Node.js

News from 2016

15 Oct October security releases and v6 LTS "Boron" security inclusions

Next week, on Tuesday the 18th (late evening UTC), the Node.js Foundation will be launching its second new LTS release line, a continuation of the v6.x series of releases. This line will be codenamed "Boron" and the first version will be v6.9.0.
In addition to a change to introduce the process.release.lts property, set to 'Boron', we will also be including 3 low-severity security patches that only apply to the v6.x release series.
Read more...
15 Oct Node v6.8.1 (Current)
- build: Fix building with shared zlib. (Bradley T. Hughes) #9077
- stream: Fix regression in stream.Writable subclass instanceof checks. (Anna Henningsen) #9088
- timers: Fix regression where immediates that are cleared in the callback would never be called. (Brian White) #9086
Read more...
12 Oct Node v6.8.0 (Current)
- fs:
  - SyncWriteStream now inherits from Stream.Writable. (Anna Henningsen) #8830
    Practically, this means that when stdio is piped to a file, stdout and stderr will still be Writable streams.
  - fs.existsSync() has been undeprecated. fs.exists() remains deprecated. (Dan Fabulich) #8364
- http: http.request() now accepts a timeout option. (Rene Weber) #8101
- module: The module loader now maintains its own realpath cache. (Anna Henningsen) #8100
- npm: Upgraded to 3.10.8 (Kat Marchán) #8706
- stream: Duplex streams now show proper instanceof Stream.Writable. (Anna Henningsen) #8834
- timers: Improved setTimeout/Interval performance by up to 22%. (Brian White) #8661
Read more...
28 Sep Node v6.7.0 (Current)
This is an important security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.
Semver Minor:
- openssl:
  - Upgrade to 1.0.2i, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-2178 and CVE-2016-6306. (Shigeki Ohtsu) #8714
  - Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in a crash when using CRLs, CVE-2016-7052. (Shigeki Ohtsu) #8786
  - Remove support for loading dynamic third-party engine modules. An attacker may be able to hide malicious code to be inserted into Node.js at runtime by masquerading as one of the dynamic engine modules. Originally reported by Ahmed Zaki (Skype). (Ben Noordhuis) nodejs/node-private#73
- http: CVE-2016-5325 - Properly validate for allowable characters in the reason argument in ServerResponse#writeHead(). Fixes a possible response splitting attack vector. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas) nodejs/node-private#60
Read more...
28 Sep Node v4.6.0 (LTS)
This is an important security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.
Semver Minor:
- openssl:
  - Upgrade to 1.0.2i, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-6303, CVE-2016-2178 and CVE-2016-6306. (Shigeki Ohtsu) #8714
  - Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in a crash when using CRLs, CVE-2016-7052. (Shigeki Ohtsu) #8786
  - Remove support for loading dynamic third-party engine modules. An attacker may be able to hide malicious code to be inserted into Node.js at runtime by masquerading as one of the dynamic engine modules. Originally reported by Ahmed Zaki (Skype). (Ben Noordhuis) nodejs/node-private#70
- http: CVE-2016-5325 - Properly validate for allowable characters in the reason argument in ServerResponse#writeHead(). Fixes a possible response splitting attack vector. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas) nodejs/node-private#46
Read more...
28 Sep Node v0.12.16 (Maintenance)
This is an important security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.
- buffer: Zero-fill excess bytes in new Buffer objects created with Buffer.concat() while providing a totalLength parameter that exceeds the total length of the original Buffer objects being concatenated. (Сковорода Никита Андреевич)
- http:
  - CVE-2016-5325 - Properly validate for allowable characters in the reason argument in ServerResponse#writeHead(). Fixes a possible response splitting attack vector. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas)
  - Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. Lack of proper validation may also serve as a potential response splitting attack vector. Backported from v4.x. (Brian White)
- openssl:
  - Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-6303, CVE-2016-2178 and CVE-2016-6306.
  - Remove support for loading dynamic third-party engine modules. An attacker may be able to hide malicious code to be inserted into Node.js at runtime by masquerading as one of the dynamic engine modules. Originally reported by Ahmed Zaki (Skype). (Ben Noordhuis, Rod Vagg)
- tls: CVE-2016-7099 - Fix invalid wildcard certificate validation check whereby a TLS server may be able to serve an invalid wildcard certificate for its hostname due to improper validation of *. in the wildcard string. Originally reported by Alexander Minozhenko and James Bunton (Atlassian). (Ben Noordhuis)
Read more...
28 Sep Node v0.10.47 (Maintenance)
This is an important security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.
- buffer: Zero-fill excess bytes in new Buffer objects created with Buffer.concat() while providing a totalLength parameter that exceeds the total length of the original Buffer objects being concatenated. (Сковорода Никита Андреевич)
- http:
  - CVE-2016-5325 - Properly validate for allowable characters in the reason argument in ServerResponse#writeHead(). Fixes a possible response splitting attack vector. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas)
  - Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. Lack of proper validation may also serve as a potential response splitting attack vector. Backported from v4.x. (Brian White)
- openssl: Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-2183, CVE-2016-2178 and CVE-2016-6306.
- tls: CVE-2016-7099 - Fix invalid wildcard certificate validation check whereby a TLS server may be able to serve an invalid wildcard certificate for its hostname due to improper validation of *. in the wildcard string. Originally reported by Alexander Minozhenko and James Bunton (Atlassian) (Ben Noordhuis)
Read more...
23 Sep Security updates for all active release lines, September 2016
Updates are now available for all active Node.js release lines. These include the recently published versions of OpenSSL 1.0.1 and 1.0.2 as well as fixes for some Node.js-specific security-related defects.
The OpenSSL security fixes included in these updates that impact Node.js are:
- CVE-2016-6304: "OCSP Status Request extension unbounded memory growth"
- CVE-2016-2183: "SWEET32 Mitigation"
- CVE-2016-6303: "OOB write in MDC2_Update()"
- CVE-2016-2178: "Constant time flag not preserved in DSA signing"
- CVE-2016-6306: "Certificate message OOB reads"
Read more...
15 Sep Node v6.6.0 (Current)
- crypto: Added crypto.timingSafeEqual(). (not-an-aardvark) #8304
- events: Made the "max event listeners" memory leak warning more accessible. (Anna Henningsen) #8298
- promises: Unhandled rejections now emit a process warning after the first tick. (Benjamin Gruenbaum) #8223
- repl: Added auto alignment for .editor mode. (Prince J Wesley) #8241
- util: Some functionality has been added to util.inspect():
  - Returning this from a custom inspect function now works. (Anna Henningsen) #8174
  - Added support for Symbol-based custom inspection methods. (Anna Henningsen) #8174
Read more...
12 Sep Node.js Foundation Announces Schedule for Second Annual Node.js Interactive North America

SAN FRANCISCO, September 12, 2016 — The Node.js Foundation, a community-led and industry-backed consortium to advance the development of the Node.js platform, today announced the keynotes and agenda for Node.js Interactive North America, November 29 - December 2, 2016, in Austin, TX. The event attracts enterprise users, developers, and community stakeholders, providing them with the tools and training they need to optimize the Node.js platform.
Read more...
06 Sep Farewell to Node.js v5, Preparing for v7
29 Aug Node v6.5.0 (Current)
17 Aug Cars.com and Dynatrace join the Foundation to support the stability and success of the Node.js platform
16 Aug Node v4.5.0 (LTS)
16 Aug Node v6.4.0 (Current)
15 Aug Weekly Update - August 15th, 2016
22 Jul Weekly Update - July 22nd, 2016
21 Jul Node v6.3.1 (Current)
16 Jul Weekly Update - July 16th, 2016
08 Jul Weekly Update - July 8th, 2016
06 Jul Node v6.3.0 (Current)
29 Jun Node.js Foundation Announces Keynotes and Programming for Node.js Interactive Europe
28 Jun Node v4.4.7 (LTS)
26 Jun Weekly Update - June 26th, 2016
23 Jun Node v5.12.0 (Stable)
23 Jun Node v4.4.6 (LTS)
23 Jun Node v0.12.15 (Maintenance)
23 Jun Node v0.10.46 (Maintenance)
17 Jun Node v6.2.2 (Current)
16 Jun Weekly Update - June 16th, 2016
13 Jun Security updates for all active release lines, June 2016
02 Jun Node v6.2.1 (Current)
30 May Weekly Update - May 30th, 2016
24 May Node v4.4.5 (LTS)
17 May Node v6.2.0 (Current)
06 May Node v4.4.4 (LTS)
06 May Node v0.12.14 (Maintenance)
06 May Node v0.10.45 (Maintenance)
05 May Node v6.1.0 (Current)
05 May Node v5.11.1 (Stable)
02 May OpenSSL updates, 1.0.1t and 1.0.2h
29 Apr Weekly Update - Apr 29th, 2016
26 Apr Node v6.0.0 (Current)
26 Apr World’s Fastest Growing Open Source Platform Pushes Out New Release
23 Apr Weekly Update - Apr 23rd, 2016
21 Apr Node v5.11.0 (Stable)
17 Apr Weekly Update - Apr 17th, 2016
12 Apr Node v4.4.3 (LTS)
12 Apr New Node.js Foundation Survey Reports New “Full Stack” In Demand Among Enterprise Developers
05 Apr Node v5.10.1 (Current)
01 Apr Node v0.10.44 (Maintenance)
01 Apr Node v5.10.0 (Current)
01 Apr Node v4.4.2 (LTS)
01 Apr Node v0.12.13 (LTS)
31 Mar npm security updates v2.15.1 and v3.8.3
29 Mar Welcome Google Cloud Platform!
23 Mar Node v5.9.1 (Current)
22 Mar Node v4.4.1 (LTS)
16 Mar Node v5.9.0 (Current)
14 Mar Weekly Update - Mar 14th, 2016
09 Mar AppDynamics, New Relic, Opbeat and Sphinx Join the Node.js Foundation as Silver Members
09 Mar Node v4.4.0 (LTS)
09 Mar Node v5.8.0 (Current)
09 Mar Node v0.12.12 (LTS)
07 Mar Weekly Update - Mar 7th, 2016
04 Mar Node v0.10.43 (Maintenance)
03 Mar Node v0.12.11 (LTS)
02 Mar Node v5.7.1 (Current)
02 Mar Node v4.3.2 (LTS)
01 Mar Weekly Update - Mar 1st, 2016
29 Feb OpenSSL updates, 1.0.2g and 1.0.1s
23 Feb Weekly Update - Feb 23rd, 2016
23 Feb Node v5.7.0 (Current)
17 Feb Node v4.3.1 (LTS)
15 Feb Weekly Update - Feb 15th, 2016
10 Feb Node.js Foundation to Add Express to its Incubator Program
09 Feb February 2016 Security Release Summary
09 Feb Node v0.10.42 (LTS)
09 Feb Node v0.12.10 (LTS)
09 Feb Node v4.3.0 (LTS)
09 Feb Node v5.6.0 (Current)
08 Feb Weekly Update - Feb 8th, 2016
29 Jan Weekly Update - Jan 29th, 2016
27 Jan OpenSSL upgrade low-severity Node.js security fixes
22 Jan Weekly Update - Jan 22th, 2016
21 Jan Node v4.2.6 (LTS)
21 Jan Node v5.5.0 (Current)
20 Jan Node v4.2.5 (LTS)
18 Jan Weekly Update - Jan 18th, 2016
12 Jan Node v5.4.1 (Current)
11 Jan Weekly Update - Jan 11th, 2016
06 Jan Node v5.4.0 (Current)
01 Jan Weekly Update - Jan 1st, 2016