Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

src: allow CAP_NET_BIND_SERVICE in SafeGetenv #37727

Closed
wants to merge 2 commits into from

Conversation

danbev
Copy link
Contributor

@danbev danbev commented Mar 12, 2021

This commit updates SafeGetenv to check if the current process has the
effective capability cap_net_bind_service set, and if so allows
environment variables to be read.

The motivation for this change is a use-case where Node is run in a
container, and the is a requirement to be able to listen to ports
below 1024. This is done by setting the capability of
cap_net_bind_service. In addition there is a need to set the
environment variable NODE_EXTRA_CA_CERTS. But currently this
environment variable will not be read when the capability has been set
on the executable.


Manual tests

No caps or setuid

$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
Warning: Ignoring extra certs from `something`, load failed: error:02001002:system library:fopen:No such file or directory
17.0.0-pre                                                                   

Environment variables should be readable, hence the warning.

With multiple caps

$ sudo setcap cap_net_broadcast,cap_net_bind_service+p out/Release/node        
$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
17.0.0-pre                                                                      

Environment variables are not readable (no warning).

With only cap_net_bind_service cap

$ sudo setcap cap_net_bind_service+p out/Release/node                          
$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
Warning: Ignoring extra certs from `something`, load failed: error:02001002:system library:fopen:No such file or directory
17.0.0-pre                                                                      

Environment variables should be readable, hence the warning.

With setuid with no caps

$ sudo setcap -r out/Release/node                                               
$ getcap out/Release/node                                                       
$ su -                                                                          
[root@localhost ~]# cd /home/danielbevenius/work/nodejs/node                    
[root@localhost node]# chown root:root out/Release/node                         
[root@localhost node]# chmod u+s out/Release/node                               
[root@localhost node]# exit                                                     
$ ls -l out/Release/node                                                        
-rwsrwxr-x. 1 root root 78713256 Mar 29 11:04 out/Release/node                  
$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
17.0.0-pre                                                                      

Environment variables are not readable (no warning).

With setuid with multiple caps

$ sudo setcap cap_net_broadcast,cap_net_bind_service+p out/Release/node        
$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
17.0.0-pre                                                                      

Environment variables are not readable (no warning).

With setuid and only cap_net_bind_service cap

$ sudo setcap cap_net_bind_service+ep out/Release/node                          
$ env NODE_EXTRA_CA_CERTS="something" out/Release/node -p 'process.versions.node'
17.0.0-pre                                                                      

Environment variables are not readable (no warning).

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. labels Mar 12, 2021
Copy link
Member

@addaleax addaleax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a separate function so that it does not affect and JavaScript methods that currently use SafeGetenv.

Could you maybe add some guidance documentation on the situations in which when one would use SafeCapGetenv over SafeGetenv or vice versa? My impression is that they seem to serve the same purpose, and that we should stick with one, unless there’s a fundamental difference in semantics here (especially since capabilities on Linux can be very far-reaching, to the point where there is little difference between having them and being in a setuid environment). That would make the logical conclusion here for me that we should either a) stick with SafeGetenv() if loading NODE_EXTRA_CA_CERTS from a setuid/elevated-capability binary or b) use plain getenv() in this scenario if not.

src/node_credentials.cc Outdated Show resolved Hide resolved
@danbev
Copy link
Contributor Author

danbev commented Mar 15, 2021

Could you maybe add some guidance documentation on the situations in which when one would use SafeCapGetenv over SafeGetenv or vice versa?

The use-case we have is that we have a requirement that when running in a container to run the process as a non-root user. In addition the container in question also needs to be able to listen to privileged ports, hence it is setting a capability on the node executable (per_process::linux_at_secure will be true).

There is also a requirement to set the environment variable NODE_EXTRA_CA_CERTS which is currently not possible due to the way SafeGetenv works.

UseExtraCaCerts is only called once upon startup and and is the only time that NODE_EXTRA_CA_CERTS is potentially read. Adding SafeCapGetenv would allow this environment variable to take effect even if a capability is set on node executable, but not allow JavaScript code to call it.

It would be really nice if it was possible to allow the usage of NODE_EXTRA_CA_CERTS in situations like the above and perhaps we could just call getenv() in this case like you suggested. I'd be fine with that but was not sure if I had a clear understanding of all the implications of doing that, which was the reason for this PR.

@addaleax
Copy link
Member

@danbev Yeah, I understand all that, but … the problem is that “capabilities” in general is very broad and effectively equivalent to a setuid setting. I’m not sure if it’s feasible to check for only specific capabilities (I assume that would be CAP_NET_BIND_SERVICE here) and allow the regular SafeGetenv() to proceed when only that capability (or similarly harmless ones) are set.

It would be really nice if it was possible to allow the usage of NODE_EXTRA_CA_CERTS in situations like the above and perhaps we could just call getenv() in this case like you suggested. I'd be fine with that but was not sure if I had a clear understanding of all the implications of doing that, which was the reason for this PR.

I’d be worried about things like excerpts from the specified file showing up in error messages, for example, which would give users an opportunity to read (at least pieces of) files that they would not otherwise have access to.

@danbev
Copy link
Contributor Author

danbev commented Mar 15, 2021

I’d be worried about things like excerpts from the specified file showing up in error messages, for example, which would give users an opportunity to read (at least pieces of) files that they would not otherwise have access to.

Ah right, I had not considered that. I was mainly thinking about how setting this value could be abused at the time of setting it. This sounds like a risk and while I initially thought this would be a good idea I'm seeing that is is not 😞

Thanks for taking the time to review and comment, I appreciate it.

@danbev danbev closed this Mar 15, 2021
@addaleax
Copy link
Member

@danbev Fwiw, I think it would be a feasible approach to adjust SafeGetenv() to verify whether CAP_NET_BIND_SERVICE is the only capability that’s set, in which case it should be fine to proceed with returning the environment variables.

@danbev
Copy link
Contributor Author

danbev commented Mar 15, 2021

@addaleax I'll take a look at doing that, thanks!

@danbev danbev reopened this Mar 15, 2021
@danbev danbev changed the title src: add SafeCapGetenv function src: allow CAP_NET_BIND_SERVICE in SafeGetenv Mar 17, 2021
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

src/node_credentials.cc Outdated Show resolved Hide resolved
src/node_credentials.cc Outdated Show resolved Hide resolved
@danbev danbev force-pushed the safecapgetenv branch 4 times, most recently from bb3b6bc to 0a07565 Compare March 29, 2021 13:08
@danbev danbev added the semver-major PRs that contain breaking changes and should be released in the next major version. label Mar 29, 2021
Copy link
Member

@addaleax addaleax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think this makes sense 👍

@danbev
Copy link
Contributor Author

danbev commented Mar 31, 2021

@addaleax @targos Thanks for the reviews!

@mhdawson
Copy link
Member

The code looks ok to me, but I was wondering about this addition:

      [ 'OS in "linux"', {
        'ldflags': [ '-Wl,-Bstatic -Wl,--whole-archive -lcap -Wl,--no-whole-archive -Wl,-Bdynamic' ],
      }],

Is there anywhere else that we've done something similar?

@danbev
Copy link
Contributor Author

danbev commented Apr 6, 2021

Is there anywhere else that we've done something similar?

Not that I'm aware of.

@danbev danbev requested a review from addaleax September 6, 2021 03:47
@nodejs-github-bot
Copy link
Collaborator

Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@danbev danbev removed the request for review from addaleax September 21, 2021 06:03
This commit updates SafeGetenv to check if the current process has the
effective capability cap_net_bind_service set, and if so allows
environment variables to be read.

The motivation for this change is a use-case where Node is run in a
container, and the is a requirement to be able to listen to ports
below 1024. This is done by setting the capability of
cap_net_bind_service. In addition there is a need to set the
environment variable `NODE_EXTRA_CA_CERTS`. But currently this
environment variable will not be read when the capability has been set
on the executable.
This commit updates the capabilities check to use the permitted set
instead of the effective. And it also checks the second element of
cap_data which can contain 64 bit capability masks.
@nodejs-github-bot
Copy link
Collaborator

danbev added a commit that referenced this pull request Sep 24, 2021
This commit updates SafeGetenv to check if the current process has the
effective capability cap_net_bind_service set, and if so allows
environment variables to be read.

The motivation for this change is a use-case where Node is run in a
container, and the is a requirement to be able to listen to ports
below 1024. This is done by setting the capability of
cap_net_bind_service. In addition there is a need to set the
environment variable `NODE_EXTRA_CA_CERTS`. But currently this
environment variable will not be read when the capability has been set
on the executable.

PR-URL: #37727
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
@danbev
Copy link
Contributor Author

danbev commented Sep 24, 2021

Landed in 3f61940.

@danbev danbev closed this Sep 24, 2021
@danbev danbev deleted the safecapgetenv branch September 24, 2021 04:07
BethGriggs added a commit that referenced this pull request Oct 15, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- v8: remove --harmony-top-level-await
  (Geoffrey Booth) [#40226]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support. For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for th `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
BethGriggs added a commit that referenced this pull request Oct 15, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- v8: remove --harmony-top-level-await
  (Geoffrey Booth) [#40226]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support. For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
  cause exit
  (Divlo) [#38332]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
BethGriggs added a commit that referenced this pull request Oct 16, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support. For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
  cause exit
  (Divlo) [#38332]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
BethGriggs added a commit that referenced this pull request Oct 18, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support.

While OpenSSL 3.0 APIs should be mostly compatible with those provided
by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to
tightened restrictions on the allowed algorithms and key sizes.

If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with
Node.js 17, it’s likely that your application or a module you’re using
is attempting to use an algorithm or key size which is no longer allowed
by default with OpenSSL 3.0. A command-line option,
`--openssl-legacy-provider`, has been added to revert to the legacy
provider as a temporary workaround for these tightened restrictions.

For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

Contributed in #38512, #40478

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
  cause exit
  (Divlo) [#38332]
- deps: upgrade npm to 8.1.0
  (npm team) [#40463]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
BethGriggs added a commit that referenced this pull request Oct 18, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support.

While OpenSSL 3.0 APIs should be mostly compatible with those provided
by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to
tightened restrictions on the allowed algorithms and key sizes.

If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with
Node.js 17, it’s likely that your application or a module you’re using
is attempting to use an algorithm or key size which is no longer allowed
by default with OpenSSL 3.0. A command-line option,
`--openssl-legacy-provider`, has been added to revert to the legacy
provider as a temporary workaround for these tightened restrictions.

For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

Contributed in #38512, #40478

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
  cause exit
  (Divlo) [#38332]
- deps: upgrade npm to 8.1.0
  (npm team) [#40463]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
BethGriggs added a commit that referenced this pull request Oct 19, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support.

While OpenSSL 3.0 APIs should be mostly compatible with those provided
by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to
tightened restrictions on the allowed algorithms and key sizes.

If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with
Node.js 17, it’s likely that your application or a module you’re using
is attempting to use an algorithm or key size which is no longer allowed
by default with OpenSSL 3.0. A command-line option,
`--openssl-legacy-provider`, has been added to revert to the legacy
provider as a temporary workaround for these tightened restrictions.

For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

Contributed in #38512, #40478

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
  cause exit
  (Divlo) [#38332]
- deps: upgrade npm to 8.1.0
  (npm team) [#40463]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. semver-major PRs that contain breaking changes and should be released in the next major version.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants