News from 2016

• 22 Mar Node v4.4.1 (LTS)
  • build:
    • Updated Logos for the OSX + Windows installers
      • (Rod Vagg) #5401
      • (Robert Jefe Lindstaedt) #5531
    • New option to select your VS Version in the Windows installer
      • (julien.waechter) #4645
    • Support Visual C++ Build Tools 2015
      • (João Reis) #5627
  • tools:
    • Gyp now works on OSX without XCode
      • (Shigeki Ohtsu) nodejs/node#1325

  Read more...
• 16 Mar Node v5.9.0 (Stable)
  • contextify: Fixed a memory consumption issue related to heavy use of vm.createContext and vm.runInNewContext. (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/5392
  • governance: The following members have been added as collaborators:
    • Andreas Madsen (@AndreasMadsen)
    • Benjamin Gruenbaum (@benjamingr)
    • Claudio Rodriguez (@claudiorodriguez)
    • Glen Keane (@thekemkid)
    • Jeremy Whitlock (@whitlockjc)
    • Matt Loring (@matthewloring)
    • Phillip Johnsen (@phillipj)
  • lib: copy arguments object instead of leaking it (Nathan Woltman) https://github.com/nodejs/node/pull/4361
  • src: allow both -i and -e flags to be used at the same time (Rich Trott) https://github.com/nodejs/node/pull/5655
  • timers: Internal Node.js timeouts now use the same logic path as those created with setTimeout() (Jeremiah Senkpiel) #4007
    • This may cause a slightly different performance profile in some situations. So far, it has shown to be positive in most cases.
  • v8: backport fb4ccae from v8 upstream (Vladimir Krivosheev) #4231
    • breakout events from v8 to offer better support for external debuggers
  • zlib: add support for concatenated members (Kári Tristan Helgason) https://github.com/nodejs/node/pull/5120
    • Previously, if multiple members were in the same archive, only the first would be read. The others are no longer thrown away.

  Read more...
• 09 Mar AppDynamics, New Relic, Opbeat and Sphinx Join the Node.js Foundation as Silver Members

  SAN FRANCISCO, Mar. 9, 2016 — The Node.js Foundation, a community-led and industry-backed consortium to advance the development of the Node.js platform, today announced AppDynamics, New Relic, Opbeat and Sphinx are joining the Foundation as Silver Members to continue to sustain and grow the Node.js platform.

  Read more...
• 09 Mar Node v4.4.0 (LTS)

  The SEMVER-MINOR changes include:

  • deps:
    • An update to v8 that introduces a new flag --perf_basic_prof_only_functions (Ali Ijaz Sheikh) #3609
  • http:
    • A new feature in http(s) agent that catches errors on keep alived connections (José F. Romaniello) #4482
  • src:
    • Better support for Big-Endian systems (Bryon Leung) #3410
  • tls:
    • A new feature that allows you to pass common SSL options to tls.createSecurePair (Коренберг Марк) #2441
  • tools:
    • a new flag --prof-process which will execute the tick processor on the provided isolate files (Matt Loring) #4021

  Read more...
• 09 Mar Node v5.8.0 (Stable)
  • child_process: send() now accepts an options parameter (cjihrig) #5283.
    • Currently the only option is keepOpen, which keeps the underlying socket open after the message is sent.
  • constants: ENGINE_METHOD_RSA is now correctly exposed (Sam Roberts) #5463.
  • Fixed two regressions which originated in v5.7.0:
    • http: Errors inside of http client callbacks now propagate correctly (Trevor Norris) #5591.
    • path: Fixed normalization of absolute paths (Evan Lucas) #5589.
  • repl: start() no longer requires an options parameter (cjihrig) #5388.
  • util: Improved format() performance 50-300% (Evan Lucas) #5360.

  Read more...
• 09 Mar Node v0.12.12 (LTS)
  • openssl: Fully remove SSLv2 support, the --enable-ssl2 command line argument will now produce an error. The DROWN Attack (https://drownattack.com/) creates a vulnerability where SSLv2 is enabled by a server, even if a client connection is not using SSLv2. The SSLv2 protocol is widely considered unacceptably broken and should not be supported. More information is available at https://www.openssl.org/news/vulnerabilities.html#2016-0800

  Read more...
• 07 Mar Weekly Update - Mar 7th, 2016

  Node v0.10.43 (Maintenance), Node v0.12.11 (LTS), Node v5.7.1 (Stable) and Node v4.3.2 (LTS) are released.

  We have four releases: Node v0.10.43 (Maintenance), Node v0.12.11 (LTS), Node v5.7.1 (Stable) and Node v4.3.2 (LTS). Complete changelog from previous releases can be found on GitHub.

  Read more...
• 04 Mar Node v0.10.43 (Maintenance)

  This release contains security updates. OpenSSL 1.0.1s fixes some low-severity defects that impact Node.js. See our impact assessment for full details.

  Read more...
• 03 Mar Node v0.12.11 (LTS)

  This release contains security updates. OpenSSL 1.0.1s fixes some low-severity defects that impact Node.js. See our impact assessment for full details.

  Read more...
• 02 Mar Node v5.7.1 (Stable)
  • governance: The Core Technical Committee (CTC) added four new members to help guide Node.js core development: Evan Lucas, Rich Trott, Ali Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).
  • openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) #5507.
    • Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705.
    • Fix a defect that can cause memory corruption in certain very rare cases relating to the internal BN_hex2bn() and BN_dec2bn() functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are unlikely to be possible. More info is available at CVE-2016-0797.
    • Fix a defect that makes the CacheBleed Attack possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702.
  • Fixed several regressions that appeared in v5.7.0:
    • path.relative():
      • Output is no longer unnecessarily verbose (Brian White) #5389.
      • Resolving UNC paths on Windows now works correctly (Owen Smith) #5456.
      • Resolving paths with prefixes now works correctly from the root directory (Owen Smith) #5490.
    • url: Fixed an off-by-one error with parse() (Brian White) #5394.
    • dgram: Now correctly handles a default address case when offset and length are specified (Matteo Collina) #5407.

  Read more...
• 02 Mar Node v4.3.2 (LTS)
• 01 Mar Weekly Update - Mar 1st, 2016
• 29 Feb OpenSSL updates, 1.0.2g and 1.0.1s
• 23 Feb Weekly Update - Feb 23rd, 2016
• 23 Feb Node v5.7.0 (Stable)
• 17 Feb Node v4.3.1 (LTS)
• 15 Feb Weekly Update - Feb 15th, 2016
• 10 Feb Node.js Foundation to Add Express to its Incubator Program
• 09 Feb February 2016 Security Release Summary
• 09 Feb Node v0.10.42 (LTS)
• 09 Feb Node v0.12.10 (LTS)
• 09 Feb Node v4.3.0 (LTS)
• 09 Feb Node v5.6.0 (Stable)
• 08 Feb Weekly Update - Feb 8th, 2016
• 29 Jan Weekly Update - Jan 29th, 2016
• 27 Jan OpenSSL upgrade low-severity Node.js security fixes
• 22 Jan Weekly Update - Jan 22th, 2016
• 21 Jan Node v4.2.6 (LTS)
• 21 Jan Node v5.5.0 (Stable)
• 20 Jan Node v4.2.5 (LTS)
• 18 Jan Weekly Update - Jan 18th, 2016
• 12 Jan Node v5.4.1 (Stable)
• 11 Jan Weekly Update - Jan 11th, 2016
• 06 Jan Node v5.4.0 (Stable)
• 01 Jan Weekly Update - Jan 1st, 2016