The Nodesource Blog

#shoptalk Subscribe

Node.js v6.2.1 Release Brief

This week’s Current release fixes some critical issues in v6, as well as coming with the usual assortment of minor fixes.
Of note, an OS X stdio issue from v6.0.0 has been resolved, and a possible Buffer security concern has been addressed.

As with all releases within major version lines, minor and patch upgrades should be drop-in replacements for previous versions.

Overview

Of a total of 134 commits:

  • 55 were documentation-only commits.
  • 29 only modify tests and 4 only affect internal tooling.
  • 2 dependencies were updated:

The remaining significant commits are as follows:

  • [99c05a1af0] - async_wrap: pass uid to JS as double (Trevor Norris) #7096
  • [371be9cd80] - buffer: ignore negative allocation lengths (Anna Henningsen) #7051
  • [1bcc226edf] - buffer: fix dataview-set benchmark (Ingvar Stepanyan) #6922
  • [98270c6d15] - buffer: fix single digit hex string handling (Justin Sprigg) #6775
  • [1fece2f8c0] - build: re-add --ninja option to configure (Ehsan Akhgari) #6780
  • [e7b03be191] - build: update build-addons when node-gyp changes (Lance Ball) #6787
  • [55c0b3e0e5] - build: unbreak configure with python 2.6 (Ben Noordhuis) #6874
  • [0503681348] - child_process: measure buffer length in bytes (Rich Trott) #6764
  • [27d0eb054c] - child_process: emit IPC messages on next tick (cjihrig) #6909
  • [b28468e0a7] - child_process: allow buffer encoding in spawnSync() (cjihrig) #6939
  • [6a62bb0070] - cluster: expose result of send() (cjihrig) #6998
  • [2132d349b5] - cluster: rewrite debug ports consistently (cjihrig) #7050
  • [0bd8f4c4d8] - cluster: reset handle index on close (Santiago Gimeno) #6981
  • [93e150f1d6] - cluster: guard against undefined message handlers (cjihrig) #6902
  • [28b73428e1] - cluster: close ownerless handles on disconnect() (cjihrig) #6909
  • [2184e772d2] - debugger: propagate --debug-port= to debuggee (Ben Noordhuis) #3470
  • [8e6f8b2fb5] - dgram: copy the list in send (Matteo Collina) #6804
  • [588c76cd5c] - dgram,test: add addMembership/dropMembership tests (Rich Trott) #6753
  • [c4329aa226] - fs: move mkdtemp*() functions near static functions (Sakthipriyan Vairamani) #6828
  • [c068880757] - fs: mkdtemp shouldn't crash if no callback passed (Sakthipriyan Vairamani) #6828
  • [2ab36093e6] - http: use localAddress instead of path (Dirceu Pereira Tiegs) #5190
  • [6f0d8b3a1b] - installer: don't install node_internals.h (Ben Noordhuis) #6913
  • [178f3080f8] - module: don't cache uninitialized builtins (Anna Henningsen) #6907
  • [1908b7f00a] - path: fix basename() regressions (Brian White) #6590
  • [10671406ac] - process: internal/process/stdio.js cleanup / modernization (James M Snell) #6766
  • [64445674f0] - src: add include guards to internal headers (Ben Noordhuis) #6948
  • [4333fda46d] - src: no abort from getter if object isn't wrapped (Trevor Norris) #6184
  • [4da3e1e461] - src: always clear wrap before persistent Reset() (Trevor Norris) #6184
  • [7e5775704e] - src: inherit first from AsyncWrap (Trevor Norris) #6184
  • [0841496992] - src: fix --without-intl build (Anna Henningsen) #6820
  • [0d08fc415f] - stream_base: always use Base template class (Trevor Norris) #6184
  • [756ec80d50] - string_bytes: Make base64 encode/decode reusable (Eugene Ostroukhov) #6910
  • [79ad172589] - string_decoder: rewrite implementation (Brian White) #6777
  • [21e31352d7] - tls: catch certCbDone exceptions (Fedor Indutny) #6887
  • [257e54b9c0] - tls,https: respect address family when connecting (Ben Noordhuis) #6654
  • [5779ed2a4a] - tls_wrap: do not abort on new TLSWrap() (Trevor Norris) #6184
  • [4d3a7594a5] - tty: use blocking mode on OS X (Jeremiah Senkpiel) #6895
  • [36ed4a2d7a] - udp: use libuv API to get file descriptor (Saúl Ibarra Corretgé) #6908
  • [f3e3eebec8] - unix,stream: fix getting the correct fd for a handle (Saúl Ibarra Corretgé) #6753
  • [d270706881] - util: pretty-print SIMD types (Ben Noordhuis) #6917
  • [55b736a63b] - vm: don't abort process when stack space runs out (Anna Henningsen) #6907
  • [cb2ef35b76] - win,build: add creation of zip and 7z package (Bartosz Sosnowski) #5995
  • [1e26b82ce4] - zlib: release callback and buffer after processing (Matt Lavin) #6955
  • [64415564de] - zlib: remove _closed in source (Anna Henningsen) #6574

Notable Changes

  • buffer: Ignore negative lengths in calls to Buffer() and Buffer.allocUnsafe(). This fixes a possible security concern (reported by Feross Aboukhadijeh) where user input is passed unchecked to the Buffer constructor or allocUnsafe() as it can expose parts of the memory slab used by other Buffers in the application. Note that negative lengths are not supported by the Buffer API and user input to the constructor should always be sanitised and type-checked. (Anna Henningsen) #7051
  • npm: Upgrade npm to 3.9.3 (Kat Marchán) #7030
    • npm/npm@42d71be npm/npm#12685 When using npm ls <pkg> without a semver specifier, npm ls would skip any packages in your tree that matched by name, but had a prerelease version in their package.json. (@zkat)
    • npm/npm@f04e05 npm/npm#10013 read-package-tree@5.1.4: Fixes an issue where npm install would fail if your node_modules was symlinked. (@iarna)
    • b894413 #12372 Changing a nested dependency in an npm-shrinkwrap.json and then running npm install would not get up the updated package. This corrects that. (@misterbyrne)
    • This release includes npm@3.9.0, which is the result of our Windows testing push -- the test suite (should) pass on Windows now. We're working on getting AppVeyor to a place where we can just rely on it like Travis.
  • tty: Default to blocking mode for stdio on OS X. A bug fix in libuv 1.9.0, introduced in Node.js v6.0.0, exposed problems with Node's use of non-blocking stdio, particularly on OS X which has a small output buffer. This change should fix CLI applications that have been having problems with output since Node.js v6.0.0 on OS X. The core team is continuing to address stdio concerns that exist across supported platforms and progress can be tracked at #6980. (Jeremiah Senkpiel) #6895
  • V8: Upgrade to V8 5.0.71.52. This includes a fix that addresses problems experienced by users of node-inspector since Node.js v6.0.0, see https://github.com/node-inspector/node-inspector/issues/864 for details. (Michaël Zasso) #6928

Git Diffstats

(Showing the delta between v6.2.0 and v6.2.1, ignoring deps/npm.)

Without deps, docs, benchmarks, or tests:

 .eslintrc                         |   1 +
 Makefile                          |  20 +-
 configure                         |  29 ++-
 lib/_debugger.js                  |   4 +-
 lib/_http_agent.js                |   9 +-
 lib/_tls_wrap.js                  |   7 +-
 lib/buffer.js                     |  10 +-
 lib/child_process.js              |  73 ++++---
 lib/cluster.js                    |  50 +++--
 lib/dgram.js                      |  40 ++--
 lib/fs.js                         |  79 ++++----
 lib/internal/bootstrap_node.js    |  23 ++-
 lib/internal/child_process.js     |   4 +-
 lib/internal/process/stdio.js     |  56 ++++--
 lib/path.js                       |  12 +-
 lib/string_decoder.js             | 376 ++++++++++++++++++------------------
 lib/tty.js                        |   7 +
 lib/util.js                       |  54 ++++++
 lib/zlib.js                       |  40 ++--
 node.gyp                          |   1 +
 src/async-wrap-inl.h              |  10 +-
 src/async-wrap.cc                 |   3 +-
 src/async-wrap.h                  |   3 +
 src/base-object-inl.h             |   8 +
 src/base-object.h                 |   4 +
 src/base64.h                      | 194 +++++++++++++++++++
 src/cares_wrap.cc                 |   2 +
 src/debug-agent.h                 |   4 +
 src/env-inl.h                     |   4 +
 src/env.h                         |   4 +
 src/fs_event_wrap.cc              |   6 +-
 src/handle_wrap.cc                |  14 +-
 src/handle_wrap.h                 |   3 +
 src/js_stream.cc                  |  27 ++-
 src/js_stream.h                   |   6 +-
 src/node.cc                       |   4 +-
 src/node_config.cc                |   2 +-
 src/node_constants.h              |   4 +
 src/node_contextify.cc            |  37 ++--
 src/node_counters.h               |   4 +
 src/node_crypto.cc                | 278 +++++++++++++++++---------
 src/node_crypto.h                 |  10 +-
 src/node_crypto_bio.h             |   4 +
 src/node_crypto_clienthello-inl.h |   4 +
 src/node_crypto_clienthello.h     |   4 +
 src/node_crypto_groups.h          |   4 +
 src/node_dtrace.h                 |   4 +
 src/node_file.h                   |   4 +
 src/node_http_parser.cc           |  24 ++-
 src/node_http_parser.h            |   4 +
 src/node_i18n.h                   |   4 +
 src/node_internals.h              |   6 +
 src/node_javascript.h             |   4 +
 src/node_lttng.h                  |   4 +
 src/node_lttng_provider.h         |   4 +
 src/node_lttng_tp.h               |   4 +
 src/node_revert.h                 |   4 +
 src/node_root_certs.h             |   3 +
 src/node_stat_watcher.cc          |   6 +-
 src/node_stat_watcher.h           |   5 +
 src/node_version.h                |   2 +-
 src/node_watchdog.h               |   4 +
 src/node_win32_etw_provider-inl.h |   4 +
 src/node_win32_etw_provider.h     |   4 +
 src/node_win32_perfctr_provider.h |   4 +
 src/node_wrap.h                   |   6 +
 src/node_zlib.cc                  |  15 +-
 src/pipe_wrap.cc                  |  18 +-
 src/pipe_wrap.h                   |   3 +
 src/process_wrap.cc               |   7 +-
 src/req-wrap-inl.h                |   5 +
 src/req-wrap.h                    |   4 +
 src/signal_wrap.cc                |   6 +-
 src/spawn_sync.h                  |   4 +
 src/stream_base-inl.h             |  30 ++-
 src/stream_base.cc                |   3 +-
 src/stream_base.h                 |   4 +
 src/stream_wrap.cc                |   8 +-
 src/stream_wrap.h                 |   3 +
 src/string_bytes.cc               | 180 +----------------
 src/string_bytes.h                |   4 +
 src/string_search.h               |   4 +
 src/tcp_wrap.cc                   |  46 ++++-
 src/tcp_wrap.h                    |   3 +
 src/tls_wrap.cc                   |  33 +++-
 src/tls_wrap.h                    |   4 +
 src/tty_wrap.cc                   |  10 +-
 src/tty_wrap.h                    |   4 +
 src/udp_wrap.cc                   |  35 +++-
 src/udp_wrap.h                    |   4 +
 src/util-inl.h                    |   4 +
 src/util.h                        |  24 +++
 tools/install.py                  |   1 -
 tools/test.py                     |  84 ++++++--
 vcbuild.bat                       |  59 +++++-
 95 files changed, 1498 insertions(+), 757 deletions(-)

Deps only:

 deps/v8/include/v8-version.h                      |  2 +-
 deps/v8/src/compiler/js-create-lowering.cc        | 30 ++++++++------------
 deps/v8/src/compiler/js-create-lowering.h         |  1 -
 deps/v8/src/crankshaft/arm/lithium-codegen-arm.cc |  7 +++--
 .../src/crankshaft/arm64/lithium-codegen-arm64.cc |  7 +++--
 .../src/crankshaft/ia32/lithium-codegen-ia32.cc   |  7 +++--
 .../src/crankshaft/mips/lithium-codegen-mips.cc   |  5 ++--
 .../crankshaft/mips64/lithium-codegen-mips64.cc   |  5 ++--
 deps/v8/src/crankshaft/ppc/lithium-codegen-ppc.cc |  7 +++--
 deps/v8/src/crankshaft/x64/lithium-codegen-x64.cc |  7 +++--
 deps/v8/src/crankshaft/x87/lithium-codegen-x87.cc |  7 +++--
 deps/v8/src/full-codegen/arm/full-codegen-arm.cc  |  7 +++--
 .../src/full-codegen/arm64/full-codegen-arm64.cc  |  5 ++--
 .../v8/src/full-codegen/ia32/full-codegen-ia32.cc |  7 +++--
 .../v8/src/full-codegen/mips/full-codegen-mips.cc |  5 ++--
 .../full-codegen/mips64/full-codegen-mips64.cc    |  5 ++--
 deps/v8/src/full-codegen/ppc/full-codegen-ppc.cc  |  7 +++--
 deps/v8/src/full-codegen/x64/full-codegen-x64.cc  |  7 +++--
 deps/v8/src/full-codegen/x87/full-codegen-x87.cc  |  7 +++--
 deps/v8/src/objects.cc                            | 31 +++++++++++++++++----
 deps/v8/src/objects.h                             |  5 +++-
 deps/v8/src/parsing/parser.cc                     |  6 +++-
 deps/v8/src/runtime/runtime-function.cc           | 15 ++++++++--
 deps/v8/test/cctest/test-api.cc                   | 13 +++++++++
 .../v8/test/mjsunit/es6/regress/regress-594084.js | 10 +++++++
 deps/v8/test/mjsunit/mirror-function.js           |  1 +
 deps/v8/test/mjsunit/regress/regress-5010.js      |  9 ++++++
 .../test/mjsunit/regress/regress-crbug-610228.js  | 11 ++++++++
 28 files changed, 162 insertions(+), 74 deletions(-)

Docs only:

 .github/ISSUE_TEMPLATE.md                        |    7 +-
 .github/PULL_REQUEST_TEMPLATE.md                 |    8 +-
 CHANGELOG.md                                     |   95 +-
 CODE_OF_CONDUCT.md                               |    2 +-
 CONTRIBUTING.md                                  |    5 +-
 README.md                                        |    8 +-
 WORKING_GROUPS.md                                |   33 +-
 doc/api/buffer.md                                |    2 +-
 doc/api/child_process.md                         |   80 +-
 doc/api/cli.md                                   |   83 +-
 doc/api/console.md                               |   33 +-
 doc/api/crypto.md                                |    6 +-
 doc/api/debugger.md                              |   17 +-
 doc/api/dgram.md                                 |    6 +
 doc/api/dns.md                                   |   28 +
 doc/api/errors.md                                |    2 +-
 doc/api/fs.md                                    |  314 ++++-
 doc/api/globals.md                               |    5 +
 doc/api/https.md                                 |    4 +-
 doc/api/net.md                                   |   16 +-
 doc/api/process.md                               |   39 +-
 doc/api/punycode.md                              |   26 +-
 doc/api/string_decoder.md                        |   56 +-
 doc/api/tls.md                                   | 1197 +++++++++++---------
 doc/api/tty.md                                   |  106 +-
 doc/api/url.md                                   |  273 +++--
 doc/api/util.md                                  |  472 ++++----
 doc/api/v8.md                                    |   44 +-
 doc/api/vm.md                                    |  439 ++++---
 doc/api/zlib.md                                  |  102 ++
 doc/api_assets/style.css                         |   13 +
 doc/changelogs/CHANGELOG_ARCHIVE.md              |    4 +-
 doc/changelogs/CHANGELOG_IOJS.md                 |    2 +-
 doc/changelogs/CHANGELOG_V6.md                   |  152 +++
 doc/guides/building-node-with-ninja.md           |   13 +-
 doc/guides/writing_tests.md                      |  186 +++
 doc/onboarding.md                                |   33 +-
 doc/topics/domain-postmortem.md                  |    4 +-
 doc/topics/the-event-loop-timers-and-nexttick.md |   18 +-
 39 files changed, 2729 insertions(+), 1204 deletions(-)

Tests & Benchmarks only:

   0.0% benchmark/buffers/
   0.4% benchmark/child_process/
   0.8% benchmark/string_decoder/
   0.0% test/addons/buffer-free-callback/
   0.0% test/addons/load-long-path/
   0.0% test/addons/make-callback-recurse/
   0.0% test/addons/make-callback/
   0.0% test/addons/null-buffer-neuter/
   0.5% test/debugger/
   0.4% test/doctool/
   0.0% test/fixtures/clustered-server/
   1.9% test/gc/node_modules/bindings/
   4.4% test/gc/node_modules/nan/tools/
  59.3% test/gc/node_modules/nan/
  12.7% test/gc/node_modules/weak/build/
   0.7% test/gc/node_modules/weak/lib/
   4.1% test/gc/node_modules/weak/src/
   1.1% test/gc/node_modules/weak/
   0.3% test/gc/
   0.2% test/internet/
   0.1% test/known_issues/
   0.1% test/message/
   9.1% test/parallel/
   2.7% test/pseudo-tty/
   0.1% test/
 111 files changed, 10196 insertions(+), 489 deletions(-)

Most active commit

Of the 134 commits, 4333fda was the most active:
(Excluding docs, npm, eslint, and tests.)

commit 4333fda46d1feaab4afb75f31349f21c0c62fc40
Author: Trevor Norris <trev.norris@gmail.com>
Date:   Wed Apr 13 13:16:42 2016 -0600

    src: no abort from getter if object isn't wrapped

    v8::Object::GetAlignedPointerFromInternalField() returns a random value
    if Wrap() hasn't been run on the object handle. Causing v8 to abort if
    certain getters are accessed. It's possible to access these getters and
    functions during class construction through the AsyncWrap init()
    callback, and also possible in a subset of those scenarios while running
    the persistent handle visitor.

    Mitigate this issue by manually setting the internal aligned pointer
    field to nullptr in the BaseObject constructor and add necessary logic
    to return appropriate values when nullptr is encountered.

    PR-URL: https://github.com/nodejs/node/pull/6184
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>

 src/base-object-inl.h                      |   4 +
 src/fs_event_wrap.cc                       |   6 +-
 src/handle_wrap.cc                         |  12 +-
 src/js_stream.cc                           |  23 ++-
 src/node_contextify.cc                     |  23 +--
 src/node_crypto.cc                         | 276 ++++++++++++++++++---------
 src/node_http_parser.cc                    |  24 ++-
 src/node_internals.h                       |   2 +
 src/node_stat_watcher.cc                   |   6 +-
 src/node_wrap.h                            |   2 +
 src/node_zlib.cc                           |  15 +-
 src/pipe_wrap.cc                           |  18 +-
 src/process_wrap.cc                        |   7 +-
 src/signal_wrap.cc                         |   6 +-
 src/stream_base-inl.h                      |  16 +-
 src/stream_base.cc                         |   3 +-
 src/stream_wrap.cc                         |   6 +-
 src/tcp_wrap.cc                            |  46 ++++-
 src/tls_wrap.cc                            |  28 ++-
 src/tty_wrap.cc                            |  10 +-
 src/udp_wrap.cc                            |  29 ++-
 src/util.h                                 |  20 ++
 test/parallel/test-stream-base-no-abort.js |  58 ++++++
 23 files changed, 462 insertions(+), 178 deletions(-)

This is a regular and routine release for a Node.js Current release line. We will be sure to let you know when a release contains a critical update and a recommendation to upgrade. Of course, we'd love you to upgrade, but this release is not critical unless you are experiencing one of the issues identified and fixed above.