Merge branch 'main' of https://github.com/nodejs/node into move_test_to_run_sequentially
sonimadhuri committed Dec 3, 2022
2 parents f3d0b1f + eb62dc8 commit 6ae29c5
Showing 1,365 changed files with 63,520 additions and 22,542 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/test-asan.yml
@@ -39,7 +39,7 @@ permissions:
jobs:
test-asan:
if: github.event.pull_request.draft == false
runs-on: ubuntu-latest
runs-on: ubuntu-20.04
env:
CC: clang
CXX: clang++
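Review bot: the `runs-on: ubuntu-20.04` pin in this hunk carries no comment saying why `ubuntu-latest` was dropped, so whoever next touches this job cannot tell whether it is safe to move to a newer image once the 20.04 runner is retired. Add a short YAML comment above `runs-on` stating the constraint (which clang/ASan behaviour differs on the newer image), and ideally reference a tracking issue so the pin does not outlive its reason.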
16 changes: 16 additions & 0 deletions .github/workflows/tools.yml
@@ -109,6 +109,22 @@ jobs:
echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
./tools/update-acorn-walk.sh
fi
- id: libuv
subsystem: deps
label: dependencies
run: |
NEW_VERSION=$(gh api repos/libuv/libuv/releases/latest -q '.tag_name|ltrimstr("v")')
VERSION_H="./deps/uv/include/uv/version.h"
CURRENT_MAJOR_VERSION=$(grep "#define UV_VERSION_MAJOR" $VERSION_H | sed -n "s/^.*MAJOR \(.*\)/\1/p")
CURRENT_MINOR_VERSION=$(grep "#define UV_VERSION_MINOR" $VERSION_H | sed -n "s/^.*MINOR \(.*\)/\1/p")
CURRENT_PATCH_VERSION=$(grep "#define UV_VERSION_PATCH" $VERSION_H | sed -n "s/^.*PATCH \(.*\)/\1/p")
CURRENT_SUFFIX_VERSION=$(grep "#define UV_VERSION_SUFFIX" $VERSION_H | sed -n "s/^.*SUFFIX \"\(.*\)\"/\1/p")
SUFFIX_STRING=$([[ -z "$CURRENT_SUFFIX_VERSION" ]] && echo "" || echo "-$CURRENT_SUFFIX_VERSION")
CURRENT_VERSION="$CURRENT_MAJOR_VERSION.$CURRENT_MINOR_VERSION.$CURRENT_PATCH_VERSION$SUFFIX_STRING"
if [ "$NEW_VERSION" != "$CURRENT_VERSION" ]; then
echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
./tools/dep_updaters/update-libuv.sh "$NEW_VERSION"
fi
steps:
- uses: actions/checkout@v3
with:
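Review bot: in the new libuv step, `NEW_VERSION` is taken straight from the `gh api` response and then appended to `$GITHUB_ENV` and passed to `./tools/dep_updaters/update-libuv.sh` without being checked against any pattern. The acorn-walk step above does the same, so this is not a regression, but a tag name that is not a plain version string (one containing a newline or shell metacharacters) would land in the workflow environment and in the script's arguments. Suggest validating before use, e.g. `[[ "$NEW_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$ ]] || exit 1`, and quoting `"$GITHUB_ENV"` and `"$VERSION_H"` while here. The three `grep ... | sed -n` pipelines for MAJOR/MINOR/PATCH could also collapse into one `sed -n` pass over `$VERSION_H`, but that is cosmetic.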
3 changes: 3 additions & 0 deletions .mailmap
@@ -380,6 +380,8 @@ Netto Farah <[email protected]>
Nicholas Kinsey <[email protected]>
Nick Sia <[email protected]> <[email protected]>
Nick Soggin <[email protected]> <[email protected]>
Nicolas Stepien <[email protected]>
Nicolas Stepien <[email protected]> <[email protected]>
Nigel Kibodeaux <[email protected]> <[email protected]>
Nikola Glavina <[email protected]> <[email protected]>
Nikolai Vavilov <[email protected]>
@@ -485,6 +487,7 @@ Sreepurna Jasti <[email protected]> <[email protected]>
Stanislav Opichal <[email protected]>
Stefan Budeanu <[email protected]> <[email protected]>
Stefan Bühler <[email protected]>
Stefan Stojanovic <[email protected]> <[email protected]>
Stephen Belanger <[email protected]> <[email protected]>
Stephen Belanger <[email protected]> <[email protected]>
Steve Mao <[email protected]> <[email protected]>
10 changes: 8 additions & 2 deletions AUTHORS
@@ -735,7 +735,7 @@ Steven Vercruysse <[email protected]>
Aleksanteri Negru-Vode <[email protected]>
Mathieu Darse <[email protected]>
Connor Peet <[email protected]>
Mayhem <[email protected]>
Nicolas Stepien <[email protected]>
Olov Lassus <[email protected]>
Phillip Lamplugh <[email protected]>
Kohei TAKATA <[email protected]>
@@ -3517,7 +3517,7 @@ Brian Evans <[email protected]>
falsandtru <[email protected]>
东灯 <[email protected]>
Fabian Meyer <[email protected]>
StefanStojanovic <[email protected].com>
Stefan Stojanovic <stefan.stojanovic@janeasystems.com>
Claudio Wunder <[email protected]>
Shrujal Shah <[email protected]>
Taha-Chaudhry <[email protected]>
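Review bot: AUTHORS is a generated file (the trailing `# Generated by tools/update-authors.mjs` line in the next hunk), so the rename on this line from `StefanStojanovic` to `Stefan Stojanovic` should be the output of re-running that tool with the `.mailmap` entry added in this same commit, not a hand edit. Worth confirming the file was regenerated, since a manual edit will be overwritten the next time the tool runs and the name would silently revert.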
@@ -3575,5 +3575,11 @@ Takuro Sato <[email protected]>
Carter Snook <[email protected]>
Nathanael Ruf <[email protected]>
Vasili Skurydzin <[email protected]>
翠 / green <[email protected]>
Ulises Gascon <[email protected]>
chlorine <[email protected]>
Shi Lei <[email protected]>
Deokjin Kim <[email protected]>
Marco Ippolito <[email protected]>

# Generated by tools/update-authors.mjs
3 changes: 2 additions & 1 deletion CHANGELOG.md
@@ -35,7 +35,8 @@ release.
</tr>
<tr>
<td valign="top">
<b><a href="doc/changelogs/CHANGELOG_V19.md#19.1.0">19.1.0</a></b><br/>
<b><a href="doc/changelogs/CHANGELOG_V19.md#19.2.0">19.2.0</a></b><br/>
<a href="doc/changelogs/CHANGELOG_V19.md#19.1.0">19.1.0</a><br/>
<a href="doc/changelogs/CHANGELOG_V19.md#19.0.1">19.0.1</a><br/>
<a href="doc/changelogs/CHANGELOG_V19.md#19.0.0">19.0.0</a><br/>
</td>
16 changes: 14 additions & 2 deletions LICENSE
@@ -107,6 +107,18 @@ The externally maintained libraries used by Node.js are:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
"""

- ittapi, located at deps/v8/third_party/ittapi, is licensed as follows:
"""
Copyright (c) 2019 Intel Corporation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
"""

- ICU, located at deps/icu-small, is licensed as follows:
"""
UNICODE, INC. LICENSE AGREEMENT - DATA FILES AND SOFTWARE
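Review bot: in the new ittapi entry, the disclaimer paragraph (`THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ...`) follows condition 3 directly with no blank line, while the conditions themselves and the paragraphs in the zlib entry further down are separated by blank lines. Check the block against the LICENSE file shipped in deps/v8/third_party/ittapi and restore the blank line if it was dropped, so the BSD-3-Clause text is reproduced verbatim as the other entries are.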
@@ -1040,9 +1052,9 @@ The externally maintained libraries used by Node.js are:
- zlib, located at deps/zlib, is licensed as follows:
"""
zlib.h -- interface of the 'zlib' general purpose compression library
version 1.2.11, January 15th, 2017
version 1.2.13, October 13th, 2022

Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any damages
2 changes: 2 additions & 0 deletions README.md
@@ -184,6 +184,8 @@ For information about the governance of the Node.js project, see
**Matteo Collina** <<[email protected]>> (he/him)
* [mhdawson](https://github.com/mhdawson) -
**Michael Dawson** <<[email protected]>> (he/him)
* [RafaelGSS](https://github.com/RafaelGSS) -
**Rafael Gonzaga** <<[email protected]>> (he/him)
* [RaisinTen](https://github.com/RaisinTen) -
**Darshan Sen** <<[email protected]>> (he/him)
* [richardlau](https://github.com/richardlau) -
126 changes: 126 additions & 0 deletions SECURITY.md
@@ -55,6 +55,132 @@ Here is the security disclosure policy for Node.js
the release process above to ensure that the disclosure is handled in a
consistent manner.

## The Node.js threat model

In the Node.js threat model, there are trusted elements such as the
underlying operating system. Vulnerabilities that require the compromise
of these trusted elements are outside the scope of the Node.js threat
model.

For a vulnerability to be eligible for a bug bounty, it must be a
vulnerability in the context of the Node.js threat model. In other
words, it cannot assume that a trusted element (such as the operating
system) has been compromised.

Being able to cause the following through control of the elements that Node.js
does not trust is considered a vulnerability:

* Disclosure or loss of integrity or confidentiality of data protected through
the correct use of Node.js APIs.
* The unavailability of the runtime, including the unbounded degradation of its
performance.

If Node.js loads configuration files or runs code by default (without a
specific request from the user), and this is not documented, it is considered a
vulnerability.
Vulnerabilities related to this case may be fixed by a documentation update.

**Node.js does NOT trust**:

1. The data from network connections that are created through the use of Node.js
APIs and which is transformed/validated by Node.js before being passed to the
application. This includes:
* HTTP APIs (all flavors) client and server APIs.
* DNS APIs.
2. Consumers of data protected through the use of Node.js APIs (for example
people who have access to data encrypted through the Node.js crypto APIs).
3. The file content or other I/O that is opened for reading or writing by the
use of Node.js APIs (ex: stdin, stdout, stderr).

In other words, if the data passing through Node.js to/from the application
can trigger actions other than those documented for the APIs, there is likely
a security vulnerability. Examples of unwanted actions are polluting globals,
causing an unrecoverable crash, or any other unexpected side effects that can
lead to a loss of confidentiality, integrity, or availability.

**Node.js trusts everything else**. As some examples this includes:

1. The developers and infrastructure that runs it.
2. The operating system that Node.js is running under and its configuration,
along with anything under control of the operating system.
3. The code it is asked to run including JavaScript and native code, even if
said code is dynamically loaded, e.g. all dependencies installed from the
npm registry.
The code run inherits all the privileges of the execution user.
4. Inputs provided to it by the code it is asked to run, as it is the
responsibility of the application to perform the required input validations.
5. Any connection used for inspector (debugger protocol) regardless of being
opened by command line options or Node.js APIs, and regardless of the remote
end being on the local machine or remote.
6. The file system when requiring a module.
See <https://nodejs.org/api/modules.html#all-together>.

Any unexpected behavior from the data manipulation from Node.js Internal
functions are considered a vulnerability.

In addition to addressing vulnerabilities based on the above, the project works
to avoid APIs and internal implementations that make it "easy" for application
code to use the APIs incorrectly in a way that results in vulnerabilities within
the application code itself. While we don’t consider those vulnerabilities in
Node.js itself and will not necessarily issue a CVE we do want them to be
reported privately to Node.js first.
We often choose to work to improve our APIs based on those reports and issue
fixes either in regular or security releases depending on how much of a risk to
the community they pose.

### Examples of vulneratibities

#### Improper Certificate Validation (CWE-295)

* Node.js provides APIs to validate handling of Subject Alternative Names (SANs)
in certficates used to connect to a TLS/SSL endpoint. If certificates can be
crafted which result in incorrect validation by the Node.js APIs that is
considered a vulnerability.

#### Inconsistent Interpretation of HTTP Requests (CWE-444)

* Node.js provides APIs to accept http connections. Those APIs parse the
headers received for a connection and pass them on to the application.
Bugs in parsing those headers which can result in request smuggling are
considered vulnerabilities.

#### Missing Cryptographic Step (CWE-325)

* Node.js provides APIs to encrypt data. Bugs that would allow an attacker
to get the original data without requiring the decryption key are
considered vulnerabilities.

#### External Control of System or Configuration Setting (CWE-15)

* If Node.js automatically loads a configuration file which is not documented
and modification of that configuration can affect the confidentiality of
data protected using the Node.js APIs this is considered a vulnerability.

### Examples of non-vulneratibities

#### Malicious Third-Party Modules (CWE-1357)

* Code is trusted by Node.js, therefore any scenario that requires a malicious
third-party module cannot result in a vulnerability in Node.js.

#### Prototype Pollution Attacks (CWE-1321)

* Node.js trusts the inputs provided to it by application code.
It is up to the application to sanitize appropriately, therefore any scenario
that requires control over user input is not considered a vulnerability.

#### Uncontrolled Search Path Element (CWE-427)

* Node.js trusts the file system in the environment accessible to it.
Therefore, it is not a vulnerability if it accesses/loads files from any path
that is accessible to it.

#### External Control of System or Configuration Setting (CWE-15)

* If Node.js automatically loads a configuration file which is documented
no scenario that requires modification of that configuration file is
considered a vulnerability.

## Receiving security updates

Security notifications will be distributed via the following methods.
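Review bot: several spelling and grammar slips in the new threat-model text should be fixed before this lands, since SECURITY.md is the page external reporters read first: the headings `### Examples of vulneratibities` and `### Examples of non-vulneratibities` should read `vulnerabilities`; `certficates` under CWE-295 should read `certificates`; and `Any unexpected behavior from the data manipulation from Node.js Internal functions are considered a vulnerability` needs a singular verb (`is considered`) and lowercase `internal`. The heading `#### External Control of System or Configuration Setting (CWE-15)` also appears verbatim under both the vulnerabilities and the non-vulnerabilities sections, which produces duplicate anchors in the rendered document; qualifying each (for example `(undocumented file)` and `(documented file)`) keeps links unambiguous. Finally, "does NOT trust" item 3 (file content read via Node.js APIs) sits next to "trusts" item 6 (the file system when requiring a module); one sentence making explicit that file *content* passed through APIs is untrusted while module resolution is trusted would make that boundary clearer to reporters.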
17 changes: 17 additions & 0 deletions benchmark/v8/serialize.js
@@ -0,0 +1,17 @@
'use strict';

const common = require('../common.js');
const v8 = require('v8');

const bench = common.createBenchmark(main, {
len: [256, 1024 * 16, 1024 * 512],
n: [1e6]
});

function main({ n, len }) {
const typedArray = new BigUint64Array(len);
bench.start();
for (let i = 0; i < n; i++)
v8.serialize({ a: 1, b: typedArray });
bench.end(n);
}
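Review bot: with `len: [256, 1024 * 16, 1024 * 512]` and `n: [1e6]`, the largest configuration serializes a `BigUint64Array` of 512K elements (4 MiB of buffer contents) one million times, which is orders of magnitude more work than the 256-element case and will make a full run of this benchmark impractically long; consider a smaller `n` for the larger `len` values, or scale `n` inversely with `len` so each configuration moves a comparable number of bytes. Also worth a one-line comment that `typedArray` is deliberately allocated once before `bench.start()` and shared across iterations, so the loop measures serialization cost only.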
2 changes: 1 addition & 1 deletion common.gypi
@@ -36,7 +36,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.7',
'v8_embedder_string': '-node.5',

##### V8 defaults for Node.js #####

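Review bot: this hunk moves `v8_embedder_string` backwards from `-node.7` to `-node.5`. The comment directly above says the counter is reset only on major V8 upgrades and otherwise incremented by one per patch, so a decrease is legitimate only if this merge also brings in a newer V8 from `main` whose counter was reset. Please confirm deps/v8 is updated in the same merge; otherwise the branch's own patch count is being lost and the embedder string will no longer match the patches actually applied.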
16 changes: 16 additions & 0 deletions configure.py
@@ -160,6 +160,13 @@
help="Generate an executable with libgcc and libstdc++ libraries. This "
"will not work on OSX when using the default compilation environment")

parser.add_argument("--enable-vtune-profiling",
action="store_true",
dest="enable_vtune_profiling",
help="Enable profiling support for Intel VTune profiler to profile "
"JavaScript code executed in Node.js. This feature is only available "
"for x32, x86, and x64 architectures.")

parser.add_argument("--enable-pgo-generate",
action="store_true",
dest="enable_pgo_generate",
@@ -1280,6 +1287,15 @@ def configure_node(o):
if flavor == 'aix':
o['variables']['node_target_type'] = 'static_library'

if target_arch in ('x86', 'x64', 'ia32', 'x32'):
o['variables']['node_enable_v8_vtunejit'] = b(options.enable_vtune_profiling)
elif options.enable_vtune_profiling:
raise Exception(
'The VTune profiler for JavaScript is only supported on x32, x86, and x64 '
'architectures.')
else:
o['variables']['node_enable_v8_vtunejit'] = 'false'

if flavor != 'linux' and (options.enable_pgo_generate or options.enable_pgo_use):
raise Exception(
'The pgo option is supported only on linux.')
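Review bot: the architecture check `if target_arch in ('x86', 'x64', 'ia32', 'x32'):` accepts `ia32`, but both the `--enable-vtune-profiling` help text in the earlier hunk and the exception message here list only `x32, x86, and x64`; align the messages with the tuple (or drop `ia32` from the tuple) so a user on an unsupported target is told the right thing. The `if`/`elif`/`else` shape also means the `else` branch writes the literal string `'false'` while the `if` branch goes through `b(...)`; that is fine as long as `b()` yields the same string form, which deserves a one-line comment next to the assignment.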
7 changes: 7 additions & 0 deletions deps/corepack/CHANGELOG.md
@@ -1,5 +1,12 @@
# Changelog

## [0.15.2](https://github.com/nodejs/corepack/compare/v0.15.1...v0.15.2) (2022-11-25)


### Features

* update package manager versions ([#211](https://github.com/nodejs/corepack/issues/211)) ([c536c0c](https://github.com/nodejs/corepack/commit/c536c0c27c137c87a14487a2c2a63a1fe6bf88ec))

## [0.15.1](https://github.com/nodejs/corepack/compare/v0.15.0...v0.15.1) (2022-11-04)

