v15.14.0 proposal
2021-04-06, Version 15.14.0 (Current), @mylesborins
This is a security release.
Notable Changes
Vulnerabilties Fixed:
-
CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
-
CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
-
CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
- This is a vulnerability in the y18n NPM module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
- Impacts:
- All versions of the 14.x, 12.x and 10.x releases lines
Other Notable Changes:
- [
b6f4901221] - (SEMVER-MINOR) fs: add support for async iterators tofsPromises.writeFile(HiroyukiYagihashi) #37490 - [
0709cbb7fe] - (SEMVER-MINOR) net: allow net.BlockList to use net.SocketAddress objects (James M Snell) #37917 - [
daa8a7bbcf] - (SEMVER-MINOR) net: add SocketAddress class (James M Snell) #37917 - [
a4169ce519] - (SEMVER-MINOR) net: make net.BlockList cloneable (James M Snell) #37917 - [
669b81c68b] - (SEMVER-MINOR) net,tls: add abort signal support to connect (Nitzan Uziely) #37735 - [
a1123f0a29] - (SEMVER-MINOR) readline: add AbortSignal support to interface (Nitzan Uziely) #37932
Commits
- [
ac69b95e47] - crypto: use correct webcrypto RSASSA-PKCS1-v1_5 algorithm name (Filip Skokan) #38029 - [
960c6be229] - crypto: add buffering to randomInt (Tobias Nießen) #35110 - [
4ef102d34e] - deps: update to cjs-module-lexer@1.1.1 (Guy Bedford) #37992 - [
f0e77149a4] - deps: update archs files for OpenSSL-1.1.1k (Hassaan Pasha) #37916 - [
bbdcdad2c6] - deps: upgrade openssl sources to 1.1.1k+quic (Hassaan Pasha) #37916 - [
913ec56798] - deps: cjs-module-lexer: cherry-pick 22093e765f (pezhmanparsaee) #37895 - [
afc6ab2122] - doc: fix asyncLocalStorage.run() description (Darkripper214) #38023 - [
b40d35d649] - doc: document how to unref stdin when using readline.Interface (Anu Pasumarthy) #38019 - [
ce14080473] - doc: move psmarshall to collaborators emeriti (Peter Marshall) #37994 - [
ae70aa3c63] - doc: add distinctive color for code elements inside links (Antoine du Hamel) #37950 - [
8792c7c96b] - doc: add missing events.on metadata (Anna Henningsen) #37965 - [
a57dc06adf] - doc: improve Buffer's encoding documentation (Michaël Zasso) #37945 - [
f3fabb57cf] - doc: add missing cleanup step in OpenSSL upgrade (Tobias Nießen) #37927 - [
13c3924af8] - doc: add Windows-specific info to subprocess.kill() (João Lucas Lucchetta) #34867 - [
b6f4901221] - (SEMVER-MINOR) fs: add support for async iterators tofsPromises.writeFile(HiroyukiYagihashi) #37490 - [
ad7e34446c] - fs: fix chown abort (Darshan Sen) #38004 - [
d86aca9a77] - http: optimize debug function correctly (Michaël Zasso) #37966 - [
062541aae5] - http2: add specific error code for custom frames (Anna Henningsen) #37936 - [
8525231902] - lib: change wording in lib/domain.js comment (Akhil Marsonya) #37933 - [
21e399be4c] - lib: change wording in lib/internal/child_process comment (Akhil Marsonya) #37903 - [
3ab9619e56] - module: improve error message for invalid data URL (Antoine du Hamel) #37701 - [
0709cbb7fe] - (SEMVER-MINOR) net: allow net.BlockList to use net.SocketAddress objects (James M Snell) #37917 - [
daa8a7bbcf] - (SEMVER-MINOR) net: add SocketAddress class (James M Snell) #37917 - [
a4169ce519] - (SEMVER-MINOR) net: make net.BlockList cloneable (James M Snell) #37917 - [
669b81c68b] - (SEMVER-MINOR) net,tls: add abort signal support to connect (Nitzan Uziely) #37735 - [
a94cc27cbe] - path: refactor to use more primordials (Akhil Marsonya) #37893 - [
6cc1e15669] - readline: fix pre-aborted signal question handling (Nitzan Uziely) #37929 - [
a1123f0a29] - (SEMVER-MINOR) readline: add AbortSignal support to interface (Nitzan Uziely) #37932 - [
629e72e9f4] - src: fix typo in node_mutex (Tobias Nießen) #38011 - [
e61cc0bfb0] - src: fix typos in crypto comments (Tobias Nießen) #38024 - [
6ad0b6f0f5] - src: fix error handling for CryptoJob::ToResult (Tobias Nießen) #37076 - [
3175559bed] - test: add extra space in test failure output (Qingyu Deng) #37957 - [
0243376cfc] - test: use faster variant for rss (Pooja D P) #36839 - [
b02c352ad6] - test: fix test-tls-no-sslv3 for OpenSSL 3 (Richard Lau) #38027 - [
0db1a1eacf] - test: deflake test-fs-read-optional-params (Luigi Pinca) #37991 - [
4d50975cd7] - test: improve clarity of ALS-enable-disable.js (Darkripper214) #38008 - [
5e15ae05d0] - test: add DataView test case for v8 serdes (Rich Trott) #37955 - [
6d28a24f1c] - tools: update ESLint to 7.23.0 (Luigi Pinca) #37979 - [
51e7a33d54] - tools,doc: add "legacy" badge in the TOC (Antoine du Hamel) #37949 - [
570fbcef93] - url: forbid pipe in URL host (Darshan Sen) #37877