-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release proposal: v4.1.1 #2995
Release proposal: v4.1.1 #2995
Conversation
going to need some reviews in the notable changes, ping @trevnorris, @bnoordhuis, @ChALkeR, @zkat, @misterdjules |
Is wrong. What you describe is #2526, and #2945 removes |
eb99301
to
35bfe82
Compare
@rvagg I believe that the actual commit wasn't changed. Check the |
35bfe82
to
5c53e66
Compare
README so far LGTM. |
Notable changes LGTM. |
I think this is good to go, would still appreciate review of Notable items as it's kind of sensitive, we neither want to frighten people nor do we want them to take the two security-ish issues lightly. Also, failure on ARMv6, which I believe is known flaky but I've been seeing it mentioned a lot lately and there may be something to investigate here.
... and |
reopened relevant issue on the failing test #2370 |
You could mention this (possibly re-phrased) from #2945:
Or you could mention something like «added through addTrailers()», because that's the only entry point for those, and probably when someone will see it they'll think «addWhat? I don't use that anyway». The current Notable changles make it look like the problem was with something header-related, and it's not clear that it's in a thing that almost noone uses. Most usages of |
«Next allocation» it is not actually a valid argument here (you could still keep it, though, because the statement is still valid, it just doesn't make this issue considerably less important), but the fact that people usually don't leak TypedArrays or don't rely on it being zero-filled is. |
@rvagg I'm not sure the V8 changes are "notable", in the sense that it's worth knowing only if you're building a debugging tool that reads V8's internal data structures. If you'd still like to include it, I would suggest to change it slightly: "Update post-mortem metadata to allow post-mortem debugging tools to find and inspect:
|
5c53e66
to
8d72d4b
Compare
updated commits from master they were all fairly trivial so I'm comfortable with the last minute additions tweaked the http entry to add more clarity about trailers, tweaked the v8 entry to put more detail, it's more technical than we'd normally include but I did think it worthwhile showing that this is being worked on because there are a small set of users for which this is very important. @ChALkeR I'm not sure what your suggestion is re the TypedArray comment so I haven't changed anything CI: https://ci.nodejs.org/job/node-test-pull-request/367/ moving straight to release after this so get your feedback in re CHANGELOG |
sorry @misterdjules! I switched branches just before copypasta and ended up dumping in the 4.1.0 notes in the OP, updated now with 4.1.1 including those 2 PRs using your words |
8d72d4b
to
15d567b
Compare
@rvagg OK, I was confused for a second, thank you 👍 :) |
Notable changes * buffer: Fixed a bug introduced in v4.1.0 where allocating a new zero-length buffer can result in the next allocation of a TypedArray in JavaScript not being zero-filled. In certain circumstances this could result in data leakage via reuse of memory space in TypedArrays, breaking the normally safe assumption that TypedArrays should be always zero-filled. (Trevor Norris) #2931. * http: Guard against response-splitting of HTTP trailing headers added via response.addTrailers() by removing new-line ([\r\n]) characters from values. Note that standard header values are already stripped of new-line characters. The expected security impact is low because trailing headers are rarely used. (Ben Noordhuis) #2945. * npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full details (Kat Marchán) #2958 - Upgrades graceful-fs on multiple dependencies to no longer rely on monkey-patching fs - Fix npm link for pre-release / RC builds of Node * v8: Update post-mortem metadata to allow post-mortem debugging tools to find and inspect: - JavaScript objects that use dictionary properties (Julien Gilli) #2959 - ScopeInfo and thus closures (Julien Gilli) #2974
15d567b
to
ab55b45
Compare
Going with ab55b45 as the HEAD for this release, although I've started builds @ https://ci.nodejs.org/job/iojs+release/183/ it looks like we might be in for at least a minor repeat of last week's build dramas with 4.1.0, armv8 has already borked (thanks Jenkins and Java). |
https://ci.nodejs.org/job/iojs+release/191/ this one's looking promising, so much fail with ICU and Jenkins |
Notable changes * buffer: Fixed a bug introduced in v4.1.0 where allocating a new zero-length buffer can result in the next allocation of a TypedArray in JavaScript not being zero-filled. In certain circumstances this could result in data leakage via reuse of memory space in TypedArrays, breaking the normally safe assumption that TypedArrays should be always zero-filled. (Trevor Norris) #2931. * http: Guard against response-splitting of HTTP trailing headers added via response.addTrailers() by removing new-line ([\r\n]) characters from values. Note that standard header values are already stripped of new-line characters. The expected security impact is low because trailing headers are rarely used. (Ben Noordhuis) #2945. * npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full details (Kat Marchán) #2958 - Upgrades graceful-fs on multiple dependencies to no longer rely on monkey-patching fs - Fix npm link for pre-release / RC builds of Node * v8: Update post-mortem metadata to allow post-mortem debugging tools to find and inspect: - JavaScript objects that use dictionary properties (Julien Gilli) #2959 - ScopeInfo and thus closures (Julien Gilli) #2974 PR-URL: #2995
thanks all, v4.1.1 is live |
Looks like the ARMv6 binaries need to be promoted. |
👍 |
2015-09-22, Version 4.1.1 (Stable), @rvagg
Notable changes
response.addTrailers()
by removing new-line ([\r\n]
) characters from values. Note that standard header values are already stripped of new-line characters. The expected security impact is low because trailing headers are rarely used. (Ben Noordhuis) #2945.graceful-fs
on multiple dependencies to no longer rely on monkey-patchingfs
npm link
for pre-release / RC builds of NodeKnown issues
See confirmed-bugIssues with confirmed bugs.
for complete and current list of known issues.
beforeExit
are still to be resolved. See #1264.dns.setServers()
while a DNS query is in progress can cause the process to crash on a failed assertion. #894url.resolve
may transfer the auth portion of the url when resolving between two full hosts, see #1435.Commits
d63e02e08d
] - buffer: don't set zero fill for zero-length buffer (Trevor Norris) #29315905b14bff
] - build: fix icutrim when building small-icu on BE (Stewart Addison) #2602f010cb5d96
] - configure: detect mipsel host (Jérémy Lal) #2971b93ad5abbd
] - deps: backport 357e6b9 from V8's upstream (Julien Gilli) #29748da3da4d41
] - deps: backport ff7d70b from V8's upstream (Julien Gilli) #29592600fb8ae6
] - deps: upgraded to [email protected] in npm (Kat Marchán) #2958793aad2d7a
] - deps: upgrade to npm 2.14.4 (Kat Marchán) #295843e2b7f836
] - doc: remove usage of events.EventEmitter (Sakthipriyan Vairamani) #29219c59d2f16a
] - doc: remove extra using v8::HandleScope statement (Christopher J. Brody) #2983f7edbab367
] - doc: clarify description of assert.ifError() (Rich Trott) #2941b2ddf0f9a2
] - doc: refine process.kill() and exit explanations (Rich Trott) #2918f68fed2e6f
] - http: remove redundant code in _deferToConnect (Malcolm Ahoy) #2769f542e74c93
] - http: guard against response splitting in trailers (Ben Noordhuis) #2945bc9f629387
] - http_parser: do not dealloc during kOnExecute (Fedor Indutny) #29561860e0cebd
] - lib,src: remove usage of events.EventEmitter (Sakthipriyan Vairamani) #2921d4cd5ac407
] - readline: fix tab completion bug (Matt Harrison) #28169760e04839
] - repl: don't use tty control codes when $TERM is set to "dumb" (Salman Aljammaz) #2712cb971cc97d
] - repl: backslash bug fix (Sakthipriyan Vairamani) #29682034f68668
] - src: honor --abort_on_uncaught_exception flag (Evan Lucas) #27760b1ca4a9ef
] - src: Add ABORT macro (Evan Lucas) #27764519dd00f9
] - test: test sync version of mkdir & rmdir (Sakthipriyan Vairamani) #2588816f609c8b
] - test: use tmpDir instead of fixtures in readdir (Sakthipriyan Vairamani) #25872084f52585
] - test: test more http response splitting scenarios (Ben Noordhuis) #2945fa08d1d8a1
] - test: add test-spawn-cmd-named-pipe (Alexis Campailla) #277071b5d80682
] - test: make cluster tests more time tolerant (Michael Dawson) #28913e09dcfc32
] - test: update cwd-enoent tests for AIX (Imran Iqbal) #29096ea8ec1c59
] - tools: single, cross-platform tick processor (Matt Loring) #2868Commits on
master
not included inv4.x
:5f6579d366
] - (SEMVER-MAJOR) buffer: remove raw & raws encoding (Sakthipriyan Vairamani) #2859b9813641dc
] - 2015-09-15 io.js v3.3.1 Release (Rod Vagg) #2698380a3d89c3
] - 2015-09-08, Version 4.0.0 (Stable) Release (Rod Vagg) #274242a8a0a53e
] - Working on v5.0.0 (Rod Vagg)