Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/28379
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Notable Changes:
Diagnostics channel (experimental module):
`diagnostics_channel` is a new experimental module that provides an API
to create named channels to report arbitrary message data for
diagnostics purposes.
The module was initially introduced in Node.js v15.1.0 and is
backported to v14.17.0 to enable testing it at a larger scale.
With `diagnostics_channel`, Node.js core and module authors can publish
contextual data about what they are doing at a given time. This could
be the hostname and query string of a mysql query, for example. Just
create a named channel with `dc.channel(name)` and call
`channel.publish(data)` to send the data to any listeners to that
channel.
```js
const dc = require('diagnostics_channel');
const channel = dc.channel('mysql.query');
MySQL.prototype.query = function query(queryString, values, callback) {
// Broadcast query information whenever a query is made
channel.publish({
query: queryString,
host: this.hostname,
});
this.doQuery(queryString, values, callback);
};
```
Channels are like one big global event emitter but are split into
separate objects to ensure they get the best performance. If nothing is
listening to the channel, the publishing overhead should be as close to
zero as possible. Consuming channel data is as easy as using
`channel.subscribe(listener)` to run a function whenever a message is
published to that channel.
```js
const dc = require('diagnostics_channel');
const channel = dc.channel('mysql.query');
channel.subscribe(({ query, host }) => {
console.log(`mysql query to ${host}: ${query}`);
});
```
The data captured can be used to provide context for what an app is
doing at a given time. This can be used for things like augmenting
tracing data, tracking network and filesystem activity, logging
queries, and many other things. It's also a very useful data source
for diagnostics tools to provide a clearer picture of exactly what the
application is doing at a given point in the data they are presenting.
Contributed by Stephen Belanger (https://github.com/nodejs/node/pull/34895).
UUID support in the crypto module:
The new `crypto.randomUUID()` method now allows to generate random
[RFC 4122](https://www.rfc-editor.org/rfc/rfc4122.txt) Version 4
UUID strings:
```js
const { randomUUID } = require('crypto');
console.log(randomUUID());
// 'aa7c91a1-f8fc-4339-b9db-f93fc7233429'
```
Contributed by James M Snell (https://github.com/nodejs/node/pull/36729).
Experimental support for `AbortController` and `AbortSignal`:
Node.js 14.17.0 adds experimental partial support for `AbortController`
and `AbortSignal`.
Both constructors can be enabled globally using the
`--experimental-abortcontroller` flag.
Additionally, several Node.js APIs have been updated to support
`AbortSignal` for cancellation.
It is not mandatory to use the built-in constructors with them. Any
spec-compliant third-party alternatives should be compatible.
`AbortSignal` support was added to the following methods:
* `child_process.exec`
* `child_process.execFile`
* `child_process.fork`
* `child_process.spawn`
* `dgram.createSocket`
* `events.on`
* `events.once`
* `fs.readFile`
* `fs.watch`
* `fs.writeFile`
* `http.request`
* `https.request`
* `http2Session.request`
* The promisified variants of `setImmediate` and `setTimeout`
Other notable changes:
* doc:
* revoke deprecation of legacy url, change status to legacy (James M Snell) (https://github.com/nodejs/node/pull/37784)
* add legacy status to stability index (James M Snell) (https://github.com/nodejs/node/pull/37784)
* upgrade stability status of report API (Gireesh Punathil) (https://github.com/nodejs/node/pull/35654)
* deps:
* V8: Backport various patches for Apple Silicon support (BoHong Li) (https://github.com/nodejs/node/pull/38051)
* update ICU to 68.1 (Michaël Zasso) (https://github.com/nodejs/node/pull/36187)
* upgrade to libuv 1.41.0 (Colin Ihrig) (https://github.com/nodejs/node/pull/37360)
* http:
* add http.ClientRequest.getRawHeaderNames() (simov) (https://github.com/nodejs/node/pull/37660)
* report request start and end with diagnostics\_channel (Stephen Belanger) (https://github.com/nodejs/node/pull/34895)
* util:
* add getSystemErrorMap() impl (eladkeyshawn) (https://github.com/nodejs/node/pull/38101)
PR-URL: https://github.com/nodejs/node/pull/38507
In the JSON fetching example, http.get request is being sent to
an http url that redirects to https. This causes the http.get
request to fail. To avoid redirect errors, a local http server
is set up that returns a json response.
Fixes: https://github.com/nodejs/node/issues/37907
PR-URL: https://github.com/nodejs/node/pull/38036
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Nitzan Uziely <linkgoron@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
- Add a paragraph about case-insensitivity of encoding options.
- Document "utf-8", "utf-16le" and "ucs-2" aliases.
- Always use "utf8" in documentation for defaults and examples.
PR-URL: https://github.com/nodejs/node/pull/37945
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/37662
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/37265
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
OutgoingMessage is a very old feature which is exported
to public in http module dated to v0.1.x. But
it is not documented at all.
This commit adds document for http.OutgogingMessage.
Fixes: https://github.com/nodejs/node/issues/33847
PR-URL: https://github.com/nodejs/node/pull/37265
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/36987
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/36913
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Pooja D P <Pooja.D.P@ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Make `response.setHeader` return the response object itself
so that multiple header setting can be chained.
Fixes: https://github.com/nodejs/node/issues/33148
PR-URL: https://github.com/nodejs/node/pull/35924
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ricky Zhou <0x19951125@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/36163
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
remark-parse@9.0.0 combined with our html.js tool ends a list if a
multi-line item does not include indentation. Update our docs for this
formatting.
I looked around for a lint rule to enforce this but didn't find one
readily available. (Happy to be shown that I'm wrong about that!) We may
need to write one.
PR-URL: https://github.com/nodejs/node/pull/36049
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Enables an optimization when the user already has the headers
in an array form, e.g. when proxying.
PR-URL: https://github.com/nodejs/node/pull/35274
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
`request.connection` and `response.connection` are deprecated. Use
`request.socket` and `response.socket` instead.
PR-URL: https://github.com/nodejs/node/pull/35439
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Pranshu Srivastava <rexagod@gmail.com>
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
This helps catch broken links as part of the test suite. This also
improves the user experience when browsing the markdown files.
PR-URL: https://github.com/nodejs/node/pull/35191
Fixes: https://github.com/nodejs/node/issues/35189
Reviewed-By: Derek Lewis <DerekNonGeneric@inf.is>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This is a security release.
Notable changes:
Vulnerabilities fixed:
- CVE-2020-8251: Denial of Service by resource exhaustion CWE-400 due
to unfinished HTTP/1.1 requests (Critical).
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion
(High).
PR-URL: https://github.com/nodejs-private/node-private/pull/225
This commits introduces a new http.Server option called requestTimeout
with a default value in milliseconds of 0.
If requestTimeout is set to a positive value, the server will start a new
timer set to expire in requestTimeout milliseconds when a new connection
is established. The timer is also set again if new requests after the
first are received on the socket (this handles pipelining and keep-alive
cases).
The timer is cancelled when:
1. the request body is completely received by the server.
2. the response is completed. This handles the case where the
application responds to the client without consuming the request body.
3. the connection is upgraded, like in the WebSocket case.
If the timer expires, then the server responds with status code 408 and
closes the connection.
CVE-2020-8251
PR-URL: https://github.com/nodejs-private/node-private/pull/208
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Mary Marchini <oss@mmarchini.me>
Co-Authored-By: Paolo Insogna <paolo@cowtech.it>
Co-Authored-By: Robert Nagy <ronagy@icloud.com>
Our docs describe static methods as Class Methods which seems
idiosyncratic for JavaScript. Align with MDN which calls them static
methods.
Refs: https://developer.mozilla.org/en-US/docs/MDN/Contribute/Structures/API_references/What_does_an_API_reference_need
JSON format for our docs will still use the key name `classMethods` for
this. I would like to change it to `staticMethods` but I don't know if
that will break things for consumers. So, leaving it alone. It's a
machine-consumable label more than a human-readable so I can live with
that.
PR-URL: https://github.com/nodejs/node/pull/34659
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
The state of the connection is unknown at this point and
writing to it can corrupt client state before it is aware
of an error.
PR-URL: https://github.com/nodejs/node/pull/34465
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The explanation that the HTTP requests include `\r\n` is true but not
important or relevant in these two specific contexts.
PR-URL: https://github.com/nodejs/node/pull/34178
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Prior to this commit, http request message code blocks in Markdown
files were not being highlighted correctly. This has been corrected by
adding the new grammar to the bundle, removing the CRLFs (`\r\n`) from
these code samples, adding a reminder to re-add them, and tuning the
syntax theme to support attribute highlighting.
PR-URL: https://github.com/nodejs/node/pull/33785
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Add maxTotalSockets to determine how many sockets an agent can open.
Unlike maxSockets, The maxTotalSockets does not count by per origin.
PR-URL: https://github.com/nodejs/node/pull/33617
Fixes: https://github.com/nodejs/node/issues/31942
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Our docs use a mixture of _Constructor: `new Fhqwhgads()`_ in some
headers and only _`new Fhqwhgads()`_ in other headers. The latter is
about three times as common, so let's standardize on that.
PR-URL: https://github.com/nodejs/node/pull/33781
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
These are changed to either ```text or ```console.
PR-URL: https://github.com/nodejs/node/pull/33028
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
In some cases, it is preferable to use a lifo scheduling strategy
for the free sockets instead of default one, which is fifo.
This commit introduces a scheduling option to add the ability
to choose which strategy best fits your needs.
PR-URL: https://github.com/nodejs/node/pull/33278
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
This commit updates ClientRequest#destroy() to return `this`
for consistency with other writable streams.
PR-URL: https://github.com/nodejs/node/pull/32789
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This commit updates IncomingMessage#destroy() to return `this`
for consistency with other readable streams.
PR-URL: https://github.com/nodejs/node/pull/32789
Fixes: https://github.com/nodejs/node/issues/32772
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
The use-case is for any framework that provides user mw a response
replacement, that collects the desired response state, and applies them
only on conclusion. As such a framework, I'd want to validate the
header names and values as soon as the user-code provides them.
This - to eliminate errors on response-send time, and provide developer
stack trace that contains the line that submits the offending values.
PR-URL: https://github.com/nodejs/node/pull/33119
Reviewed-By: Anna Henningsen <anna@addaleax.net>
PR-URL: https://github.com/nodejs/node/pull/33203
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
When cherry-picking release commits for LTS releases into master,
the `REPLACEME` metadata can be taken over as well, to give users
a more accurate view of what is being released on which release line.
This addresses this problem for all previous LTS releases for which
this has not been done.
Fixes: https://github.com/nodejs/node/issues/33001
PR-URL: https://github.com/nodejs/node/pull/33041
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
Doc deprecates ClientRequest.abort in favor of
ClientRequest.destroy. Also improves event order
documentation for abort and destroy.
Refs: https://github.com/nodejs/node/issues/32225
PR-URL: https://github.com/nodejs/node/pull/32807
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Zeyu Yang <himself65@outlook.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
The example referenced as being potentially unsafe specifies
Content-Length correctly.
PR-URL: https://github.com/nodejs/node/pull/32700
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Fixes: https://github.com/nodejs/node/issues/27645
PR-URL: https://github.com/nodejs/node/pull/32520
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Whether and when a socket is destroyed or not after a timeout is up to
the user. This leaves an edge case where a socket that has emitted
'timeout' might be re-used from the free pool. Even if destroy is called
on the socket, it won't be removed from the freelist until 'close' which
can happen several ticks later.
Sockets are removed from the free list on the 'close' event.
However, there is a delay between calling destroy() and 'close'
being emitted. This means that it possible for a socket that has
been destroyed to be re-used from the free list, causing unexpected
failures.
PR-URL: https://github.com/nodejs/node/pull/32000
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Our documentation uses em dashes inconsistently. They are treated
inconsistently typographically too. (For example, they are sometimes
surrounded by spaces and sometimes not.) They are also often confused
with ordinary hyphens such as in the CHANGELOG, where they are
inadvertently mixed together in a single list. The difference is
not obvious in the raw markdown but is very noticeable when rendered,
appearing to be a typographical error (which it in fact is).
The em dash is never needed. There are always alternatives. Remove em
dashes entirely.
PR-URL: https://github.com/nodejs/node/pull/32080
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Throughout the docs, we sometimes write the possessive of _Node.js_ as
_Node.js'_ and other times as _Node.js's_. The former conforms with some
generally accepted style guides (e.g., Associated Press Stylebook) while
the latter complies with others (e.g., Chicago Manual of Style).
Since there is no clear authoritative answer as to which form is
correct, and since (at least to me) both are visually jarring and
sometimes cause a pause to understand, I'd like to reword things to
eliminate the possessive form where possible.
This is one of those examples.
PR-URL: https://github.com/nodejs/node/pull/31748
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This is a security release.
Vulnerabilities fixed:
* **CVE-2019-15606**:
HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
Remotely trigger an assertion on a TLS server with a malformed
certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
PR-URL: https://github.com/nodejs-private/node-private/pull/196
From the issue:
> Some servers deviate from HTTP spec enougth that Node.js can't
> communicate with them, but "work" when `--insecure-http-parser`
> is enabled globally. It would be useful to be able to use this
> mode, as a client, only when connecting to known bad servers.
This is largely equivalent to https://github.com/nodejs/node/pull/31446
in terms of code changes.
Fixes: https://github.com/nodejs/node/issues/31440
Refs: https://github.com/nodejs/node/pull/31446
PR-URL: https://github.com/nodejs/node/pull/31448
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Make `maxHeaderSize` a.k.a. `--max-header-size` configurable now that
the legacy parser is gone (which only supported a single global value).
Refs: https://github.com/nodejs/node/pull/30567
PR-URL: https://github.com/nodejs/node/pull/30570
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
State that the 'error' event is emitted on the underlying socket, not
the IncomingMessage object.
PR-URL: https://github.com/nodejs/node/pull/30255
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
This commit is addressing the problem in issue #29948.
Fixes: https://github.com/nodejs/node/issues/29948
PR-URL: https://github.com/nodejs/node/pull/30155
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit causes http.IncomingMessage instances to set their
readableHighWaterMark value the same value used in the underlying
socket.
PR-URL: https://github.com/nodejs/node/pull/30135
Fixes: https://github.com/nodejs/node/issues/30107
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Notable changes:
* assert:
* If the validation function passed to `assert.throws()` or
`assert.rejects()` returns a value other than `true`, an assertion
error will be thrown instead of the original error to highlight the
programming mistake (Ruben Bridgewater).
https://github.com/nodejs/node/pull/28263
* If a constructor function is passed to validate the instance of
errors thrown in `assert.throws()` or `assert.reject()`, an
assertion error will be thrown instead of the original error
(Ruben Bridgewater).
https://github.com/nodejs/node/pull/28263
* build:
* Node.js releases are now built with default full-icu support. This
means that all locales supported by ICU are now included and
Intl-related APIs may return different values than before
(Richard Lau).
https://github.com/nodejs/node/pull/29887
* The minimum Xcode version supported for macOS was increased to 10.
It is still possible to build Node.js with Xcode 8 but this may no
longer be the case in a future v13.x release (Michael Dawson).
https://github.com/nodejs/node/pull/29622
* child_process:
* `ChildProcess._channel` (DEP0129) is now a Runtime deprecation
(cjihrig).
https://github.com/nodejs/node/pull/27949
* console:
* The output `console.timeEnd()` and `console.timeLog()` will now
automatically select a suitable time unit instead of always using
milliseconds (Xavier Stouder).
https://github.com/nodejs/node/pull/29251
* deps:
* The V8 engine was updated to version 7.8. This includes performance
improvements to object destructuring, memory usage and WebAssembly
startup time (Myles Borins).
https://github.com/nodejs/node/pull/29694)
* domain:
* The domain's error handler is now executed with the active domain
set to the domain's parent to prevent inner recursion
(Julien Gilli).
https://github.com/nodejs/node/pull/26211
* fs:
* The undocumented method `FSWatcher.prototype.start()` was removed
(Lucas Holmquist).
https://github.com/nodejs/node/pull/29905
* Calling the `open()` method on a `ReadStream` or `WriteStream` now
emits a runtime deprecation warning. The methods are supposed to be
internal and should not be called by user code (Robert Nagy).
https://github.com/nodejs/node/pull/29061
* `fs.read/write`, `fs.readSync/writeSync` and `fd.read/write` now
accept any safe integer as their `offset` parameter. The value of
`offset` is also no longer coerced, so a valid type must be passed
to the functions (Zach Bjornson).
https://github.com/nodejs/node/pull/26572
* http:
* Aborted requests no longer emit the `end` or `error` events after
`aborted` (Robert Nagy).
https://github.com/nodejs/node/pull/27984https://github.com/nodejs/node/pull/20077
* Data will no longer be emitted after a socket error (Robert Nagy).
https://github.com/nodejs/node/pull/28711
* The legacy HTTP parser (previously available under the
`--http-parser=legacy` flag) was removed (Anna Henningsen).
https://github.com/nodejs/node/pull/29589
* The `host` option for HTTP requests is now validated to be a string
value (Giorgos Ntemiris).
https://github.com/nodejs/node/pull/29568
* The `request.connection` and `response.connection` properties are now
runtime deprecated. The equivalent `request.socket` and `response.socket`
should be used instead (Robert Nagy).
https://github.com/nodejs/node/pull/29015
* http, http2:
* The default server timeout was removed (Ali Ijaz Sheikh).
https://github.com/nodejs/node/pull/27558
* Brought 425 status code name into accordance with RFC 8470. The name
changed from "Unordered Collection" to "Too Early" (Sergei Osipov).
https://github.com/nodejs/node/pull/29880
* lib:
* The `error.errno` property will now always be a number. To get the
string value, use `error.code` instead (Joyee Cheung).
https://github.com/nodejs/node/pull/28140
* module:
* `module.createRequireFromPath()` is deprecated. Use
`module.createRequire()` instead (cjihrig).
https://github.com/nodejs/node/pull/27951
* src:
* Changing the value of `process.env.TZ` will now clear the tz cache.
This affects the default time zone used by methods such as
`Date.prototype.toString` (Ben Noordhuis).
https://github.com/nodejs/node/pull/20026
* stream:
* The timing and behavior of streams was consolidated for a number of
edge cases. Please look at the individual commits below for more
information.
PR-URL: https://github.com/nodejs/node/pull/29504
IncomingMessage will no longer emit end after aborted.
PR-URL: https://github.com/nodejs/node/pull/27984
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Set ClientRequest.reusedSocket property when reusing socket for request,
so user can handle retry base on wether the request is reusing a socket.
Refs: https://github.com/request/request/issues/3131
PR-URL: https://github.com/nodejs/node/pull/29715
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Weijia Wang <starkwang@126.com>
Use explicit trailing `[]` for reference markdown links to prevent
implicit links when references are added to documents.
PR-URL: https://github.com/nodejs/node/pull/29808
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
In most cases, stability note is the first info in a doc section
after YAML. This PR makes it consistent across all docs,
as this info seems the most relevant for a reader.
PR-URL: https://github.com/nodejs/node/pull/29799
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Documents that callback is optional for IncomingMessage setTimeout
PR-URL: https://github.com/nodejs/node/pull/29654
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
In `.end()` methods, an optional `encoding` parameter makes sense
only if the `data` (`chunk`) parameter is provided.
PR-URL: https://github.com/nodejs/node/pull/29615
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Convert to asterisks when there are mixed styles in document.
Addresses Markdownlint MD004 rule
PR-URL: https://github.com/nodejs/node/pull/29516
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
This is the document formation, because `node` is a command to be
executed, we should reguard it as a command prompt instead of a command
txt type.
PR-URL: https://github.com/nodejs/node/pull/29389
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Also removed redundant statments as extends is self-explanatory.
PR-URL: https://github.com/nodejs/node/pull/29255
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Notable changes:
* crypto:
* Added an oaepHash option to asymmetric encryption which allows
users to specify a hash function when using OAEP padding.
https://github.com/nodejs/node/pull/28335
* deps:
* Updated V8 to 7.6.303.29. https://github.com/nodejs/node/pull/28955
* Improves the performance of various APIs such as `JSON.parse` and
methods called on frozen arrays.
* Adds the Promise.allSettled method.
* Improves support of `BigInt` in `Intl` methods.
* For more information: https://v8.dev/blog/v8-release-76
* Updated libuv to 1.31.0. https://github.com/nodejs/node/pull/29070
* `UV_FS_O_FILEMAP` has been added for faster access to memory
mapped files on Windows.
* `uv_fs_mkdir()` now returns `UV_EINVAL` for invalid filenames on
Windows. It previously returned `UV_ENOENT`.
* The `uv_fs_statfs()` API has been added.
* The `uv_os_environ()` and `uv_os_free_environ()` APIs have been
added.
* fs:
* Added `fs.writev`, `fs.writevSync` and `filehandle.writev` (promise
version) methods. They allow to write an array of `ArrayBufferView`s
to a file descriptor. https://github.com/nodejs/node/pull/25925https://github.com/nodejs/node/pull/29186
* http:
* Added three properties to `OutgoingMessage.prototype`:
`writableObjectMode`, `writableLength` and `writableHighWaterMark`
https://github.com/nodejs/node/pull/29018
* stream:
* Added an new property `readableEnded` to readable streams. Its value
is set to `true` when the `'end'` event is emitted.
https://github.com/nodejs/node/pull/28814
* Added an new property `writableEnded` to writable streams. Its value
is set to `true` after `writable.end()` has been called.
https://github.com/nodejs/node/pull/28934
PR-URL: https://github.com/nodejs/node/pull/29210
This is work towards resolving the response.finished confusion and
future deprecation.
Note that implementation-wise, streams have both an ending and ended
state. However, in this case (in order to avoid confusion in user space)
writableEnded is equal to writable.ending. The ending vs ended situation
is internal state required for internal stream logic.
PR-URL: https://github.com/nodejs/node/pull/28934
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/28943
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
response.writableFinished is true if all data has been flushed to the
underlying system.
PR-URL: https://github.com/nodejs/node/pull/28681
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
1xx intermediate status responses are allowed to have headers; so
expose the "httpVersion", "httpVersionMajor", "httpVersionMinor",
"headers", "rawHeaders", and "statusMessage" properties on this
event.
PR-URL: https://github.com/nodejs/node/pull/28459
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Timing out and closing the socket after two minutes have elapsed is
surprising and problematic for users. This behavior was specific to
Node.js, and doesn't seem to be common in other language runtimes.
Fixes: https://github.com/nodejs/node/issues/27556
PR-URL: https://github.com/nodejs/node/pull/27558
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Use "RFC 1234" instead of "rfc1234", "RFC1234" or similar variants.
PR-URL: https://github.com/nodejs/node/pull/26727
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
This updates a lot of comments.
PR-URL: https://github.com/nodejs/node/pull/26223
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Socket timeouts set using the `'connection'` event are replaced by
`server.keepAliveTimeout` when a response is handled.
PR-URL: https://github.com/nodejs/node/pull/25748
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Instead of returning a generic 400 response when the
max header size is reached, return a 431 Request Header
Fields Too Large.
This is a semver-major because it changes the HTTP
status code for requests that trigger the header
overflow error.
PR-URL: https://github.com/nodejs/node/pull/25605
Fixes: https://github.com/nodejs/node/issues/25528
Refs: https://tools.ietf.org/html/rfc6585#section-5
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
By default the agent options are passed to `net.createConnection()`
which sets the timeout on the socket immediately after creating it.
PR-URL: https://github.com/nodejs/node/pull/25489
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This commit exposes the value of --max-http-header-size
as a property of the http module.
PR-URL: https://github.com/nodejs/node/pull/24860
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
For new Agent() signature in http doc, list the supported options in
socket.connect().
Refs: https://github.com/nodejs/node/issues/24098
PR-URL: https://github.com/nodejs/node/pull/24846
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
document that incoming cookie headers are joined using '; '.
PR-URL: https://github.com/nodejs/node/pull/24740
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes:
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/156/
