-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
deps: upgrade npm to 2.7.5 #1337
Conversation
Reviewing. Due to #1323 and the aforementioned fixes I'd like to get a release with this out within the next 48 hours or so. I'll also open a release proposal soon. |
Hey, at least we aren't dealing with Looked over the code. In case anyone is wondering the diff is mostly:
Getting some errors on |
Every npm version bump requires a few patches to be floated on node-gyp for io.js compatibility. These patches are found in 03d1992, 5de334c, and da730c7. This commit squashes them into a single commit. PR-URL: nodejs#990 Reviewed-By: Ben Noordhuis <[email protected]>
On Windows, when node or io.js attempts to dynamically load a compiled addon, the compiled addon tries to load node.exe or iojs.exe again - depending on which import library the module used when it was linked. This causes many compiled addons to break when node.exe or iojs.exe are renamed, because when the binary has been renamed the addon DLL can't find the (right) .exe file to load its imports from. This patch gives compiled addon developers an option to overcome this restriction by compiling a delay-load hook into their binary. The delay-load hook ensures that whenever a module tries to load imports from node.exe/iojs.exe, it'll just look at the process image, thereby making the addon work regardless of what name the node/iojs binary has. To enable this feature, the addon developer must set the 'win_delay_load_hook' option to 'true' in their binding.gyp file, like this: ``` { 'targets': [ { 'target_name': 'ernie', 'win_delay_load_hook': 'true', ... ``` Bug: nodejs#751 Bug: nodejs#965 Upstream PR: nodejs/node-gyp#599 PR-URL: nodejs#1251 Reviewed-By: Rod Vagg <[email protected]> PR-URL: nodejs#1266 Reviewed-By: Ben Noordhuis <[email protected]>
That's due to HFS+ case folding and this line in io.js's
to make git stop following HFS+'s case-folding rules. Defaulting |
Is there a good way to do this without having to externally set more stuff? I don't really understand the issue, but maybe our |
It could probably just be added to the contributor's guide that Anyway, can I get some LGTMs so I can get this merged in time for the next release window? |
LGTM |
PR-URL: #1337 Reviewed-By: Jeremiah Senkpiel <[email protected]>
Landed in 5eb983e, dac903f, and efadffe. Thanks for the review, @Fishrock123! |
This is a workaround for the REPL for a problem when multiple of the entries have the same source text Fixes: nodejs#1337 Refs: https://bugs.chromium.org/p/v8/issues/detail?id=10284
This is a workaround for the REPL for a problem when multiple of the entries have the same source text Fixes: #1337 Refs: https://bugs.chromium.org/p/v8/issues/detail?id=10284 PR-URL: #34372 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Anto Aravinth <[email protected]>
This is a workaround for the REPL for a problem when multiple of the entries have the same source text Fixes: #1337 Refs: https://bugs.chromium.org/p/v8/issues/detail?id=10284 PR-URL: #34372 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Anto Aravinth <[email protected]>
This is a workaround for the REPL for a problem when multiple of the entries have the same source text Fixes: #1337 Refs: https://bugs.chromium.org/p/v8/issues/detail?id=10284 PR-URL: #34372 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Anto Aravinth <[email protected]>
This is a workaround for the REPL for a problem when multiple of the entries have the same source text Fixes: #1337 Refs: https://bugs.chromium.org/p/v8/issues/detail?id=10284 PR-URL: #34372 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Anto Aravinth <[email protected]>
This is a workaround for the REPL for a problem when multiple of the entries have the same source text Fixes: #1337 Refs: https://bugs.chromium.org/p/v8/issues/detail?id=10284 PR-URL: #34372 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Anto Aravinth <[email protected]>
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: nodejs#1337
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: #1337 PR-URL: #49025 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: #1337 PR-URL: #49025 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
Currently, node.js http/2 is limited in sending SETTINGs, that are currently implemented by nghttp2. However, nghttp2 has the ability to send arbitary SETTINGs, that are not known beforehand. This patch adds this feature including a fall back mechanism, if a SETTING is implemented in a later nghttp2 or node version. Fixes: #1337 PR-URL: #49025 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
This release of npm is a little more important than most, because it contains two security fixes:
300834e
[email protected]
: Normalize symbolic links that point to targets outside theextraction root. This prevents packages containing symbolic links from
overwriting targets outside the expected paths for a package. Thanks to Tim
Cuthbertson and the team at Lift
Security for working with the npm team to identify
this issue. (@othiym23)
0dc6875
[email protected]
: Package versions can be no more than 256 characters long.This prevents a situation in which parsing the version number can use
exponentially more time and memory to parse, leading to a potential denial of
service. Thanks to Adam Baldwin at Lift Security for bringing this to our
attention. (@isaacs)
The severity is medium and the impact is low, at least for now. We have no evidence that either of these vulnerabilities were being exploited in the wild. All the same, it would be good to get people upgrading.
This version also contains two important fixes to npm's git / GitHub support:
eab6184
#7766 One last tweak to ensure that
GitHub shortcuts work with private repositories.
(@iarna)
a840a13
#7746 Only fix up git URL paths when
there are paths to fix up. (@othiym23)
Unfortunately,
[email protected]
is missing the final piece of the git puzzle:b747593
#7630 Don't automatically log all
git failures as errors.
maybeGithub
needs to be able to fail withoutlogging to support its fallback logic.
(@othiym23)
In most cases,
[email protected]
will work fine with private GitHub repositories, but it will log an ugly and misleading message about what it's doing. The above change (which is part of[email protected]
) takes care of that, but I still don't think it's a good idea to jump the gun with npm releases. I could maybe be persuaded otherwise.I've applied the two roll-up patches for improved
node-gyp
support already. All I need are some reviewers!R=@piscisaureus
R=@Fishrock123