-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release proposal: v0.10.41 #2805
Conversation
Has there been discussion or a decision about nodejs/Release#37? It would be nice to get a less broken npm into 0.10 at some point. |
@othiym23 @nodejs/lts let's get that question sorted out at next week's meeting and make sure the results of that make it into this release |
Rubber stamp LGTM. Would like to discuss npm also. |
The release should wait for the new libuv v0.10 release. |
Unless there were updates I missed while I was in Waterford, three are only 8 open PRs against v0.10. We should attempt to close those before cutting a new v0.10.41 |
|
Some of these can likely be closed straight off, but a few represent long standing bugs. |
See https://github.com/npm/npm/releases/tag/v1.4.29 for details. Encourage users to upgrade to a newer npm, and lays the groundwork for getting npm@2 into Node 0.10 LTS. PR-URL: #3639 Reviewed-By: Rod Vagg <[email protected]> Reviewed-By: James M Snell <[email protected]>
bfae860
to
bce11ed
Compare
Using the work in #3965 combined with the |
the pkg for OS X looks good |
4473495
to
0365803
Compare
Updated to match current #3965 which should be close to final. Preparing for OpenSSL upgrade. Unfortunately we can't do a simple OpenSSL-commits-only release for v0.10 because our build infra won't allow it and when you start pulling in commits to support our infra you end up with a large chunk of the commits staged on v0.10 anyway. So I'm suggesting we just move ahead with v0.10.41 with all pending commits as soon as we have the OpenSSL 1.0.1 upgrade ready. /cc @nodejs/security |
Contains fixes for: * CVE-2015-3194 Certificate verify crash with missing PSS parameter * CVE-2015-3195 X509_ATTRIBUTE memory leak fixup! character encoding noise fixup! update opensslconf.h PR-URL: #4132 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
PR-URL: #3965 Reviewed-By: Alexis Campailla <[email protected]> Reviewed-By: Johan Bergström <[email protected]>
PR-URL: #3965 Reviewed-By: Alexis Campailla <[email protected]> Reviewed-By: Johan Bergström <[email protected]>
PR-URL: #3965 Reviewed-By: Alexis Campailla <[email protected]> Reviewed-By: Johan Bergström <[email protected]>
When MSBuild invokes rc.exe, it passes NODE_TAG unstringified, but passes it correctly to cl.exe. Hence, this workaround was made to apply only to the resource file. Fixes: #2963 PR-URL: #3053 Reviewed-By: Alexis Campailla <[email protected]> Reviewed-By: Johan Bergström <[email protected]>
Security Update Notable items: * build: Add support for Microsoft Visual Studio 2015 * npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry (nodejs/Release#37). This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2. * openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers; TLS clients are also impacted. Details are available at <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133 PR-URL: nodejs-private/node-private#15
0365803
to
2f947e9
Compare
https://ci.nodejs.org/job/node-test-pull-request/916/ Incorporated the OpenSSL fixes and the updated build fixes, updated commits list in OP, release notes now starts with: 2015-12-04, Version 0.10.41 (Maintenance), @rvagg Security Update Notable items:
|
Technically we can't do this with our new Jenkins setup and new nodejs.org server, we still have jenkins.nodejs.org and the original nodejs.org server in place to serve for emergencies but this release needs to come out of our new infra so there's work for @nodejs/build to do. Some details on that here: nodejs/build#164