The Nodesource Blog

Node.js 7.5.0 Release Brief

The Node.js 7.5.0 release is a regular maintenance and feature release that is also a security release, containing an update to OpenSSL 1.0.2k. Such multifaceted releases are typical for a Node.js Current release stream.

While the OpenSSL team have said this is at most a moderate update, the Node.js Crypto team (Ben Noordhuis, Shigeki Ohtsu and Fedor Indutny) have determined that the impact of the OpenSSL vulnerability is low. You can learn more about the details of how they came to this conclusion on the Node.js blog.

Also, big thanks to @italoacasas, who is being onboarded to the Node.js release team, for preparing most of this release!

As with all releases within major version lines, minor and patch upgrades should be drop-in replacements for previous versions.

Overview

Of a total of 289 commits:

9 commits were tagged as semver-minor, adding new functionality and justifying the jump to 7.5.0:

  • [a1897c1445] - crypto: ability to select cert store at runtime (Adam Majer) #8334
  • [aeea13b6f6] - crypto: Use system CAs instead of using bundled ones (Adam Majer) #8334
  • [ac2b059500] - crypto: do not use pointers to std::vector (Adam Majer) #8334
  • [84e2ff3738] - doc: add basic documentation for WHATWG URL API (James M Snell) #10620
  • [d24491c6a7] - process: add NODE_NO_WARNINGS environment variable (cjihrig) #10842
  • [978acd138f] - src: support "--" after "-e" as end-of-options (John Barboza) #10651
  • [c92b8ecd81] - tools: add mdn link for Iterator (James M Snell) #10620
  • [2f9fdc454f] - url: allow use of URL with http.request and https.request (James M Snell) #10638

The remaining significant commits are as follows:

  • [b2d0c44fb1] - assert: update comments (Kai Cataldo) #10579
  • [c217b438f2] - assert, tools: enforce strict (not)equal in eslint (Gibson Fahnestock) #10698
  • [94c4323d56] - async_wrap: close the destroy_ids_idle_handle_ (René Schünemann) #10385
  • [f61c71b533] - benchmark: add progress indicator to compare.js (Joyee Cheung) #10823
  • [ccdc922ada] - benchmark: move setImmediate benchmarks to timers (Joshua Colvin) #11010
  • [062c8513ad] - benchmark: add more thorough timers benchmarks (Jeremiah Senkpiel) #10925
  • [1e0294ccc9] - benchmark: add benchmark for object properties (Michaël Zasso) #10949
  • [47c0953b12] - benchmark: add benchmark for vm.runIn*() (Rich Trott) #10816
  • [2f339e7200] - benchmark: cleanup child_process IPC benchmark (Yuya Tanaka) #10557
  • [eac1871c45] - benchmark: improve WHATWG URL benchmarks (Joyee Cheung) #10678
  • [ecf72d8b54] - benchmark: use "confidence" in output of compare.R (Joyee Cheung) #10737
  • [35334273b9] - benchmark: don't lint autogenerated modules (Brian White) #10756
  • [4f96272f12] - benchmark: fix typo "categoty" -> "category" (Victor Felder) #10568
  • [2f4577c07d] - benchmark: keep decimals in results (Brian White) #10559
  • [372e3eeb4b] - benchmark: improve readability of net benchmarks (Brian White) #10446
  • [d19136da84] - benchmark: move punycode benchmark out of net (Brian White) #10446
  • [be24cc0187] - benchmark: add ClientRequest creation benchmark (Brian White) #10654
  • [1438d00119] - benchmark,lib,test: adjust for linting (Rich Trott) #10561
  • [d13aba8499] - buffer: improve compare() performance (Brian White) #10927
  • [6549bc2a35] - buffer: fix comments in bidirectionalIndexOf (dcposch@dcpos.ch) #10162
  • [a114f63627] - buffer: improve toJSON() performance (Brian White) #10895
  • [9c2f686f7e] - build: don't build deps/zlib if --shared-zlib set (Gibson Fahnestock) #10657
  • [659428fe1d] - build: sort sources alphabetically (Daniel Bevenius) #10892
  • [74f9cc9f0a] - build: move source files from headers section (Daniel Bevenius) #10850
  • [a408ba6454] - build: don't squash signal handlers with --shared (Stewart X Addison) #10539
  • [ddcd1a202f] - child_process: optimize IPC for large data (Yuya Tanaka) #10557
  • [d751afae0f] - cluster: refactor module into multiple files (cjihrig) #10746
  • [6687b95263] - crypto: return the retval of HMAC_Update (Travis Meisenheimer) #10891
  • [5fd0f9ae63] - crypto: freelist_max_len is gone in OpenSSL 1.1.0 (Adam Langley) #10859
  • [4e7a31b3a0] - crypto,tls: fix mutability of return values (Rich Trott) #10795
  • [84a9c158ef] - deps: fix npm files from upgrade to 4.1.2 (João Reis) #11085
  • [78a495e1a4] - eslint: remove dangling eslint symlink (Sam Roberts) #10771
  • [5cca69320f] - events: avoid emit() eager deopt (Victor Felder) #10568
  • [ded17579e5] - events: improve removeListener() performance (Brian White) #10572
  • [d047f8e8f8] - fs: remove unused parameter for encodeRealpathResult (Jackson Tian) #10862
  • [4c0f29723c] - http: use direct parameters instead (Jackson Tian) #10833
  • [c32984361a] - http: make request.abort() destroy the socket (Luigi Pinca) #10818
  • [8ba2cf9c51] - http: define all used properties in constructors (vitkarpov) #9116
  • [75aa6050ab] - http: eliminate capture of ClientRequest in Agent (Evan Torrie) #10134
  • [5059b76cbc] - http: misc ClientRequest cleanup (Brian White) #10654
  • [44c0e4f1ad] - http: avoid duplicate isArray() (Brian White) #10654
  • [e7859c217f] - http: optimize default method case (Brian White) #10654
  • [c9bff043c7] - http: optimize short path validation (Brian White) #10654
  • [c012dd79dc] - https: Use secureProtocol in Agent#getName (Andreas Lind) #9452
  • [9a111e701e] - inspector: no crash when WS server can't start (Eugene Ostroukhov) #10878
  • [2d08bbadd6] - inspector: stop relying on magic strings (Eugene Ostroukhov) #10159
  • [e30e307a70] - inspector: move options parsing (Eugene Ostroukhov) #9691
  • [60f27f91e4] - inspector: remove unused uv_async_t (Eugene Ostroukhov) #10392
  • [a3abba0b1a] - lib: remove unnecessary parameter for assertCrypto() (Jackson Tian) #10834
  • [4de7b03a7d] - lib: refactor bootstrap_node.js regular expression (Rich Trott) #10749
  • [a6c93af244] - lib: refactor crypto cipher/hash/curve getters (Rich Trott) #10682
  • [6e8d627217] - lib,src: support values > 4GB in heap statistics (Ben Noordhuis) #10186
  • [de8eee6b16] - meta: decharter the http working group (James M Snell) #10604
  • [97ff43232b] - querystring: improve unescapeBuffer performance (Brian White) #10837
  • [f4796d5f6e] - querystring: improve stringify() performance (Brian White) #10852
  • [53421b174c] - querystring: improve parse() performance (Brian White) #10874
  • [d64e2371f6] - readline: refactor construct Interface (Jackson Tian) #4740
  • [e7b656db6e] - Revert "repl: disable Ctrl+C support on win32 for now" (Anna Henningsen) #8645
  • [a24264eb18] - src: fix v8 local handling in node_url.cc (Anna Henningsen) #11064
  • [8a6367cb20] - Revert "src: don't overwrite non-writable vm globals" (Anna Henningsen) #10920
  • [cd94642356] - src: add NODE_NO_WARNINGS to --help output (cjihrig) #10918
  • [63f43021b0] - src: remove unused PROTOCOL_JSON array (Ben Noordhuis) #10407
  • [5a976decf7] - src: remove unnecessary req_wrap_obj (Daniel Bevenius) #10942
  • [0c0334f7a4] - src: add a missing space in node_os.cc (Alexey Orlenko) #10931
  • [b89d848b36] - src: enable writev for pipe handles on Unix (Alexey Orlenko) #10677
  • [f0de955220] - src: reduce test_inspector_socket_server output (Daniel Bevenius) #10537
  • [59196af646] - stream: avoid additional validation for Buffers (Brian White) #10580
  • [1555ced404] - test, win: fix up symlink tests (Hitesh Kanwathirtha) #10477
  • [31f8f6f768] - tools, test: require const/let in test (Gibson Fahnestock) #10685
  • [438a98ca95] - url: make URLSearchParams/Iterator match spec (Timothy Gu) #11057
  • [2bfd58adb1] - url: define @@toStringTag as a data property (Timothy Gu) #10906
  • [f1851cb8e4] - url: do not public expose inspect methods on URL (Timothy Gu) #10906
  • [b48b80f630] - url: stop exporting originFor() (Timothy Gu) #10955
  • [c0c1a4c029] - url: refactor lib/internal/url.js (Rich Trott) #10912
  • [95faa55ab9] - url: check forEach callback is a function (Timothy Gu) #10905
  • [3642f35d09] - url: add return value to ToUnicode/ToAscii stubs (Birunthan Mohanathas) #10893
  • [021338dc6d] - url: export URLSearchParams (Timothy Gu)
  • [5d33c96679] - url: improving URLSearchParams (Timothy Gu) #10399
  • [824978e337] - url: do not decode arbitrary %2e sequences in paths (James M Snell) #10602
  • [e46bdcf2bb] - url: change null password handling (James M Snell) #10601
  • [2b01138451] - url: TupleOrigin#toString use unicode by default (Joyee Cheung) #10552
  • [9f6d1f6fc2] - util: improve readability of normalizeEncoding (Joyee Cheung) #10439
  • [d628f3a227] - util: avoid out-of-bounds arguments index access (Teddy Katz) #10569
  • [2641cd496d] - vm: improve performance of vm.runIn*() (Rich Trott) #10816

Notable Changes

  • crypto:
    • The cert store is now selectable at runtime. (Adam Majer) #8334
    • The ability to use system Certificate Authorities has been added. (Adam Majer) #8334
  • doc: Added basic documentation for the WHATWG URL API. (James M Snell) #10620
  • process: Added a NODE_NO_WARNINGS environment variable. (cjihrig) #10842
  • url: The new URL objects now work with http.request and https.request. (James M Snell) #10638

Git Diffstats

(Showing the delta between v7.4.0 and v7.5.0, ignoring deps/npm.)

Without deps, tools, docs, benchmarks, or tests:

 .eslintignore                              |   1 +
 .eslintrc                                  | 149 ------
 .eslintrc.yaml                             | 156 ++++++
 Makefile                                   |  10 +-
 configure                                  |   7 +
 lib/.eslintrc                              |   5 -
 lib/.eslintrc.yaml                         |   5 +
 lib/_http_agent.js                         |  56 +-
 lib/_http_client.js                        | 125 +++--
 lib/_http_common.js                        |   2 -
 lib/_http_outgoing.js                      |  28 +-
 lib/_http_server.js                        |   1 +
 lib/_stream_writable.js                    |  37 +-
 lib/_tls_common.js                         |   4 +-
 lib/_tls_legacy.js                         |   2 +-
 lib/_tls_wrap.js                           |   2 +-
 lib/assert.js                              |  77 +--
 lib/buffer.js                              |  59 +-
 lib/cluster.js                             | 771 +--------------------------
 lib/crypto.js                              |  20 +-
 lib/events.js                              |   5 +-
 lib/fs.js                                  |   4 +-
 lib/https.js                               |   9 +-
 lib/internal/bootstrap_node.js             |   4 +-
 lib/internal/child_process.js              |  29 +-
 lib/internal/cluster.js                    |   4 -
 lib/internal/cluster/child.js              | 224 ++++++++
 lib/internal/cluster/master.js             | 367 +++++++++++++
 lib/internal/cluster/round_robin_handle.js | 115 ++++
 lib/internal/cluster/shared_handle.js      |  48 ++
 lib/internal/cluster/utils.js              |  44 ++
 lib/internal/cluster/worker.js             |  63 +++
 lib/internal/module.js                     |  10 +-
 lib/internal/process/warning.js            |   2 +-
 lib/internal/url.js                        | 358 +++++++++----
 lib/internal/util.js                       |  28 +-
 lib/net.js                                 |   5 +-
 lib/os.js                                  |   5 +-
 lib/querystring.js                         | 207 ++++---
 lib/readline.js                            |  15 +-
 lib/repl.js                                |  49 +-
 lib/tls.js                                 |   8 +-
 lib/url.js                                 |   2 +-
 lib/util.js                                |  23 +-
 lib/v8.js                                  |   4 +-
 lib/vm.js                                  |  26 +-
 node.gyp                                   |  27 +-
 src/connection_wrap.cc                     |   3 +-
 src/debug-agent.cc                         |  16 +-
 src/debug-agent.h                          |   6 +-
 src/env-inl.h                              |  21 +-
 src/env.h                                  |  12 +-
 src/inspector_agent.cc                     | 153 +++---
 src/inspector_agent.h                      |   5 +-
 src/inspector_socket_server.cc             |  74 ++-
 src/inspector_socket_server.h              |  12 +-
 src/node.cc                                | 226 +++-----
 src/node.h                                 |   5 +-
 src/node_contextify.cc                     |  23 +-
 src/node_crypto.cc                         |  26 +-
 src/node_debug_options.cc                  | 144 +++++
 src/node_debug_options.h                   |  51 ++
 src/node_os.cc                             |   2 +-
 src/node_url.cc                            |  77 ++-
 src/node_v8.cc                             |  12 +-
 src/node_version.h                         |   2 +-
 src/pipe_wrap.cc                           |   4 +
 67 files changed, 2333 insertions(+), 1743 deletions(-)

Tools only:

 tools/test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Deps only:

   0.5% deps/openssl/asm/
   7.2% deps/openssl/openssl/apps/
   0.6% deps/openssl/openssl/crypto/aes/asm/
   0.6% deps/openssl/openssl/crypto/bn/asm/
   0.5% deps/openssl/openssl/crypto/bn/
   1.4% deps/openssl/openssl/crypto/ec/
   4.2% deps/openssl/openssl/crypto/evp/
   0.5% deps/openssl/openssl/crypto/perlasm/
   0.5% deps/openssl/openssl/crypto/rsa/
   7.8% deps/openssl/openssl/crypto/ui/
   1.6% deps/openssl/openssl/crypto/
   0.6% deps/openssl/openssl/doc/apps/
   1.2% deps/openssl/openssl/doc/crypto/
   5.5% deps/openssl/openssl/doc/ssl/
   0.7% deps/openssl/openssl/include/openssl/
  21.8% deps/openssl/openssl/ssl/
   0.9% deps/openssl/openssl/util/
  21.4% deps/openssl/openssl/
   1.8% deps/uv/src/unix/
   5.6% deps/uv/src/win/
   4.8% deps/uv/test/
   1.6% deps/uv/
   1.0% deps/v8/src/
   2.9% deps/v8/test/intl/general/
   2.9% deps/v8/test/mjsunit/regress/
   0.5% deps/v8/test/mjsunit/
 139 files changed, 1293 insertions(+), 720 deletions(-)

Docs only:

 AUTHORS                                       |   2 +-
 BUILDING.md                                   |  11 +-
 CHANGELOG.md                                  |   3 +-
 COLLABORATOR_GUIDE.md                         |  18 +-
 CONTRIBUTING.md                               |  11 +-
 README.md                                     |  15 +-
 WORKING_GROUPS.md                             |  16 -
 benchmark/README.md                           |   8 +-
 doc/api/buffer.md                             |  83 +++-
 doc/api/child_process.md                      |  50 +--
 doc/api/cli.md                                |  61 ++-
 doc/api/console.md                            |   2 +-
 doc/api/crypto.md                             | 103 ++---
 doc/api/debugger.md                           |   2 +-
 doc/api/dgram.md                              |  40 +-
 doc/api/dns.md                                |   2 +-
 doc/api/domain.md                             |   2 +-
 doc/api/fs.md                                 |   3 +-
 doc/api/globals.md                            |  10 +-
 doc/api/http.md                               | 116 +++---
 doc/api/modules.md                            |   2 +-
 doc/api/os.md                                 |   5 +
 doc/api/process.md                            |   8 +-
 doc/api/repl.md                               |   9 +
 doc/api/stream.md                             |  47 ++-
 doc/api/tls.md                                |  48 ++-
 doc/api/url.md                                | 458 ++++++++++++++++++++++
 doc/api/vm.md                                 |   6 +-
 doc/api/zlib.md                               |  17 +-
 doc/api_assets/dnt_helper.js                  |  49 +++
 doc/changelogs/CHANGELOG_V7.md                | 324 +++++++++++++++-
 doc/guides/maintaining-V8.md                  |   4 +-
 doc/guides/timers-in-node.md                  | 192 ----------
 doc/guides/writing-tests.md                   |  97 +++--
 doc/node.1                                    |  61 ++-
 doc/onboarding-extras.md                      |   5 +-
 doc/onboarding.md                             |   4 +
 doc/template.html                             |   1 +
 doc/topics/blocking-vs-non-blocking.md        | 143 -------
 doc/topics/domain-postmortem.md               | 301 ---------------
 doc/topics/domain-resource-cleanup-example.js | 136 -------
 doc/topics/event-loop-timers-and-nexttick.md  | 486 ------------------------
 42 files changed, 1394 insertions(+), 1567 deletions(-)

Tests & Benchmarks only:

   0.2% benchmark/buffers/
   0.7% benchmark/misc/
   0.2% benchmark/net/
   0.2% benchmark/querystring/
   0.6% benchmark/timers/
   1.6% benchmark/url/
   0.2% benchmark/util/
   0.1% benchmark/vm/
   1.3% benchmark/
   0.1% test/addons/repl-domain-abort/
   0.1% test/addons/stringbytes-external-exceed-max/
   0.1% test/addons/
   0.2% test/cctest/
   0.3% test/debugger/
   0.5% test/disabled/
   0.1% test/doctool/
   1.1% test/fixtures/
   0.3% test/gc/node_modules/weak/build/
   0.2% test/gc/
   2.1% test/internet/
   0.1% test/known_issues/
   0.1% test/message/
  79.3% test/parallel/
   6.3% test/pummel/
   2.4% test/sequential/
   0.4% test/
 1098 files changed, 12080 insertions(+), 9284 deletions(-)

Most active commit

Of the 289 commits, a3b3b35 was the most active:
(Excluding docs, npm, eslint, and tests.)

commit a3b3b35c5302f8618cc745f53fb297bb15c32012
Author: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date:   Fri Jan 27 00:48:11 2017 +0900

    deps: copy all openssl header files to include dir

    All symlink files in `deps/openssl/openssl/include/openssl/`
    are removed and replaced with real header files to avoid
    issues on Windows. Two files of opensslconf.h in crypto and
    include dir are replaced to refer config/opensslconf.h.

    PR-URL: https://github.com/nodejs/node/pull/11021
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

  99.5% deps/openssl/openssl/include/openssl/
 76 files changed, 38406 insertions(+), 265 deletions(-)

This is a security release in addition to being a regular and routine release for a Node.js Current release line.

Do note that while we assess the security issues as being low-impact to Node.js, we still suggest you upgrade so as to avoid anything unforeseen.