Node.js 7.5.0 Release Brief
The Node.js 7.5.0 release is both a regular maintenance and feature release, as well as a security release containing an update to OpenSSL 1.0.2k. Such multifaceted releases are typical for a Node.js Current release stream.
While the OpenSSL team have said this is at most a moderate update, the Node.js Crypto team (Ben Noordhuis, Shigeki Ohtsu and Fedor Indutny) have determined that the impact of the OpenSSL vulnerability is low. You can learn more about the details of how they came to this conclusion on the Node.js blog.
Also, big thanks to @italoacasas, who is being onboarded to the Node.js release team, for preparing most of this release!
As with all releases within major version lines, minor and patch upgrades should be drop-in replacements for previous versions.
Overview
Of a total of 289 commits:
- 51 were documentation-only commits.
- 126 only modify tests and 7 only affect internal tooling.
- 16 of the commits consist of 16 dependency updates + floating patches:
- 3 dependencies were upgraded:
- libuv @ 1.10.2:
ffd938a694] - (cjihrig) #10717 - npm @ 4.1.2: 9e60af893c,
1fae98b833- (Kat Marchán, Rebecca Turner) #11020 - OpenSSL @ 1.0.2k:
6a0f1fabb1,edd20720ac,ce20ad76ec,06f87c3e0a,093cacf61b,a3b3b35c53,4caa0126aa- (Shigeki Ohtsu)
- libuv @ 1.10.2:
- 3 commits were backported from upstream V8:
- [
2f5da9aas1c4bf9e8ff] - (Steven R. Loomis) #9828 - [
baba152asaa6b9f979e] - (Michaël Zasso) #10688 - [
a814b8aas5887396150] - (ishell@chromium.org) #10733
9 commits were tagged as semver-minor, adding new functionality and justifying the jump to 7.5.0:
- [
a1897c1445] - crypto: ability to select cert store at runtime (Adam Majer) #8334 - [
aeea13b6f6] - crypto: Use system CAs instead of using bundled ones (Adam Majer) #8334 - [
ac2b059500] - crypto: do not use pointers to std::vector (Adam Majer) #8334 - [
84e2ff3738] - doc: add basic documentation for WHATWG URL API (James M Snell) #10620 - [
d24491c6a7] - process: add NODE_NO_WARNINGS environment variable (cjihrig) #10842 - [
978acd138f] - src: support "--" after "-e" as end-of-options (John Barboza) #10651 - [
c92b8ecd81] - tools: add mdn link for Iterator (James M Snell) #10620 - [
2f9fdc454f] - url: allow use of URL with http.request and https.request (James M Snell) #10638
The remaining significant commits are as follows:
- [
b2d0c44fb1] - assert: update comments (Kai Cataldo) #10579 - [
c217b438f2] - assert, tools: enforce strict (not)equal in eslint (Gibson Fahnestock) #10698 - [
94c4323d56] - async_wrap: close thedestroy_ids_idle_handle_(René Schünemann) #10385 - [
f61c71b533] - benchmark: add progress indicator tocompare.js(Joyee Cheung) #10823 - [
ccdc922ada] - benchmark: movesetImmediatebenchmarks to timers (Joshua Colvin) #11010 - [
062c8513ad] - benchmark: add more thorough timers benchmarks (Jeremiah Senkpiel) #10925 - [
1e0294ccc9] - benchmark: add benchmark for object properties (Michaël Zasso) #10949 - [
47c0953b12] - benchmark: add benchmark forvm.runIn*()(Rich Trott) #10816 - [
2f339e7200] - benchmark: cleanupchild_processIPC benchmark (Yuya Tanaka) #10557 - [
eac1871c45] - benchmark: improve WHATWG URL benchmarks (Joyee Cheung) #10678 - [
ecf72d8b54] - benchmark: use "confidence" in output ofcompare.R(Joyee Cheung) #10737 - [
35334273b9] - benchmark: don't lint autogenerated modules (Brian White) #10756 - [
4f96272f12] - benchmark: fix typo "categoty" -> "category" (Victor Felder) #10568 - [
2f4577c07d] - benchmark: keep decimals in results (Brian White) #10559 - [
372e3eeb4b] - benchmark: improve readability of net benchmarks (Brian White) #10446 - [
d19136da84] - benchmark: move punycode benchmark out of net (Brian White) #10446 - [
be24cc0187] - benchmark: addClientRequestcreation benchmark (Brian White) #10654 - [
1438d00119] - benchmark,lib,test: adjust for linting (Rich Trott) #10561 - [
d13aba8499] - buffer: improvecompare()performance (Brian White) #10927 - [
6549bc2a35] - buffer: fix comments inbidirectionalIndexOf(dcposch@dcpos.ch) #10162 - [
a114f63627] - buffer: improvetoJSON()performance (Brian White) #10895 - [
9c2f686f7e] - build: don't builddeps/zlibif--shared-zlibset (Gibson Fahnestock) #10657 - [
659428fe1d] - build: sort sources alphabetically (Daniel Bevenius) #10892 - [
74f9cc9f0a] - build: move source files from headers section (Daniel Bevenius) #10850 - [
a408ba6454] - build: don't squash signal handlers with--shared(Stewart X Addison) #10539 - [
ddcd1a202f] - child_process: optimize IPC for large data (Yuya Tanaka) #10557 - [
d751afae0f] - cluster: refactor module into multiple files (cjihrig) #10746 - [
6687b95263] - crypto: return the retval ofHMAC_Update(Travis Meisenheimer) #10891 - [
5fd0f9ae63] - crypto:freelist_max_lenis gone in OpenSSL 1.1.0 (Adam Langley) #10859 - [
4e7a31b3a0] - crypto,tls: fix mutability of return values (Rich Trott) #10795 - [
84a9c158ef] - deps: fix npm files from upgrade to 4.1.2 (João Reis) #11085 - [
78a495e1a4] - eslint: remove dangling eslint symlink (Sam Roberts) #10771 - [
5cca69320f] - events: avoidemit()eager deopt (Victor Felder) #10568 - [
ded17579e5] - events: improveremoveListener()performance (Brian White) #10572 - [
d047f8e8f8] - fs: remove unused parameter forencodeRealpathResult(Jackson Tian) #10862 - [
4c0f29723c] - http: use direct parameters instead (Jackson Tian) #10833 - [
c32984361a] - http: makerequest.abort()destroy the socket (Luigi Pinca) #10818 - [
8ba2cf9c51] - http: define all used properties in constructors (vitkarpov) #9116 - [
75aa6050ab] - http: eliminate capture ofClientRequestinAgent(Evan Torrie) #10134 - [
5059b76cbc] - http: miscClientRequestcleanup (Brian White) #10654 - [
44c0e4f1ad] - http: avoid duplicateisArray()(Brian White) #10654 - [
e7859c217f] - http: optimize default method case (Brian White) #10654 - [
c9bff043c7] - http: optimize short path validation (Brian White) #10654 - [
c012dd79dc] - https: UsesecureProtocolinAgent#getName(Andreas Lind) #9452 - [
9a111e701e] - inspector: no crash when WS server can't start (Eugene Ostroukhov) #10878 - [
2d08bbadd6] - inspector: stop relying on magic strings (Eugene Ostroukhov) #10159 - [
e30e307a70] - inspector: move options parsing (Eugene Ostroukhov) #9691 - [
60f27f91e4] - inspector: remove unuseduv_async_t(Eugene Ostroukhov) #10392 - [
a3abba0b1a] - lib: remove unnecessary parameter forassertCrypto()(Jackson Tian) #10834 - [
4de7b03a7d] - lib: refactorbootstrap_node.jsregular expression (Rich Trott) #10749 - [
a6c93af244] - lib: refactor crypto cipher/hash/curve getters (Rich Trott) #10682 - [
6e8d627217] - lib,src: support values > 4GB in heap statistics (Ben Noordhuis) #10186 - [
de8eee6b16] - meta: decharter the http working group (James M Snell) #10604 - [
97ff43232b] - querystring: improveunescapeBufferperformance (Brian White) #10837 - [
f4796d5f6e] - querystring: improvestringify()performance (Brian White) #10852 - [
53421b174c] - querystring: improveparse()performance (Brian White) #10874 - [
d64e2371f6] - readline: refactor construct Interface (Jackson Tian) #4740 - [
e7b656db6e] - Revert "repl: disable Ctrl+C support on win32 for now" (Anna Henningsen) #8645 - [
a24264eb18] - src: fix v8 local handling innode_url.cc(Anna Henningsen) #11064 - [
8a6367cb20] - Revert "src: don't overwrite non-writable vm globals" (Anna Henningsen) #10920 - [
cd94642356] - src: addNODE_NO_WARNINGSto--helpoutput (cjihrig) #10918 - [
63f43021b0] - src: remove unusedPROTOCOL_JSONarray (Ben Noordhuis) #10407 - [
5a976decf7] - src: remove unnecessaryreq_wrap_obj(Daniel Bevenius) #10942 - [
0c0334f7a4] - src: add a missing space innode_os.cc(Alexey Orlenko) #10931 - [
b89d848b36] - src: enablewritevfor pipe handles on Unix (Alexey Orlenko) #10677 - [
f0de955220] - src: reducetest_inspector_socket_serveroutput (Daniel Bevenius) #10537 - [
59196af646] - stream: avoid additional validation for Buffers (Brian White) #10580 - [
1555ced404] - test, win: fix up symlink tests (Hitesh Kanwathirtha) #10477 - [
31f8f6f768] - tools, test: require const/let in test (Gibson Fahnestock) #10685 - [
438a98ca95] - url: makeURLSearchParams/Iteratormatch spec (Timothy Gu) #11057 - [
2bfd58adb1] - url: define@@toStringTagas a data property (Timothy Gu) #10906 - [
f1851cb8e4] - url: do not public expose inspect methods on URL (Timothy Gu) #10906 - [
b48b80f630] - url: stop exportingoriginFor()(Timothy Gu) #10955 - [
c0c1a4c029] - url: refactor lib/internal/url.js (Rich Trott) #10912 - [
95faa55ab9] - url: checkforEachcallback is a function (Timothy Gu) #10905 - [
3642f35d09] - url: add return value toToUnicode/ToAsciistubs (Birunthan Mohanathas) #10893 - [
021338dc6d] - url: exportURLSearchParams(Timothy Gu) - [
5d33c96679] - url: improvingURLSearchParams(Timothy Gu) #10399 - [
824978e337] - url: do not decode arbitrary%2esequences in paths (James M Snell) #10602 - [
e46bdcf2bb] - url: change null password handling (James M Snell) #10601 - [
2b01138451] - url:TupleOrigin#toStringuse unicode by default (Joyee Cheung) #10552 - [
9f6d1f6fc2] - util: improve readability ofnormalizeEncoding(Joyee Cheung) #10439 - [
d628f3a227] - util: avoid out-of-bounds arguments index access (Teddy Katz) #10569 - [
2641cd496d] - vm: improve performance ofvm.runIn*()(Rich Trott) #10816
Notable Changes
- crypto:
- doc: Added basic documentation for the WHATWG URL API. (James M Snell) #10620
- process: Added a
NODE_NO_WARNINGSenvironment variable. (cjihrig) #10842 - url: The new URL objects now work with with
http.requestandhttps.request. (James M Snell) #10638
Git Diffstats
(Showing the delta between v7.4.0 and v7.5.0, ignoring deps/npm.)
Without deps, tools, docs, benchmarks, or tests:
.eslintignore | 1 +
.eslintrc | 149 ------
.eslintrc.yaml | 156 ++++++
Makefile | 10 +-
configure | 7 +
lib/.eslintrc | 5 -
lib/.eslintrc.yaml | 5 +
lib/_http_agent.js | 56 +-
lib/_http_client.js | 125 +++--
lib/_http_common.js | 2 -
lib/_http_outgoing.js | 28 +-
lib/_http_server.js | 1 +
lib/_stream_writable.js | 37 +-
lib/_tls_common.js | 4 +-
lib/_tls_legacy.js | 2 +-
lib/_tls_wrap.js | 2 +-
lib/assert.js | 77 +--
lib/buffer.js | 59 +-
lib/cluster.js | 771 +--------------------------
lib/crypto.js | 20 +-
lib/events.js | 5 +-
lib/fs.js | 4 +-
lib/https.js | 9 +-
lib/internal/bootstrap_node.js | 4 +-
lib/internal/child_process.js | 29 +-
lib/internal/cluster.js | 4 -
lib/internal/cluster/child.js | 224 ++++++++
lib/internal/cluster/master.js | 367 +++++++++++++
lib/internal/cluster/round_robin_handle.js | 115 ++++
lib/internal/cluster/shared_handle.js | 48 ++
lib/internal/cluster/utils.js | 44 ++
lib/internal/cluster/worker.js | 63 +++
lib/internal/module.js | 10 +-
lib/internal/process/warning.js | 2 +-
lib/internal/url.js | 358 +++++++++----
lib/internal/util.js | 28 +-
lib/net.js | 5 +-
lib/os.js | 5 +-
lib/querystring.js | 207 ++++---
lib/readline.js | 15 +-
lib/repl.js | 49 +-
lib/tls.js | 8 +-
lib/url.js | 2 +-
lib/util.js | 23 +-
lib/v8.js | 4 +-
lib/vm.js | 26 +-
node.gyp | 27 +-
src/connection_wrap.cc | 3 +-
src/debug-agent.cc | 16 +-
src/debug-agent.h | 6 +-
src/env-inl.h | 21 +-
src/env.h | 12 +-
src/inspector_agent.cc | 153 +++---
src/inspector_agent.h | 5 +-
src/inspector_socket_server.cc | 74 ++-
src/inspector_socket_server.h | 12 +-
src/node.cc | 226 +++-----
src/node.h | 5 +-
src/node_contextify.cc | 23 +-
src/node_crypto.cc | 26 +-
src/node_debug_options.cc | 144 +++++
src/node_debug_options.h | 51 ++
src/node_os.cc | 2 +-
src/node_url.cc | 77 ++-
src/node_v8.cc | 12 +-
src/node_version.h | 2 +-
src/pipe_wrap.cc | 4 +
67 files changed, 2333 insertions(+), 1743 deletions(-)
Tools only:
tools/test.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Deps only:
0.5% deps/openssl/asm/
7.2% deps/openssl/openssl/apps/
0.6% deps/openssl/openssl/crypto/aes/asm/
0.6% deps/openssl/openssl/crypto/bn/asm/
0.5% deps/openssl/openssl/crypto/bn/
1.4% deps/openssl/openssl/crypto/ec/
4.2% deps/openssl/openssl/crypto/evp/
0.5% deps/openssl/openssl/crypto/perlasm/
0.5% deps/openssl/openssl/crypto/rsa/
7.8% deps/openssl/openssl/crypto/ui/
1.6% deps/openssl/openssl/crypto/
0.6% deps/openssl/openssl/doc/apps/
1.2% deps/openssl/openssl/doc/crypto/
5.5% deps/openssl/openssl/doc/ssl/
0.7% deps/openssl/openssl/include/openssl/
21.8% deps/openssl/openssl/ssl/
0.9% deps/openssl/openssl/util/
21.4% deps/openssl/openssl/
1.8% deps/uv/src/unix/
5.6% deps/uv/src/win/
4.8% deps/uv/test/
1.6% deps/uv/
1.0% deps/v8/src/
2.9% deps/v8/test/intl/general/
2.9% deps/v8/test/mjsunit/regress/
0.5% deps/v8/test/mjsunit/
139 files changed, 1293 insertions(+), 720 deletions(-)
Docs only:
AUTHORS | 2 +-
BUILDING.md | 11 +-
CHANGELOG.md | 3 +-
COLLABORATOR_GUIDE.md | 18 +-
CONTRIBUTING.md | 11 +-
README.md | 15 +-
WORKING_GROUPS.md | 16 -
benchmark/README.md | 8 +-
doc/api/buffer.md | 83 +++-
doc/api/child_process.md | 50 +--
doc/api/cli.md | 61 ++-
doc/api/console.md | 2 +-
doc/api/crypto.md | 103 ++---
doc/api/debugger.md | 2 +-
doc/api/dgram.md | 40 +-
doc/api/dns.md | 2 +-
doc/api/domain.md | 2 +-
doc/api/fs.md | 3 +-
doc/api/globals.md | 10 +-
doc/api/http.md | 116 +++---
doc/api/modules.md | 2 +-
doc/api/os.md | 5 +
doc/api/process.md | 8 +-
doc/api/repl.md | 9 +
doc/api/stream.md | 47 ++-
doc/api/tls.md | 48 ++-
doc/api/url.md | 458 ++++++++++++++++++++++
doc/api/vm.md | 6 +-
doc/api/zlib.md | 17 +-
doc/api_assets/dnt_helper.js | 49 +++
doc/changelogs/CHANGELOG_V7.md | 324 +++++++++++++++-
doc/guides/maintaining-V8.md | 4 +-
doc/guides/timers-in-node.md | 192 ----------
doc/guides/writing-tests.md | 97 +++--
doc/node.1 | 61 ++-
doc/onboarding-extras.md | 5 +-
doc/onboarding.md | 4 +
doc/template.html | 1 +
doc/topics/blocking-vs-non-blocking.md | 143 -------
doc/topics/domain-postmortem.md | 301 ---------------
doc/topics/domain-resource-cleanup-example.js | 136 -------
doc/topics/event-loop-timers-and-nexttick.md | 486 ------------------------
42 files changed, 1394 insertions(+), 1567 deletions(-)
Tests & Benchmarks only:
0.2% benchmark/buffers/
0.7% benchmark/misc/
0.2% benchmark/net/
0.2% benchmark/querystring/
0.6% benchmark/timers/
1.6% benchmark/url/
0.2% benchmark/util/
0.1% benchmark/vm/
1.3% benchmark/
0.1% test/addons/repl-domain-abort/
0.1% test/addons/stringbytes-external-exceed-max/
0.1% test/addons/
0.2% test/cctest/
0.3% test/debugger/
0.5% test/disabled/
0.1% test/doctool/
1.1% test/fixtures/
0.3% test/gc/node_modules/weak/build/
0.2% test/gc/
2.1% test/internet/
0.1% test/known_issues/
0.1% test/message/
79.3% test/parallel/
6.3% test/pummel/
2.4% test/sequential/
0.4% test/
1098 files changed, 12080 insertions(+), 9284 deletions(-)
Most active commit
Of the 289 commits, a3b3b35 was the most active:
(Excluding docs, npm, eslint, and tests.)
commit a3b3b35c5302f8618cc745f53fb297bb15c32012
Author: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date: Fri Jan 27 00:48:11 2017 +0900
deps: copy all openssl header files to include dir
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/11021
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
99.5% deps/openssl/openssl/include/openssl/
76 files changed, 38406 insertions(+), 265 deletions(-)
This is security release in addition to being a regular and routine release for a Node.js Current release line.
Do note that while we assess the security issues as being low-impact to Node.js, we still suggest you upgrade so as to avoid anything unforeseen.