Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

url: forbid certain confusable changes from being introduced by toASCII #38631

Closed
wants to merge 1 commit into from

Conversation

TimothyGu
Copy link
Member

@TimothyGu TimothyGu commented May 11, 2021

The legacy url.parse() function attempts to convert Unicode domains (IDNs) into their ASCII/Punycode form through the use of the toASCII function. However, toASCII can introduce or remove various characters that at best invalidate the parsed URL, and at worst cause hostname spoofing:

url.parse('http://bad.c℀.good.com/').href === 'http://bad.ca/c.good.com/'
// (from https://hackerone.com/reports/678487)

url.parse('http://\u00AD/bad.com').href === 'http:///bad.com/'

While changes to the legacy URL parser are discouraged in general, the security implications here outweigh the desire for strict compatibility. This is since this commit only changes behavior when non-ASCII characters appear in the hostname, an unusual situation for most use cases. Additionally, despite the availability of the WHATWG URL API, url.parse remain widely deployed in the Node.js ecosystem, as exemplified by the recent un-deprecation of the legacy API.

This change is similar in spirit to CPython 3.8's change (python/cpython@16e6f7d) fixing bpo-36216 aka CVE-2019-9636, which also occurred despite potential compatibility concerns.

See also: #23694, #31279, https://hackerone.com/reports/678487, and https://hackerone.com/reports/738333

cc @nodejs/url

@TimothyGu TimothyGu requested a review from jasnell May 11, 2021 09:20
@github-actions github-actions bot added needs-ci PRs that need a full CI run. url Issues and PRs related to the legacy built-in url module. labels May 11, 2021
// spoofing. Rather than moving the non-host part to the pathname as
// we've done in getHostname, throw an exception to convey its
// severity.
throw new ERR_INVALID_URL(url);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error code is up for debate here. url.parse itself previously never threw any exception, so there's no precedent. ERR_INVALID_URL is what's used in the WHATWG URL API, but is confusingly extended from TypeError. Another option ERR_INVALID_URI is extended from URIError, but doesn't have the nice err.input property that ERR_INVALID_URL has.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fwiw, the TypeError bit for WHATWG URL is actually required by the spec ... see https://url.spec.whatwg.org/#url-class

I'm fine with using ERR_INVALID_URL here and adding the error.

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@TimothyGu TimothyGu added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. semver-major PRs that contain breaking changes and should be released in the next major version. labels May 12, 2021
@TimothyGu TimothyGu changed the title url: forbid certain confusable characters from being introduced by toASCII url: forbid certain confusable changes from being introduced by toASCII May 12, 2021
@TimothyGu

This comment has been minimized.

@TimothyGu
Copy link
Member Author

Hello @nodejs/tsc, this is technically a breaking change so your reviews would be appreciated. A description and rationale for this change can be found in the PR description: #38631 (comment).

lib/url.js Outdated Show resolved Hide resolved
Copy link
Member

@Trott Trott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with or without comment clarification

Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

The legacy url.parse() function attempts to convert Unicode domains
(IDNs) into their ASCII/Punycode form through the use of the toASCII
function. However, toASCII can introduce or remove various characters
that at best invalidate the parsed URL, and at worst cause hostname
spoofing:

  url.parse('http://bad.c℀.good.com/').href === 'http://bad.ca/c.good.com/'
  (from [1])
  url.parse('http://\u00AD/bad.com').href === 'http:///bad.com/'

While changes to the legacy URL parser are discouraged in general, the
security implications here outweigh the desire for strict compatibility.
This is since this commit only changes behavior when non-ASCII
characters appear in the hostname, an unusual situation for most use
cases. Additionally, despite the availability of the WHATWG URL API,
url.parse remain widely deployed in the Node.js ecosystem, as
exemplified by the recent un-deprecation of the legacy API.

This change is similar in spirit to CPython 3.8's change [2] fixing
bpo-36216 [3] aka CVE-2019-9636, which also occurred despite potential
compatibility concerns.

[1]: https://hackerone.com/reports/678487
[2]: python/cpython@16e6f7d
[3]: https://bugs.python.org/issue36216
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@TimothyGu
Copy link
Member Author

Landed in 70157b9

@TimothyGu TimothyGu closed this May 14, 2021
@TimothyGu TimothyGu deleted the url-punycode branch May 14, 2021 06:04
TimothyGu added a commit that referenced this pull request May 14, 2021
The legacy url.parse() function attempts to convert Unicode domains
(IDNs) into their ASCII/Punycode form through the use of the toASCII
function. However, toASCII can introduce or remove various characters
that at best invalidate the parsed URL, and at worst cause hostname
spoofing:

  url.parse('http://bad.c℀.good.com/').href === 'http://bad.ca/c.good.com/'
  (from [1])
  url.parse('http://\u00AD/bad.com').href === 'http:///bad.com/'

While changes to the legacy URL parser are discouraged in general, the
security implications here outweigh the desire for strict compatibility.
This is since this commit only changes behavior when non-ASCII
characters appear in the hostname, an unusual situation for most use
cases. Additionally, despite the availability of the WHATWG URL API,
url.parse remain widely deployed in the Node.js ecosystem, as
exemplified by the recent un-deprecation of the legacy API.

This change is similar in spirit to CPython 3.8's change [2] fixing
bpo-36216 [3] aka CVE-2019-9636, which also occurred despite potential
compatibility concerns.

[1]: https://hackerone.com/reports/678487
[2]: python/cpython@16e6f7d
[3]: https://bugs.python.org/issue36216

PR-URL: #38631
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
BethGriggs added a commit that referenced this pull request Oct 15, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- v8: remove --harmony-top-level-await
  (Geoffrey Booth) [#40226]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support. For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for th `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
BethGriggs added a commit that referenced this pull request Oct 15, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- v8: remove --harmony-top-level-await
  (Geoffrey Booth) [#40226]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support. For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
  cause exit
  (Divlo) [#38332]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
BethGriggs added a commit that referenced this pull request Oct 16, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support. For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
  cause exit
  (Divlo) [#38332]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
BethGriggs added a commit that referenced this pull request Oct 18, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support.

While OpenSSL 3.0 APIs should be mostly compatible with those provided
by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to
tightened restrictions on the allowed algorithms and key sizes.

If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with
Node.js 17, it’s likely that your application or a module you’re using
is attempting to use an algorithm or key size which is no longer allowed
by default with OpenSSL 3.0. A command-line option,
`--openssl-legacy-provider`, has been added to revert to the legacy
provider as a temporary workaround for these tightened restrictions.

For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

Contributed in #38512, #40478

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
  cause exit
  (Divlo) [#38332]
- deps: upgrade npm to 8.1.0
  (npm team) [#40463]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
BethGriggs added a commit that referenced this pull request Oct 18, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support.

While OpenSSL 3.0 APIs should be mostly compatible with those provided
by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to
tightened restrictions on the allowed algorithms and key sizes.

If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with
Node.js 17, it’s likely that your application or a module you’re using
is attempting to use an algorithm or key size which is no longer allowed
by default with OpenSSL 3.0. A command-line option,
`--openssl-legacy-provider`, has been added to revert to the legacy
provider as a temporary workaround for these tightened restrictions.

For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

Contributed in #38512, #40478

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
  cause exit
  (Divlo) [#38332]
- deps: upgrade npm to 8.1.0
  (npm team) [#40463]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
BethGriggs added a commit that referenced this pull request Oct 19, 2021
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
  options
  (Antoine du Hamel) [#39793]
- doc: deprecate (doc-only) http abort related
  (dr-js) [#36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]

OpenSSL 3.0:

Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support.

While OpenSSL 3.0 APIs should be mostly compatible with those provided
by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to
tightened restrictions on the allowed algorithms and key sizes.

If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with
Node.js 17, it’s likely that your application or a module you’re using
is attempting to use an algorithm or key size which is no longer allowed
by default with OpenSSL 3.0. A command-line option,
`--openssl-legacy-provider`, has been added to revert to the legacy
provider as a temporary workaround for these tightened restrictions.

For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [#38512]

Contributed in #38512, #40478

V8 9.5:

The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [#40178]

Readline Promise API:

The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [#37947]

Other Notable Changes:

- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
  cause exit
  (Divlo) [#38332]
- deps: upgrade npm to 8.1.0
  (npm team) [#40463]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
  (James M Snell) [#39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]

Semver-Major Commits:

- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
  (Richard Lau) [#38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
  (Michaël Zasso) [#40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
  (Daniel Bevenius) [#38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
  (Voltrex) [#39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
  (Antoine du Hamel) [#39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
  (treysis) [#39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
  (Michaël Zasso) [#40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
  (Divlo) [#38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
  (Nitzan Uziely) [#38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
  (Nitzan Uziely) [#38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
  (Ethan Arrowood) [#39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
  (Khaidi Chu) [#39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
  (Guy Bedford) [#40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
  (Guy Bedford) [#40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
  (Antoine du Hamel) [#37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
  (Daniel Bevenius) [#37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
  (Darshan Sen) [#39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
  (Shelley Vohr) [#38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
  (Rongjian Zhang) [#38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
  (Robert Nagy) [#39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
  (Szymon Marczak) [#39607]
- (SEMVER-MAJOR) stream: forward errored to callback
  (Robert Nagy) [#39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
  (Robert Nagy) [#39342]
- (SEMVER-MAJOR) stream: validate abort signal
  (Robert Nagy) [#39346]
- (SEMVER-MAJOR) stream: unify stream utils
  (Robert Nagy) [#39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
  (Darshan Sen) [#39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
  (Robert Nagy) [#39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
  (Robert Nagy) [#34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
  (Robert Nagy) [#38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
  (James M Snell) [#39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
  (Timothy Gu) [#38631]

PR-URL: #40119
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. needs-ci PRs that need a full CI run. semver-major PRs that contain breaking changes and should be released in the next major version. url Issues and PRs related to the legacy built-in url module.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants