Node.js v4.1.1 Release Summary and Stats
Only 5 days passed between 4.1.0 and the newest Node.js release, 4.1.1. This update addresses a minor potential security vulnerability in 4.1.0, and also brings in some other assorted fixes. This is a v4 release and as such should be a drop-in replacement for v4.0.0 or v4.1.0. Rebuilding add-ons should not be necessary.
Code Change Stats
Of a total of 27 commits:
- 4 were documentation-only commits.
- 6 only modify tests and 1 only affects development tooling.
- 4 of the commits consist of 1 dependency update + floating patches:
The remaining significant commits are as follows:
- [
d63e02e08d] - buffer: don't set zero fill for zero-length buffer (Trevor Norris) #2931 - [
5905b14bff] - build: fix icutrim when building small-icu on BE (Stewart Addison) #2602 - [
f010cb5d96] - configure: detect mipsel host (Jérémy Lal) #2971 - [
f68fed2e6f] - http: remove redundant code in deferToConnect (Malcolm Ahoy) #2769 - [
f542e74c93] - http: guard against response splitting in trailers (Ben Noordhuis) #2945 - [
1860e0cebd] - lib,src: remove usage of events.EventEmitter (Sakthipriyan Vairamani) #2921 - [
d4cd5ac407] - readline: fix tab completion bug (Matt Harrison) #2816 - [
9760e04839] - repl: don't use tty control codes when $TERM is set to "dumb" (Salman Aljammaz) #2712 - [
cb971cc97d] - repl: backslash bug fix (Sakthipriyan Vairamani) #2968 - [
2034f68668] - src: honor --abort_on_uncaught_exception flag (Evan Lucas) #2776 - [
0b1ca4a9ef] - src: Add ABORT macro (Evan Lucas) #2776
Notable Changes (extended)
buffer: Fixed a bug introduced in v4.1.0 where allocating a new zero-length buffer can result in the _next allocation of a TypedArray or ArrayBuffer not being zero-filled. (Trevor Norris) #2931.
- In certain circumstances this could result in data leakage via reuse of memory space in TypedArrays, breaking the normally safe assumption that TypedArrays should be always zero-filled.
http: Guard against response-splitting of HTTP trailing headers added via
response.addTrailers()by removing new-line ([\r\n]) characters from values. (Ben Noordhuis) #2945.- Note that standard header values are already stripped of new-line characters.
- The expected security impact is low because trailing headers are rarely used.
npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full details (Kat Marchán) #2958
- Upgrades
graceful-fson multiple dependencies to no longer rely on monkey-patchingfs. - Fix
npm linkfor pre-release / RC builds of Node.
- Upgrades
v8: Update post-mortem metadata to allow post-mortem debugging tools to find and inspect:
Git Diffstats
(Showing the delta between v4.1.0 and v4.1.1, ignoring deps/npm.)
Without deps, docs, or tests:
configure | 1 +
lib/_http_agent.js | 2 +-
lib/_http_client.js | 24 ++++++++-------
lib/_http_outgoing.js | 15 ++++++----
lib/_http_server.js | 5 ++--
lib/_stream_readable.js | 2 +-
lib/_tls_legacy.js | 6 ++--
lib/buffer.js | 19 ++++++++----
lib/cluster.js | 2 +-
lib/dgram.js | 6 ++--
lib/fs.js | 2 +-
lib/http.js | 2 +-
lib/internal/child_process.js | 2 +-
lib/internal/repl.js | 5 +++-
lib/internal/socket_list.js | 2 +-
lib/net.js | 6 ++--
lib/readline.js | 7 +++--
lib/repl.js | 5 ++--
lib/stream.js | 2 +-
src/cares_wrap.cc | 4 +--
src/fs_event_wrap.cc | 2 +-
src/node.cc | 18 ++++++-----
src/node.js | 2 +-
src/node_crypto.cc | 4 +--
src/node_crypto_bio.cc | 2 +-
src/node_http_parser.cc | 25 +++++++++++++++-
src/node_version.h | 4 +--
src/spawn_sync.cc | 4 +--
src/stream_wrap.cc | 2 +-
src/tls_wrap.cc | 2 +-
src/tty_wrap.cc | 2 +-
src/udp_wrap.cc | 4 +--
src/util.h | 11 +++++--
tools/icu/icu-generic.gyp | 12 ++++++--
tools/v8-prof/linux-tick-processor | 23 --------------
tools/v8-prof/mac-tick-processor | 7 -----
tools/v8-prof/tick-processor.js | 51 ++++++++++++++++++++++++++++++++
tools/v8-prof/windows-tick-processor.bat | 19 ------------
38 files changed, 190 insertions(+), 123 deletions(-)
Deps only:
deps/v8/src/objects.h | 2 +-
deps/v8/tools/gen-postmortem-metadata.py | 11 ++++++++++-
2 files changed, 11 insertions(+), 2 deletions(-)
Docs only:
CHANGELOG.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
doc/api/addons.markdown | 10 ----------
doc/api/assert.markdown | 19 +++++++++---------
doc/api/errors.markdown | 4 ++--
doc/api/events.markdown | 2 +-
doc/api/modules.markdown | 2 +-
doc/api/process.markdown | 10 +++++-----
doc/api/util.markdown | 10 +++++-----
8 files changed, 76 insertions(+), 33 deletions(-)
Tests only:
test/abort/test-abort-uncaught-exception.js | 31 ++++++++
test/fixtures/readdir/are | 0
test/fixtures/readdir/dir/empty | 0
test/fixtures/readdir/empty | 0
test/fixtures/readdir/files | 0
test/fixtures/readdir/for | 0
test/fixtures/readdir/just | 0
test/fixtures/readdir/testing.js | 0
test/fixtures/readdir/these | 0
test/parallel/test-buffer-zero-fill-reset.js | 19 +++++
test/parallel/test-cluster-master-error.js | 7 +-
test/parallel/test-cluster-master-kill.js | 7 +-
test/parallel/test-cwd-enoent-preload.js | 4 +-
test/parallel/test-cwd-enoent-repl.js | 4 +-
test/parallel/test-cwd-enoent.js | 4 +-
test/parallel/test-fs-mkdir-rmdir.js | 37 ++++++++++
test/parallel/test-fs-readdir.js | 36 ++++++++++
.../test-http-header-response-splitting.js | 83 ++++++++++++++++------
test/parallel/test-http-regr-gh-2928.js | 51 +++++++++++++
test/parallel/test-readline-undefined-columns.js | 36 ++++++++++
test/parallel/test-repl-envvars.js | 55 ++++++++++++++
test/parallel/test-repl.js | 7 ++
test/parallel/test-spawn-cmd-named-pipe.js | 58 +++++++++++++++
test/parallel/test-tick-processor.js | 16 +----
test/sequential/test-mkdir-rmdir.js | 43 -----------
test/sequential/test-readdir.js | 71 ------------------
26 files changed, 413 insertions(+), 156 deletions(-)
Most active commit
Of the 27 commits, 6ea8ec1 was the most active (not counting npm updates).
commit 6ea8ec1c591777b5ddff314d28bc4cc642971033
Author: Matt Loring <mattloring@google.com>
Date: Mon Sep 14 15:28:27 2015 -0700
tools: single, cross-platform tick processor
Currently there are three separate tick processor scripts for
mac, windows, and linux. These have been replaced with a single
node.js script to improve maintainability and remove the need
to preserve parallel logic in these separate places.
PR-URL: https://github.com/nodejs/node/pull/2868
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
test/parallel/test-tick-processor.js | 16 ++--------
tools/v8-prof/linux-tick-processor | 23 --------------
tools/v8-prof/mac-tick-processor | 7 -----
tools/v8-prof/tick-processor.js | 51 ++++++++++++++++++++++++++++++++
tools/v8-prof/windows-tick-processor.bat | 19 ------------
5 files changed, 54 insertions(+), 62 deletions(-)
These quick patch releases will become routine though v4’s stable lifecycle, and this will also continue into future stable release lines. There is a lot more effort being put into core than in the recent past and frequent releases mean that the work being done gets into your hands quicker. We will be sure to let you know when a release contains a critical update and a recommendation to upgrade. Of course, we'd love you to upgrade, but this release is not critical unless you are experiencing one of the bugs identified and fixed above — both the Buffer and HTTP fixes address issues which require specific conditions that are unlikely to be met.