forked from nodejs/node
Node.js v18.20.2 #5
Open: asana-kristoferbuno wants to merge 88 commits into v18 from v18.20.2
The warning message was inadvertently changed to a newer version of g++ than the one being checked for when a refactor PR was merged to v18.x-staging. Refs: nodejs#47667 PR-URL: nodejs#51695 Reviewed-By: Ruy Adorno <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Mohammed Keyvanzadeh <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: nodejs#51792 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Joyee Cheung <[email protected]>
PR-URL: nodejs#51782 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: nodejs#51799 Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
PR-URL: nodejs#51800 Fixes: nodejs#51789 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
Replace the setInterval with a queueMicrotask to make test less flaky. Fixes: nodejs#51883 PR-URL: nodejs#51943 Reviewed-By: Joyee Cheung <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Paolo Insogna <[email protected]>
Original commit message: [symbol-as-weakmap-key] Implement Symbol as WeakMap Keys Allow non-registered symbols as keys in weakmap and weakset. Allow non-registered symbols as target and unregisterToken in WeakRef and FinalizationRegistry. Bug: v8:12947 Change-Id: Ieb63bda66e3cc378879ac651e23300b71caed627 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865056 Reviewed-by: Dominik Inführ <[email protected]> Commit-Queue: Marja Hölttä <[email protected]> Reviewed-by: Jakob Linke <[email protected]> Cr-Commit-Position: refs/heads/main@{#83313} Refs: v8/v8@c400af4 PR-URL: nodejs#51004 Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message: [symbol-as-weakmap-key] Add tests to check weak collection size ... after gc. This CL also adds a runtime test function GetWeakCollectionSize to get the weak collection size. Bug: v8:12947 Change-Id: I4aff39165a54b63b3d690bfea71c2a439da01d00 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905071 Reviewed-by: Marja Hölttä <[email protected]> Commit-Queue: 王澳 <[email protected]> Cr-Commit-Position: refs/heads/main@{#83464} Refs: v8/v8@7f5daed PR-URL: nodejs#51004 Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message: [symbol-as-weakmap-key] Stage the feature Bug: v8:12947 Change-Id: I0a151a6b301ee93675cc9f87a4fa24cb1be76462 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3928061 Auto-Submit: Shu-yu Guo <[email protected]> Commit-Queue: Marja Hölttä <[email protected]> Reviewed-by: Marja Hölttä <[email protected]> Cr-Commit-Position: refs/heads/main@{#83483} Refs: v8/v8@9a98f96 PR-URL: nodejs#51004 Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message: [symbol-as-weakmap-key] Fix DCHECKs and add CanBeHeldWeakly There are a few DCHECKs that weren't updated to allow for Symbols as weak collection keys. This CL updates those DCHECKs and also does the following refactors for clarity: - Add Object::CanBeHeldWeakly - Rename GotoIfCannotBeWeakKey -> GotoIfCannotBeHeldWeakly to align with spec AO name Bug: chromium:1370400, chromium:1370402, v8:12947 Change-Id: I380840c8377497feae97e3fca37555dae0dcc255 Fixed: chromium:1370400, chromium:1370402 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3928150 Auto-Submit: Shu-yu Guo <[email protected]> Reviewed-by: Marja Hölttä <[email protected]> Commit-Queue: Marja Hölttä <[email protected]> Cr-Commit-Position: refs/heads/main@{#83507} Refs: v8/v8@94e8282 PR-URL: nodejs#51004 Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message: [inspector] Support Symbols in EntryPreview The Symbols-as-WeakMap-keys proposal allows non-Symbol.for Symbol values in weak collections, which means it can show in EntryPreviews. Also apparently Symbols in regular Maps and Sets were also unsupported. Bug: v8:13350, v8:12947 Change-Id: Ib10476fa2f3c7f59af67933f0bf61640be1bbd97 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3930037 Reviewed-by: Benedikt Meurer <[email protected]> Reviewed-by: Simon Zünd <[email protected]> Commit-Queue: Shu-yu Guo <[email protected]> Cr-Commit-Position: refs/heads/main@{#83518} Refs: v8/v8@3dd9576 PR-URL: nodejs#51004 Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message: [symbol-as-weakmap-key] Fix DCHECKs when clearing JS weakrefs Bug: chromium:1372500, v8:12947 Fixed: chromium:1372500 Change-Id: Id6330de5886e4ea72544b307c358e2190ea47d9c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942586 Reviewed-by: Anton Bikineev <[email protected]> Commit-Queue: Shu-yu Guo <[email protected]> Cr-Commit-Position: refs/heads/main@{#83632} Refs: v8/v8@1fada6b PR-URL: nodejs#51004 Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message: [symbol-as-weakmap-key] Ship the proposal I2S with 3 LGTMs: https://groups.google.com/a/chromium.org/g/blink-dev/c/E6pDZP_TiBA/m/ZcXLwiz8AAAJ Bug: v8:12947 Change-Id: Ibce4abc8b0610afb2041d44cc9ed136db8b62c0d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4004610 Commit-Queue: Shu-yu Guo <[email protected]> Reviewed-by: Camillo Bruni <[email protected]> Cr-Commit-Position: refs/heads/main@{#84128} Refs: v8/v8@705e374 PR-URL: nodejs#51004 Reviewed-By: Chengzhong Wu <[email protected]>
PR-URL: nodejs#49855 Backport-PR-URL: nodejs#51004 Fixes: nodejs#49848 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]>
In preparation of https://chromium-review.googlesource.com/c/v8/v8/+/4707972 which changes the return value to v8::Data. PR-URL: nodejs#48943 Backport-PR-URL: nodejs#51004 Reviewed-By: Juan José Arboleda <[email protected]> Reviewed-By: Mohammed Keyvanzadeh <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Stephen Belanger <[email protected]> Reviewed-By: Jiawen Geng <[email protected]>
This is a non-ABI breaking solution for v8/v8@b60a03d and v8/v8@0aa622e which are necessary for backporting vm-related memory fixes to v18.x. PR-URL: nodejs#49874 Backport-PR-URL: nodejs#51004 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Jiawen Geng <[email protected]>
There is no need to initialize the internal fields to undefined and then initialize them to something else in the caller. Simply pass the internal fields into the constructor to initialize them just once. PR-URL: nodejs#49391 Backport-PR-URL: nodejs#51004 Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Stephen Belanger <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]>
Previously when managing the importModuleDynamically callback of vm.compileFunction(), we use an ID number as the host defined option and maintain a per-Environment ID -> CompiledFnEntry map to retain the top-level referrer function returned by vm.compileFunction() in order to pass it back to the callback, but it would leak because with how we used v8::Persistent to maintain this reference, V8 would not be able to understand the cycle and would just think that the CompiledFnEntry was supposed to live forever. We made an attempt to make that reference known to V8 by making the CompiledFnEntry weak and using a private symbol to make CompiledFnEntry strongly reference the top-level referrer function in nodejs#46785, but that turned out to be unsound, because there's no guarantee that the top-level function must be alive while import() can still be initiated from that function, since V8 could discard the top-level function and only keep inner functions alive, so relying on the top-level function to keep the CompiledFnEntry alive could result in use-after-free which caused a revert of that fix. With this patch we use a symbol in the host defined options instead of a number, because with the stage-3 symbol-as-weakmap-keys proposal we could directly use that symbol to keep the referrer alive using a WeakMap. As a bonus this also keeps the other kinds of referrers alive as long as import() can still be initiated from that Script/Module, so this also fixes the long-standing crash caused by vm.Script being GC'ed too early when its importModuleDynamically callback still needs it. PR-URL: nodejs#48510 Backport-PR-URL: nodejs#51004 Refs: nodejs#44211 Refs: nodejs#42080 Refs: nodejs#47096 Refs: nodejs#43205 Refs: nodejs#38695 Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Stephen Belanger <[email protected]>
Previously we maintain a strong persistent reference to the ModuleWrap to retrieve the ID-to-ModuleWrap mapping from the HostImportModuleDynamicallyCallback using the number ID stored in the host-defined options. As a result the ModuleWrap would be kept alive until the Environment is shut down, which would be a leak for user code. With the new symbol-based host-defined option we can just get the ModuleWrap from the JS-land WeakMap so there's now no need to maintain this strong reference. This would at least fix the leak for vm.SyntheticModule. vm.SourceTextModule is still leaking due to the strong persistent reference to the v8::Module. PR-URL: nodejs#48510 Backport-PR-URL: nodejs#51004 Refs: nodejs#44211 Refs: nodejs#42080 Refs: nodejs#47096 Refs: nodejs#43205 Refs: nodejs#38695 Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Stephen Belanger <[email protected]>
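The two commit messages above contrast a numeric ID held in a strong map with a symbol used as a WeakMap key. The sketch below is an added illustration in plain JavaScript, not code from Node.js or from this pull request; `NumericIdRegistry`, `SymbolRegistry`, `canBeHeldWeakly` and `demo` are hypothetical names, and it assumes a runtime where symbols-as-WeakMap-keys is enabled.

```javascript
'use strict';

// Old scheme described above: a numeric ID in the host-defined options and a
// strong ID -> referrer map. The map cannot tell when an ID became unreachable,
// so every entry stays until the map itself goes away.
class NumericIdRegistry {
  #nextId = 0;
  #entries = new Map();

  register(referrer) {
    const id = this.#nextId++;
    this.#entries.set(id, referrer);
    return id;
  }

  resolve(id) {
    return this.#entries.get(id);
  }

  get size() {
    return this.#entries.size;
  }
}

// New scheme: a fresh symbol is both the host-defined option and the WeakMap
// key. The referrer stays reachable exactly as long as something (a script,
// a module, an inner function) still holds the symbol.
class SymbolRegistry {
  #entries = new WeakMap();

  register(referrer) {
    const id = Symbol('host_defined_option'); // non-registered, so collectable
    this.#entries.set(id, referrer);
    return id;
  }

  resolve(id) {
    return this.#entries.get(id);
  }
}

// Registered symbols (Symbol.for) are never collected, so the engine refuses
// them as weak keys, just as it refuses numbers and strings.
function canBeHeldWeakly(value) {
  try {
    new WeakMap().set(value, true);
    return true;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err;
  }
}

function demo() {
  const strong = new NumericIdRegistry();
  const weak = new SymbolRegistry();
  for (let i = 0; i < 3; i++) {
    // Constructed referrers; the returned IDs are dropped immediately.
    strong.register({ name: `script-${i}` });
    weak.register({ name: `script-${i}` });
  }
  const held = weak.register({ name: 'still-importing' });
  return {
    retainedByStrongMap: strong.size, // entries nobody can look up any more
    resolved: weak.resolve(held).name,
  };
}
```

The strong map still counts three entries whose IDs nothing holds, which is the leak the commit describes; the WeakMap entries for dropped symbols are eligible for collection without any bookkeeping.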
Replace the persistent handles to v8::Module and v8::UnboundScript with an internal reference that V8's GC is aware of to fix the leaks. PR-URL: nodejs#48510 Backport-PR-URL: nodejs#51004 Refs: nodejs#44211 Refs: nodejs#42080 Refs: nodejs#47096 Refs: nodejs#43205 Refs: nodejs#38695 Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Stephen Belanger <[email protected]>
PR-URL: nodejs#49671 Backport-PR-URL: nodejs#51004 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Michaël Zasso <[email protected]>
Previously we simply create a lot of the target objects and check if the process crashes due to OOM. Due to how we use ephemeron GC to handle memory management, which is inefficient but necessary for correctness, the tests can produce false positives as the GC isn't efficient enough to catch up with a very fast heap growth. This patch uses a new checkIfCollectable() utility to terminate the test early once we detect that any of the target objects can actually be garbage collected. This should lower the chance of false positives. As a drive-by this also allows us to use setImmediate() to grow the heap even faster to make the tests run faster. PR-URL: nodejs#49671 Backport-PR-URL: nodejs#51004 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Michaël Zasso <[email protected]>
Similar to the test-vm-source-text-module-leak fix, use a snapshot to force a thorough GC in order to prevent false positives. PR-URL: nodejs#49710 Backport-PR-URL: nodejs#51004 Refs: nodejs/reliability#669 Reviewed-By: Franziska Hinkelmann <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Rich Trott <[email protected]>
This makes it possible to hit the in-isolate compilation cache when host-defined options are not necessary. PR-URL: nodejs#49950 Backport-PR-URL: nodejs#51004 Refs: nodejs#35375 Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Stephen Belanger <[email protected]>
Set a default host-defined option for vm.compileFunction so that it's consistent with vm.Script. PR-URL: nodejs#50137 Backport-PR-URL: nodejs#51004 Refs: nodejs#35375 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
Instead of using the public versions of the vm APIs internally, use the internal versions so that we can skip unnecessary argument validation. The public versions would need special care to the generation of host-defined options to hit the isolate compilation cache when importModuleDynamically isn't used, while internally it's almost always used, so this allows us to handle the host-defined options separately. PR-URL: nodejs#50137 Backport-PR-URL: nodejs#51004 Refs: nodejs#35375 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
Users cannot access any API that can be used to return a module or module namespace in this callback without --experimental-vm-modules anyway, so this would eventually lead to a rejection. This patch rejects in this case with our own error message and uses a constant host-defined option for the rejection, so that scripts with the same source can still be compiled using the compilation cache if no `import()` is actually called in the script. PR-URL: nodejs#50137 Backport-PR-URL: nodejs#51004 Refs: nodejs#35375 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
PR-URL: nodejs#50515 Backport-PR-URL: nodejs#51973 Reviewed-By: Steven R Loomis <[email protected]> Reviewed-By: LiviaMedeiros <[email protected]> Refs: nodejs#51933
PR-URL: nodejs#51461 Backport-PR-URL: nodejs#51973 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Refs: nodejs#51933
PR-URL: nodejs#51105 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: nodejs#51274 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michaël Zasso <[email protected]>
Fix `internet/test-inspector-help-page` to handle the relative redirect of `https://nodejs.org/en/docs/inspector` to `/en/docs/guides/debugging-getting-started`. Previously this URL redirected to an absolute URL. PR-URL: nodejs#51121 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]>
c-ares has made intentional changes to the behavior of TXT records to comply with RFC 7208, which concatenates multiple strings for the same TXT record into a single string. Multiple TXT records are not concatenated. Also, response handling has changed, such that a response which is completely invalid in formatting is thrown away as a malicious forged/spoofed packet rather than returning EBADRESP. This is one step toward RFC 9018 (EDNS COOKIES) which will require the message to at least be structurally valid to validate against spoofed records. Fix By: Brad House (@bradh352) PR-URL: nodejs#50743 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]> Fixes: nodejs#50741 Refs: nodejs#50444
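The TXT rule in the commit message above (strings of one record are concatenated, separate records are not), shown for a consumer of `dns.resolveTxt()`-shaped data. This is an added example, not code from Node.js or c-ares; `joinTxtRecords`, `selectSpfRecord` and the sample answer are constructed here, and the record selection follows RFC 7208.

```javascript
'use strict';

// Constructed sample in the shape dns.resolveTxt() yields: one inner array per
// TXT record, one element per character-string inside that record.
const CONSTRUCTED_ANSWER = [
  ['v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:_spf.exam', 'ple.net -all'],
  ['site-verification=constructed-token'],
];

// Join the strings of each record with no separator. Records stay separate:
// flattening the whole answer would glue unrelated records together.
function joinTxtRecords(records) {
  if (!Array.isArray(records)) {
    throw new TypeError('expected an array of TXT records');
  }
  return records.map((chunks, i) => {
    if (!Array.isArray(chunks) || !chunks.every((c) => typeof c === 'string')) {
      throw new TypeError(`TXT record ${i} is not an array of strings`);
    }
    return chunks.join('');
  });
}

// Pick the SPF policy from the joined records: only records starting with the
// version tag followed by a space or end of record count; none present means
// "none", more than one is a permanent error rather than a merge.
function selectSpfRecord(records) {
  const spf = joinTxtRecords(records).filter((txt) => /^v=spf1( |$)/i.test(txt));
  if (spf.length === 0) return { result: 'none', record: null };
  if (spf.length > 1) return { result: 'permerror', record: null };
  return { result: 'ok', record: spf[0] };
}
```

A policy split across two strings is evaluated as one record, while a second `v=spf1` record in the same answer is reported as an error instead of being appended to the first.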
PR-URL: nodejs#51385 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Michael Dawson <[email protected]>
This should get rid of the following GCC warning: ISO C90 does not support ‘long long’ [-Wlong-long] PR-URL: nodejs#51410 Reviewed-By: Jiawen Geng <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]>
PR-URL: nodejs#51582 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: nodejs#51846 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Mohammed Keyvanzadeh <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Original commit message: Fix reading integer-indexed import assertions in dynamic import Use GetPropertyOrElement instead of GetProperty to read import assertion values from the import assertions object, to support cases in which the key is an integer index such as `"0"`. The added test case, when using GetProperty, triggers the following DCHECK in debug builds: https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/lookup-inl.h;l=108;drc=515f187ba067ee4a99fdf5198cca2c97abd342fd In release builds it silently fails to read the property, and thus throws about it not being a valid string. Bug: v8:14069 Change-Id: Ifd4645b7bd9bfd07f06fa33727441d27eabc4d32 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4614489 Reviewed-by: Victor Gomes <[email protected]> Commit-Queue: Marja Hölttä <[email protected]> Reviewed-by: Marja Hölttä <[email protected]> Cr-Commit-Position: refs/heads/main@{#88267} Refs: v8/v8@d90d453 PR-URL: nodejs#50077 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Mohammed Keyvanzadeh <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Richard Lau <[email protected]>
PR-URL: nodejs#52184 Refs: nodejs#51136 Refs: nodejs#52165 (comment) Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Geoffrey Booth <[email protected]>
Add a flag for each experimental feature to indicate its presence. That way, if we compile with `NAPI_EXPERIMENTAL` turned on, we'll be able to distinguish between what `NAPI_EXPERIMENTAL` used to mean on an old version of the headers when compiling against such an old version, and what it means on a new version of Node.js. PR-URL: nodejs#50991 Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Vladimir Morozov <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Backport-PR-URL: nodejs#51804 (cherry picked from commit 727dd28)
* Create macro for checking new string arguments.
* Create macro for combining env check and inside-gc check.

PR-URL: nodejs#50664 Reviewed-By: Vladimir Morozov <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Backport-PR-URL: nodejs#51804 (cherry picked from commit 5e250bd)
We define a new type called `node_api_nogc_env` as the `const` version of `napi_env` and `node_api_nogc_finalize` as a variant of `napi_finalize` that accepts a `node_api_nogc_env` as its first argument. We then modify those APIs which do not affect GC state as accepting a `node_api_nogc_env`. APIs accepting finalizer callbacks are modified to accept `node_api_nogc_finalize` callbacks. Thus, the only way to attach a `napi_finalize` callback, wherein Node-APIs affecting GC state may be called is to call `node_api_post_finalizer` from a `node_api_nogc_finalize` callback. In keeping with the process of introducing new Node-APIs, this feature is guarded by `NAPI_EXPERIMENTAL`. Since this feature modifies APIs already marked as stable, it is additionally guarded by `NODE_API_EXPERIMENTAL_NOGC_ENV`, so as to provide a further buffer to adoption. Nevertheless, both guards must be removed upon releasing a new version of Node-API. PR-URL: nodejs#50060 Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Vladimir Morozov <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Backport-PR-URL: nodejs#51804 (cherry picked from commit 7a216d5)
PR-URL: nodejs#50209 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Christian Clauss <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Fixes: nodejs#51993 PR-URL: nodejs#52005 Reviewed-By: Robert Nagy <[email protected]> Reviewed-By: Michaël Zasso <[email protected]>
Notable changes:

Added support for import attributes:

Support has been added for import attributes, to replace the old import assertions syntax. This will aid migration by making the new syntax available across all currently supported Node.js release lines. For more details, see

* [nodejs#50134](nodejs#50134)
* [nodejs#51622](nodejs#51622)

Doc deprecation for `dirent.path`:

Please use newly added `dirent.parentPath` instead.

Experimental node-api feature flags

Introduces an experimental feature to segregate finalizers that affect GC state. A new type called `node_api_nogc_env` has been introduced as the const version of `napi_env` and `node_api_nogc_finalize` as a variant of `napi_finalize` that accepts a `node_api_nogc_env` as its first argument. This feature can be turned off by defining `NODE_API_EXPERIMENTAL_NOGC_ENV_OPT_OUT`.

Root certificates updated to NSS 3.98:

Certificates added:

* Telekom Security TLS ECC Root 2020
* Telekom Security TLS RSA Root 2023

Certificates removed:

* Security Communication Root CA

Updated dependencies:

* ada updated to 2.7.6.
* base64 updated to 0.5.2.
* c-ares updated to 1.27.0.
* corepack updated to 0.25.2.
* ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
* npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
* simdutf8 updated to 4.0.8.
* Timezone updated to 2024a.
* zlib updated to 1.3.0.1-motley-40e35a7.

vm: fix V8 compilation cache support for vm.Script:

Previously repeated compilation of the same source code using `vm.Script` stopped hitting the V8 compilation cache after v16.x when support for `importModuleDynamically` was added to `vm.Script`, resulting in a performance regression that blocked users (in particular Jest users) from upgrading from v16.x.

The recent fixes allow the compilation cache to be hit again for `vm.Script` when `--experimental-vm-modules` is not used even in the presence of the `importModuleDynamically` option, so that users affected by the performance regression can now upgrade. Ongoing work is also being done to enable compilation cache support for `vm.CompileFunction`.

PR-URL: nodejs#52165
PR-URL: nodejs#52165
Co-Authored-By: Anna Henningsen <[email protected]> PR-URL: nodejs-private/node-private#561 Fixes: https://hackerone.com/reports/2319584 Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]> CVE-ID: CVE-2024-27983
Signed-off-by: Matteo Collina <[email protected]> PR-URL: nodejs-private/node-private#577 Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: nodejs-private/node-private#558 Refs: nodejs-private/node-private#556 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> CVE-ID: CVE-2024-27982
This is a security release.

Notable changes:

* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash - (High)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
* llhttp version 9.2.1
* undici version 5.28.4

PR-URL: nodejs-private/node-private#573
An undocumented feature of the Win32 CreateProcess API allows spawning batch files directly but is potentially insecure because arguments are not escaped (and sometimes cannot be unambiguously escaped), hence why they are refused starting today. PR-URL: nodejs-private/node-private#564 Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> CVE-ID: CVE-2024-27980
This is a security release.

Notable changes:

src:

* disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#564

PR-URL: nodejs-private/node-private#578
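For callers that still need to run a batch file after the CVE-2024-27980 change above, a pre-flight check can decide how a target is launched and refuse arguments that `cmd.exe` would interpret. This is an added example, not code from Node.js or from this pull request; `isBatchFile`, `planSpawn` and the `SAFE_TOKEN` allow-list are assumptions chosen for illustration, and the returned plan is meant to be passed to `child_process.spawn(plan.file, plan.args, plan.options)`.

```javascript
'use strict';

const BATCH_EXTENSIONS = new Set(['.bat', '.cmd']);

// Assumed policy: tokens handed to cmd.exe may only contain these characters.
// Whitespace, quotes and the cmd.exe metacharacters (& | < > ^ % ! ( )) are
// outside the set, so nothing in a token can be reinterpreted by the shell.
const SAFE_TOKEN = /^[A-Za-z0-9_.:\\\/=-]+$/;

// True when the target is a batch script. Extensions are compared without
// regard to case, and trailing dots and spaces are dropped first because
// Win32 path normalisation ignores them.
function isBatchFile(file) {
  const trimmed = String(file).replace(/[. ]+$/, '');
  const base = trimmed.slice(
    Math.max(trimmed.lastIndexOf('\\'), trimmed.lastIndexOf('/')) + 1);
  const dot = base.lastIndexOf('.');
  const ext = dot >= 0 ? base.slice(dot).toLowerCase() : '';
  return BATCH_EXTENSIONS.has(ext);
}

// Returns { file, args, options } describing how to launch the target.
// Executables are launched directly with their argv untouched; batch files
// are routed through cmd.exe explicitly, and only with allow-listed tokens.
function planSpawn(file, args = []) {
  if (!isBatchFile(file)) {
    return { file, args: [...args], options: { shell: false } };
  }
  const tokens = [file, ...args];
  const rejected = tokens.filter(
    (t) => typeof t !== 'string' || !SAFE_TOKEN.test(t));
  if (rejected.length > 0) {
    throw new RangeError(
      `refusing to pass ${rejected.length} unsafe token(s) to cmd.exe`);
  }
  return { file: 'cmd.exe', args: ['/c', ...tokens], options: { shell: false } };
}
```

Rejecting rather than escaping matches the reasoning in the commit message: arguments to a batch file sometimes cannot be escaped unambiguously, so the check only admits values that need no escaping.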
@seanwentzel @asana-kristoferbuno I believe we already use v18.20.2. Should we merge this PR to make sure that the v18 branch is up to date?
seanwentzel approved these changes Nov 7, 2024