Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: upgrade to npm 2.14.18 #5245

Closed
wants to merge 71 commits into from
Closed

Conversation

zkat
Copy link
Contributor

@zkat zkat commented Feb 15, 2016

Hey all!

This update includes only https://github.com/npm/npm/releases/tag/v2.14.18

It's mostly dependency updates, but there is one related to security:

r @iarna
r @jasnell
r @thealphanerd
r @Fishrock123

bnoordhuis and others added 30 commits February 11, 2016 11:26
It's possible there is already an existing error on OpenSSL's error
stack that is unrelated to the EVP_DigestInit_ex() operation we just
executed.

Fixes: nodejs#4221
PR-URL: nodejs#4731
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Fedor Indutny <[email protected]>
Fix a segmentation fault when the debug message handler was called from
a context without an associated `node::Environment`.

Fixes: nodejs#4261
Fixes: nodejs#4322
PR-URL: nodejs#4328
Reviewed-By: Evan Lucas <[email protected]>
Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#4194
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Jeremiah Senkpiel <[email protected]>
PR-URL: nodejs#4194
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Jeremiah Senkpiel <[email protected]>
Modify tools/license-builder.sh to restore the Third-Party Software
licenses for ICU.

Also fix arguments to tail to work on Linux.

rvagg: modified sed command for ICU to replace tabs with spaces and
       remove whitespace at the end of lines

PR-URL: nodejs#4762
Reviewed-By: Rod Vagg <[email protected]>
On case-insensitive platorms, the Debug/ rule catches the debug module
under npm and eslint.

PR-URL: nodejs#2286
Reviewed-By: Roman Reiss <[email protected]>
The no-reserved-keys rule doesn't exist anymore and we don't need ES3
compatibility.
escape and unescape are now known by eslint.
--reset flag was removed and it is now the default behavior.

PR-URL: nodejs#2286
Reviewed-By: Roman Reiss <[email protected]>
With an indentation style of two spaces, it is not possible to indent
multiline variable declarations by four spaces. Instead, the var keyword
is used on every new line.
Use const instead of var where applicable for changed lines.

PR-URL: nodejs#2286
Reviewed-By: Roman Reiss <[email protected]>
Replace var keyword with const or let.

PR-URL: nodejs#2286
Reviewed-By: Roman Reiss <[email protected]>
Copy client CA certs and cert store when asynchronously selecting
`SecureContext` during `SNICallback`. We already copy private key,
certificate, and certificate chain, but the client CA certs were
missing.

Fix: nodejs#2772
PR-URL: nodejs#3537
Reviewed-By: Ben Noordhuis <[email protected]>
The exts and trailingSlash variables are only used if the
path isn't cached. This commit moves them further down in the
code, and changes from var to const.

PR-URL: nodejs#3579
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Trevor Norris <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
In some conditions it can happen that the client-side socket is
destroyed before the server-side socket has gracefully closed, thus
causing a 'ECONNRESET' error in this socket. To solve this, also close
gracefully in the client side.

PR-URL: nodejs#3966
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#4244
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Chris Dickinson <[email protected]>
There is no guarantee that the `suicide` property of a worker in the
master process is going to be set when the `disconnect` and `exit`
events are emitted.

To fix it, wait for the ACK of the suicide message from the master
before disconnecting the worker. Also, there's no need to send the
suicide message from the worker if the disconnection has been
initiated in the master.

Add `test-cluster-disconnect-suicide-race` that forks a lot of workers
to consistently reproduce the issue this patch tries to solve.

Modify `test-regress-nodejsGH-3238` so it checks both the `kill` and
`disconnect` cases. Also take into account that the `disconnect` event
may be received after the `exit` event.

PR-URL: nodejs#4349
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Documents the "path" property on fs.WriteStream
and fs.ReadStream. See nodejs#4327

PR-URL: nodejs#4368
Reviewed-By: James M Snell <[email protected]>
Allows more freedom in adding additional headings to addon.markdown,
otherwise it'll try and convert each block under a heading to a test
case. We need to have at least a .js and a .cc in order to have
something to test.

Fixes regression caused by adding a new 3rd-level heading in
d5863bc

PR-URL: nodejs#4411
Reviewed-By: Myles Borins <[email protected]>
instead of doc-*

PR-URL: nodejs#4412
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Johan Bergström <[email protected]>
All the other properties get an h2/## but process.connected gets an
h3/### for no discernible reason. Change it to h2/## like the others.

PR-URL: nodejs#4433
Reviewed-By: Roman Reiss <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Stephan Belanger <[email protected]>
Reviewed-By: Roman Klauke <[email protected]>
Copyedit the documentation for setTimeout() and enforce wrapping at 80
characters in the markdown file for nearby text.

PR-URL: nodejs#4434
Reviewed-By: Trevor Norris <[email protected]>
Reviewed-By: jasnell - James M Snell <[email protected]>
Reviewed-By: Stephan Belanger <[email protected]>
Windows would die with ECONNRESET most times when running
this particular test. This commit makes handling these errors
more tolerable.

PR-URL: nodejs#4442
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Before this commit, it was possible on Windows for the server's
'connection' handler to be called *after* the client socket's
'connect' handler. This caused the 'message' event to be missed
and the test would never end (timing out in CI). This problem
was more easily reproducible on a low resource (slow CPU)
Windows (2012r2) installation.

This commit waits until both handlers have been called before
sending the handle to the master process.

Fixes: nodejs#3957
PR-URL: nodejs#4444
Reviewed-By: Rich Trott <[email protected]>
PR-URL: nodejs#4455
Reviewed-By: Brian White <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Since headers are stored in an empty literal object ({}) instead
of an object created with Object.create(null), care must be taken
with property names inherited from Object. Currently there are
only functions inherited, so we can safely check for existing
strings instead.

Fixes: nodejs#4456
PR-URL: nodejs#4460
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Minwoo Jung <[email protected]>
It avoids the creation of unnecessary handles. This issue is causing
intermitent failures in `test-cluster-disconnect-race` on `FreeBSD`
and `OS X`.

The problem is that the `worker2.disconnect` is being called on the
master before the `queryServer` is handled, causing the worker to
be deleted, then the Server handle is created afterwards. Later on,
when `removeWorker` is called from the `exit` handler, there are no
workers left, but one handle, thus the `AssertionError`.

Add a new `test/sequential/test-cluster-disconnect-leak` based on
`test-cluster-disconnect-race` that creates lots of workers and fails
consistently without this patch.

PR-URL: nodejs#4465
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Johan Bergström <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Wait for worker2 to come online before doing anything that might result
in an EPIPE. Fixes flakiness of test on Windows.

Fixes: nodejs#3956
PR-URL: nodejs#4510
Reviewed-By: Johan Bergström <[email protected]>
Reviewed-By: James M Snell<[email protected]>
It's not guaranteed that the socket data is received in the same chunk
as the upgrade response. Listen for the `data` event to make sure all
the data is received.

PR-URL: nodejs#4520
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: James M Snell <[email protected]>
If one were to set NODE_REPL_HISTORY to a string that contains only a
space (" "), then the history file would be created with that name
which can cause problems are certain systems.

PR-URL: nodejs#4539
Reviewed-By: Sakthipriyan Vairamani <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Jeremiah Senkpiel <[email protected]>
Trott and others added 15 commits February 11, 2016 11:26
Previously, test-cluster-disconnect-suicide-race had two issues:

* Magic numbers: How many times to spawn a worker was determined through
empirical experimentation. This means that as new platforms and new
CPU/RAM configurations are tested, the magic numbers require more
and more refinement. This brings us to...

* Non-determinism: The test seems to fail all the time when the bug
it tests for is present, but it's really a judgment based on sampling.
"Oh, with 8 workers per CPU, it fails about 80% of the time. Let's try
16..."

This revised version of the test takes a different approach. The fix
for the bug that the test was written for means that the disconnect
event will fire on a subsequent tick. So we check for that and the test
still fails when the fix is not in the code base and succeeds when it
is.

Advantages of this approach include:

* The test runs much faster.
* The test should be reliable on any new platform regardless of CPU and
RAM.

PR-URL: nodejs#4739
Ref: nodejs#4674
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: James M Snell <[email protected]>
- Hide the scrollbar on the TOC on all browsers. It was never the
  intention for it to be visible with the scroll indication in place.
  A wrapper element with 20px padding was added to accommodate for
  hopefully all scrollbar widths as well as to avoid overflowing
  content.
- Fixed the scroll indication gradient on Safari, which was caused by
  the wrong from-color, which now matches the to-color.
- Fixed a issue in old IE where the TOC didn't render on the correct
  position through setting `left: 0` and `top: 0` on it.

PR-URL: nodejs#4748
Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#4753
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Evan Lucas <[email protected]>
rust-lang/prev.rust-lang.org#288 landed in the Rust repo
so it seems like a good idea to just bring the updated list in.

We also received a request to do this in nodejs/inclusivity#82
so this should resolve that.

Thanks to [@Charlotteis](https://github.com/Charlotteis) for bringing
up the original issue.

Reviewed-By: Jeremiah Senkpiel <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Сковорода Никита Андреевич <[email protected]>
PR-URL: nodejs#4801
Fixes: nodejs/inclusivity#82
Replace grep with awk to add support for subkeys

PR-URL: nodejs#4807
Reviewed-By: Rod Vagg <[email protected]>
PR-URL: nodejs#4872
Reviewed-By: João Reis <[email protected]>
Reviewed-By: Jeremiah Senkpiel <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Rebecca Turner <[email protected]>
PR-URL: nodejs#4872
Reviewed-By: João Reis <[email protected]>
Reviewed-By: Jeremiah Senkpiel <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Rebecca Turner <[email protected]>
This corresponds to npm/npm@6051a69

PR-URL: nodejs#4872
Reviewed-By: João Reis <[email protected]>
Reviewed-By: Jeremiah Senkpiel <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Rebecca Turner <[email protected]>
PR-URL: nodejs#4960
Reviewed-By: Jeremiah Senkpiel <[email protected]>
Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#4960
Reviewed-By: Jeremiah Senkpiel <[email protected]>
Reviewed-By: James M Snell <[email protected]>
In some conditions it can happen that the client-side socket is destroyed
before the server-side socket has gracefully closed, thus causing a
'ECONNRESET' error in this socket. To solve this, wait in the client-side
socket for the 'end' event before closing it.

PR-URL: nodejs#4043
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
PR-URL: nodejs#5110
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Currently a debug context is created for various calls to util.

If the node debugger is being run the main context is the debug
context. In this case node_contextify was freeing the debug context
and causing everything to explode.

This change moves around the logic and no longer frees the context.

There is a concern about the dangling pointer

The regression test was adapted from code submitted by @3y3 in nodejs#4815

Fixes: nodejs#4440
Fixes: nodejs#4815
Fixes: nodejs#4597
Fixes: nodejs#4952

PR-URL: nodejs#4815

Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
@zkat zkat added npm Issues and PRs related to the npm client dependency or the npm registry. lts-watch-v4.x labels Feb 15, 2016
@ChALkeR
Copy link
Member

ChALkeR commented Feb 15, 2016

hawk — looks like mozilla/hawk@0833f99, most probably not applicable.
is-my-json-valid — looks like mafintosh/is-my-json-valid@eca4beb, most probably also not applicable.

There are other ways for malicious packages to do bad stuff on the system than executing time-consuming regexps, either way.

So this does not look like a security release to me.

@MylesBorins
Copy link
Contributor

Local tests are passing, but we still have the same issues regarding path lengths for windows

LGTM

MylesBorins pushed a commit that referenced this pull request Feb 18, 2016
PR-URL: #5245
Reviewed-By: Myles Borins <[email protected]>
@MylesBorins
Copy link
Contributor

landed in v4.x-staging as 5a34050

MylesBorins pushed a commit that referenced this pull request Feb 18, 2016
PR-URL: #5245
Reviewed-By: Myles Borins <[email protected]>
@MylesBorins MylesBorins mentioned this pull request Feb 18, 2016
MylesBorins pushed a commit that referenced this pull request Feb 18, 2016
Notable changes:

This update to the LTS line includes a number of semver minor changes
that have been staged for a number of months. This includes:

  * deps: backport 9da3ab6 from V8 upstream (Ali Ijaz Sheikh)
    - #3609
  * http: handle errors on idle sockets (José F. Romaniello)
    - #4482
  * src: add BE support to StringBytes::Encode() (Bryon Leung)
    - #3410
  * tls: add `options` argument to createSecurePair (Коренберг Марк)
    - #2441

There are also quite a large number of semver patch changes
including over 20 doc fixes and almost 50 test fixes.

Notable semver patch changes include:

  * deps: upgrade to npm 2.14.18 (Kat Marchán)
    - #5245
  * https: evict cached sessions on error (Fedor Indutny)
    - #4982
  * process: support symbol events (cjihrig)
    - #4798
  * querystring: improve parse() performance (Brian White)
    - #4675

PR-URL: #5301
MylesBorins pushed a commit that referenced this pull request Mar 2, 2016
PR-URL: #5245
Reviewed-By: Myles Borins <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.
Projects
None yet
Development

Successfully merging this pull request may close these issues.