Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release proposal: v5.7.1 #5464

Merged
merged 2 commits into from
Mar 2, 2016
Merged

Release proposal: v5.7.1 #5464

merged 2 commits into from
Mar 2, 2016

Conversation

rvagg
Copy link
Member

@rvagg rvagg commented Feb 27, 2016

Not much meat in here yet. The path.relative(), url.parse() and dgram.send() fixes have not landed yet but there are at least 4 commits queued up in the various pull requests, plus OpenSSL.

Milestone @Fishrock123 put together for this is https://github.com/nodejs/node/milestones/5.7.1

We're probably going to have to hold this up until at least we have an OpenSSL risk assessment. Perhaps we can move forward without even needing to bother with an OpenSSL upgrade but more likely we'll include it anyway. Which means the release date will be the 2nd or 3rd, next week.

Will figure out if/how we coordinate across release lines ASAP.

This is all we have so far:

Notable changes

  • governance: The Core Technical Committee (CTC) added four new members to help guide Node.js core development: Evan Lucas, Rich Trott, Ali Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda)

This was referenced Feb 27, 2016
@silverwind
Copy link
Contributor

Landed two of them. #5456 doesn't merge cleanly, #5407 has that Windows issue.

@silverwind
Copy link
Contributor

And #5456 is in. Leaving #5407 for @mcollina to land.

@mscdex mscdex added the meta Issues and PRs related to the general management of the project. label Feb 27, 2016
@rvagg
Copy link
Member Author

rvagg commented Feb 28, 2016

CI with latest cherry-picks https://ci.nodejs.org/job/node-test-commit/2367/

@mcollina
Copy link
Member

Landed #5407 in 725ffdb

@mscdex
Copy link
Contributor

mscdex commented Feb 29, 2016

I've added this PR to the milestone: #5484

@silverwind
Copy link
Contributor

Another potential path issue: #5485

@silverwind
Copy link
Contributor

One more off the list, and another added: #5490.

@silverwind
Copy link
Contributor

Okay, all known path issues are handled.

@Fishrock123
Copy link
Contributor

Here is branch-diff v5.7.0 master --exclude-label=semver-major,dont-land-on-v5.x --filter-release as of now, I guess we're probably gona be v5.8.0? I feel pretty bad for not getting a patch out last week to fix grunt-contrib-clean. :/

  • [c1b3d78a39] - 2016-02-16, Version 4.3.1 'Argon' (LTS) (Myles Borins)
  • [ffdc046e5c] - benchmark: add benchmark for buf.compare() (Rich Trott) #5441
  • [2426b3dd86] - benchmark: move string-decoder to its own category (Andreas Madsen) #5177
  • [15720fa25a] - benchmark: fix configuation parameters (Andreas Madsen) #5177
  • [f6c505d0b1] - benchmark: merge url.js with url-resolve.js (Andreas Madsen) #5177
  • [d9079ab801] - benchmark: move misc to categorized directories (Andreas Madsen) #5177
  • [4bb529d972] - benchmark: use strict mode (Rich Trott) #5336
  • [2ccc275fd7] - build: update Node.js logo on OSX installer (Rod Vagg) #5401
  • [e854f60585] - (SEMVER-MINOR) child_process: add keepOpen option to send() (cjihrig) #5283
  • [1952844f45] - (SEMVER-MINOR) child_process: support options in send() (cjihrig) #5283
  • [292033b1f5] - (SEMVER-MINOR) constants: define ENGINE_METHOD_RSA (Sam Roberts) #5463
  • [da3f425506] - crypto: PBKDF2 works with int not ssize_t (Fedor Indutny) #5397
  • [32719950df] - deps: upgrade openssl to 1.0.2g (Ben Noordhuis) #5507
  • [725ffdb9b7] - dgram: handle default address case when offset and length are specified (Matteo Collina)
  • [3c79bbda47] - doc: fix typo in child_process documentation (Evan Lucas) #5474
  • [8d8fef09ee] - doc: add note for binary safe string reading (Anton Andesen) #5155
  • [f0c06147b3] - doc: improvements to crypto.markdown copy (Alexander Makarenko) #5230
  • [5298c81f42] - doc: require behavior on case-insensitive systems (Hugo Wood)
  • [1411e0b648] - doc: document base64url encoding support (Tristan Slominski) #5243
  • [c6ae7d00c6] - doc: improve httpVersionMajor / httpVersionMajor (Jackson Tian) #5296
  • [1c30d606b1] - doc: fix relative links in net docs (Evan Lucas) #5358
  • [a67d5c1034] - doc: fix crypto function indentation level (Brian White) #5460
  • [4e77a7ce29] - doc: link to man pages (dcposch@dcpos.ch) #5073
  • [9894c026f5] - doc: add missing property in cluster example (Rafael Cepeda) #5305
  • [1913909fce] - doc: corrected name of argument in socket.send (Chris Dew) #5449
  • [acee594b6e] - doc: fix links in tls, cluster docs (Alexander Makarenko) #5364
  • [513133c936] - (SEMVER-MINOR) doc: correct name of engine methods (Sam Roberts) #5463
  • [1d7c37018f] - doc: explicit about VS 2015 support in readme (Phillip Johnsen) #5406
  • [611b4641d9] - doc: remove out-of-date matter from internal docs (Rich Trott) #5421
  • [6e6ce09861] - doc: copyedit util doc (Rich Trott) #5399
  • [7e51966b32] - doc: fix typo in pbkdf2Sync code sample (Marc Cuva) #5306
  • [8b1af2f8d4] - doc: fix buf.readInt16LE output (Chinedu Francis Nwafili) #5282
  • [54cbf2826b] - doc: note util.isError() @@toStringTag limitations (cjihrig) #5414
  • [581606a5fd] - doc: clarify error handling in net.createServer (Dirceu Pereira Tiegs) #5353
  • [45789027ac] - doc: document fs.datasync(Sync) (Ron Korving) #5402
  • [0dc216f89d] - doc: add Evan Lucas to the CTC (Rod Vagg) #5275
  • [dae5bf0127] - doc: add Rich Trott to the CTC (Rod Vagg) #5276
  • [97dc810d46] - doc: add Ali Ijaz Sheikh to the CTC (Rod Vagg) #5277
  • [b484c2e907] - doc: add Сковорода Никита Андреевич to the CTC (Rod Vagg) #5278
  • [65c0feb5fe] - doc: add "building node with ninja" guide (Jeremiah Senkpiel) #4767
  • [10f55b0aae] - doc: mention prototype check in deepStrictEqual() (cjihrig) #5367
  • [3e3d941495] - doc,tools,test: lint doc-based addon tests (Rich Trott) #5427
  • [a7e49c886f] - http_parser: use MakeCallback (Trevor Norris) #5419
  • [f296a7f16f] - path: fix path.relative() for prefixes at root (Owen Smith) #5490
  • [4717ea9186] - path: fix win32 parse() (Zheng Chaoping) #5484
  • [e326950498] - path: fix win32 relative() for UNC paths (Owen Smith) #5456
  • [b33879d9e2] - path: fix win32 relative() when "to" is a prefix (Owen Smith) #5456
  • [3a331b66f8] - path: fix verbose relative() output (Brian White) #5389
  • [40d57b714e] - repl: fix stack trace column number in strict mode (Prince J Wesley) #5416
  • [ee7754be47] - (SEMVER-MINOR) repl: accept no arguments to start() (cjihrig) #5388
  • [33e51fe18c] - src,tools: remove null sentinel from source array (Ben Noordhuis) #5418
  • [96adbe9503] - src,tools: drop nul byte from built-in source code (Ben Noordhuis) #5418
  • [cdc7e025e0] - src,tools: allow utf-8 in built-in js source code (Ben Noordhuis) #5418
  • [93bacfd00f] - test: remove unneeded bind() and related comments (Aayush Naik) #5023
  • [98b721ed26] - test: fix flaky child-process-fork-regr-Segfault in node::StreamBase::GetFD #2847 (Santiago Gimeno) #5422
  • [4d6b4c30dd] - test: remove flaky designation from fixed tests (Rich Trott) #5459
  • [7fc6645982] - test: add test-cases for posix path.relative() (Owen Smith) #5456
  • [c98d159ed3] - test: fix test runner arg regression (Stefan Budeanu) #5446
  • [88728408e0] - test: refactor test-dgram-send-callback-recursive (Santiago Gimeno) #5079
  • [dff01d10c5] - test: refactor test-dgram-udp4 (Santiago Gimeno) #5339
  • [23a584d517] - test: allow passing args to executable (Stefan Budeanu) #5376
  • [8bcb174d03] - test: fix test-timers.reliability on OS X (Rich Trott) #5379
  • [bbf4621548] - test: mitigate flaky test-http-agent (Rich Trott) #5346
  • [65cd2a0f96] - test: increase timeouts on some unref timers tests (Jeremiah Senkpiel) #5352
  • [67963c8c66] - timers: greatly improve code comments (Jeremiah Senkpiel) #4007
  • [60f8c1acf4] - timers: refactor timers (Jeremiah Senkpiel) #4007
  • [d26417f123] - tools: apply custom buffer lint rule to /lib only (Rich Trott) #5371
  • [9534f6dfd5] - tools: enable additional lint rules (Rich Trott) #5357
  • [dcfda1007b] - tools,benchmark: increase lint compliance (Rich Trott) #5429
  • [610bd8d567] - url: group slashed protocols by protocol name (nettofarah) #5380
  • [8b16ba3bbf] - url: fix off-by-one error with parse() (Brian White) #5394

@rvagg
Copy link
Member Author

rvagg commented Mar 1, 2016

I've been avoiding semver-minor and the timers patch for this release, hence 5.7.1, so it's an easier (if just mental, but likely a little lower risk) upgrade for existing users.

@rvagg
Copy link
Member Author

rvagg commented Mar 1, 2016

@Fishrock123 also, we didn't have anything ready last week and the path fixes couldn't really be rushed so I don't think there's a whole lot we could have changed.

@Fishrock123
Copy link
Contributor

Pretty sure #5389 (comment) (the important patch) was. We should have just landed and released imo. My fault for forgetting about it on Thursday. :/

@Fishrock123
Copy link
Contributor

Pushed commits to v5.x; CI (think I ran it right) https://ci.nodejs.org/job/node-test-pull-request/1814/

Notable changes:

* governance: The Core Technical Committee (CTC) added four new members
to help guide Node.js core development: Evan Lucas, Rich Trott, Ali
Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).

* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis)
#5507
  - Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is likely
to be very difficult to use this defect for a practical attack and is
therefore considered low severity for Node.js users. More info is
available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code paths
that use these functions so practical attacks via Node.js using this
defect are _unlikely_ to be possible. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading to the
potential recovery of entire RSA private keys. It only affects the
Intel Sandy Bridge (and possibly older) microarchitecture when using
hyper-threading. Newer microarchitectures, including Haswell, are
unaffected. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702

* Fixed several regressions that appeared in v5.7.0:
  - path.relative():
    - Output is no longer unnecessarily verbose (Brian White)
#5389
    - Resolving UNC paths on Windows now works correctly (Owen Smith)
#5456
    - Resolving paths with prefixes now works correctly from the root
directory (Owen Smith) #5490
  - url: Fixed an off-by-one error with `parse()` (Brian White)
#5394
  - dgram: Now correctly handles a default address case when offset and
length are specified (Matteo Collina)
#5407

PR-URL: #5464
@Fishrock123
Copy link
Contributor

CITGM before merging https://ci.nodejs.org/job/thealphanerd-smoker/100/

@Fishrock123
Copy link
Contributor

@Fishrock123 Fishrock123 merged commit 3643670 into v5.x Mar 2, 2016
Fishrock123 added a commit that referenced this pull request Mar 2, 2016
Fishrock123 added a commit to Fishrock123/node that referenced this pull request Mar 2, 2016
Notable changes:

* governance: The Core Technical Committee (CTC) added four new members
to help guide Node.js core development: Evan Lucas, Rich Trott, Ali
Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).

* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis)
nodejs#5507
  - Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is likely
to be very difficult to use this defect for a practical attack and is
therefore considered low severity for Node.js users. More info is
available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code paths
that use these functions so practical attacks via Node.js using this
defect are _unlikely_ to be possible. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading to the
potential recovery of entire RSA private keys. It only affects the
Intel Sandy Bridge (and possibly older) microarchitecture when using
hyper-threading. Newer microarchitectures, including Haswell, are
unaffected. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702

* Fixed several regressions that appeared in v5.7.0:
  - path.relative():
    - Output is no longer unnecessarily verbose (Brian White)
nodejs#5389
    - Resolving UNC paths on Windows now works correctly (Owen Smith)
nodejs#5456
    - Resolving paths with prefixes now works correctly from the root
directory (Owen Smith) nodejs#5490
  - url: Fixed an off-by-one error with `parse()` (Brian White)
nodejs#5394
  - dgram: Now correctly handles a default address case when offset and
length are specified (Matteo Collina)
nodejs#5407

PR-URL: nodejs#5464

### Notable changes

* **governance**: The Core Technical Committee (CTC) added four new members to help guide Node.js core development: Evan Lucas, Rich Trott, Ali Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is really odd in here. If you look at how this displays at https://nodejs.org/en/blog/ it seems like it is related to the Version 5.7.1 release.

Shouldn't this go in a "Weekly Update"?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
meta Issues and PRs related to the general management of the project.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants