Node.js v6.9.0 Release Brief

by:

in Community on Oct 19 2016

Closely tracking the Long Term Support Schedule, 6.9.0 has been released this week as LTS. This means the 6.x release line has moved into LTS-mode and semver-minor version number increments, the y in x.y.z - indicating the addition of new features, will become less frequent. These are v6 releases and as such should be a drop-in replacements for previous v6.x releases. Recompiling native add-ons should not be necessary.

In-line with the LTS plan, Node.js collaborators chose “Boron” as the codename for v6 LTS from the Periodic Table of Elements, in alphabetical order by the first letter. The process.release.lts property in this release contains the string ”Boron” for easily checking if a running node process is running on an LTS version. This property will be undefined in regular Current releases.

Additionally, v6.9.0 is also a security update as detailed in the October 2016 Security Releases blog on the Node.js website.

Overview

Of a total of 8 commits:

No documentation, tooling, or test-specific commits were included.
One patch was backported from V8 upstream:
- [0e14baf712 as c947d448da] - (Rod Vagg) nodejs/node-private#80

1 commit was tagged as semver-minor, adding new functionality and justifying the jump to v6.9.0:

[455272ad33] - (SEMVER-MINOR) src: add process.release.lts property (Rod Vagg) #3212

The remaining significant commits are as follows:

[99e4eee8ef] - build: do not define ZLIB_CONST (Bradley T. Hughes) #9122
[cae9eb35f0] - crypto: fix openssl.cnf FIPS handling & testing (Rod Vagg) nodejs/node-private#82
[647afe9d9a] - inspector: generate UUID for debug targets (Eugene Ostroukhov) nodejs/node-private#79
[1ea0358a91] - node: --openssl-config cli argument (Fedor Indutny) nodejs/node-private#78
[9ace073949] - win,build: try multiple timeservers when signing (Rod Vagg) #9155

Notable Changes

crypto: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a configuration file load attempt may allow an attacker to load compromised OpenSSL configuration into a Node.js process if they are able to place a file in a default location. (Fedor Indutny, Rod Vagg)
node: Introduce the process.release.lts property, set to "Boron". This value is "Argon" for v4 LTS releases and undefined for all other releases. (Rod Vagg)
V8: Backport fix for CVE-2016-5172, an arbitrary memory read. The parser in V8 mishandled scopes, potentially allowing an attacker to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. This vulnerability would require an attacker to be able to execute arbitrary JavaScript code in a Node.js process. (Rod Vagg)
v8_inspector: Generate a UUID for each execution of the inspector. This provides additional security to prevent unauthorized clients from connecting to the Node.js process via the v8_inspector port when running with --inspect. Since the debugging protocol allows extensive access to the internals of a running process, and the execution of arbitrary code, it is important to limit connections to authorized tools only. Vulnerability originally reported by Jann Horn. (Eugene Ostroukhov)

Git Diffstats

(Showing the delta between v6.8.1 and v6.9.0, ignoring deps/npm.)

Without deps, tools, docs, benchmarks, or tests:

 node.gyp               |   2 -
 src/inspector_agent.cc | 131 +++++++++++++++++++++++++----------------------
 src/node.cc            |  16 +++++-
 src/node_crypto.cc     |  25 ++++++++-
 src/node_internals.h   |   4 ++
 src/node_version.h     |   7 ++-
 vcbuild.bat            |   4 +-
 7 files changed, 119 insertions(+), 70 deletions(-)

Tools only:

 tools/sign.bat | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

Deps only:

 .../src/parsing/parameter-initializer-rewriter.cc |  4 ++++
 deps/v8/src/parsing/parser.cc                     |  6 ++++++
 deps/v8/src/parsing/pattern-rewriter.cc           | 22 ++++++++++++++++++++-
 deps/v8/test/mjsunit/regress/regress-616386.js    | 10 ++++++++++
 deps/zlib/zlib.gyp                                |  4 ----
 5 files changed, 41 insertions(+), 5 deletions(-)

Docs only:

 doc/api/cli.md                 | 10 ++++++++++
 doc/api/process.md             |  6 ++++++
 doc/changelogs/CHANGELOG_V6.md | 36 ++++++++++++++++++++++++++++++++----
 doc/node.1                     |  6 ++++++
 4 files changed, 54 insertions(+), 4 deletions(-)

Tests & Benchmarks only:

 test/inspector/inspector-helper.js    | 65 ++++++++++++++++++---------------
 test/inspector/test-inspector.js      |  5 ++-
 test/parallel/test-crypto-fips.js     | 35 ++++++++++++++----
 test/parallel/test-process-release.js | 16 ++++++++
 4 files changed, 83 insertions(+), 38 deletions(-)

Most active commit

Of the 8 commits, 647afe9 was the most active: (Excluding docs, npm, eslint, and tests.)

commit 647afe9d9a96b21eadc01759edc17e4e2872971b
Author: Eugene Ostroukhov <eostroukhov@chromium.org>
Date:   Fri Sep 30 17:40:44 2016 -0700

    inspector: generate UUID for debug targets
    
    PR-URL: https://github.com/nodejs/node-private/pull/79
    Fixes: https://github.com/nodejs/security/issues/81
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

 src/inspector_agent.cc             | 129 +++++++++++++++++++----------------
 test/inspector/inspector-helper.js |  65 ++++++++++--------
 test/inspector/test-inspector.js   |   5 +-
 3 files changed, 109 insertions(+), 90 deletions(-)

This is a routine semver-minor release for a Node.js release line transitioning into LTS. However, this release also contains security updates for the v6 release line. As such, it is recommended that existing users of Node.js v6.x upgrade as soon as possible to v6.9.0 LTS.

The NodeSource Blog