v3.2.3

Compare Source

Bugfixes

• When Corepack is enabled Yarn will now use the current CLI to prepare external Yarn classic projects, matching the behaviour of when Corepack is disabled.

Compatibility

• Updates the PnP compatibility layer for TypeScript 4.8.1-rc
• The ESM loader now supports unflagged JSON modules.

v3.2.2

Compare Source

Compatibility

• The patched filesystem now supports ftruncate.
• The patched filesystem now supports fchmod.
• The patched filesystem now supports throwIfNoEntry.
• The PnP filesystem now handles most of the FileHandle methods
• Updates the PnP compatibility layer for TypeScript 4.8 Beta
• The npm_package_json environment variable is now set by Yarn.

v3.2.1

Compare Source

Installs

• The pnpm linker no longer tries to remove node_modules directory, when node-modules linker is active
• The node-modules linker does not fail anymore if portal dependency points to an external project with multiple interdependent workspaces
• The node-modules linker has received various improvements:
  • applies hoisting algorithm on aliased dependencies
  • reinstalls modules that have their directories removed from node_modules by the user
  • improves portal hoisting
  • supports supportedArchitectures

Bugfixes

• The PnP ESM loader is now able to handle symlinked extensionless entrypoints.

v3.2.0

Compare Source

Various improvements have been made in the core to improve performance. Additionally:

Commands

• The yarn workspaces foreach run command is now able to run binaries.
• The yarn npm info command now supports displaying information about a tagged version of a package (e.g. yarn npm info vue@next).
• A new yarn explain command has been added. It can be used to explain an error code, or list all available error codes.
  • For example, try to run yarn explain YN0002.
• The yarn npm publish command now accepts a new --otp option, to set the One-Time Password from the CLI.
  • A better error message will also be shown when a query fails due to an invalid OTP.
• yarn upgrade-interactive now has improved paging:
  • Yarn will display as many suggestions as can fit in the viewport (rather than a fixed-size list).
  • The suggestions that fit in the viewport will be fetched in the foreground and will load one-by-one.
  • The suggestions that don't will be fetched in the background and will be loaded in batches to increase responsiveness and reduce input lag.
  • Most notably, you won't have to wait for all of the suggestions to be fetched (which took a very long time before on large monorepos) before you can start navigating through the list.

Installs

• The node-modules linker now tolerates if node_modules is a symbolic link, and doesn't recreate it.
• On top of the cpu and arch fields, Yarn now support a new libc field which can be used in tandem with optionalDependencies to avoid downloading packages that have been linked against incompatible standard libraries (we currently support two values: glibc and musl).
• The pnpm linker has received various improvements:
  • It will now remove the node_modules/.store and node_modules folders if they are empty.
  • It now supports running binaries of soft links.
  • It will now create self-references for packages that don't depend on other versions of themselves.
  • It will now remove scope folders (e.g. node_modules/@​yarnpkg) if they are empty or after removing a scoped dependency.
• All .pnp.cjs files with inlined data will now store the data in a JSON string literal instead of an object literal to improve startup performance.

Compatibility

• The shell now treats backslashes same as Bash (so it mostly ignore them).
  • Could potentially be a breaking change, but the old behavior caused portability issues with a few packages, so we had to make this change (especially since the portable shell is intended to help portability).
• The shell now supports ${FOO:+}.
• The PnP filesystem now handles read and readSync using options.
• The PnP filesystem now handles UNC paths using forward slashes.
• The PnP filesystem now sets the proper path property on streams created by createReadStream() and obtained from zip archives.
• The PnP runtime now throws an ERR_REQUIRE_ESM error when attempting to require an ES Module, matching the default Node.js behaviour.
• Updates the PnP compatibility layer for TypeScript 4.6 Beta (it's possible we'll need to publish another patch update once the 4.6 enters stable).

Bugfixes

• @yarnpkg/pnpify now escapes paths correctly.
• The ESM loader is now enabled regardless of the entrypoint module type, this fixes support for dynamic imports in commonjs modules when the entrypoint is also commonjs.
• The ESM loader is now able to resolve relative imports with search parameters.
• The node field inside the npm_config_user_agent Yarn sets will now include a leading v.
• Yarn is now able to recover from a corrupted install state.
• Yarn is now able to migrate classic lockfiles containing unconventional tarball URLs.
• The nm linker hoists portals after hoisting their dependencies first.
• Fixed a crash caused by a bad interaction between aliased packages and peer dependencies.
• The ESBuild plugin will no longer allow access to Node.js builtins if the platform isn't set to Node.
• SemVer ranges with build metadata can now be resolved.
• The YARN_IGNORE_NODE environment variable will now be parsed using the same mechanism as env variable configuration settings (i.e. both 1/0 and true/false will be accepted)

ZipFS Extension

• You can now unmount zip folders by right-clicking on their workspaces.

Miscellaneous Features

• Reporting for Git errors has been improved.
• The resolution step now has a progress indicator.
• The experimental ESM loader warning emitted by Node.js is now suppressed.
• Private registries can now be authenticated using private keys and certificates.
• A new wrapNetworkRequest hook now lets you wrap network requests (for example to log them).

v1.0.0-rc.8

Compare Source

v1.0.0-rc.7

Compare Source

v1.0.0-rc.5

Compare Source

v1.0.0-rc.4

Compare Source

v1.0.0-rc.2

Compare Source

v1.0.0-rc.1

Compare Source

v1.0.0-rc.0

v1.0.0-beta-rc.1

v1.0.0-beta-rc.0

v1.0.0-rc.5

Compare Source

v1.0.0-rc.4

Compare Source

v1.0.0-rc.3

Compare Source

v1.0.0-rc.2

Compare Source

v1.0.0-rc.1

Compare Source

v1.0.0-rc.0

Compare Source

v1.0.0-beta-rc.1

Compare Source

v1.0.0-beta-rc.0

Compare Source

v1.0.0-rc.6

Compare Source

v1.0.0-rc.5

Compare Source

v1.0.0-rc.4

Compare Source

v1.0.0-rc.3

Compare Source

v1.0.0-rc.2

Compare Source

v1.0.0-rc.1

Compare Source

v1.0.0-rc.0

Compare Source

v1.0.0-beta-rc.4

Compare Source

v1.0.0-beta-rc.3

Compare Source

v1.0.0-beta-rc.2

Compare Source

v1.0.0-beta-rc.0

Compare Source

v1.0.0-rc.3

v1.0.0-rc.2

Compare Source

v1.0.0-rc.1

Compare Source

v1.0.0-rc.0

v1.0.0-beta-rc.1

v1.0.0-beta-rc.0

v16.13.2

Compare Source

This is a security release.

Notable changes

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44531 after publication.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44532 after publication.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.

Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

More details will be available at CVE-2021-44533 after publication.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.

Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to.

More details will be available at CVE-2022-21824 after publication.

Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.

Commits

• [8dd4ca4537] - console: fix prototype pollution via console.table (Tobias Nießen) nodejs-private/node-private#​307
• [e52882da4c] - crypto,tls: implement safe x509 GeneralName format (Tobias Nießen) nodejs-private/node-private#​300
• [9a0a189b0b] - src: add cve reverts and associated tests (Michael Dawson) nodejs-private/node-private#​300
• [4a262d42bc] - src: remove unused x509 functions (Tobias Nießen) nodejs-private/node-private#​300
• [965536fe3d] - tls: fix handling of x509 subject and issuer (Tobias Nießen) nodejs-private/node-private#​300
• [a2cbfa95ff] - tls: drop support for URI alternative names (Tobias Nießen) nodejs-private/node-private#​300

v2

Compare Source

| File | Before | After | Percent reduction | |:--|:--|:--|:--| | /misskey-app/src-tauri/icons/icon.png | 13.85kb | 6.10kb | 55.95% | | /misskey-app/src-tauri/icons/Square310x310Logo.png | 8.39kb | 3.81kb | 54.55% | | /misskey-app/src-tauri/icons/Square284x284Logo.png | 7.56kb | 3.44kb | 54.48% | | /misskey-app/src-tauri/icons/[email protected] | 6.85kb | 3.17kb | 53.76% | | /misskey-app/src-tauri/icons/Square142x142Logo.png | 3.77kb | 1.94kb | 48.63% | | /misskey-app/src-tauri/icons/Square150x150Logo.png | 3.87kb | 2.00kb | 48.39% | | /misskey-app/src-tauri/icons/128x128.png | 3.43kb | 1.84kb | 46.30% | | /misskey-app/src-tauri/icons/Square107x107Logo.png | 2.80kb | 1.57kb | 43.97% | | /misskey-app/src-tauri/icons/Square89x89Logo.png | 2.41kb | 1.41kb | 41.69% | | /misskey-app/src-tauri/icons/Square71x71Logo.png | 1.96kb | 1.23kb | 37.54% | | /misskey-app/src-tauri/icons/StoreLogo.png | 1.49kb | 1.06kb | 28.69% | | /misskey-app/src-tauri/icons/Square44x44Logo.png | 1.27kb | 0.98kb | 22.71% | | /misskey-app/src-tauri/icons/32x32.png | 0.95kb | 0.84kb | 11.19% | | /misskey-app/src-tauri/icons/Square30x30Logo.png | 0.88kb | 0.80kb | 9.08% | | | | | | | Total : | 59.47kb | 30.18kb | 49.25% |

v18.12.1: 2022-11-04, Version 18.12.1 'Hydrogen' (LTS), @​juanarbol

Compare Source

This is a security release.

Notable changes

The following CVEs are fixed in this release:

• CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow (High)
• CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow (High)
• CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)

More detailed information on each of the vulnerabilities can be found in November 2022 Security Releases blog post.

Commits

• [39f8a672e3] - deps: update archs files for quictls/openssl-3.0.7+quic nodejs/node#​45286
• [80218127c8] - deps: upgrade openssl sources to quictls/openssl-3.0.7+quic nodejs/node#​45286
• [165342beac] - inspector: harden IP address validation again (Tobias Nießen) nodejs-private/node-private#​354

v18.12.0: 2022-10-25, Version 18.12.0 'Hydrogen' (LTS), @​ruyadorno and @​RafaelGSS

Compare Source

Notable Changes

This release marks the transition of Node.js 18.x into Long Term Support (LTS) with the codename 'Hydrogen'. The 18.x release line now moves into "Active LTS" and will remain so until October 2023. After that time, it will move into "Maintenance" until end of life in April 2025.

v18.11.0: 2022-10-13, Version 18.11.0 (Current), @​danielleadams

Compare Source

Notable changes

watch mode (experimental)

Running in 'watch' mode using node --watch restarts the process when an imported file is changed.

Contributed by Moshe Atlow in #​44366

Other notable changes

• fs:
  • (SEMVER-MINOR) add FileHandle.prototype.readLines (Antoine du Hamel) #​42590
• http:
  • (SEMVER-MINOR) add writeEarlyHints function to ServerResponse (Wing) #​44180
• http2:
  • (SEMVER-MINOR) make early hints generic (Yagiz Nizipli) #​44820
• lib:
  • (SEMVER-MINOR) refactor transferable AbortSignal (flakey5) #​44048
• src:
  • (SEMVER-MINOR) add detailed embedder process initialization API (Anna Henningsen) #​44121
• util:
  • (SEMVER-MINOR) add default value option to parsearg (Manuel Spigolon) #​44631

Commits

• [27b4b782ce] - benchmark: add vm context global proxy benchmark (Joyee Cheung) #​44796
• [4e82521af1] - bootstrap: update comments in bootstrap/node.js (Joyee Cheung) #​44726
• [725be0ea50] - buffer: initialize TextDecoder once on blob.text() (Yagiz Nizipli) #​44787
• [653c3b1f62] - buffer,lib: update atob to align wpt's base64.json (Khaidi Chu) #​43901
• [37808b3355] - build: convert V8 test JSON to JUnit XML (Keyhan Vakil) #​44049
• [f92871a52b] - build: update timezone-update.yml (Alex) #​44717
• [f85d3471ee] - child_process: remove lookup of undefined property (Colin Ihrig) #​44766
• [2f5f41c315] - (SEMVER-MINOR) cli: add --watch (Moshe Atlow) #​44366
• [7fb9cc70f3] - cluster: use inspector utils (Moshe Atlow) #​44592
• [99a2c16040] - crypto: add causes to applicable webcrypto's OperationError (Filip Skokan) #​44890
• [e0fbba0939] - crypto: use EVP_PKEY_CTX_set_dsa_paramgen_q_bits when available (David Benjamin) #​44561
• [a90386b0a1] - deps: update undici to 5.11.0 (Node.js GitHub Bot) #​44929
• [aa68d40fbf] - deps: update corepack to 0.14.2 (Node.js GitHub Bot) #​44775
• [c892f35815] - deps: V8: fix debug build (Ben Noordhuis) #​44392
• [91514393dc] - dns: support dns module in the snapshot (Joyee Cheung) #​44633
• [ce3cb29319] - doc: add fsPromises.readFile() example (Tierney Cyren) #​40237
• [97df9b84a2] - doc: improve building doc for Android (BuShe Pie) #​44888
• [8c69da893b] - doc: mention corepack prepare supports tag or range (Michael Rienstra) #​44646
• [842bc64833] - doc: remove Legacy status from querystring (Rich Trott) #​44912
• [ddb5402f5f] - doc: fix label name in collaborator guide (Rich Trott) #​44920
• [d08b024a3d] - doc: fix typo in Node.js 12 changelog (Lorand Horvath) #​42880
• [b6b9c427c5] - doc: move release keys we don't use anymore in README (Rich Trott) #​44899
• [e92b074b32] - doc: fix grammar in dns docs (#​44850) (Colin Ihrig) #​44850
• [780144c339] - doc: remove unnecessary leading commas (Colin Ihrig) #​44854
• [6ae9bc8fbc] - doc: add extra step for reporter pre-approval (Rafael Gonzaga) #​44806
• [ccf31d8bca] - doc: add anchor link for --preserve-symlinks (Kohei Ueno) #​44858
• [7c5c19ee54] - doc: update node prefix require.cache example (Simone Busoli) #​44724
• [2a5bce6318] - doc: include last security release date (Vladimir de Turckheim) #​44794
• [4efaf4265c] - doc: remove "currently" and comma splice from child_process.md (Rich Trott) #​44789
• [3627616b40] - doc,crypto: mark experimental algorithms more visually (Filip Skokan) #​44892
• [3c653cf23a] - doc,crypto: add missing CFRG curve algorithms to supported lists (Filip Skokan) #​44876
• [70f55020d3] - doc,crypto: add null length to crypto.subtle.deriveBits (Filip Skokan) #​44876
• [910fbd0ece] - esm: fix duplicated test (Geoffrey Booth) #​44779
• [bc00f3bde1] - fs: fix opts.filter issue in cp async (Tho) #​44922
• [11d1c23fa0] - (SEMVER-MINOR) fs: add FileHandle.prototype.readLines (Antoine du Hamel) #​42590
• [67fb76519a] - fs: improve promise based readFile performance for big files (Ruben Bridgewater) #​44295
• [dc6379bdc2] - fs: don't hard code name in validatePosition() (Colin Ihrig) #​44767
• [eb19b1e97c] - http: be more aggressive to reply 400, 408 and 431 (ywave620) #​44818
• [4c869c8d9e] - (SEMVER-MINOR) http: add writeEarlyHints function to ServerResponse (Wing) #​44180
• [9c7e66478c] - (SEMVER-MINOR) http2: make early hints generic (Yagiz Nizipli) #​44820
• [3f20e5b15c] - (SEMVER-MINOR) lib: refactor transferable AbortSignal (flakey5) #​44048
• [ada7d82b16] - lib: require JSDoc in internal validators code (Rich Trott) #​44896
• [67eaa303af] - lib: add cause to DOMException (flakey5) #​44703
• [0db86ee98e] - meta: update AUTHORS (Node.js GitHub Bot) #​44930
• [2efe4d985b] - meta: label test.js and test.md with test_runner label (Moshe Atlow) #​44863
• [fd9feb3a6c] - meta: update AUTHORS (Node.js GitHub Bot) #​44857
• [a854bb39c9] - node-api: create reference only when needed (Gerhard Stöbich) #​44827
• [fd5c26b8db] - path: change basename() argument from ext to suffix (Rich Trott) #​44774
• [803fbfb168] - process: fix uid/gid validation to avoid crash (Tobias Nießen) #​44910
• [9f2dd48fc3] - src: remove uid_t/gid_t casts (Tobias Nießen) #​44914
• [3abb607f3a] - src: remove UncheckedMalloc(0) workaround (Tobias Nießen) #​44543
• [0606f9298f] - src: deduplicate setting RSA OAEP label (Tobias Nießen) #​44849
• [daf3152f7e] - src: implement GetDetachedness() in MemoryRetainerNode (Joyee Cheung) #​44803
• [7ca77dd4ef] - src: avoid X509_free in loops in crypto_x509.cc (Tobias Nießen) #​44855
• [781ad96227] - src: use OnScopeLeave instead of multiple free() (Tobias Nießen) #​44852
• [b27b336a7a] - src: remove ParseIP() in cares_wrap.cc (Tobias Nießen) #​44771
• [f99f5d3c01] - (SEMVER-MINOR) src: add detailed embedder process initialization API (Anna Henningsen) #​44121
• [281fd7a09a] - src,stream: improve DoWrite() and Write() (ywave620) #​44434
• [a33cc22bf7] - src,worker: fix race of WorkerHeapSnapshotTaker (ywave620) #​44745
• [f300f197da] - stream: handle enqueuing chunks when a pending BYOB pull request exists (Daeyeon Jeong) #​44770
• [9ac029ea11] - test: bump memory limit for abort fatal error (Danielle Adams) #​44984
• [b9b671f25f] - test: debug watch mode inspect (Moshe Atlow) #​44861
• [2308b71d09] - test: don't clobber RegExp.$_ on startup (Ben Noordhuis) #​44864
• [fe91bebb67] - test: loosen test for negative timestamps in test-fs-stat-date (Livia Medeiros) #​44707
• [a080608552] - test: check --test is disallowed in NODE_OPTIONS (Kohei Ueno) #​44846
• [dc2af265d7] - test: improve lib/internal/source_map/source_map.js coverage (MURAKAMI Masahiko) #​42771
• [60a05d6dea] - test: skip some binding tests on IBMi PASE (Richard Lau) #​44810
• [8dacedaa3d] - test: remove unused variable in addon test (Joyee Cheung) #​44809
• [c54cee1c3f] - test: check server status in test-tls-psk-client (Richard Lau) #​44824
• [ee3c6a4dc5] - test: use async/await in test-debugger-exceptions (pete3249) #​44690
• [9f14625fe5] - test: use async/await in test-debugger-help (Chandana) #​44686
• [8033ad846b] - test: update test-debugger-scripts to use await/async (mmeenapriya) #​44692
• [f4f08be384] - test: use await in test-debugger-invalid-json (Anjana Krishnakumar Vellore) #​44689
• [d2f36169f3] - test: use async/await in test-debugger-random-port-with-inspect-port (Monu-Chaudhary) #​44695
• [ddf029725b] - test: use async/await in test-debugger-heap-profiler (Brinda Ashar) #​44693
• [117f068250] - test: use async/await in test-debugger-auto-resume (samyuktaprabhu) #​44675
• [143c428cae] - test: migrated from Promise chains to Async/Await (Rathi N Das) #​44674
• [e609a3309c] - test: change promises to async/await in test-debugger-backtrace.js (Juliet Zhang) #​44677
• [eeabd23ca6] - test: use async/await in test-debugger-sb-before-load (Hope Olaidé) #​44697
• [5c63d1464e] - test: add extra tests for basename with ext option (Connor Burton) #​44772
• [f8b2d7a059] - test: refactor to async/await (Divya Mohan) #​44694
• [9864bde9ab] - test: modify test-debugger-custom-port.js to use async-await (Priya Shastri) #​44680
• [af30823881] - test: upgrade all 1024 bit RSA keys to 2048 bits (Momtchil Momtchev) #​44498
• [0fb669e31f] - test: update test-debugger-breakpoint-exists.js to use async/await (Archana Kamath) #​44682
• [cca253503e] - test: use async/await in test-debugger-preserve-breaks (poorvitusam) #​44696
• [0b2e8b1681] - test: use async/await in test-debugger-profile (surbhirjain) #​44684
• [4db72a65cf] - test: change the promises to async/await in test-debugger-exec-scope.js (Ankita Khiratkar) #​44685
• [56c9c98963] - test: fix test-runner-inspect (Moshe Atlow) #​44620
• [36227ed862] - test: fix watch mode test flake (Moshe Atlow) #​44739
• [3abd71a0ea] - test: deflake watch mode tests (Moshe Atlow) #​44621
• [0c9f38f2be] - test: split watch mode inspector tests to sequential (Moshe Atlow) #​44551
• [d762a34128] - test_runner: add --test-name-pattern CLI flag (Colin Ihrig)
• [c7ece464a1] - test_runner: remove runtime experimental warning (Colin Ihrig) #​44844
• [3c1e9d41c8] - test_runner: support using --inspect with --test (Moshe Atlow) #​44520
• [4bdef48732] - tools: remove faulty early termination logic from update-timezone.mjs (Darshan Sen) #​44870
• [19d8574996] - tools: fix timezone update tool (Darshan Sen) #​44870
• [ad8b8ae7d3] - tools: update eslint to 8.25.0 (Node.js GitHub Bot) #​44931
• [fd99b17a4d] - tools: make utils.SearchFiles deterministic (Bruno Pitrus) #​44496
• [131adece37] - tools: fix typo in tools/update-authors.mjs (Darshan Sen) #​44780
• [ab22777e65] - tools: refactor deprecated format in no-unescaped-regexp-dot (Madhuri) #​44763
• [3ad0fae89d] - tools: update eslint-check.js to object style (andiemontoyeah) #​44706
• [e9d572a9bd] - tools: update eslint to 8.24.0 (Node.js GitHub Bot) #​44778
• [984b0b4a6c] - tools: update lint-md-dependencies to [email protected] (Node.js GitHub Bot) #​44776
• [db5aeed702] - (SEMVER-MINOR) util: add default value option to parsearg (Manuel Spigolon) #​44631
• [576ccdf125] - util: increase robustness with primordials (Jordan Harband) #​41212

v18.10.0: 2022-09-28, Version 18.10.0 (Current), @​RafaelGSS

Compare Source

Notable changes

• doc:
  • (SEMVER-MINOR) deprecate modp1, modp2, and modp5 groups (Tobias Nießen) #​44588
  • add legendecas to TSC list (Michael Dawson) #​44662
  • move policy docs to the permissions scope (Rafael Gonzaga) #​44222
• gyp:
  • libnode for ios app embedding (chexiongsheng) #​44210
• http:
  • (SEMVER-MINOR) throw error on content-length mismatch (sidwebworks) #​44588
• stream:
  • (SEMVER-MINOR) add ReadableByteStream.tee() (Daeyeon Jeong) #​44505

Commits

• [f497368679] - benchmark: fix startup benchmark (Evan Lucas) #​44727
• [0c9a94684e] - benchmark: add stream destroy benchmark (SindreXie) #​44533
• [9c5c1459a8] - bootstrap: clean up inspector console methods during serialization (Joyee Cheung) #​44279
• [19f67dba8a] - bootstrap: remove unused global parameter in per-context scripts (Joyee Cheung) #​44472
• [9da11426f6] - build: remove redundant entry in crypto (Jiawen Geng) #​44604
• [70898b4e67] - build: rewritten the Android build system (BuShe Pie) #​44207
• [a733f7faac] - Revert "build: go faster, drop -fno-omit-frame-pointer" (Ben Noordhuis) #​44566
• [1315a83333] - build: fix bad upstream merge (Stephen Gallagher) #​44642
• [993bd9b134] - crypto: restrict PBKDF2 args to signed int (Tobias Nießen) #​44575
• [ca5fb67b4e] - deps: update to ngtcp2 0.8.1 and nghttp3 0.7.0 (Tobias Nießen) #​44622
• [8da1d6ebc4] - deps: update corepack to 0.14.1 (Node.js GitHub Bot) #​44704
• [d36c4a3088] - deps: update ngtcp2 update instructions (Tobias Nießen) #​44619
• [7129106aa0] - deps: upgrade npm to 8.19.2 (npm team) #​44632
• [3cc8f4bb56] - deps: update to uvwasi 0.0.13 (Colin Ihrig) #​44524
• [4686579d4b] - dns: remove unnecessary parameter from validateOneOf (Yagiz Nizipli) #​44635
• [729dd95f1f] - dns: refactor default resolver (Joyee Cheung) #​44541
• [6dc038262a] - doc: mention git node backport (RafaelGSS) #​44764
• [fd971f5176] - doc: ensure to revert node_version changes (Rafael Gonzaga) #​44760
• [f274b08f8e] - doc: fix description for napi_get_cb_info() in n-api.md (Daeyeon Jeong) #​44761
• [2502f2353d] - doc: update the deprecation for exit code to clarify its scope (Daeyeon Jeong) #​44714
• [064543d0ae] - doc: update guidance for adding new modules (Michael Dawson) #​44576
• [33a2f17534] - doc: add registry number for Electron 22 (Keeley Hammond) #​44748
• [10a0d75c26] - doc: include code examples for webstreams consumers (Lucas Santos) #​44387
• [4dbe4a010c] - doc: mention where to push security commits (RafaelGSS) #​44691
• [82cb8151ad] - doc: remove extra space on threadpool usage (Connor Burton) #​44734
• [6ef9af2748] - doc: make legacy banner slightly less bright (Rich Trott) #​44665
• [b209c83e66] - doc: improve building doc for Windows Powershell (Brian Muenzenmeyer) #​44625
• [05b17e9250] - doc: maintain only one list of MODP groups (Tobias Nießen) #​44644
• [ec1cbdb69b] - doc: add legendecas to TSC list (Michael Dawson) #​44662
• [9341fb4446] - doc: remove comma in README.md (Taha-Chaudhry) #​44599
• [3dabb44dda] - doc: use serial comma in report docs (Daeyeon Jeong) #​44608
• [226d90a95a] - doc: use serial comma in stream docs (Daeyeon Jeong) #​44609
• [3f710fa636] - doc: remove empty line in YAML block (Claudio Wunder) #​44617
• [4ad1b0abc3] - (SEMVER-MINOR) doc: deprecate modp1, modp2, and modp5 groups (Tobias Nießen) #​44588
• [2d92610525] - doc: remove old OpenSSL ENGINE constants (Tobias Nießen) #​44589
• [03705639c4] - doc: fix heading levels for test runner hooks (Fabian Meyer) #​44603
• [6c557346a7] - doc: fix errors in http.md (Luigi Pinca) #​44587
• [48d944b71c] - doc: fix vm.Script createCachedData example (Chengzhong Wu) #​44487
• [2813323120] - doc: mention how to get commit release (Rafael Gonzaga) #​44572
• [ea7b44d474] - doc: fix link in process.md (Antoine du Hamel) #​44594
• [39b65d2fb7] - doc: do not use weak MODP group in example (Tobias Nießen) #​44585
• [f5549afd90] - doc: remove ebpf from supported tooling list (Rafael Gonzaga) #​44549
• [a3360b1f4f] - doc: emphasize that createCipher is never secure (Tobias Nießen) #​44538
• [4e6f7862ba] - doc: document attribute Script.cachedDataRejected (Chengzhong Wu) #​44451
• [01e584ecab] - doc: move policy docs to the permissions scope (Rafael Gonzaga) #​44222
• [57dac53c22] - doc,crypto: cleanup removed pbkdf2 behaviours (Filip Skokan) #​44733
• [c209bd6fb9] - doc,inspector: document changes of inspector.close (Chengzhong Wu) #​44628
• [9b3b7d6978] - esm,loader: tidy ESMLoader internals (Jacob Smith) #​44701
• [daf63d2fa3] - fs: fix typo in mkdir example (SergeyTsukanov) #​44791
• [85ab2f857f] - fs: remove unused option in fs.fstatSync() (Livia Medeiros) #​44613
• [a6091f5496] - gyp: libnode for ios app embedding (chexiongsheng) #​44210
• [f158656e4c] - (SEMVER-MINOR) http: throw error on content-length mismatch (sidwebworks) #​44378
• [1b160517f5] - inspector: expose inspector.close on workers (Chengzhong Wu) #​44489
• [a2eb55a2c9] - lib: don't match sourceMappingURL in strings (Alan Agius) #​44658
• [2baf532518] - lib: fix reference leak (falsandtru) #​44499
• [d8d34ae6bc] - lib: reset RegExp statics before running user code (Antoine du Hamel) #​44247
• [eb3635184b] - lib,test: fix bug in InternalSocketAddress (Tobias Nießen) #​44618
• [74dc4d198f] - meta: update AUTHORS (Node.js GitHub Bot) #​44777
• [97d2ed7296] - meta: add mailmap entry for dnlup (Rich Trott) #​44716
• [35fbd2cc14] - meta: update AUTHORS (Node.js GitHub Bot) #​44705
• [c5c1bc40a2] - meta: move dnlup to emeriti (dnlup) #​44667
• [c62dfe0427] - meta: update test_runner in label-pr-config (Shrujal Shah) #​44615
• [fe56efd0bc] - meta: update AUTHORS (Node.js GitHub Bot) #​44591
• [4436ffb536] - module: open stat/readPackage to mutations (Maël Nison) #​44537
• [f8ec946c82] - module: exports & imports map invalid slash deprecation (Guy Bedford) #​44477
• [64cb43a2b6] - node-api: add deprecation code of uncaught exception (Chengzhong Wu) #​44624
• [ce1704c2c7] - src: avoid using v8 on Isolate termination (Santiago Gimeno) #​44669
• [3036b85d71] - src: remove <unistd.h> from node_os.cc (Tobias Nießen) #​44668
• [29f57b7899] - src: avoid copy when creating Blob (Tobias Nießen) #​44616
• [75cfb13ea6] - src: make ReqWrap weak (Rafael Gonzaga) #​44074
• [c12abb5ece] - src: make NearHeapLimitCallback() more robust (Joyee Cheung) #​44581
• [81ea507e8e] - src: dump isolate stats when process exits (daomingq) #​44534
• [687844822f] - src: consolidate environment cleanup queue (Chengzhong Wu) #​44379
• [3d42aaaac0] - stream: handle a pending pull request from a released reader (Daeyeon Jeong) #​44702
• [73ad9db6c5] - stream: refactor use es2020 statement (SindreXie) #​44533
• [0af6e420b3] - stream: remove abortReason from WritableStreamDefaultController (Daeyeon Jeong) #​44540
• [2f2f8d5821] - (SEMVER-MINOR) stream: add ReadableByteStream.tee() (Daeyeon Jeong) #​44505
• [667e8bf3fb] - stream: fix writableStream.abort() (Daeyeon Jeong) #​44327
• [3112d5dae0] - test: verify napi_remove_wrap with napi_delete_reference (Chengzhong Wu) #​44754
• [b512436841] - test: change promises to async/await (Madhulika Sharma) #​44683
• [858631f720] - test: use async/await in test-debugger-invalid-args (Nupur Chauhan) #​44678
• [6c9ded810c] - test: update test-debugger-low-level to use await/async (Meghana Ramesh) #​44688
• [945aa74e57] - test: check that sysconf returns a positive value (Tobias Nießen) #​44666
• [79f0f48a6f] - test: change promise to async/await in debugger-watcher (“Pooja) #​44687
• [a56cb65bd6] - test: fix addon tests compilation with OpenSSL 1.1.1 (Adam Majer) #​44725
• [8a68a80a06] - test: fix test-performance-measure (smitley) #​44637
• [55de0136b3] - test: improve lib/readline.js coverage (MURAKAMI Masahiko) #​42686
• [a3095d217f] - test: fix test-repl not validating leaked globals properly (Antoine du Hamel) #​44640
• [7db2974692] - test: ignore stale process cleanup failures on Windows (Joyee Cheung) #​44480
• [6c35f338c3] - test: use python3 instead of python (Luigi Pinca) #​44545
• [20e04c6d44] - test: fix DebugSymbolsTest.ReqWrapList on PPC64LE (Daniel Bevenius) #​44341
• [eb25fe73b0] - test: add more cases for parse-encoding (Tony Gorez) #​44427
• [5ab3bc9419] - test_runner: include stack of uncaught exceptions (Moshe Atlow) #​44614
• [752e1472e1] - tls: fix out-of-bounds read in ClientHelloParser (Tobias Nießen) #​44580
• [0cddb0af99] - tools: add update-llhttp.sh (Paolo Insogna) #​44652
• [ef0dc47df9] - tools: fix typo in update-nghttp2.sh (Luigi Pinca) #​44664
• [0df181a5a1] - tools: add timezone update workflow (Lenvin Gonsalves) #​43988
• [dd4348900d] - tools: update eslint to 8.23.1 (Node.js GitHub Bot) #​44639
• [b9cfb71e12] - tools: update lint-md-dependencies to @​rollup/plugin-node-resolve@​14.1.0 (Node.js GitHub Bot) #​44638
• [5ae142d7ad] - tools: update gyp-next to v0.13.0 (Jiawen Geng) #​44605
• [5dd86c3faf] - tools: update lint-md-dependencies to @​rollup/plugin-node-resolve@​14.0.1 (Node.js GitHub Bot) #​44590
• [caad4748cf] - tools: increase timeout of running WPT (Joyee Cheung) #​44574
• [5db9779f14] - tools: fix shebang to use python3 by default (Himself65) #​44531
• [9aa6a560e9] - v8: add setHeapSnapshotNearHeapLimit (theanarkh) #​44420
• [360b74e94f] - win: fix fs.realpath.native for long paths (StefanStojanovic) #​44536

v18.9.1: 2022-09-23, Version 18.9.1 (Current), @​RafaelGSS

Compare Source

This is a security release.

Notable changes

The following CVEs are fixed in this release:

• CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
  • Insufficient fix for macOS devices on v18.5.0
• CVE-2022-32222: Node 18 reads openssl.cnf from /home/iojs/build/ upon startup on MacOS (Medium)
• CVE-2022-32213: HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)
  • Insufficient fix on v18.5.0
• CVE-2022-32215: HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)
  • Insufficient fix on v18.5.0
• CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
• CVE-2022-35255: Weak randomness in WebCrypto keygen

More detailed information on each of the vulnerabilities can be found in September 22nd 2022 Security Releases blog post.

llhttp updated to 6.0.10

llhttp is updated to 6.0.10 which includes fixes for the following vulnerabilities.

• HTTP Request Smuggling - CVE-2022-32213 bypass via obs-fold mechanic (Medium)(CVE-2022-32213 ): The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
• HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215): The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
• HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)(CVE-35256): The llhttp parser in the http does not correctly handle header fields that are not terminated with CLRF. This can lead to HTTP Request Smuggling (HRS).

Commits

• [0c2a5723be] - crypto: fix weak randomness in WebCrypto keygen (Ben Noordhuis) nodejs-private/node-private#
• [ffb6f4d51d] - deps: MacOS - fix location of OpenSSL config file (Michael Dawson) nodejs-private/node-private#​345
• [01bffcdd93] - http: disable chunked encoding when OBS fold is used (Paolo Insogna) nodejs-private/node-private#​341
• [2c379d341d] - src: fix IPv4 non routable validation (RafaelGSS) nodejs-private/node-private#​337

v18.9.0: 2022-09-08, Version 18.9.0 (Current), @​RafaelGSS

Compare Source

Notable changes

• doc
  • add daeyeon to collaborators (Daeyeon Jeong) #​44355
• lib
  • (SEMVER-MINOR) add diagnostics channel for process and worker (theanarkh) #​44045
• os
  • (SEMVER-MINOR) add machine method (theanarkh) #​44416
• report
  • (SEMVER-MINOR) expose report public native apis (Chengzhong Wu) #​44255
• src
  • (SEMVER-MINOR) expose environment RequestInterrupt api (Chengzhong Wu) #​44362
• vm
  • include vm context in the embedded snapshot (Joyee Cheung) #​44252

Commits

• [e27e709d3c] - build: add --libdir flag to configure (Stephen Gallagher) #​44361
• [30da2b4d89] - build: added NINJA env to customize ninja binary (Jeff Dickey) #​44293
• [3c5354869e] - cluster: fix cluster rr distribute error (theanarkh) #​44202
• [5cefd02618] - crypto: handle invalid prepareAsymmetricKey JWK inputs (Filip Skokan) #​44475
• [c868e36385] - crypto: add digest name to INVALID_DIGEST errors (Tobias Nießen) #​44468
• [35cbe1ad85] - crypto: use actual option name in error message (Tobias Nießen) #​44455
• [c3dbe18e4c] - crypto: simplify control flow in HKDF (Tobias Nießen) #​44272
• [28781a1f7e] - crypto: improve RSA-PSS digest error messages (Tobias Nießen) #​44307
• [b1eafe14fd] - debugger: decrease timeout used to wait for the port to be free (Joyee Cheung) #​44359
• [8ef5c40a83] - deps: update corepack to 0.14.0 (Node.js GitHub Bot) #​44509
• [cf19a79dfc] - deps: upgrade npm to 8.19.1 (npm team) #​44486
• [c5630ad1a7] - deps: V8: backport ff8d67c (Michaël Zasso) #​44423
• [255e7fbd08] - deps: update Acorn to v8.8.0 (Michaël Zasso) #​44437
• [754d26a53e] - deps: patch V8 to 10.2.154.15 (Michaël Zasso) #​44294
• [1b50ff2600] - deps: update icu tzdata to 2022b (Matías Zúñiga) #​44283
• [1e451dca99] - deps: upgrade llhttp to 6.0.9 (Paolo Insogna) #​44344
• [57da3db522] - deps: update undici to 5.9.1 (Node.js GitHub Bot) #​44319
• [1c87a7e8f6] - doc: add missing parenthesis in TLSSocket section (Tobias Nießen) #​44512
• [05006eddb2] - doc: do not use "Returns:" for crypto.constants (Tobias Nießen) #​44481
• [54b6ed58bc] - doc: use serial comma in addons docs (Tobias Nießen) #​44482
• [11452a97b3] - doc: add --update-assert-snapshot to node.1 (Colin Ihrig) #​44429
• [ae028e8ac3] - doc: improve assert.snapshot() docs (Colin Ihrig) #​44429
• [71c869688a] - doc: add missing imports in events sample code (Brian Evans) #​44337
• [92046e8027] - doc: apply scroll-margin-top to h2, h3 elements (metonym) #​44414
• [3e6cde5931] - doc: fix spacing issue in --build-snapshot help text (Shohei YOSHIDA) #​44435
• [8e41dbb81b] - doc: mention cherry-pick edge-case on release (RafaelGSS) #​44408
• [cef30f9afc] - doc: note on release guide to update main branch (Ruy Adorno) #​44384
• [21437f7a7f] - doc: fix release guide example consistency (Ruy Adorno) #​44385
• [ed52bd0a18] - doc: fix style of n-api.md (theanarkh) #​44377
• [65c1f4015f] - doc: add history for net.createServer() options (Luigi Pinca) #​44326
• [4a0f750a6c] - doc: add daeyeon to collaborators (Daeyeon Jeong) #​44355
• [8cc5556f76] - doc: fix typo in test runner code examples (Moshe Atlow) #​44351
• [b660b7467d] - doc,worker: document resourceLimits overrides (Keyhan Vakil) #​43992
• [2ed3b30696] - inspector: prevent integer overflow in open() (Tobias Nießen) #​44367
• [b8f08e5e7e] - lib: codify findSourceMap return value when not

v3.3.0

Compare Source

v3.2.4

Compare Source

Compatibility

• The patched filesystem now supports fchown.
• PnP now handles private import mappings.
• Updates the PnP compatibility layer for TypeScript v4.8.4 and v4.9.1-beta.
• PnP now reports loaded modules when in watch mode.

v3.2.3

Compare Source

Bugfixes

• When Corepack is enabled Yarn will now use the current CLI to prepare external Yarn classic projects, matching the behaviour of when Corepack is disabled.

Compatibility

• Updates the PnP compatibility layer for TypeScript 4.8.1-rc
• The ESM loader now supports unflagged JSON modules.

v3.2.2

Compare Source

Compatibility

• The patched filesystem now supports ftruncate.
• The patched filesystem now supports fchmod.
• The patched filesystem now supports throwIfNoEntry.
• The PnP filesystem now handles most of the FileHandle methods
• Updates the PnP compatibility layer for TypeScript 4.8 Beta
• The npm_package_json environment variable is now set by Yarn.

v3.2.1

Compare Source

Installs

• The pnpm linker no longer tries to remove node_modules directory, when node-modules linker is active
• The node-modules linker does not fail anymore if portal dependency points to an external project with multiple interdependent workspaces
• The node-modules linker has received various improvements:
  • applies hoisting algorithm on aliased dependencies
  • reinstalls modules that have their directories removed from node_modules by the user
  • improves portal hoisting
  • supports supportedArchitectures

Bugfixes

• The PnP ESM loader is now able to handle symlinked extensionless entrypoints.

v3.2.0

Compare Source

Various improvements have been made in the core to improve performance. Additionally:

Commands

• The yarn workspaces foreach run command is now able to run binaries.
• The yarn npm info command now supports displaying information about a tagged version of a package (e.g. yarn npm info vue@next).
• A new yarn explain command has been added. It can be used to explain an error code, or list all available error codes.
  • For example, try to run yarn explain YN0002.
• The yarn npm publish command now accepts a new --otp option, to set the One-Time Password from the CLI.
  • A better error message will also be shown when a query fails due to an invalid OTP.
• yarn upgrade-interactive now has improved paging:
  • Yarn will display as many suggestions as can fit in the viewport (rather than a fixed-size list).
  • The suggestions that fit in the viewport will be fetched in the foreground and will load one-by-one.
  • The suggestions that don't will be fetched in the background and will be loaded in batches to increase responsiveness and reduce input lag.
  • Most notably, you won't have to wait for all of the suggestions to be fetched (which took a very long time before on large monorepos) before you can start navigating through the list.

Installs

• The node-modules linker now tolerates if node_modules is a symbolic link, and doesn't recreate it.
• On top of the cpu and arch fields, Yarn now support a new libc field which can be used in tandem with optionalDependencies to avoid downloading packages that have been linked against incompatible standard libraries (we currently support two values: glibc and musl).
• The pnpm linker has received various improvements:
  • It will now remove the node_modules/.store and node_modules folders if they are empty.
  • It now supports running binaries of soft links.
  • It will now create self-references for packages that don't depend on other versions of themselves.
  • It will now remove scope folders (e.g. node_modules/@​yarnpkg) if they are empty or after removing a scoped dependency.
• All .pnp.cjs files with inlined data will now store the data in a JSON string literal instead of an object literal to improve startup performance.

Compatibility

• The shell now treats backslashes same as Bash (so it mostly ignore them).
  • Could potentially be a breaking change, but the old behavior caused portability issues with a few packages, so we had to make this change (especially since the portable shell is intended to help portability).
• The shell now supports ${FOO:+}.
• The PnP filesystem now handles read and readSync using options.
• The PnP filesystem now handles UNC paths using forward slashes.
• The PnP filesystem now sets the proper path property on streams created by createReadStream() and obtained from zip archives.
• The PnP runtime now throws an ERR_REQUIRE_ESM error when attempting to require an ES Module, matching the default Node.js behaviour.
• Updates the PnP compatibility layer for TypeScript 4.6 Beta (it's possible we'll need to publish another patch update once the 4.6 enters stable).

Bugfixes

• @yarnpkg/pnpify now escapes paths correctly.
• The ESM loader is now enabled regardless of the entrypoint module type, this fixes support for dynamic imports in commonjs modules when the entrypoint is also commonjs.
• The ESM loader is now able to resolve relative imports with search parameters.
• The node field inside the npm_config_user_agent Yarn sets will now include a leading v.
• Yarn is now able to recover from a corrupted install state.
• Yarn is now able to migrate classic lockfiles containing unconventional tarball URLs.
• The nm linker hoists portals after hoisting their dependencies first.
• Fixed a crash caused by a bad interaction between aliased packages and peer dependencies.
• The ESBuild plugin will no longer allow access to Node.js builtins if the platform isn't set to Node.
• SemVer ranges with build metadata can now be resolved.
• The YARN_IGNORE_NODE environment variable will now be parsed using the same mechanism as env variable configuration settings (i.e. both 1/0 and true/false will be accepted)

ZipFS Extension

• You can now unmount zip folders by right-clicking on their workspaces.

Miscellaneous Features

• Reporting for Git errors has been improved.
• The resolution step now has a progress indicator.
• The experimental ESM loader warning emitted by Node.js is now suppressed.
• Private registries can now be authenticated using private keys and certificates.
• A new wrapNetworkRequest hook now lets you wrap network requests (for example to log them).

How often will the code scanning analysis run?

By default, code scanning will trigger a scan with the CodeQL engine on the following events:

• On every pull request — to flag up potential security problems for you to investigate before merging a PR.
• On every push to your default branch and other protected branches — this keeps the analysis results on your repository’s Security tab up to date.
• Once a week at a fixed time — to make sure you benefit from the latest updated security analysis even when no code was committed or PRs were opened.

What will this cost?

Nothing! The CodeQL engine will run inside GitHub Actions, making use of your unlimited free compute minutes for public repositories.

What types of problems does CodeQL find?

The CodeQL engine that powers GitHub code scanning is the exact same engine that powers LGTM.com. The exact set of rules has been tweaked slightly, but you should see almost exactly the same types of alerts as you were used to on LGTM.com: we’ve enabled the security-and-quality query suite for you.

How do I upgrade my CodeQL engine?

No need! New versions of the CodeQL analysis are constantly deployed on GitHub.com; your repository will automatically benefit from the most recently released version.

The analysis doesn’t seem to be working

If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please follow the instructions here to debug the analysis.

How do I disable LGTM.com?

If you have LGTM’s automatic pull request analysis enabled, then you can follow these steps to disable the LGTM pull request analysis. You don’t actually need to remove your repository from LGTM.com; it will automatically be removed in the next few months as part of the deprecation of LGTM.com (more info here).

Which source code hosting platforms does code scanning support?

GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub.

How do I know this PR is legitimate?

This PR is filed by the official LGTM.com GitHub App, in line with the deprecation timeline that was announced on the official GitHub Blog. The proposed GitHub Action workflow uses the official open source GitHub CodeQL Action. If you have any other questions or concerns, please join the discussion here in the official GitHub community!

I have another question / how do I get in touch?

Please join the discussion here to ask further questions and send us suggestions!

v1.2.0: tauri v1.2.0

Updating crates.io index

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 469 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (453 crate dependencies)
Crate:     xml-rs
Version:   0.8.4
Warning:   unmaintained
Title:     xml-rs is Unmaintained
Date:      2022-01-26
ID:        RUSTSEC-2022-0048
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0048
Dependency tree:
xml-rs 0.8.4
└── plist 1.3.1
    └── tauri-codegen 1.2.0
        ├── tauri-macros 1.2.0
        │   └── tauri 1.2.0
        │       ├── tauri 1.2.0
        │       ├── restart 0.1.0
        │       └── app-updater 0.1.0
        └── tauri-build 1.2.0
            └── app-updater 0.1.0

warning: 1 allowed warning found

[1.2.0]

• Add accept_first_mouse option for macOS windows.
  • 95f467ad feat(core): add window accept_first_mouse option, closes #​5347 (#​5374) on 2022-10-17
• Add new app-specific BaseDirectory enum variants AppConfig, AppData, AppLocalData, AppCache and AppLog along with equivalent functions in path module and deprecated ambiguous variants Log and App along with their equivalent functions in path module.
  • 5d89905e feat(api): add app-specific directory APIs, closes #​5263 (#​5272) on 2022-09-28
• Set the correct mimetype when streaming files through asset: protocol
  • 39443b43 fix(core): set correct mimetype for asset protocol streams, closes #​5203 (#​5210) on 2022-09-30
  • 2d9c2b47 Revert "fix(core): set correct mimetype for asset protocol streams, closes #​5203 (#​5210)" on 2022-09-30
  • 9b1a6a1c fix(core): set correct mimetype for asset protocol streams, #​5203 (#​5536) on 2022-11-04
• Disable automatic window tabbing on macOS when the tabbing_identifier option is not defined, the window is transparent or does not have decorations.
  • 4137ab44 feat(macos): add tabbing_identifier option, closes #​2804, #​3912 (#​5399) on 2022-10-19
• The custom protocol now validates the request URI. This has implications when using the asset protocol without the convertFileSrc helper, the URL must now use the asset://localhost/$filePath format.
  • 357480f4 feat(core): custom protocol headers on Linux, closes #​4496 (#​5421) on 2022-10-17
• Escape glob special characters in files/directories when dropping files or using the open/save dialogs.
  • 4cbdf0fb fix(core): escape glob characters in drop/dialogs , closes #​5234 (#​5237) on 2022-10-05
• Properly emit events with object payload.
  • 79dd6e16 fix(core): properly emit events with object payload, closes #​5482 (#​5492) on 2022-10-27
• Fixes access to the WebviewWindow.getByLabel function in a tauri://window-created event listener.
  • e00b1e5f fix(core): update metadata before window-created listeners, closes #​5191 (#​5458) on 2022-10-22
• Fixes resource reading being always rejected by the scope.
  • a06dc699 fix(core): canonicalize resource dir to fix scope check, closes #​5196 (#​5218) on 2022-09-29
• Fixes __TAURI_PATTERN__ object freeze.
  • 49f06ca4 fix: deepfreeze check by prop (#​5407) on 2022-10-17
• Readd the option to create an unfocused window via the focused method. The focus function has been deprecated.
  • 4036e15f feat(core): reimplement window initial focus flag, closes #​5120 (#​5338) on 2022-10-08
• Add hidden_title option for macOS windows.
  • 321f3fed feat(macos): title_bar_style and hidden_title window options, closes #​2663 (#​3965) on 2022-09-30
• Custom protocol headers are now implemented on Linux when running on webkit2gtk 2.36 or above.
  • 357480f4 feat(core): custom protocol headers on Linux, closes #​4496 (#​5421) on 2022-10-17
• Add App::show(), AppHandle::show(), App::hide() and AppHandle::hide() for hiding/showing the entire application on macOS.
  • 39bf895b feat(macOS): Add application show and hide methods (#​3689) on 2022-10-03
• Fix a deadlock when modifying the menu in the on_menu_event closure.
  • ae65951b fix(core): fix deadlock in on_menu_event, closes #​5254 (#​5257) on 2022-09-28
• • 7d9aa398 feat: bump MSRV to 1.59 (#​5296) on 2022-09-28
• Resolve base system directory in shell scope.
  • 99fe1c56 fix(core): resolve base dir in shell scope, closes #​5480 (#​5508) on 2022-11-04
• Added tabbing_identifier to the window builder on macOS.
  • 4137ab44 feat(macos): add tabbing_identifier option, closes #​2804, #​3912 (#​5399) on 2022-10-19
• Add title_bar_style option for macOS windows.
  • 321f3fed feat(macos): title_bar_style and hidden_title window options, closes #​2663 (#​3965) on 2022-09-30
• Added methods to set the system tray title on macOS.
  • 8f1ace77 feat: expose set_title for MacOS tray (#​5182) on 2022-09-30
• Added the user_agent option when creating a window.
  • a6c94119 feat(core): expose user_agent to window config (#​5317) on 2022-10-02

Updating crates.io index
   Packaging tauri v1.2.0 (/home/runner/work/tauri/tauri/core/tauri)
   Verifying tauri v1.2.0 (/home/runner/work/tauri/tauri/core/tauri)
 Downloading crates ...
  Downloaded siphasher v0.3.10
  Downloaded serde_repr v0.1.9
  Downloaded rand_chacha v0.2.2
  Downloaded serialize-to-javascript-impl v0.1.1
  Downloaded serde_with_macros v1.5.2
  Downloaded socket2 v0.4.7
  Downloaded rand_core v0.6.4
  Downloaded unicode-segmentation v1.10.0
  Downloaded uuid v0.8.2
  Downloaded version-compare v0.0.11
  Downloaded webkit2gtk v0.18.2
  Downloaded xattr v0.2.3
  Downloaded serde_with v1.14.0
  Downloaded proc-macro-crate v1.2.1
  Downloaded version-compare v0.1.0
  Downloaded pango-sys v0.15.10
  Downloaded matches v0.1.9
  Downloaded pango v0.15.10
  Downloaded glib-sys v0.15.10
  Downloaded gio-sys v0.15.10
  Downloaded gio v0.15.12
  Downloaded gdkx11-sys v0.15.1
  Downloaded http-range v0.1.5
  Downloaded phf_codegen v0.8.0
  Downloaded phf_macros v0.8.0
  Downloaded phf v0.10.1
  Downloaded phf_shared v0.8.0
  Downloaded x11 v2.20.0
  Downloaded tauri-runtime-wry v0.12.0
  Downloaded gtk3-macros v0.15.4
  Downloaded tokio-macros v1.8.0
  Downloaded utf-8 v0.7.6
  Downloaded treediff v3.0.2
  Downloaded tendril v0.4.3
  Downloaded tar v0.4.38
  Downloaded walkdir v2.3.2
  Downloaded pest v2.4.1
  Downloaded darling v0.13.4
  Downloaded remove_dir_all v0.5.3
  Downloaded ucd-trie v0.1.5
  Downloaded phf_shared v0.10.0
  Downloaded uuid v1.2.1
  Downloaded semver v0.11.0
  Downloaded infer v0.7.0
  Downloaded tauri-codegen v1.2.0
  Downloaded state v0.5.3
  Downloaded thin-slice v0.1.1
  Downloaded same-file v1.0.6
  Downloaded rand_core v0.5.1
  Downloaded tauri-utils v1.2.0
  Downloaded selectors v0.22.0
  Downloaded tauri-runtime v0.12.0
  Downloaded rustc_version v0.4.0
  Downloaded rand_pcg v0.2.1
  Downloaded cssparser-macros v0.6.0
  Downloaded tauri-macros v1.2.0
  Downloaded slab v0.4.7
  Downloaded flate2 v1.0.24
  Downloaded futures-core v0.3.25
  Downloaded cssparser v0.27.2
  Downloaded futf v0.1.5
  Downloaded tempfile v3.3.0
  Downloaded raw-window-handle v0.5.0
  Downloaded digest v0.10.5
  Downloaded cty v0.2.2
  Downloaded ctor v0.1.26
  Downloaded fastrand v1.8.0
  Downloaded typenum v1.15.0
  Downloaded wry v0.22.0
  Downloaded tao v0.15.0
  Downloaded encoding_rs v0.8.31
  Downloaded brotli v3.3.4
  Downloaded javascriptcore-rs v0.16.0
  Downloaded gtk v0.15.5
  Downloaded cpufeatures v0.2.5
  Downloaded atk-sys v0.15.1
  Downloaded glib-macros v0.15.11
  Downloaded glib v0.15.12
  Downloaded convert_case v0.4.0
  Downloaded rand v0.8.5
  Downloaded rand v0.7.3
  Downloaded png v0.17.7
  Downloaded http v0.2.8
  Downloaded gtk-sys v0.15.3
  Downloaded deflate v0.7.20
  Downloaded system-deps v6.0.3
  Downloaded png v0.11.0
  Downloaded javascriptcore-rs-sys v0.4.0
  Downloaded ignore v0.4.18
  Downloaded gdk v0.15.4
  Downloaded string_cache_codegen v0.5.2
  Downloaded stable_deref_trait v1.2.0
  Downloaded kuchiki v0.8.1
  Downloaded inflate v0.3.4

v1.1.0

v1.0.2

Compare Source

v1.0.1

Compare Source

v1.0.0

Compare Source

v1.0.0-rc.7

Compare Source

v1.0.0-rc.6

Compare Source

v1.0.0-rc.5

Compare Source

v1.0.0-rc.2

Compare Source

v1.0.0-rc.1

Compare Source

v1.0.0-beta-rc.1: tauri-build v1.0.0-beta-rc.1

Updating crates.io index

Cargo Audit

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 289 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (401 crate dependencies)
Crate:         difference
Version:       2.0.0
Warning:       unmaintained
Title:         difference is unmaintained
Date:          2020-12-20
ID:            RUSTSEC-2020-0095
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0095
Dependency tree: 
difference 2.0.0
└── mockito 0.30.0
    └── tauri 1.0.0-beta-rc.4
        ├── updater-example 0.1.0
        ├── tauri 1.0.0-beta-rc.4
        ├── multiwindow 0.1.0
        ├── helloworld 0.1.0
        └── api 0.1.0

warning: 1 allowed warning found

[1.0.0-beta-rc.1]

• The package info APIs now checks the package object on tauri.conf.json.
  • Bumped due to a bump in tauri-codegen.
  • 8fd1baf fix(core): pull package info from tauri.conf.json if set (#​1581) on 2021-04-22
  • f575aaa fix: change files not referencing core packages (#​1619) on 2021-04-25

Cargo Publish

Updating crates.io index
   Packaging tauri-build v1.0.0-beta-rc.1 (/home/runner/work/tauri/tauri/core/tauri-build)
   Uploading tauri-build v1.0.0-beta-rc.1 (/home/runner/work/tauri/tauri/core/tauri-build)

v3

Compare Source

• Use @​actions/core saveState and getState
• Add github-server-url input

v3

Compare Source