The Nodesource Blog

Node.js v4.1.1 Release Summary and Stats

Only 5 days passed between 4.1.0 and the newest Node.js release, 4.1.1. This update addresses a minor potential security vulnerability in 4.1.0, and also brings in some other assorted fixes. This is a v4 release and as such should be a drop-in replacement for v4.0.0 or v4.1.0. Rebuilding add-ons should not be necessary.

Code Change Stats

Of a total of 27 commits:

  • 4 were documentation-only commits.
  • 6 only modify tests and 1 only affects development tooling.
  • 4 of the commits consist of 1 dependency update + floating patches:
    • 2 additional floating patches for v8 (8da3da4 & b93ad5a).
    • npm @ 2.14.4 (Patched with node-gyp @ 3.0.3)

The remaining significant commits are as follows:

  • [d63e02e08d] - buffer: don't set zero fill for zero-length buffer (Trevor Norris) #2931
  • [5905b14bff] - build: fix icutrim when building small-icu on BE (Stewart Addison) #2602
  • [f010cb5d96] - configure: detect mipsel host (Jérémy Lal) #2971
  • [f68fed2e6f] - http: remove redundant code in _deferToConnect (Malcolm Ahoy) #2769
  • [f542e74c93] - http: guard against response splitting in trailers (Ben Noordhuis) #2945
  • [1860e0cebd] - lib,src: remove usage of events.EventEmitter (Sakthipriyan Vairamani) #2921
  • [d4cd5ac407] - readline: fix tab completion bug (Matt Harrison) #2816
  • [9760e04839] - repl: don't use tty control codes when $TERM is set to "dumb" (Salman Aljammaz) #2712
  • [cb971cc97d] - repl: backslash bug fix (Sakthipriyan Vairamani) #2968
  • [2034f68668] - src: honor --abort_on_uncaught_exception flag (Evan Lucas) #2776
  • [0b1ca4a9ef] - src: Add ABORT macro (Evan Lucas) #2776

Notable Changes (extended)

  • buffer: Fixed a bug introduced in v4.1.0 where allocating a new zero-length buffer can result in the next allocation of a TypedArray or ArrayBuffer not being zero-filled. (Trevor Norris) #2931.

    • In certain circumstances this could result in data leakage via reuse of memory space in TypedArrays, breaking the normally safe assumption that TypedArrays should always be zero-filled.
  • http: Guard against response-splitting of HTTP trailing headers added via response.addTrailers() by removing new-line ([\r\n]) characters from values. (Ben Noordhuis) #2945.

    • Note that standard header values are already stripped of new-line characters.
    • The expected security impact is low because trailing headers are rarely used.
  • npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full details (Kat Marchán) #2958

    • Upgrades graceful-fs on multiple dependencies to no longer rely on monkey-patching fs.
    • Fix npm link for pre-release / RC builds of Node.
  • v8: Update post-mortem metadata to allow post-mortem debugging tools to find and inspect:

    • JavaScript objects that use dictionary properties (Julien Gilli) #2959
    • ScopeInfo and thus closures (Julien Gilli) #2974
    • These two changes should pave the way for mdb_v8 to work with node v4. Please see #2517 for status on mdb_v8 in node v4+.
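
The trailer guard described in the http item above, shown as an added example (not code from Node.js core or from this post): a simplified model of the trailer section of a chunked response, serialized with and without stripping [\r\n] from values. The function names and the sample trailer are constructed for illustration.

```javascript
'use strict';
// Added example: simplified model of a chunked response's trailer section.
// Function names are hypothetical, not Node.js internals.

const CRLF = '\r\n';

// The fix described above: drop new-line characters from a trailer value.
function stripNewlines(value) {
  return String(value).replace(/[\r\n]/g, '');
}

// Serialize the last chunk plus trailers: "0 CRLF (name: value CRLF)* CRLF".
function serializeTrailers(trailers, sanitize) {
  let out = '0' + CRLF;
  for (const [name, value] of Object.entries(trailers)) {
    out += name + ': ' + (sanitize ? stripNewlines(value) : value) + CRLF;
  }
  return out + CRLF;
}

// Read the trailer section as a strict receiver would: one field per
// CRLF-terminated line, stopping at the first empty line.
function parseTrailerNames(wire) {
  const lines = wire.split(CRLF);
  const names = [];
  for (let i = 1; i < lines.length && lines[i] !== ''; i++) {
    names.push(lines[i].slice(0, lines[i].indexOf(':')));
  }
  return names;
}

// Constructed sample: one trailer whose value carries an embedded CRLF.
const sample = { 'Content-MD5': 'abc\r\nX-Extra: 1' };

// Without the guard the receiver sees two trailer fields; with it, one.
const unguarded = parseTrailerNames(serializeTrailers(sample, false));
const guarded = parseTrailerNames(serializeTrailers(sample, true));

console.log('unguarded:', unguarded);
console.log('guarded:  ', guarded);
```
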

Git Diffstats

(Showing the delta between v4.1.0 and v4.1.1, ignoring deps/npm.)

Without deps, docs, or tests:

 configure                                |  1 +
 lib/_http_agent.js                       |  2 +-
 lib/_http_client.js                      | 24 ++++++++-------
 lib/_http_outgoing.js                    | 15 ++++++----
 lib/_http_server.js                      |  5 ++--
 lib/_stream_readable.js                  |  2 +-
 lib/_tls_legacy.js                       |  6 ++--
 lib/buffer.js                            | 19 ++++++++----
 lib/cluster.js                           |  2 +-
 lib/dgram.js                             |  6 ++--
 lib/fs.js                                |  2 +-
 lib/http.js                              |  2 +-
 lib/internal/child_process.js            |  2 +-
 lib/internal/repl.js                     |  5 +++-
 lib/internal/socket_list.js              |  2 +-
 lib/net.js                               |  6 ++--
 lib/readline.js                          |  7 +++--
 lib/repl.js                              |  5 ++--
 lib/stream.js                            |  2 +-
 src/cares_wrap.cc                        |  4 +--
 src/fs_event_wrap.cc                     |  2 +-
 src/node.cc                              | 18 ++++++-----
 src/node.js                              |  2 +-
 src/node_crypto.cc                       |  4 +--
 src/node_crypto_bio.cc                   |  2 +-
 src/node_http_parser.cc                  | 25 +++++++++++++++-
 src/node_version.h                       |  4 +--
 src/spawn_sync.cc                        |  4 +--
 src/stream_wrap.cc                       |  2 +-
 src/tls_wrap.cc                          |  2 +-
 src/tty_wrap.cc                          |  2 +-
 src/udp_wrap.cc                          |  4 +--
 src/util.h                               | 11 +++++--
 tools/icu/icu-generic.gyp                | 12 ++++++--
 tools/v8-prof/linux-tick-processor       | 23 --------------
 tools/v8-prof/mac-tick-processor         |  7 -----
 tools/v8-prof/tick-processor.js          | 51 ++++++++++++++++++++++++++++++++
 tools/v8-prof/windows-tick-processor.bat | 19 ------------
 38 files changed, 190 insertions(+), 123 deletions(-)

Deps only:

 deps/v8/src/objects.h                    |  2 +-
 deps/v8/tools/gen-postmortem-metadata.py | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

Docs only:

 CHANGELOG.md             | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
 doc/api/addons.markdown  | 10 ----------
 doc/api/assert.markdown  | 19 +++++++++---------
 doc/api/errors.markdown  |  4 ++--
 doc/api/events.markdown  |  2 +-
 doc/api/modules.markdown |  2 +-
 doc/api/process.markdown | 10 +++++-----
 doc/api/util.markdown    | 10 +++++-----
 8 files changed, 76 insertions(+), 33 deletions(-)

Tests only:

 test/abort/test-abort-uncaught-exception.js        | 31 ++++++++
 test/fixtures/readdir/are                          |  0
 test/fixtures/readdir/dir/empty                    |  0
 test/fixtures/readdir/empty                        |  0
 test/fixtures/readdir/files                        |  0
 test/fixtures/readdir/for                          |  0
 test/fixtures/readdir/just                         |  0
 test/fixtures/readdir/testing.js                   |  0
 test/fixtures/readdir/these                        |  0
 test/parallel/test-buffer-zero-fill-reset.js       | 19 +++++
 test/parallel/test-cluster-master-error.js         |  7 +-
 test/parallel/test-cluster-master-kill.js          |  7 +-
 test/parallel/test-cwd-enoent-preload.js           |  4 +-
 test/parallel/test-cwd-enoent-repl.js              |  4 +-
 test/parallel/test-cwd-enoent.js                   |  4 +-
 test/parallel/test-fs-mkdir-rmdir.js               | 37 ++++++++++
 test/parallel/test-fs-readdir.js                   | 36 ++++++++++
 .../test-http-header-response-splitting.js         | 83 ++++++++++++++++------
 test/parallel/test-http-regr-gh-2928.js            | 51 +++++++++++++
 test/parallel/test-readline-undefined-columns.js   | 36 ++++++++++
 test/parallel/test-repl-envvars.js                 | 55 ++++++++++++++
 test/parallel/test-repl.js                         |  7 ++
 test/parallel/test-spawn-cmd-named-pipe.js         | 58 +++++++++++++++
 test/parallel/test-tick-processor.js               | 16 +----
 test/sequential/test-mkdir-rmdir.js                | 43 -----------
 test/sequential/test-readdir.js                    | 71 ------------------
 26 files changed, 413 insertions(+), 156 deletions(-)

Most active commit

Of the 27 commits, 6ea8ec1 was the most active (not counting npm updates).

commit 6ea8ec1c591777b5ddff314d28bc4cc642971033
Author: Matt Loring <mattloring@google.com>
Date:   Mon Sep 14 15:28:27 2015 -0700

    tools: single, cross-platform tick processor

    Currently there are three separate tick processor scripts for
    mac, windows, and linux. These have been replaced with a single
    node.js script to improve maintainability and remove the need
    to preserve parallel logic in these separate places.

    PR-URL: https://github.com/nodejs/node/pull/2868
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>

 test/parallel/test-tick-processor.js     | 16 ++--------
 tools/v8-prof/linux-tick-processor       | 23 --------------
 tools/v8-prof/mac-tick-processor         |  7 -----
 tools/v8-prof/tick-processor.js          | 51 ++++++++++++++++++++++++++++++++
 tools/v8-prof/windows-tick-processor.bat | 19 ------------
 5 files changed, 54 insertions(+), 62 deletions(-)

These quick patch releases will become routine through v4’s stable lifecycle, and this will also continue into future stable release lines. There is a lot more effort being put into core than in the recent past and frequent releases mean that the work being done gets into your hands quicker. We will be sure to let you know when a release contains a critical update and a recommendation to upgrade. Of course, we'd love you to upgrade, but this release is not critical unless you are experiencing one of the bugs identified and fixed above — both the Buffer and HTTP fixes address issues which require specific conditions that are unlikely to be met.