chore(deps): update node.js to >=v4.9.1

Open renovate[bot] opened this issue 4 years ago • 0 comments

This PR contains the following updates:

Package	Type	Update	Change
node	engines	minor	`>=4.x` -> `>=v4.9.1`

Release Notes

nodejs/node

`v4.9.1`

Compare Source

Notable Changes

No additional commits.

Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based environments. This has been fixed in our infrastructure and we are doing this release to ensure that the hosted binaries are adhering to our platform support contract.

`v4.9.0`

Compare Source

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

CVE-2018-7158
CVE-2018-7159

Notable Changes

Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX an Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.

Commits

[497ff3cd4f] - crypto: update root certificates (Ben Noordhuis) #19322
[514709e41f] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
[5108108606] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
[d67d0a63d9] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
[6af057ecc8] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #19638
[b50cd3359d] - deps: upgrade openssl sources to 1.0.2o (Shigeki Ohtsu) #19638
[da6e24c8d6] - deps: reject interior blanks in Content-Length (Ben Noordhuis) nodejs-private/http-parser-private#1
[7ebc9981e0] - deps: upgrade http-parser to v2.8.0 (Ben Noordhuis) nodejs-private/http-parser-private#1
[6fd2cc93a6] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389
[bf00665af6] - path: unwind regular expressions in Windows (Myles Borins)
[4196fcf23e] - path: unwind regular expressions in POSIX (Myles Borins)
[625986b699] - src: drop CNNIC+StartCom certificate whitelisting (Ben Noordhuis) #19322
[ebc46448a4] - tools: update certdata.txt (Ben Noordhuis) #19322

`v4.8.7`

Compare Source

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

CVE-2017-15896
CVE-2017-3738 (from the openssl project)

Notable Changes

deps:
- openssl updated to 1.0.2n (Shigeki Ohtsu) #17526

Commits

[4f8fae3493] - deps: update openssl asm and asm_obsolete files (Shigeki Ohtsu) #17526
[eacd090e7b] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
[3e6b0b0d13] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
[b0ed4c52af] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
[dd6a2dff1e] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #17526
[b3afedfbe9] - deps: upgrade openssl sources to 1.0.2n (Shigeki Ohtsu) #17526
[f7eb162d0d] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389

`v4.8.6`

Compare Source

This Maintenance release comes with 47 commits. This includes 26 commits which are updates to dependencies, 8 which are build / tool related, 4 which are doc related, and 2 which are test related.

This release includes a security update to openssl that has been deemed low severity for the Node.js project.

Notable Changes

crypto:
- update root certificates (Ben Noordhuis) #13279
- update root certificates (Ben Noordhuis) #12402
deps:
- add support for more modern versions of INTL (Bruno Pagani) #13040
- upgrade openssl sources to 1.0.2m (Shigeki Ohtsu) #16691
- upgrade openssl sources to 1.0.2l (Daniel Bevenius) #13233

Commits

[e064ae62e4] - build: fix make test-v8 (Ben Noordhuis) #15562
[a7f7a87a1b] - build: run test-hash-seed at the end of test-v8 (Michaël Zasso) #14219
[05e8b1b7d9] - build: codesign tarball binary on macOS (Evan Lucas) #14179
[e2b6fdf93e] - build: avoid /docs/api and /docs/doc/api upload (Rod Vagg) #12957
[59d35c0775] - build,tools: do not force codesign prefix (Evan Lucas) #14179
[210fa72e9e] - crypto: update root certificates (Ben Noordhuis) #13279
[752b46a259] - crypto: update root certificates (Ben Noordhuis) #12402
[3640ba4acb] - crypto: clear err stack after ECDH::BufferToPoint (Ryan Kelly) #13275
[545235fc4b] - deps: add missing #include "unicode/normlzr.h" (Bruno Pagani) #13040
[ea09a1c3e6] - deps: update openssl asm and asm_obsolete files (Shigeki Ohtsu) #16691
[68661a95b5] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
[bdcb2525fb] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
[3f93ffee89] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
[16fbd9da0d] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #16691
[55e15ec820] - deps: upgrade openssl sources to 1.0.2m (Shigeki Ohtsu) #16691
[9c3e246ffe] - deps: backport 4e18190 from V8 upstream (jshin) #15562
[43d1ac3a62] - deps: backport bff3074 from V8 upstream (Myles Borins) #15562
[b259fd3bd5] - deps: cherry pick d7f813b from V8 upstream (akos.palfi) #15562
[85800c4ba4] - deps: backport e28183b from upstream V8 (karl) #15562
[06eb181916] - deps: update openssl asm and asm_obsolete files (Daniel Bevenius) #13233
[c0fe1fccc3] - deps: update openssl config files (Daniel Bevenius) #13233
[523eb60424] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
[0aacd5a8cd] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
[80c48c0720] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
[bbd92b4676] - deps: copy all openssl header files to include dir (Daniel Bevenius) #13233
[8507f0fb5d] - deps: upgrade openssl sources to 1.0.2l (Daniel Bevenius) #13233
[9bfada8f0c] - deps: add example of comparing OpenSSL changes (Daniel Bevenius) #13234
[71f9cdf241] - deps: cherry-pick 09db540,686558d from V8 upstream (Jesse Rosenberger) #14829
[751f1ac08e] - Revert "deps: backport e093a04, 09db540 from upstream V8" (Jesse Rosenberger) #14829
[ed6298c7de] - deps: cherry-pick 18ea996 from c-ares upstream (Anna Henningsen) #13883
[639180adfa] - deps: update openssl asm and asm_obsolete files (Shigeki Ohtsu) #12913
[9ba73e1797] - deps: cherry-pick 4ae5993 from upstream OpenSSL (Shigeki Ohtsu) #12913
[f8e282e51c] - doc: fix typo in zlib.md (Luigi Pinca) #16480
[532a2941cb] - doc: add missing make command to UPGRADING.md (Daniel Bevenius) #13233
[1db33296cb] - doc: add entry for subprocess.killed property (Rich Trott) #14578
[0fa09dfd77] - doc: change child to subprocess (Rich Trott) #14578
[43bbfafaef] - docs: Fix broken links in crypto.md (Zuzana Svetlikova) #15182
[1bde7f5cef] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389
[e69f47b686] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389
[cb92f93cd5] - test: remove internal headers from addons (Gibson Fahnestock) #7947
[5d9164c315] - test: move test-cluster-debug-port to sequential (Oleksandr Kushchak) #16292
[07c912e849] - tools: update certdata.txt (Ben Noordhuis) #13279
[c40bffcb88] - tools: update certdata.txt (Ben Noordhuis) #12402
[161162713f] - tools: be explicit about including key-id (Myles Borins) #13309
[0c820c092b] - v8: fix stack overflow in recursive method (Ben Noordhuis) #12460
[a1f992975f] - zlib: fix crash when initializing failed (Anna Henningsen) #14666
[31bf595b94] - zlib: fix node crashing on invalid options (Alexey Orlenko) #13098

`v4.8.5`

Compare Source

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ for details on patched vulnerabilities.

Notable Changes

zlib:
- CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialized with windowBits set to 8. On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. Node.js will now gracefully set windowBits to 9 replicating the legacy behavior to avoid a DOS vector. nodejs-private/node-private#95

Commits

[f5defa2a7c] - zlib: gracefully set windowBits from 8 to 9 (Myles Borins) nodejs-private/node-private#95

Configuration

📅 Schedule: "before 3am on the first day of the month" (UTC).

🚦 Automerge: Disabled due to failing status checks.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

Jan 01 '22 00:01 renovate[bot]