2022-02-22, Version 17.6.0 (Current), @BethGriggs prepared by @bengl

Notable Changes

• [6b88595142] - doc: deprecate notice for process methods (Yash Ladha) #41587
• [77462b6083] - stream: revert map spec compliance (Benjamin Gruenbaum) #41931
• [b968d89fc9] - build: remove broken x32 arch support (Ben Noordhuis) #41905
• [ba639d052b] - (SEMVER-MINOR) esm: support https remotely and http locally under flag (Bradley Farias) #36328
• [214d17650b] - (SEMVER-MINOR) fs: support copy of relative links with cp and cpSync (Marcos Bjoerkelund) #41819
• [ec0d623bd7] - (SEMVER-MINOR) lib: add FormData global when fetch is enabled (Michaël Zasso) #41956
• [3243701997] - (SEMVER-MINOR) readline: bind keystroke ctrl+6 to redo (Ray) #41662
• [5796c3a7ea] - process: deprecate multipleResolves (Benjamin Gruenbaum) #41872
  • Documentation-only.

Dependency Updates

• [d1ef43f2aa] - deps: upgrade npm to 8.5.1 (npm-robot) #42039
• [09c17481f6] - deps: update undici to 3e267ece5f (Michaël Zasso) #41955
• [0a6f0b416f] - deps: upgrade npm to 8.5.0 (npm-robot) #41925

New Collaborators

• [90d90e3868] - doc: add marsonya to collaborators (Akhil Marsonya) #41991
• [0de611f53a] - doc: add joesepi to collaborators (Joe Sepi) #41914

Commits

• [c673953f6d] - build: cancel running CI jobs when a PR is updated (Michaël Zasso) #42017
• [782506c099] - build: increase operations and test tag (Michael Dawson) #42038
• [d3e6ad1ed5] - build: allow manual run of feature request action (Michael Dawson) #42037
• [69d7736e08] - build: add action to close stale feature requests (Michael Dawson) #41981
• [1315f1eb25] - build: prevent concurrent CI and CQ workflow runs (Michaël Zasso) #42016
• [1e8e8bc22b] - build: use zoslib_include_dir provided by node-gyp (alexcfyung) #41713
• [4e2e2cb821] - build: move tool updates workflow runtime a day later (Rich Trott) #41982
• [cd04ed1382] - build: extend yamllint configuration (Mestery) #41756
• [b968d89fc9] - build: remove broken x32 arch support (Ben Noordhuis) #41905
• [2b1dabfb16] - build: revert fast-track changes (Filip Skokan) #41892
• [182e6b9ee9] - build: improve consistency between workflows (Mestery) #41791
• [f4cb72600d] - build,tools: change the quotes in YAML (Mestery) #41756
• [24b0a563a4] - child_process: kHideConsoleWindows for spawnSync (Raymond Zhao) #41412
• [c41e402c06] - cluster: respect listen backlog set by workers (Elad Nava) #41623
• [84b1e4fba7] - crypto: check result of BIO_new in X509ToObject (Tobias Nießen) #41979
• [946ac96817] - crypto: rename X509_NAME_FLAGS (Tobias Nießen) #42001
• [60682917dd] - (SEMVER-MINOR) crypto: expose Web Crypto API on the global scope (Antoine du Hamel) #41938
• [0fff4d2314] - crypto: do not advertise unsupported algorithms (Brian White) #41864
• [67f1ebf9b4] - debugger: add debugger alias for exec(expr) (Xuguang Mei) #41907
• [1eac0a1677] - debugger: remove duplicate setPauseOnException call (Balakrishna Avulapati) #41838
• [d1ef43f2aa] - deps: upgrade npm to 8.5.1 (npm-robot) #42039
• [09c17481f6] - deps: update undici to 3e267ece5f (Michaël Zasso) #41955
• [0a6f0b416f] - deps: upgrade npm to 8.5.0 (npm-robot) #41925
• [fea682ca94] - doc: fix typo in http2 endAfterHeaders description (Alexandru Comanescu) #42060
• [9c618ad729] - doc: make minor fixes to contributing guides (T-O-R-U-S) #41966
• [60bbacdd91] - doc: use openpgp.org for keyserver examples (Nick Schonning) #39227
• [2e252b3c95] - doc: adjust a/an word usage (Derek Wolpert) #41915
• [c7d590c66e] - doc: remove extra <td> (Ray) #42006
• [06f225c6a6] - doc: capitalize valgrind (T•Ø•R•Ü•S) #41986
• [6195de506a] - doc: fix deprecation number (Antoine du Hamel) #41990
• [90d90e3868] - doc: add marsonya to collaborators (Akhil Marsonya) #41991
• [6b88595142] - doc: deprecate notice for process methods (Yash Ladha) #41587
• [d34ee45134] - doc: fix bug in readable.unshift code example (Xuguang Mei) #41944
• [8748b1e61d] - doc: add missing buffer in the stream/consumers import example (Mestery) #41961
• [cb9dba034a] - doc: fix typo in readableStream.locked description (Tobias Nießen) #41923
• [43a5161cee] - doc: fix wrong indent in stream documentation (Xuguang Mei) #41943
• [dca2692ae3] - doc: emphasize security warning in vm module doc (Rich Trott) #41916
• [b0e8ccb84c] - doc: clarify tls.Server 'connection' event documentation (Austin Cheney) #41917
• [6a7b0160df] - doc: improve scrollbar appearance in dark mode (Aaron Xie) #41890
• [aa684a78fe] - doc: replace text with path...

2022-02-10, Version 17.5.0 (Current), @ruyadorno

Notable Changes

Add fetch API

Adds experimental support to the fetch API. This adds a --experimental-fetch
flag that installs the fetch, Request, Reponse and Headers globals.

• [76a229c4ff] - (SEMVER-MINOR) lib: add fetch (Michaël Zasso) #41749

Add stream methods

• [1ae648567a] - (SEMVER-MINOR) stream: add iterator helper find (linkgoron) #41849
• [62e1a68077] - (SEMVER-MINOR) stream: add toArray (Benjamin Gruenbaum) #41553
• [da11b95988] - (SEMVER-MINOR) stream: add forEach method (Benjamin Gruenbaum) #41445
• [34684a1c89] - (SEMVER-MINOR) stream: support some and every (Benjamin Gruenbaum) #41573

Other Notable Changes

• [2cae99425b] - (SEMVER-MINOR) node-api: add node_api_symbol_for() (Darshan Sen) #41329
• [9c6b078892] - module: unflag esm json modules (Geoffrey Booth) #41736
• [28650eca00] - deps: upgrade npm to 8.4.1 (npm team) #41836

Commits

• [0844935e1f] - async_hooks: fix imports in context example (Yash Ladha) #39229
• [44ca20b7a1] - benchmark: avoid input param manipulation (Jithil P Ponnan) #41741
• [ad32ad6cfd] - benchmark: enable no-empty ESLint rule (Rich Trott) #41831
• [28b95a5a9f] - benchmark: use Object.hasOwn() instead of hasOwnProperty() (Rich Trott) #41769
• [ca1cd4254a] - benchmark: replace hasOwnProperty() with Object.hasOwn() (Rich Trott) #41724
• [6fefd5112a] - (SEMVER-MINOR) benchmark: add subarray to buffer-slice (Benjamin Gruenbaum) #41596
• [878b2e73bb] - benchmark: remove unreachable code from crypto/hash-stream-creation (Rich Trott) #41535
• [6064b1df5d] - buffer: fix atob/btoa no-arg case (Benjamin Gruenbaum) #41478
• [89c327387b] - (SEMVER-MINOR) buffer: alias subarray and slice (Benjamin Gruenbaum) #41596
• [adcde6bb78] - build: check if python is a executable program (himself65) #36696
• [33351765c7] - build: enable zoslib installation on z/OS (alexcfyung) #41493
• [e8062bfb92] - build: add --v8-enable-hugepage flag (Daoming Qiu) #41487
• [8681c837ca] - build: add loong64 configure (Shi Pujin) #41323
• [7c2b5861be] - build: fix libuv builds for android aarch64 (Darshan Sen) #41555
• [e117c0f86c] - crypto: check return code from EVP_DigestUpdate (Michael Dawson) #41800
• [9c59abe588] - crypto: fix webcrypto.subtle signature (Antoine du Hamel) #41761
• [627f19a84b] - crypto: revise variables for const use instead of let (Rich Trott) #41614
• [9e39e62ae2] - crypto: remove wildcard options for checkEmail (Tobias Nießen) #41599
• [4a4c907604] - crypto: adjust types for getRandomValues (LiviaMedeiros) #41481
• [b43faf0fc5] - crypto: remove checkIP options argument (Tobias Nießen) #41571
• [076ec47557] - (SEMVER-MINOR) crypto: support RFC 2818 compatible checkHost (Tobias Nießen) #41569
• [28650eca00] - deps: upgrade npm to 8.4.1 (npm-robot) #41836
• [bee4451ed8] - deps: V8: cherry-pick cc9a8a37445e (Gus Caplan) #41823
• [4b174ce7f6] - deps: upgrade npm to 8.3.2 (npm team) #41621
• [0d4f043f0e] - dgram: remove unreachable connectState assign (Rongjian Zhang) #38590
• [d641eb7f80] - doc: use the same case as the section heading (Mestery) #41876
• [ffd1933ad9] - doc: use Oxford comma in crypto docs (Tobias Nießen) #41875
• [145a3b8294] - doc: use sentence case in readme introduction (Mestery) #41874
• [f8acca8df8] - doc: add missing space before hyphen (Mestery) #41873
• [5085813688] - doc: add stream pipelining note on Http usage (Rafael Silva) #41796
• [0a8995d36b] - doc: improve SSL_OP_PRIORITIZE_CHACHA description (Tobias Nießen) #41866
• [1c62eb64f6] - doc: add missing commas in cluster docs (Tobias Nießen) #41865
• [3676505413] - doc: add history information for Corepack (Antoine du Hamel) #41813
• [8a42a20b8a] - doc: add comments to empty blocks in worker_threads text (Rich Trott) #41831
• [c3721fcf9a] - doc: remove empty block from console.timeEnd() example (Rich Trott) #41831
• [451f3331d9] - doc: feature management proposal (Michael Dawson) #41420
• [72a857f56c] - doc: add overhead hints for heap snapshot generation (Gerhard Stöbich) #41822
• [7aeaa27d67] - doc: fix X509 CA acronym capitalization (Tobias Nießen) #41841
• [d3a4c62600] - doc: use sentence case for X509 error codes header (Tobias Nießen) #41829
• [cb16fad0ab] - doc: add initial version of maintaining-http.md (Michael Dawson) #41798
• [49f6b97b64] - doc: add registry numbers for Electron 19 and 20 (Keeley Hammond) #41814
• [4db343bb8e] - doc: add note about resource type in async_hooks (Tony Gorez) #41797
• [d726a3442c] - doc: use example.com for examples (Ateş Göral) #41827
• [4eb1938f51] -...

2022-02-08, Version 16.14.0 'Gallium' (LTS), @danielleadams

Notable changes

Importing JSON modules now requires experimental import assertions syntax

This release adds experimental support for the import assertions stage 3 proposal.

To keep Node.js ESM implementation as compatible as possible with the HTML spec, import assertions are now required to import JSON modules (still behind the --experimental-json-modules CLI flag):

import info from './package.json' assert { type: 'json' };

Or use dynamic import:

const info = await import('./package.json', { assert: { type: 'json' } });

Contributed by Antoine du Hamel and Geoffrey Booth #40250

Other notable changes

• async_hooks:
  • (SEMVER-MINOR) expose async_wrap providers (Rafael Gonzaga) #40760
• child_process:
  • (SEMVER-MINOR) add support for URL to cp.fork (Antoine du Hamel) #41225
• doc:
  • add @Mesteery to collaborators (Mestery) #41543
  • add @bnb as a collaborator (Tierney Cyren) #41100
• esm:
  • (SEMVER-MINOR) graduate capturerejections to supported (James M Snell) #41267
  • (SEMVER-MINOR) add EventEmitterAsyncResource to core (James M Snell) #41246
• events:
  • (SEMVER-MINOR) propagate weak option for kNewListener (James M Snell) #40899
• fs:
  • (SEMVER-MINOR) accept URL as argument for fs.rm and fs.rmSync (Antoine du Hamel) #41132
• lib:
  • (SEMVER-MINOR) make AbortSignal cloneable/transferable (James M Snell) #41050
  • (SEMVER-MINOR) add AbortSignal.timeout (James M Snell) #40899
  • (SEMVER-MINOR) add reason to AbortSignal (James M Snell) #40807
  • (SEMVER-MINOR) add unsubscribe method to non-active DC channels (simon-id) #40433
  • (SEMVER-MINOR) add return value for DC channel.unsubscribe (simon-id) #40433
• loader:
  • (SEMVER-MINOR) return package format from defaultResolve if known (Gabriel Bota) #40980
• perf_hooks:
  • (SEMVER-MINOR) multiple fixes for Histogram (James M Snell) #41153
• process:
  • (SEMVER-MINOR) add getActiveResourcesInfo() (Darshan Sen) #40813
• src:
  • (SEMVER-MINOR) add x509.fingerprint512 to crypto module (3nprob) #39809
  • (SEMVER-MINOR) add flags for controlling process behavior (Cheng Zhao) #40339
• stream:
  • (SEMVER-MINOR) add filter method to readable (Benjamin Gruenbaum) #41354
  • (SEMVER-MINOR) add isReadable helper (Robert Nagy) #41199
  • (SEMVER-MINOR) add map method to Readable (Benjamin Gruenbaum) #40815
  • deprecate thenable support (Antoine du Hamel) #40860
• util:
  • (SEMVER-MINOR) pass through the inspect function to custom inspect functions (Ruben Bridgewater) #41019
  • (SEMVER-MINOR) add numericSeparator to util.inspect (Ruben Bridgewater) #41003
  • (SEMVER-MINOR) always visualize cause property in errors during inspection (Ruben Bridgewater) #41002
• timers:
  • (SEMVER-MINOR) add experimental scheduler api (James M Snell) #40909
• v8:
  • (SEMVER-MINOR) multi-tenant promise hook api (Stephen Belanger) #39283

Commits

• [336010341f] - assert: prefer reference comparison over string comparison (Darshan Sen) #41015
• [2d471e47a0] - assert: use stricter stack frame detection in .ifError() (Ruben Bridgewater) #41006
• [f788a47b8b] - async_hooks: add missing initialization (Michael Dawson) #41288
• [b688f201df] - async_hooks: fix AsyncLocalStorage in unhandledRejection cases (Bradley Farias) #41202
• [6af3e34b6b] - Revert "async_hooks: merge resource_symbol with owner_symbol" (Darshan Sen) #40741
• [85a02ec979] - async_hooks: eliminate require side effects (Stephen Belanger) #40782
• [078a0c996f] - (SEMVER-MINOR) async_hooks: expose async_wrap providers (Rafael Gonzaga) #40760
• [4a09904d05] - benchmark: simplify http benchmarker regular expression (Rich Trott) #38206
• [bc48ed2834] - benchmark: fix benchmark/run.js handling of --set (Rich Trott) #41334
• [e68bf84e31] - benchmark,test: use Object.hasOwn() where applicable (Rich Trott) #41229
• [799cf57581] - buffer: fix Blob constructor on various TypedArrays (Irakli Gozalishvili) #40706
• [5c1dc5f307] - build: fix npm version detection (Michaël Zasso) #41575
• [3e4d977c28] - build: fix node build failures in WSL Ubuntu (MrJithil) #41476
• [6ffb1e878c] - build: fix workflow access to git history (Rich Trott) #41472
• [c49a651e67] - build: start build on z/OS (alexcfyung) #41273
• [c65ac72b6c] - build: use list for mutable retval rather than tuple (Rich Trott) #41372
• [ff48705372] - build: remove Python 2 workaround (Rich Trott) #41357
• [c10fcb1f05] - build: improve readability of texts in workflows (Mestery) #40988
• [93450e5e8e] - build: use '<(python)' instead of 'python' (Cheng Zhao) #41146
• [0b411c436a] - build: fix comment-labeled workflow (Mestery) #41176
• [7756e1c692] - build: use gh cli in workflows file (Mestery) #40985
• [d3289b2506] - build: fix commit-queue-rebase functionality (Rich Trott) #41140
• [860d552431] - build: skip documentation generation if no ICU (Rich Trott) #41091
• [c8625d18ba] - build: re-enable V8 concurrent marking (Michaël Zasso) #41013
• [74557c3ac1] - build: add --without-corepack (Jonah Snider) #41060
• [f826c866e9] - build: fail early in test-macos.yml (Rich Trott) #41035
• [535bb5fb6b] - build: add tools/doc to tools.yml updates (Rich Trott) #41036
• [20c4c6aa72] - build: update Actions versions (Mestery) #40987
• [70fd4a15fc] - build: set persist-credentials: false on workflows (Rich Trott) #40972
• [b72e50e5ef] - build: add OpenSSL gyp artifacts to .gitignore (Luigi P...

2022-02-01, Version 14.19.0 'Fermium' (LTS), @richardlau

Notable Changes

Corepack

Node.js now includes Corepack, a script that acts as a bridge between Node.js projects and the package managers they are intended to be used with during development.
In practical terms, Corepack will let you use Yarn and pnpm without having to install them - just like what currently happens with npm, which is shipped in Node.js by default.
Please head over to the Corepack documentation page for more information on how to use it.

Contributed by Maël Nison - #39608

ICU updated

ICU has been updated to 70.1. This updates timezone database to 2021a3, including bringing forward the start for DST for Jordan from March to February.

Contributed by Michaël Zasso - #40658

New option to disable loading of native addons

A new command line option --no-addons has been added to disallow loading of native addons.

Contributed by Dominic Elm - #39977

Updated Root Certificates

Root certificates have been updated to those from Mozilla's Network Security Services 3.71.

Contributed by Richard Lau - #40280

Other Notable Changes

• [0d448eaab5] - (SEMVER-MINOR) crypto: make FIPS related options always available (Vít Ondruch) #36341
• [004eafbebf] - (SEMVER-MINOR) lib: add unsubscribe method to non-active DC channels (simon-id) #40433
• [625be7585d] - (SEMVER-MINOR) lib: add return value for DC channel.unsubscribe (simon-id) #40433
• [607bc74eae] - (SEMVER-MINOR) module: support pattern trailers (Guy Bedford) #39635
• [f74fe2a59c] - (SEMVER-MINOR) src: make napi_create_reference accept symbol (JckXia) #39926

Commits

• [0231ffa501] - build: add --without-corepack (Jonah Snider) #41060
• [5389b8ab05] - crypto: update root certificates (Richard Lau) #40280
• [0d448eaab5] - (SEMVER-MINOR) crypto: make FIPS related options always available (Vít Ondruch) #36341
• [cd20ecc7cb] - deps: upgrade Corepack to 0.10 (Maël Nison) #40374
• [737df75e17] - (SEMVER-MINOR) deps: add corepack (Maël Nison) #39608
• [b85aa5a143] - deps: upgrade npm to 6.14.16 (Ruy Adorno) #41603
• [2755d391a5] - deps: update ICU to 70.1 (Michaël Zasso) #40658
• [3089326d89] - deps: update archs files for OpenSSL-1.1.1m (Richard Lau) #41173
• [59da7c12aa] - deps: upgrade openssl sources to 1.1.1m (Richard Lau) #41173
• [cede1f26f6] - deps: add -fno-strict-aliasing flag to libuv (Daniel Bevenius) #40631
• [4477da858f] - doc: fix corepack grammar for --force flag (Steven) #40762
• [5971d58600] - doc: add missing YAML tag in esm.md (Antoine du Hamel) #41516
• [e903798ae1] - doc: add note regarding unfinished TLA (Antoine du Hamel) #41434
• [a90defebcf] - esm: make process.exit() default to exit code 0 (Gang Chen) #41388
• [fc328f1ab0] - fs: nullish coalescing to respect zero positional reads (Omar El-Mihilmy) #40716
• [004eafbebf] - (SEMVER-MINOR) lib: add unsubscribe method to non-active DC channels (simon-id) #40433
• [625be7585d] - (SEMVER-MINOR) lib: add return value for DC channel.unsubscribe (simon-id) #40433
• [2c365961d0] - module: support pattern trailers for imports field (Guy Bedford) #40041
• [607bc74eae] - (SEMVER-MINOR) module: support pattern trailers (Guy Bedford) #39635
• [f74fe2a59c] - (SEMVER-MINOR) src: make napi_create_reference accept symbol (JckXia) #39926
• [b050c65885] - src: add option to disable loading native addons (Dominic Elm) #39977
• [c1695ac68a] - tools: update certdata.txt (Richard Lau) #40280

2022-02-01, Version 12.22.10 'Erbium' (LTS), @ruyadorno

Notable changes

• Upgrade npm to 6.14.16
• Updated ICU time zone data

Commits

• [33899b435d] - deps: upgrade npm to 6.14.16 (Ruy Adorno) #41601
• [d9237c46ca] - tools: update tzdata to 2021a4 (Albert Wang) #41443

2022-01-18, Version 17.4.0 (Current), @targos

Notable Changes

• [ef6f98c2e3] - (SEMVER-MINOR) child_process: add support for URL to cp.fork (Antoine du Hamel) #41225
• [d62fe315c2] - (SEMVER-MINOR) crypto: alias webcrypto.subtle and webcrypto.getRandomValues on crypto (James M Snell) #41266
• [fcb37e9ce5] - doc: add Mesteery to collaborators (Mestery) #41543
• [4079fc42b7] - (SEMVER-MINOR) events: graduate capturerejections to supported (James M Snell) #41267
• [fe21607901] - (SEMVER-MINOR) events: add EventEmitterAsyncResource to core (James M Snell) #41246
• [6d8eb6ace6] - (SEMVER-MINOR) loader: return package format from defaultResolve if known (Gabriel Bota) #40980
• [27c619140a] - (SEMVER-MINOR) perf_hooks: multiple fixes for Histogram (James M Snell) #41153
• [09c25bb224] - (SEMVER-MINOR) stream: add filter method to readable (Benjamin Gruenbaum, Robert Nagy) #41354
• [1150963217] - (SEMVER-MINOR) stream: add isReadable helper (Robert Nagy) #41199
• [9f5a873965] - (SEMVER-MINOR) stream: add map method to Readable (Benjamin Gruenbaum, Robert Nagy) #40815

Commits

• [314102b14d] - async_hooks: add missing initialization (Michael Dawson) #41288
• [56345a3f63] - async_hooks: fix AsyncLocalStorage in unhandledRejection cases (Bradley Farias) #41202
• [fa84353952] - benchmark: simplify http benchmarker regular expression (Rich Trott) #38206
• [88d760c559] - benchmark: fix benchmark/run.js handling of --set (Rich Trott) #41334
• [dcf1ea0a3f] - benchmark,test: use Object.hasOwn() where applicable (Rich Trott) #41229
• [4958c800da] - build: fix npm version detection (Michaël Zasso) #41575
• [e8538c3751] - build: fix node build failures in WSL Ubuntu (MrJithil) #41476
• [3d88ea195e] - build: fix workflow access to git history (Rich Trott) #41472
• [b0f0ad1004] - build: start build on z/OS (alexcfyung) #41273
• [80a3766ac7] - build: use list for mutable retval rather than tuple (Rich Trott) #41372
• [afe1e00509] - build: remove Python 2 workaround (Rich Trott) #41357
• [011c5f6498] - build: improve readability of texts in workflows (Mestery) #40988
• [2233f31069] - build,tools,win: trim unused VCBUILD_PYTHON_LOCATION variable (David Sanders) #41235
• [d9465ae614] - child_process: queue pending messages (Erick Wendel) #41221
• [ed41fd110d] - child_process: revise argument processing (Rich Trott) #41280
• [ef6f98c2e3] - (SEMVER-MINOR) child_process: add support for URL to cp.fork (Antoine du Hamel) #41225
• [d62fe315c2] - (SEMVER-MINOR) crypto: alias webcrypto.subtle and webcrypto.getRandomValues on crypto (James M Snell) #41266
• [8ea56a9606] - crypto: fix error capture when loading engine (Tobias Nießen) #41187
• [f5b8aee1a1] - deps: upgrade npm to 8.3.1 (npm-robot) #41503
• [af3acecd7e] - deps: V8: cherry-pick 3b6b21f595f6 (Michaël Zasso) #41457
• [02ca5d7c7c] - deps: upgrade to libuv 1.43.0 (Colin Ihrig) #41398
• [48e4780fd7] - doc: remove statement about client private keys (Tobias Nießen) #41505
• [ba7160e815] - doc: fix typo in onboarding.md (Antoine du Hamel) #41544
• [fcb37e9ce5] - doc: add Mesteery to collaborators (Mestery) #41543
• [abbfed8789] - doc: add missing word in readable.read() text (Rich Trott) #41524
• [712dfdc11f] - doc: add missing YAML tag in esm.md (Antoine du Hamel) #41516
• [f443a4e8fa] - doc: expand fs.access() mode parameter docs (Colin Ihrig) #41484
• [5c0c459976] - doc: correct checkHost behavior with wildcards etc (Tobias Nießen) #41468
• [c632241440] - doc: remove extraneous colon in legacy subject (Tobias Nießen) #41477
• [b7b0631b10] - doc: remove SameValue comparison reference (Rich Trott) #41460
• [524103d6bf] - doc: update mailmap entries for mhdawson (Michael Dawson) #41437
• [62aa190c01] - doc: add guidance on order vulns are listed in (Michael Dawson) #41429
• [d721a758b2] - doc: update output in inspector examples (David Sanders) #41390
• [60025bde16] - doc: add note regarding unfinished TLA (Antoine du Hamel) #41434
• [10bdb5969e] - doc: add reference for === operator in assert.md (Rich Trott) #41442
• [edc6a7af42] - doc: clarify uncaughtException origin for ESM (Antoine du Hamel) #41339
• [4a369d03b4] - doc: revise HTTPRequestOptions text (Rich Trott) #41407
• [f43bfe2e16] - doc: add reference for == and != operators (Rich Trott) #41413
• [d3111bf0cc] - doc: add @RaisinTen to the TSC (Michael Dawson) #41419
• [e6bed4e972] - doc: update Abstract Equality Comparison text in assert.md (Rich Trott) #41375
• [19db19bb80] - doc: fix example commands for REPLACEME updates (Richard Lau) #41269
• [16c0bea91d] - doc: document that `...

2022-01-10, Version 17.3.1 (Current), @BethGriggs

This is a security release.

Notable changes

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44531 after publication.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44532 after publication.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.

Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

More details will be available at CVE-2021-44533 after publication.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.

Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to.

More details will be available at CVE-2022-21824 after publication.

Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.

Commits

• [2a0515f73c] - console: fix prototype pollution via console.table (Tobias Nießen) nodejs-private/node-private#307
• [2e2c45553d] - crypto,tls: implement safe x509 GeneralName format (Tobias Nießen) nodejs-private/node-private#300
• [df3141f59b] - src: add cve reverts and associated tests (Michael Dawson) nodejs-private/node-private#300
• [5398548746] - src: remove unused x509 functions (Tobias Nießen) nodejs-private/node-private#300
• [1f7fdff64a] - tls: fix handling of x509 subject and issuer (Tobias Nießen) nodejs-private/node-private#300
• [b11b4cc69d] - tls: drop support for URI alternative names (Tobias Nießen) nodejs-private/node-private#300

2022-01-10, Version 16.13.2 'Gallium' (LTS), @danielleadams

This is a security release.

Notable changes

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44531 after publication.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44532 after publication.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.

Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

More details will be available at CVE-2021-44533 after publication.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.

Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to.

More details will be available at CVE-2022-21824 after publication.

Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.

Commits

• [8dd4ca4537] - console: fix prototype pollution via console.table (Tobias Nießen) nodejs-private/node-private#307
• [e52882da4c] - crypto,tls: implement safe x509 GeneralName format (Tobias Nießen) nodejs-private/node-private#300
• [9a0a189b0b] - src: add cve reverts and associated tests (Michael Dawson) nodejs-private/node-private#300
• [4a262d42bc] - src: remove unused x509 functions (Tobias Nießen) nodejs-private/node-private#300
• [965536fe3d] - tls: fix handling of x509 subject and issuer (Tobias Nießen) nodejs-private/node-private#300
• [a2cbfa95ff] - tls: drop support for URI alternative names (Tobias Nießen) nodejs-private/node-private#300

2022-01-10, Version 14.18.3 'Fermium' (LTS), @richardlau

This is a security release.

Notable changes

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44531 after publication.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44532 after publication.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.

Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

More details will be available at CVE-2021-44533 after publication.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.

Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to.

More details will be available at CVE-2022-21824 after publication.

Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.

Commits

• [e2a74f3c99] - console: fix prototype pollution via console.table (Tobias Nießen) nodejs-private/node-private#307
• [df1b2c33f6] - crypto,tls: implement safe x509 GeneralName format (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300
• [9f2c52617f] - src: add cve reverts and associated tests (Michael Dawson and Akshay Kumar) nodejs-private/node-private#300
• [b14be42518] - src: remove unused x509 functions (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300
• [83d8f880bb] - tls: fix handling of x509 subject and issuer (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300
• [461a0c674b] - tls: drop support for URI alternative names (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300

2022-01-10, Version 12.22.9 'Erbium' (LTS), @richardlau

This is a security release.

Notable changes

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44531 after publication.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44532 after publication.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.

Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

More details will be available at CVE-2021-44533 after publication.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.

Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to.

More details will be available at CVE-2022-21824 after publication.

Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.

Commits

• [be69403528] - console: fix prototype pollution via console.table (Tobias Nießen) nodejs-private/node-private#307
• [19873abfb2] - crypto,tls: implement safe x509 GeneralName format (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300
• [ff9ac7d757] - doc: fix date for v12.22.8 (Richard Lau) #41213
• [a5c7843cab] - src: add cve reverts and associated tests (Michael Dawson and Akshay Kumar) nodejs-private/node-private#300
• [d4e5d1b9ca] - src: remove unused x509 functions (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300
• [8c2db2c86b] - tls: fix handling of x509 subject and issuer (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300
• [e0fe6a635e] - tls: drop support for URI alternative names (Tobias Nießen and Akshay Kumar) nodejs-private/node-private#300