots may be written to disk before the Node.js instance finally runs out of memory. These heap snapshots can be compared to determine what objects are being allocated during the time consecutive snapshots are taken.
Generating V8 snapshots takes time and memory (both memory managed by the V8 heap and native memory outside the V8 heap). The bigger the heap is, the more resources it needs. Node.js will adjust the V8 heap to accommondate the additional V8 heap memory overhead, and try its best to avoid using up all the memory avialable to the process.
Contributed by Joyee Cheung #33010.
Commits
Semver-minor commits
Semver-patch commits
Documentation commits
Other commits
v15.0.1
Compare Source
Notable changes
Commits
v15.0.0
Compare Source
Notable Changes
Deprecations and Removals
npm 7 - #35631
Node.js 15 comes with a new major release of npm, npm 7. npm 7 comes with many new features - including npm workspaces and a new package-lock.json format. npm 7 also includes yarn.lock file support. One of the big changes in npm 7 is that peer dependencies are now installed by default.
Throw On Unhandled Rejections - #33021
As of Node.js 15, the default mode for
unhandledRejection
is changed tothrow
(fromwarn
). Inthrow
mode, if anunhandledRejection
hook is not set, theunhandledRejection
is raised as an uncaught exception. Users that have anunhandledRejection
hook should see no change in behavior, and it’s still possible to switch modes using the--unhandled-rejections=mode
process flag.QUIC - #32379
Node.js 15 comes with experimental support QUIC, which can be enabled by compiling Node.js with the
--experimental-quic
configuration flag. The Node.js QUIC implementation is exposed by the corenet
module.V8 8.6 - #35415
The V8 JavaScript engine has been updated to V8 8.6 (V8 8.4 is the latest available in Node.js 14). Along with performance tweaks and improvements the V8 update also brings the following language features:
Promise.any()
(from V8 8.5)AggregateError
(from V8 8.5)String.prototype.replaceAll()
(from V8 8.5)&&=
,||=
, and??=
(from V8 8.5)Other Notable Changes
Semver-Major Commits
Semver-Minor Commits
Semver-Patch Commits
v14.18.1
Compare Source
This is a security release.
Notable changes
Commits
v14.18.0
Compare Source
Notable Changes
Commits
Semver-minor commits
Semver-patch commits
Documentation commits
Other commits
v14.17.6
Compare Source
This is a security release.
Notable Changes
These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803
and CVE-2021-32804.
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.
You can read more about it in:
Commits
v14.17.5
Compare Source
This is a security release.
Notable Changes
Commits
v14.17.4
Compare Source
This is a security release.
Notable Changes
This releases also fixes some regressions with internationalization introduced by the ICU updates in Node.js 14.17.0 and 14.17.1.
Commits
v14.17.3
Compare Source
Notable Changes
Node.js 14.17.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
Commits
v14.17.2
Compare Source
This is a security release.
Notable Changes
Vulnerabilities fixed:
Commits
v14.17.1
Compare Source
Notable Changes
Commits
v14.17.0
Compare Source
Notable Changes
Diagnostics channel (experimental module)
diagnostics_channel
is a new experimental module that provides an API to create named channels to report arbitrary message data for diagnostics purposes.The module was initially introduced in Node.js v15.1.0 and is backported to v14.17.0
to enable testing it at a larger scale.
With
diagnostics_channel
, Node.js core and module authors can publish contextual data about what they are doing at a given time. This could be the hostname and query string of a mysql query, for example. Just create a named channel withdc.channel(name)
and callchannel.publish(data)
to send the data to any listeners to that channel.Channels are like one big global event emitter but are split into separate objects to ensure they get the best performance. If nothing is listening to the channel, the publishing overhead should be as close to zero as possible. Consuming channel data is as easy as using
channel.subscribe(listener)
to run a function whenever a message is published to that channel.The data captured can be used to provide context for what an app is doing at a given time. This can be used for things like augmenting tracing data, tracking network and filesystem activity, logging queries, and many other things. It's also a very useful data source for diagnostics tools to provide a clearer picture of exactly what the application is doing at a given point in the data they are presenting.
Contributed by Stephen Belanger #34895.
UUID support in the crypto module
The new
crypto.randomUUID()
method now allows to generate randomRFC 4122 Version 4 UUID strings:
Contributed by James M Snell #36729.
Experimental support for
AbortController
andAbortSignal
Node.js 14.17.0 adds experimental partial support for
AbortController
andAbortSignal
.Both constructors can be enabled globally using the
--experimental-abortcontroller
flag.Additionally, several Node.js APIs have been updated to support
AbortSignal
for cancellation.It is not mandatory to use the built-in constructors with them. Any spec-compliant third-party alternatives
should be compatible.
AbortSignal
support was added to the following methods:child_process.exec
child_process.execFile
child_process.fork
child_process.spawn
dgram.createSocket
events.on
events.once
fs.readFile
fs.watch
fs.writeFile
http.request
https.request
http2Session.request
setImmediate
andsetTimeout
Other notable changes
Commits
v14.16.1
Compare Source
This is a security release.
Notable Changes
Vulnerabilities fixed:
Commits
v14.16.0
Compare Source
This is a security release.
Notable changes
Vulnerabilities fixed:
Commits
v14.15.5
Compare Source
Notable Changes
dfcf1e8
(Michaël Zasso) #37245Commits
v14.15.4
Compare Source
This is a security release.
Notable Changes
Vulnerabilities fixed:
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
Node.js. You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
CVE-2020-8265: use-after-free in TLSWrap (High)
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits.
CVE-2020-8287: HTTP Request Smuggling in nodejs (Low)
a http request. For example, two Transfer-Encoding header fields. In
this case Node.js identifies the first header field and ignores the
second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
Commits
Configuration
📅 Schedule: At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
Renovate Ignore Notification
Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future
17.x
releases. But if you manually upgrade to17.x
then Renovate will re-enableminor
andpatch
updates automatically.If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
Pull request closed