Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: add scrypt() and scryptSync() methods #20816

Merged
merged 8 commits into from Jun 13, 2018

Conversation

bnoordhuis
Copy link
Member

@bnoordhuis bnoordhuis commented May 18, 2018

Scrypt is a password-based key derivation function that is designed to
be expensive both computationally and memory-wise in order to make
brute-force attacks unrewarding.

OpenSSL has had support for the scrypt algorithm since v1.1.0. Add a
Node.js API modeled after crypto.pbkdf2() and crypto.pbkdf2Sync().

Changes:

  • Introduce helpers for copying buffers, collecting openssl errors, etc.

  • Add new infrastructure for offloading crypto to a worker thread.

  • Add a AsyncWrap JS class to simplify pbkdf2(), randomBytes() and
    scrypt().

CI: https://ci.nodejs.org/job/node-test-pull-request/14953/
CI: https://ci.nodejs.org/job/node-test-pull-request/14956/

@nodejs-github-bot nodejs-github-bot added the lib / src Issues and PRs related to general changes in the lib or src directory. label May 18, 2018
@bnoordhuis
Copy link
Member Author

Interesting how GH messes up the order of the commits...

@bnoordhuis bnoordhuis added the semver-minor PRs that contain new features and should be released in the next minor version. label May 18, 2018
@addaleax addaleax added the crypto Issues and PRs related to the crypto subsystem. label May 18, 2018
salt = checkIsArrayBufferView('salt', salt);
// FIXME(bnoordhuis) The error message is in fact wrong since |iterations|
// cannot be > INT_MAX. Adjust in the next major release.
iterations = checkIsUint('iterations', iterations, 'a non-negative number');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’m not sure we’d actually have to consider this semver-major anymore.

@@ -1465,7 +1465,7 @@ rapidly.

In line with OpenSSL's recommendation to use PBKDF2 instead of
[`EVP_BytesToKey`][] it is recommended that developers derive a key and IV on
their own using [`crypto.pbkdf2()`][] and to use [`crypto.createDecipheriv()`][]
their own using [`crypto.scrypt()`][] and to use [`crypto.createDecipheriv()`][]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 lines above this change and the previous one there there’s still recommendation to use PBKDF2, I assume we’d want to change that too?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, probably a rebase that went wrong. Good catch, I'll fix that.

- `N` {number} CPU/memory cost parameter. Must be a power of two greater
than one. **Default:** `16384`
- `r` {number} Block size parameter. **Default:** `8`
- `p` {number} Parallelization parameter. **Default:** `1`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we spell these names out in the options object? E.g. cost, blockSize, parallelization?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For better or worse, they're the "official" names of the algorithm's parameters. I'd say straying from the established nomenclature is not a good thing.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bnoordhuis I don’t think the typical consumer of these APIs would be familiar with the ‘official’ nomenclature, though – it would be good to mention the names N, r, p in the docs, but I do think that our API should have names that make sense to most developers rather than crypto people?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did consider more expressive names but if you survey scrypt bindings in other languages (java, python, php, etc.), they all use N, r and p. We'd be the outlier.

To be fair, the perl binding doesn't call them that but it uses CPU time as the bound, not algorithmic complexity.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'd be the outlier.

I don’t think that’s necessarily a bad thing. If we mention the formal “names” in the documentation, it’s still easy enough to look up what corresponds to what – reading/writing JS code directly is probably more common that comparing to code in other languages or porting code over.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be honest, I am doing the same thing in my PQC implementations in C, but I feel like node's crypto API could be more accessible if we use more intuitive names. On the other hand, I can understand @bnoordhuis opinion, I have barely ever seen other names for these parameters.

errors_array->Set(env->context(), i, errors[i]).FromJust();
for (auto const& string : *this) {
auto index = &string - &front();
auto value =
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tbh, I’m not a huge fan of using auto when it comes to types that are not too complex to fully write out – that too often makes adds an extra round-trip of “what type was $x again?” for my taste…

@@ -4556,6 +4575,43 @@ bool ECDH::IsKeyPairValid() {
}


struct CryptoJob : public ThreadPoolWork {
Environment* const env;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There’s already env_ on the ThreadPoolWork class, could we just expose that instead?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not as a method, I tried. Diamond problem: it conflicts with env() from AsyncWrap / BaseObject.

inline void AfterThreadPoolWork(int status) final;
virtual void AfterThreadPoolWork() = 0;
static inline void Run(std::unique_ptr<CryptoJob> job, Local<Value> wrap);
};
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any specific advantage to having the separate AsyncWrap JS class as opposed to what we currently do, making the individual request objects (in this case CryptoJob) inherit from AsyncWrap?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Separation of concerns, mainly. I initially mashed them together like you suggest but I didn't like how it looked and worked.

(There's a lot I don't like about how AsyncWrap currently works but I'll save that for another issue.)

std::unique_ptr<RandomBytesJob> job(new RandomBytesJob(env));
job->data = reinterpret_cast<unsigned char*>(Buffer::Data(args[0])) + offset;
job->size = size;
if (args[3]->IsObject()) return RandomBytesJob::Run(std::move(job), args[3]);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also not a huge fan of same-line returns – if nothing else, having separate lines makes line coverage data a bit more accurate :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason I like it is that it makes code grepping a bit easier.

Apropos code coverage, I thought gcov works in terms of 'spans' (can't think of the right word) rather than 'lines'?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At least the way we have coverage set up it does track line coverage + branch coverage for conditionals. I don’t feel too strongly about this and the point about grepping is valid. :)

@bnoordhuis
Copy link
Member Author

I'm reasonably sure the test failures are all flakes that have happened before (http2, tls verify) but here is another run just in case: https://ci.nodejs.org/job/node-test-pull-request/14956/

const {
scrypt,
scryptSync
} = require('internal/crypto/scrypt');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be great to actually lazy load this as it is definitely not always required when loading crypto.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could say the same thing for pbkdf2 and others. Comment noted but I'd like to save that for another PR.

throw new ERR_OUT_OF_RANGE(name, errmsg, value);

return value;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a validators file that already contains a check like this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

validateInt32 doesn't do quite the same thing but take a look at the second-to-last commit. This is with #20816 (comment) in mind.

- `r` {number} Block size parameter. **Default:** `8`
- `p` {number} Parallelization parameter. **Default:** `1`
- `maxmem` {number} Memory upper bound. It is an error when (approximately)
`128*N*p*r > maxmem` **Default:** `32 * 1024 * 1024`
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to self: typo, should be 128*N*r. Happens in another place in this file and in the test.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: missing period after `128*N*p*r > maxmem`.

- `N` {number} CPU/memory cost parameter. Must be a power of two greater
than one. **Default:** `16384`
- `r` {number} Block size parameter. **Default:** `8`
- `p` {number} Parallelization parameter. **Default:** `1`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be honest, I am doing the same thing in my PQC implementations in C, but I feel like node's crypto API could be more accessible if we use more intuitive names. On the other hand, I can understand @bnoordhuis opinion, I have barely ever seen other names for these parameters.

<a id="ERR_CRYPTO_SCRYPT_NOT_SUPPORTED"></a>
### ERR_CRYPTO_SCRYPT_NOT_SUPPORTED

Node.js was compiled without `scrypt` support. Not possible with the official
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Double space.

- `keylen` {number}
- `options` {Object}
- `N` {number} CPU/memory cost parameter. Must be a power of two greater
than one. **Default:** `16384`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit (here and in other lines in added stuff): it seems we usually use periods after **Default:** phrase if it follows a full sentence.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I knew you were going to bring that up but I copied the style from the surrounding documentation. Local consistency > global consistency.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But all previous cases in this doc differ: **Default:** phrases do not follow full sentences.

- `r` {number} Block size parameter. **Default:** `8`
- `p` {number} Parallelization parameter. **Default:** `1`
- `maxmem` {number} Memory upper bound. It is an error when (approximately)
`128*N*p*r > maxmem` **Default:** `32 * 1024 * 1024`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: missing period after `128*N*p*r > maxmem`.

An exception is thrown when any of the input arguments specify invalid values
or types.

Example:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: IIRC, we eliminate such explicit intro for examples lately.

- `r` {number} Block size parameter. **Default:** `8`
- `p` {number} Parallelization parameter. **Default:** `1`
- `maxmem` {number} Memory upper bound. It is an error when (approximately)
`128*N*p*r > maxmem` **Default:** `32 * 1024 * 1024`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: missing period after `128*N*p*r > maxmem`.

An exception is thrown when any of the input arguments specify invalid values
or types.

Example:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto.

release binaries but can happen with custom builds, including distro builds.

<a id="ERR_CRYPTO_SCRYPT_INVALID_PARAMETER"></a>
### ERR_CRYPTO_SCRYPT_INVALID_PARAMETER
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: should go before ERR_CRYPTO_SCRYPT_NOT_SUPPORTED ABC-wise?

@@ -1363,7 +1363,7 @@ rapidly.

In line with OpenSSL's recommendation to use PBKDF2 instead of
[`EVP_BytesToKey`][] it is recommended that developers derive a key and IV on
their own using [`crypto.pbkdf2()`][] and to use [`crypto.createCipheriv()`][]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we preferring scrypt over pbkdf2? This is the first I've heard of the recommendation

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally, I'd prefer "scrypt or pbkdf2". Scrypt kind of includes PBKDF2 by design, and is supposed to also increase the memory requirements to make brute-forcing harder, but that might not be desirable in all cases.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It needs to a simple recommendation - just do this, not do this OR do that - because otherwise you need to explain the trade-offs to readers that aren't cryptographers and probably only glance at the documentation anyway.

When it's between scrypt and pbkdf2, I hope we can agree scrypt > pbkdf2.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When it's between scrypt and pbkdf2, I hope we can agree scrypt > pbkdf2.

I think we can agree that scrypt > pbkdf2 for people who don't have highly specific requirements.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hope we can agree scrypt > pbkdf2.

I'm literally asking why because I don't know, so why?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@benjamingr As scrypt involves a specific (non-customizable) instance of PBKDF2 which is believed to be secure, we can assume that it is at least as computationally secure as PBKDF2 itself, with the "benefit" of preventing any security-violating modifications by the user (e.g. using SHA1 and the like). One "problem" with PBKDF2 is that it can in theory be cracked using enough parallelization (e.g. using GPUs which tend to have many parallel cores), whereas scrypt requires a non-trivial amount of memory to derive a key which heavily limits parallel computation on such devices.

@targos
Copy link
Member

targos commented May 22, 2018

I reopened #8417. It will be properly closed by this PR :)

@targos targos mentioned this pull request May 22, 2018
@BridgeAR
Copy link
Member

Ping @bnoordhuis

@bnoordhuis
Copy link
Member Author

Rebased and incorporated feedback. New CI: https://ci.nodejs.org/job/node-test-pull-request/15166/

I kept the short variable names, though.

Copy link
Member

@tniessen tniessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM either way.

@bnoordhuis
Copy link
Member Author

Factor out some common code.  The `checkUint()` function will also be
used in a follow-up commit that adds scrypt support to core.

PR-URL: nodejs#20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Scrypt is a password-based key derivation function that is designed to
be expensive both computationally and memory-wise in order to make
brute-force attacks unrewarding.

OpenSSL has had support for the scrypt algorithm since v1.1.0.  Add a
Node.js API modeled after `crypto.pbkdf2()` and `crypto.pbkdf2Sync()`.

Changes:

* Introduce helpers for copying buffers, collecting openssl errors, etc.

* Add new infrastructure for offloading crypto to a worker thread.

* Add a `AsyncWrap` JS class to simplify pbkdf2(), randomBytes() and
  scrypt().

Fixes: nodejs#8417
PR-URL: nodejs#20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Use the scrypt() infrastructure to reimplement pbkdf2() in a simpler
manner.

PR-URL: nodejs#20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Use the scrypt() infrastructure to reimplement randomBytes() and
randomFill() in a simpler manner.

PR-URL: nodejs#20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
PR-URL: nodejs#20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Add scrypt functions to the list of exported openssl symbols.

PR-URL: nodejs#20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
PR-URL: nodejs#20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Rename it to validateArrayBufferView() to align with validateInt32()
and friends.

Swap the name and the value in the argument list for consistency,
although any reasonable person will agree it's a crime against
humanity to put the value before the name.

PR-URL: nodejs#20816
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
@joepie91
Copy link
Contributor

I'm... not really sure how this got merged like this. This is an incredibly dangerous API design that is going to cause a ton of security issues.

The specific issues here:

  1. The API design expects the user to supply the salt. Any modern password hashing implementation (which, realistically, is what this function will be primarily used for) should handle this automatically behind the scenes, because there is no valid reason for a developer to specify a custom salt; it should just always be initialized to random data, and included in a composite output format.

    As it stands, this API will lead to developers hard-coding certain values or using poor random sources because they do not understand the requirements for a salt. That is going to effectively break the security of scrypt.

  2. There is no safe verification API; the developer is seemingly expected to manually juggle the various components of the hash generation process (settings, salt, etc.) and then reproduce the same hash and use timingSafeEqual to verify the hashes.

    Realistically, no developer is going to do that. They're all going to use === and introduce timing attacks, because they are not aware of the existence of timing attacks (and why should they, given that they're not cryptographers?).

A safe API would look something like what I've done in scrypt-for-humans: a single hash method, a single verifyHash method, no manual salt specification, and a composite output format. If you use it in the obvious way, it is safe to use.

If the intention is to provide scrypt as a more customizable primitive for other cryptographic applications, then it's fine to have an additional low-level API; but the default API really should be safe-by-default and optimized for the most common case (password hashing).

I would strongly recommend to remove this API again until a safer API has been hashed out, now that its addition is still fairly recent and there's very little chance that it has made it into production systems. Leaving the current API in place will produce a mess of security issues that will take years to clean up even if it does eventually get replaced by a different API.


Aside from the above specific issues, there doesn't seem to have been any review of the API whatsoever, despite this being security-critical code where a safe API is absolutely crucial, to prevent reoccurrence of incidents like the Buffer incident (and the subsequent fallout that I and others in the ecosystem are still cleaning up on a regular basis).

Is there not an API review process for changes to the crypto module and other security-sensitive code? If not, why not?

@paragonie-scott
Copy link

This is how PHP does password hashing:

// All in one go:
$hash = password_hash($userProvidedPassword, PASSWORD_DEFAULT);

// Later:
if (password_verify($userProvidedPassword, $hash)) {
    // Everything works out. Optionally, do this too:
    if (password_needs_rehash($userProvidedPassword, PASSWORD_DEFAULT)) {
        // Someone upgraded PHP and there's a new default algorithm. We should rehash the password.
    }
}

This is almost an optimal UX for PHP developers for password storage: Salts are explicitly generated by the kernel's CSPRNG, encoded, and included in the password hash.

A step further would be making PASSWORD_DEFAULT--, well, the default.

You should only need one input for generating a new password hash: The password.
You should only need two inputs for verification: The challenge and the attempt (or the hash and password, respectively).

All other parameters should be optional.

Note: Key derivation is a separate concern, where you don't want the salt stored alongside the password hash, but that's a smaller corner of the cryptography usability market than password hashing.

Let's look at how another library handles both corner cases:

Key Derivation

#define PASSWORD "Correct Horse Battery Staple"
#define KEY_LEN crypto_box_SEEDBYTES

unsigned char salt[crypto_pwhash_SALTBYTES];
unsigned char key[KEY_LEN];

randombytes_buf(salt, sizeof salt);

if (crypto_pwhash
    (key, sizeof key, PASSWORD, strlen(PASSWORD), salt,
     crypto_pwhash_OPSLIMIT_INTERACTIVE, crypto_pwhash_MEMLIMIT_INTERACTIVE,
     crypto_pwhash_ALG_DEFAULT) != 0) {
    /* out of memory */
}

Password Hashing

#define PASSWORD "Correct Horse Battery Staple"

char hashed_password[crypto_pwhash_STRBYTES];

if (crypto_pwhash_str
    (hashed_password, PASSWORD, strlen(PASSWORD),
     crypto_pwhash_OPSLIMIT_SENSITIVE, crypto_pwhash_MEMLIMIT_SENSITIVE) != 0) {
    /* out of memory */
}

if (crypto_pwhash_str_verify
    (hashed_password, PASSWORD, strlen(PASSWORD)) != 0) {
    /* wrong password */
}

Usable cryptography API design is a nontrivial undertaking, and getting it wrong will mean years (or even decades) of clean-up.

I would propose, at minimum, an alternative API that has a similar user experience to PHP's password_hash() that transparently wraps scrypt as part of the Node.js core, and then recommend that API for users who want to store password hashes (which is roughly 98% of the use case when someone reaches for bcrypt, scrypt, or Argon2).

Or you could always just incorporate @joepie91's scrypt-for-humans into the Node.js core. Designing cryptography APIs for humans is a good idea.

@joepie91
Copy link
Contributor

Or you could always just incorporate @joepie91's scrypt-for-humans into the Node.js core. Designing cryptography APIs for humans is a good idea.

To be clear, scrypt-for-humans is a thin wrapper to resolve the API design issues in node-scrypt (which are nevertheless less severe than the ones here). It wouldn't make sense to merge the implementation of either scrypt-for-humans or node-scrypt into Node core; but reusing the API design would.

@ChALkeR
Copy link
Member

ChALkeR commented Jul 11, 2018

@joepie91 This can not be removed from v10.x due to stability concerns (putting aside everything else).

It could, nevertheless, have documentation updated, noting that this is a low-level API aimed at people who are absolutely sure what they are doing with it, and that direct usage for password hashing could be dangereous, noting common mistakes.

Probably the example code should be updated to use real salt, not a hard-coded one.

I suggest to file another issue about this instead of discussing it in a closed PR.

@paragonie-scott
Copy link

Issue filed: #21766

@joepie91
Copy link
Contributor

I'll be moving over to that issue thread as well.

addaleax added a commit to addaleax/node that referenced this pull request Jul 16, 2018
Make parameter names available in a human-readable way, for
more accessible/self-documenting usage of the `scrypt` functions.

This implements a review comment from the original PR that has
not been addressed.

Refs: nodejs#20816 (comment)
addaleax added a commit that referenced this pull request Jul 18, 2018
Make parameter names available in a human-readable way, for
more accessible/self-documenting usage of the `scrypt` functions.

This implements a review comment from the original PR that has
not been addressed.

Refs: #20816 (comment)

PR-URL: #21525
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
@ChALkeR
Copy link
Member

ChALkeR commented Jul 18, 2018

Labelling as dont-land on 8.x and 6.x due to the ongoging discussion of security concerns.

targos pushed a commit that referenced this pull request Aug 7, 2018
Make parameter names available in a human-readable way, for
more accessible/self-documenting usage of the `scrypt` functions.

This implements a review comment from the original PR that has
not been addressed.

Refs: #20816 (comment)

PR-URL: #21525
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
rvagg pushed a commit that referenced this pull request Aug 13, 2018
Make parameter names available in a human-readable way, for
more accessible/self-documenting usage of the `scrypt` functions.

This implements a review comment from the original PR that has
not been addressed.

Refs: #20816 (comment)

PR-URL: #21525
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
tniessen added a commit to tniessen/node that referenced this pull request Sep 4, 2018
@tniessen tniessen mentioned this pull request Sep 4, 2018
2 tasks
danbev pushed a commit that referenced this pull request Sep 7, 2018
PR-URL: #22687
Refs: #20816
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
targos pushed a commit that referenced this pull request Sep 7, 2018
PR-URL: #22687
Refs: #20816
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
bnoordhuis added a commit to bnoordhuis/io.js that referenced this pull request Jun 20, 2019
The comment refers to an exception type that JS land throws on the C++
code's behalf but apparently I changed the JS name before landing the
pull request and forgot to update the comment.

Refs: nodejs#20816
Trott pushed a commit to Trott/io.js that referenced this pull request Jul 23, 2019
The comment refers to an exception type that JS land throws on the C++
code's behalf but apparently I changed the JS name before landing the
pull request and forgot to update the comment.

Refs: nodejs#20816

PR-URL: nodejs#28320
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
gntem pushed a commit to gntem/node that referenced this pull request Jul 27, 2019
The comment refers to an exception type that JS land throws on the C++
code's behalf but apparently I changed the JS name before landing the
pull request and forgot to update the comment.

Refs: nodejs#20816

PR-URL: nodejs#28320
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
targos pushed a commit that referenced this pull request Aug 2, 2019
The comment refers to an exception type that JS land throws on the C++
code's behalf but apparently I changed the JS name before landing the
pull request and forgot to update the comment.

Refs: #20816

PR-URL: #28320
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
vikashk1 added a commit to vikashk1/node that referenced this pull request Aug 13, 2019
* report: modify getReport() to return an Object

It's likely that anyone using `process.report.getReport()` will be
processing the return value thereafter (e.g., filtering fields or
redacting secrets). This change eliminates boilerplate by calling
`JSON.parse()` on the return value.

Also modified the `validateContent()` and `validate()` test helpers in
`test/common/report.js` to be somewhat more obvious and helpful. Of
note, a report failing validation will now be easier (though still not
_easy_) to read when prepended to the stack trace.

- Refs: https://github.com/nodejs/diagnostics/issues/315

PR-URL: https://github.com/nodejs/node/pull/28630
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* src: replace already elevated Object, Local v8 namespace

PR-URL: https://github.com/nodejs/node/pull/28611
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

* src, tools: replace raw ptr with smart ptr

NodeMainInstance::Create will now returrn
an instance of NodeMainInstance in a
unique_ptr.

PR-URL: https://github.com/nodejs/node/pull/28577
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* doc: add example on how to create __filename, __dirname for esm

PR-URL: https://github.com/nodejs/node/pull/28282
Fixes: https://github.com/nodejs/node/issues/28114
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* src: simplify --debug flags

Any use of --debug, --debug=, --debug-brk, or --debug-brk=
now triggers an error. That means we can eliminate their
aliases with --inspect counterparts and simplify the code.

PR-URL: https://github.com/nodejs/node/pull/28615
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>

* doc: drop 'for more details' in deprecations

The deprecations documentation links to the GitHub issue
tracker in several places. This commit makes the text
around those links consistent.

PR-URL: https://github.com/nodejs/node/pull/28617
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

* readline: use named constant for surrogate checks

This commit defines a named constant instead of using a mix of
2 ** 16 and 0x10000 throughout the code.

PR-URL: https://github.com/nodejs/node/pull/28638
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>

* readline: remove IIFE in SIGCONT handler

This commit removes an IIFE in the readline SIGCONT handler
that was previously being used to bind `this`.

PR-URL: https://github.com/nodejs/node/pull/28639
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>

* readline: simplify isFullWidthCodePoint()

The non-ICU-based isFullWidthCodePoint() can be simplified to
a single `return` statement. This commit removes the extra
branching logic.

PR-URL: https://github.com/nodejs/node/pull/28640
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>

* doc: remove superfluous MDN link in assert.md

PR-URL: https://github.com/nodejs/node/pull/28246
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

* readline: expose stream API in clearScreenDown()

This commit adds an optional callback to clearScreenDown(),
which is passed to the stream's write() method. It also
exposes the return value of write().

PR-URL: https://github.com/nodejs/node/pull/28641
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>

* path: using .relative() should not return a trailing slash

Resolving a path against root with `path.relative()` should not
include a trailing slash.

Fixes: https://github.com/nodejs/node/issues/28549

PR-URL: https://github.com/nodejs/node/pull/28556
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>

* path: move branch to the correct location

This code branch only makes sense when i === length. Otherwise it'll
already be handled.

PR-URL: https://github.com/nodejs/node/pull/28556
Fixes: https://github.com/nodejs/node/issues/28549
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Weijia Wang <starkwang@126.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>

* doc: mark process.report as experimental

Everything under process.report is experimental. This commit
adds the missing stability index entries.

PR-URL: https://github.com/nodejs/node/pull/28653
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>

* doc: mark N-API thread-safe function stable

The various TSFN APIs are marked as stable, but the TSFN heading itself
is still marked as experimental.

PR-URL: https://github.com/nodejs/node/pull/28643
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

* zlib: do not coalesce multiple `.flush()` calls

This is an approach to address the issue linked below. Previously,
when `.write()` and `.flush()` calls to a zlib stream were interleaved
synchronously (i.e. without waiting for these operations to finish),
multiple flush calls would have been coalesced into a single flushing
operation.

This patch changes behaviour so that each `.flush()` all corresponds
to one flushing operation on the underlying zlib resource, and the
order of operations is as if the `.flush()` call were a `.write()`
call.

One test had to be removed because it specifically tested the previous
behaviour.

As a drive-by fix, this also makes sure that all flush callbacks are
called. Previously, that was not the case.

Fixes: https://github.com/nodejs/node/issues/28478

PR-URL: https://github.com/nodejs/node/pull/28520
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

* src: add cleanup hook for ContextifyContext

Otherwise there’s a memory leak left by the context when the Isolate
tears down without having run the weak callback.

PR-URL: https://github.com/nodejs/node/pull/28631
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>

* deps: update acorn to 6.2.0

Includes support for bigint syntax so we can remove the acorn-bigint
plugin.

PR-URL: https://github.com/nodejs/node/pull/28649
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>

* http2: report memory allocated by nghttp2 to V8

This helps the JS engine have a better understanding of the memory
situation in HTTP/2-heavy applications, and avoids situations that
behave like memory leaks due to previous underestimation of memory
usage which is tied to JS objects.

Refs: https://github.com/nodejs/node/issues/28088#issuecomment-509965105

PR-URL: https://github.com/nodejs/node/pull/28645
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

* tools: add coverage to ignored files

This adds the coverage directory to the .gitignore file.

PR-URL: https://github.com/nodejs/node/pull/28626
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Masashi Hirano <shisama07@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* build,v8: support IBM i

Some libraries do not exist on IBM i (OS400).
Commit 417c18e introduces these missing libraries.
Need to differentiate `AIX` and `OS400`(IBM i).

PR-URL: https://github.com/nodejs/node/pull/28607
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

* test: fix pty test hangs on aix

Some pty tests persistently hung on the AIX CI buildbots. Fix that by
adding a helper script that properly sets up the pty before spawning
the script under test.

On investigation I discovered that the test runner hung when it tried
to close the slave pty's file descriptor, probably due to a bug in
AIX's pty implementation. I could reproduce it with a short C program.
The test runner also leaked file descriptors to the child process.

I couldn't convince python's `subprocess.Popen()` to do what I wanted
it to do so I opted to move the logic to a helper script that can do
fork/setsid/etc. without having to worry about stomping on state in
tools/test.py.

In the process I also uncovered some bugs in the pty module of the
python distro that ships with macOS 10.14, leading me to reimplement
a sizable chunk of the functionality of that module.

And last but not least, of course there are differences between ptys
on different platforms and the helper script has to paper over that.
Of course.

Really, this commit took me longer to put together than I care to admit.

Caveat emptor: this commit takes the hacky ^D feeding to the slave out
of tools/test.py and puts it in the *.in input files. You can also feed
other control characters to tests, like ^C or ^Z, simply by inserting
them into the corresponding input file. I think that's nice.

Fixes: https://github.com/nodejs/build/issues/1820
Fixes: https://github.com/nodejs/node/issues/28489

PR-URL: https://github.com/nodejs/node/pull/28600
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>

* stream: simplify `.pipe()` and `.unpipe()` in Readable

Now we are using `pipes` and `pipesCount` in Readable state and the
`pipes` value can be a stream or an array of streams. This change
reducing them into one `pipes` value, which is an array of streams.

PR-URL: https://github.com/nodejs/node/pull/28583
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>

* src: lint #defines in src/node.h

A few #defines in src/node.h had inconsistent spacing
and tabbing. This commit changes the spacing to be
the same style as the rest of the project.

PR-URL: https://github.com/nodejs/node/pull/28547
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Michaël Zasso <targos@protonmail.com>

* build: remove broken intel vtune support

Support for VTune profiling was added in commit a881b53 from November
2015 but has since bitrotted. Remove it.

Fixes: https://github.com/nodejs/node/issues/28310
Refs: https://github.com/nodejs/node/pull/3785

PR-URL: https://github.com/nodejs/node/pull/28522
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

* src: add missing option parser template for the DebugOptionsParser

This allows embedders to run `node::options_parser::Parse` for a
`node::DebugOptions`.

PR-URL: https://github.com/nodejs/node/pull/28543
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

* test: increase limit for network space overhead test

This test imposes a limit on the average bytes of space per chunk
for network traffic. However this number depends on VM
implementation details, and upcoming changes to V8's
array buffer management require a small bump to this
limit in this test.

PR-URL: https://github.com/nodejs/node/pull/28492
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

* http: fix test where aborted should not be emitted

PR-URL: https://github.com/nodejs/node/pull/20077
Fixes: https://github.com/nodejs/node/issues/20107
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>

* stream: use readableEncoding public api for child_process

PR-URL: https://github.com/nodejs/node/pull/28548
Refs: https://github.com/nodejs/node/issues/445
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* doc: add documentation for createDiffieHellmanGroup

PR-URL: https://github.com/nodejs/node/pull/28585
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* deps: cherry-pick 13a04aba from V8 upstream

Original commit message:
  fix: move V8_EXPORT_PRIVATE marks to prevent unresolvable references

  This change fixes missing symbol errors in the Windows 10 on ARM build
  of Node.js.

  When a whole class is marked for export, all of its members are marked
  as well. This can be a problem when inline members call undefined yet
  inline members of other classes: the exported function will contain a
  reference to the undefined inline function that should be satisfied at
  link time, but because the other function is inline no symbol will be
  produced that will satisfy that reference.

  Clang gets around this by masking inlined class members from export
  using /Fc:dllexportInlines-. This is why b0a2a567 worked.

  Node.js' Windows builds use MSVC and so do not have access to this
  flag. This results in unresolved symbols at link time.

  Bug: v8:9465
  Change-Id: Ief9c7ab6ba35d22f995939eb62a64d6f1992ed85
  Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1696771
  Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
  Reviewed-by: Jakob Gruber <jgruber@chromium.org>
  Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
  Cr-Commit-Position: refs/heads/master@{#62660}

Refs: https://github.com/v8/v8/commit/13a04abacd6a15b0b06c9ad08e237af703a57dec
PR-URL: https://github.com/nodejs/node/pull/28602
Reviewed-By: João Reis <reis@janeasystems.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>

* deps: cherry-pick 721dc7d from node-gyp upstream

This change cherry-picks a small set of node-gyp v5.0.0 changes needed
to enable Node.js ARM64 Windows builds.

Original commit message:
  Add ARM64 to MSBuild /Platform logic

  PR-URL: https://github.com/nodejs/node-gyp/pull/1655
  Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  Reviewed-By: João Reis <reis@janeasystems.com>

Refs: https://github.com/nodejs/node-gyp/commit/721dc7d3148ab71ee283d9cb15df84d9b87b7efc
PR-URL: https://github.com/nodejs/node/pull/28604
Reviewed-By: Christian Clauss <cclauss@me.com>
Reviewed-By: João Reis <reis@janeasystems.com>

* deps: cherry-pick 91744bf from node-gyp upstream

This change cherry-picks a small set of node-gyp v5.0.0 changes needed
to enable Node.js ARM64 Windows builds.

Original commit message:
  gyp: add support for Windows on Arm

  Cherry-pick of https://github.com/refack/GYP/pull/33, supersedes
  https://github.com/nodejs/node-gyp/pull/1678 until GYP3 is merged.

  `npm test` passes

  Change-Id: I2b1e1e03e378b4812d34afa527087793864d1576

  PR-URL: https://github.com/nodejs/node-gyp/pull/1739
  Reviewed-By: Refael Ackermann <refack@gmail.com>
  Reviewed-By: João Reis <reis@janeasystems.com>

Refs: https://github.com/nodejs/node-gyp/commit/91744bfecc67fda7db58e2a1c7aa72f196d6da4f
PR-URL: https://github.com/nodejs/node/pull/28604
Reviewed-By: Christian Clauss <cclauss@me.com>
Reviewed-By: João Reis <reis@janeasystems.com>

* Revert "http: fix test where aborted should not be emitted"

This reverts commit 461bf36d701f3f7c669e2d916d5a5bc17fc447bf.

PR-URL: https://github.com/nodejs/node/pull/28699
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>

* doc: small grammar correction

This commit improves the grammar of one sentence in the ESM
documentation.

PR-URL: https://github.com/nodejs/node/pull/28669
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>

* inspector: do not change async call stack depth if the worker is done

Fixes: https://github.com/nodejs/node/issues/28528
PR-URL: https://github.com/nodejs/node/pull/28613
Reviewed-By: Aleksei Koziatinskii <ak239spb@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

* doc: add missing version metadata for Readable.from

Fixes: https://github.com/nodejs/node/issues/28693

PR-URL: https://github.com/nodejs/node/pull/28695
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

* doc: update js-native-api example

Update example that shows how to separate N-API code which is not
Node.js-specific from code which defines a Node.js N-API addon. In its
existing state the example uses the pattern

```C
assert(napi_*() == napi_ok);
```

However, this would result in no N-API calls when building with
`-DNDEBUG`.

This change moves away from assert and uses a macro `NAPI_CALL()` which
throws the string corresponding to the non-`napi_ok` status as a JS
exception and short-circuits the binding by returning `NULL`.

PR-URL: https://github.com/nodejs/node/pull/28657
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* doc: fix minor typo

PR-URL: https://github.com/nodejs/node/pull/28148
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* deps: V8: backport d2ccc59

Original commit message:

    [snapshot] print reference stack for JSFunctions in the isolate snapshot

    This helps debugging incorrect usage of the SnapshotCreator API in
    debug mode.

    Change-Id: Ibd9db76a5f460cdf7ea6d14e865592ebaf69aeef
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648240
    Reviewed-by: Yang Guo <yangguo@chromium.org>
    Commit-Queue: Yang Guo <yangguo@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#62095}

Refs: https://github.com/v8/v8/commit/d2ccc599c7a31838752350ae927e41bc386df414

PR-URL: https://github.com/nodejs/node/pull/28648
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

* src: large pages option: FreeBSD support proposal

Enabling on amd64 and as Linux, are 2MB large.
The ELF section linkage script is compatible only with GNU ld.

PR-URL: https://github.com/nodejs/node/pull/28331
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* module: increase code coverage of cjs loader

Add test cases to cover uncovered wrap and wrapper getters.

Refs: https://coverage.nodejs.org/coverage-99268b1e996d13a0/lib/internal/modules/cjs/loader.js.html#L153

PR-URL: https://github.com/nodejs/node/pull/27898
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jan Krems <jan.krems@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* test: use openssl_is_fips instead of hasFipsCrypto

Currently, when dynamically linking against a FIPS enabled OpenSSL
library test-process-env-allowed-flags-are-documented will fail with
the following error:
assert.js:89
throw new AssertionError(obj);
^

AssertionError [ERR_ASSERTION]:
The following options are not documented as allowed in NODE_OPTIONS in
/root/node/doc/api/cli.md: --enable-fips --force-fips
at Object.<anonymous>
(/test/parallel/test-process-env-allowed-flags-are-documented.js:82:8)
at Module._compile (internal/modules/cjs/loader.js:779:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:790:10)
at Module.load (internal/modules/cjs/loader.js:642:32)
at Function.Module._load (internal/modules/cjs/loader.js:555:12)
at Function.Module.runMain (internal/modules/cjs/loader.js:842:10)
at internal/main/run_main_module.js:17:11 {
generatedMessage: false,
code: 'ERR_ASSERTION',
actual: 2,
expected: 0,
operator: 'strictEqual'
}

This commit updates the test to use
process.config.variables.openssl_is_fips instead of common.hasFipsCrypto
as hasFipsCrypto only returns true if the OpenSSL library that is
shipped with node was configured with FIPS enabled.

PR-URL: https://github.com/nodejs/node/pull/28507
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

* test: update hasFipsCrypto in test/common/README

PR-URL: https://github.com/nodejs/node/pull/28507
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

* http: expose headers on an http.ClientRequest "information" event

1xx intermediate status responses are allowed to have headers; so
expose the "httpVersion", "httpVersionMajor", "httpVersionMinor",
"headers", "rawHeaders", and "statusMessage" properties on this
event.

PR-URL: https://github.com/nodejs/node/pull/28459
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* readline: expose stream API in clearLine()

This commit adds an optional callback to clearLine(), which
is passed to the stream's write() method. It also exposes the
return value of write().

PR-URL: https://github.com/nodejs/node/pull/28674
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

* readline: expose stream API in moveCursor()

This commit adds an optional callback to moveCursor(), which is
passed to the stream's write() method. It also exposes the
return value of write().

PR-URL: https://github.com/nodejs/node/pull/28674
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

* readline: expose stream API in cursorTo()

This commit adds an optional callback to cursorTo(), which is
passed to the stream's write() method. It also exposes the
return value of write().

PR-URL: https://github.com/nodejs/node/pull/28674
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

* http: add response.writableFinished

response.writableFinished is true if all data has been flushed to the
underlying system.

PR-URL: https://github.com/nodejs/node/pull/28681
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* gyp: cherrypick more Python3 changes from node-gyp

PR-URL: https://github.com/nodejs/node/pull/28563
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* n-api: correct bug in napi_get_last_error

napi_get_last_error returns incorrect napi_status.

PR-URL: https://github.com/nodejs/node/pull/28702
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gabriel Schulhof <gabriel.schulhof@intel.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

* build: specify Python version once for all tests

Extracted from #28537 for shorter review cycle.  This makes it easier to
experiment with new versions of Python as they become available on the
Travis CI platform.

PR-URL: https://github.com/nodejs/node/pull/28694
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

* test: improve variable names in pty_helper.py

Using names like `parent_fd` and `child_fd` is more accurate here,
and doesn’t come with unnecessary negative connotations, even if
the previous naming is somewhat common terminology here.

PR-URL: https://github.com/nodejs/node/pull/28688
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

* test: fix race condition in test-worker-process-cwd.js

This simplifies the test logic and fixes the race condition that
could happen right now.

PR-URL: https://github.com/nodejs/node/pull/28609
Refs: https://github.com/nodejs/node/issues/28193
Closes: https://github.com/nodejs/node/pull/28477
Fixes: https://github.com/nodejs/node/issues/27669
Fixes: https://github.com/nodejs/node/issues/28477
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* test: make repl tests more resilient

This refactors two tests to ignore line numbers in stack traces. That
way changed line numbers do not have any impact on the test outcome
anymore.

PR-URL: https://github.com/nodejs/node/pull/28608
Fixes: https://github.com/nodejs/node/issues/28546
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Lance Ball <lball@redhat.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>

* repl: fix autocomplete while using .load

This makes sure that complete functions work as expected after using
the REPL's `.load` command.

It also fixes the corresponding test. So far the assertion where
swallowed and the test passed even though it should not have.

Fixes: https://github.com/nodejs/node/issues/28546
PR-URL: https://github.com/nodejs/node/pull/28608
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Lance Ball <lball@redhat.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>

* repl: fix some repl context issues

This partially fixes contexts like `{} instanceof Object === false`
in the REPL. This does not fix all cases, since it's something
fundamental from the REPL's design that things like these can happen.

Refs: https://github.com/nodejs/node/issues/27859

PR-URL: https://github.com/nodejs/node/pull/28561
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

* doc: add examples at assert.strictEqual

PR-URL: https://github.com/nodejs/node/pull/28092
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* doc: improve os.homedir() docs

PR-URL: https://github.com/nodejs/node/pull/28401
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

* doc: add example for zlib.createGzip()

PR-URL: https://github.com/nodejs/node/pull/28136
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Masashi Hirano <shisama07@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

* doc: add example for beforeExit event

PR-URL: https://github.com/nodejs/node/pull/28430
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

* test: use consistent test naming

To conform with other test names, move
test/async-hooks/test-httparser-reuse.js to
test/async-hooks/test-httpparser-reuse.js.

PR-URL: https://github.com/nodejs/node/pull/28744
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

* test: propagate napi_status to JS

Re: https://github.com/nodejs/node/pull/27945#discussion_r288833979

This commit regards reporting to the JS level an actual event
that happens when using suspected improper null arguments. It is better
to report the exact reason from N-API to the JS level.

PR-URL: https://github.com/nodejs/node/pull/28505
Reviewed-By: Gabriel Schulhof <gabriel.schulhof@intel.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* tty: expose stream API from readline methods

This commit exposes the return value and callback of the
underlying readline APIs from the tty module.

PR-URL: https://github.com/nodejs/node/pull/28721
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

* test,win: cleanup exec-timeout processes

When CMD is used to launch a process and CMD is killed too quickly,
the process can stay behind running in suspended state, never
completing. This only happens in Windows Server 2008R2.

Refs: https://github.com/nodejs/build/issues/1829

PR-URL: https://github.com/nodejs/node/pull/28723
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

* esm: implement "pkg-exports" proposal

Refs: https://github.com/jkrems/proposal-pkg-exports/issues/36

PR-URL: https://github.com/nodejs/node/pull/28568
Reviewed-By: Anna Henningsen <anna@addaleax.net>

* deps: upgrade npm to 6.10.0

PR-URL: https://github.com/nodejs/node/pull/28525
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>

* http: avoid extra listener

PR-URL: https://github.com/nodejs/node/pull/28705
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

* vm: remove usage of public util module

PR-URL: https://github.com/nodejs/node/pull/28460
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: Masashi Hirano <shisama07@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

* zlib: remove usage of public util module

PR-URL: https://github.com/nodejs/node/pull/28454
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>

* build: fix building with d8

PR-URL: https://github.com/nodejs/node/pull/28733
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* test: changed function to arrow function

Convert callback functions that are anonymous
to arrow functions for better readability.
Also adjusted the `this` object in places
where that was required.

PR-URL: https://github.com/nodejs/node/pull/28726
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Masashi Hirano <shisama07@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* build: update of the large page option error

Now large pages is also supported by FreeBSD.

PR-URL: https://github.com/nodejs/node/pull/28729
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* deps: V8: backport b33af60

Original commit message:

    [api] Get ScriptOrModule from CompileFunctionInContext

    Adds a new out param which allows accessing the ScriptOrModule
    of a function, which allows an embedder such as Node.js to use
    the function's i::Script lifetime.

    Refs: https://github.com/nodejs/node-v8/issues/111
    Change-Id: I34346d94d76e8f9b8377c97d948673f4b95eb9d5
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1699698
    Reviewed-by: Yang Guo <yangguo@chromium.org>
    Commit-Queue: Yang Guo <yangguo@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#62830}

Refs: https://github.com/v8/v8/commit/b33af60dd9e7e5b2557b9fbf3fdb80209f6db844

PR-URL: https://github.com/nodejs/node/pull/28671
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Guy Bedford <guybedford@gmail.com>

* vm: fix gc bug with modules and compiled functions

PR-URL: https://github.com/nodejs/node/pull/28671
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Guy Bedford <guybedford@gmail.com>

* build: skip test-ci doc targets if no crypto

PR-URL: https://github.com/nodejs/node/pull/28747
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* lib: rename lib/internal/readline.js

This commit moves lib/internal/readline.js to
lib/internal/readline/utils.js. This is in preparation of
adding a readline.promises implementation.

PR-URL: https://github.com/nodejs/node/pull/28753
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>

* doc: amplify warning for execute callback

Add specific recommendation not to use the
to the napi-env parameter in napi_async_execute_callback

PR-URL: https://github.com/nodejs/node/pull/28738
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* doc: add information for heap snapshot flag

It's nice to have usage examples, especially since the flag requires the
`SIG` version of the signal name, unlike `kill`.

PR-URL: https://github.com/nodejs/node/pull/28754
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

* doc: add code example to subprocess.stdout

PR-URL: https://github.com/nodejs/node/pull/28402
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* policy: add policy-integrity to mitigate policy tampering

PR-URL: https://github.com/nodejs/node/pull/28734
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* inspector: do not spin-wait while waiting for the initial connection

Fixes: https://github.com/nodejs/node/issues/28741

PR-URL: https://github.com/nodejs/node/pull/28756
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Aleksei Koziatinskii <ak239spb@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>

* src: add public virtual destructor for KVStore

As KVStore has derived classes, it is essential to
declare a public virtual destructor in the base
KVStore class. Otherwise, deleting derived class
instances using base class pointers would
potentially cause undefined behaviour.

Additionally, since we are implementing a non-default
destructor, the special member functions have also
been implemented in order to abide by the rule of five.

PR-URL: https://github.com/nodejs/node/pull/28737
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* http2: compat req.complete

PR-URL: https://github.com/nodejs/node/pull/28627
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* inspector: add inspector.waitForDebugger()

This method blocks current node process until a client sends
Runtime.runifWaitingForDebugger.

It can be useful when we need to report inspector.url() before
waiting for connection:
```
inspector.open(0, undefined, false);
fs.writeFileSync(someFileName, inspector.url());
inspector.waitForDebugger();
```

PR-URL: https://github.com/nodejs/node/pull/28453
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* stream: add null push transform in async_iterator

when the readable side of a transform ends any for await
loop on that transform stream should also complete. This
fix prevents for await loop on a transform stream
from hanging indefinitely.

PR-URL: https://github.com/nodejs/node/pull/28566
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* test: fix assertion argument order in test-esm-namespace

PR-URL: https://github.com/nodejs/node/pull/28474
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* src: expose TraceEventHelper with NODE_EXTERN

As node requires a tracing controller to be initialized embedders need
access to the TraceEventHelper so that we can actually set the tracing
controller.

Refs: https://github.com/electron/electron/commit/0e5b6f93000e4718c9e35332ddbd0f6b76cdd585/#diff-89b287b2edd0a02dddae60cb26157f47

PR-URL: https://github.com/nodejs/node/pull/28724
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* deps: update nghttp2 to 1.39.1

PR-URL: https://github.com/nodejs/node/pull/28448
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

* doc: claim NODE_MODULE_VERSION=75 for Electron 7

PR-URL: https://github.com/nodejs/node/pull/28774
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>

* src: silence compiler warning

This commit fixes the following warning:

warning: missing field 'exports' initializer

PR-URL: https://github.com/nodejs/node/pull/28764
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>

* doc: update env default on child_process functions

PR-URL: https://github.com/nodejs/node/pull/28776
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* tools: remove unused pkgsrc directory

The pkgsrc Makefile target was removed in 2015

Refs: https://github.com/nodejs/node/pull/1938

PR-URL: https://github.com/nodejs/node/pull/28783
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* src: make `CompiledFnEntry` a `BaseObject`

In particular:

- Move the class definition to the relevant header file,
  i.e. `node_contextify.h`.
- Make sure that class instances are destroyed on
  `Environment` teardown.
- Make instances of the key object traceable in heap dumps. This is
  particularly relevant here because our C++ script → map key mapping
  could introduce memory leaks when the import function metadata refers
  back to the script in some way.

Refs: https://github.com/nodejs/node/pull/28671

PR-URL: https://github.com/nodejs/node/pull/28782
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* src: do not include partial AsyncWrap instances in heap dump

Heap dumps can be taken either through the inspector or the public API
for it during an async_hooks init() hook, but at that point the
AsyncWrap in question is not done initializing yet and virtual methods
cannot be called on it.

Address this issue (somewhat hackily) by excluding `AsyncWrap`
instances which have not yet executed their `init()` hook fully
from heap dumps.

Fixes: https://github.com/nodejs/node/issues/28786

PR-URL: https://github.com/nodejs/node/pull/28789
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* tools: update ESLint to 6.1.0

Update ESLint to 6.1.0

PR-URL: https://github.com/nodejs/node/pull/28793
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>

* dns: fix unsigned record values

Fixes: https://github.com/nodejs/node/issues/28790

PR-URL: https://github.com/nodejs/node/pull/28792
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

* deps: float 15d7e79 from openssl

The upstream commit fixes an incorrect initialization of memory in
rand_lib.c. This fixes all errors that are reported by valgrind during
startup.

Origin: https://github.com/openssl/openssl/commit/15d7e7997e219fc

PR-URL: https://github.com/nodejs/node/pull/28796
Fixes: https://github.com/nodejs/node/issues/28739
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>

* src: fix type name in comment

The comment refers to an exception type that JS land throws on the C++
code's behalf but apparently I changed the JS name before landing the
pull request and forgot to update the comment.

Refs: https://github.com/nodejs/node/pull/20816

PR-URL: https://github.com/nodejs/node/pull/28320
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>

* 2019-07-23, Version 12.7.0 (Current)

Notable changes:

* deps:
  * Updated nghttp2 to 1.39.1. https://github.com/nodejs/node/pull/28448
  * Updated npm to 6.10.0. https://github.com/nodejs/node/pull/28525
* esm:
  * Implemented experimental "pkg-exports" proposal. A new `"exports"`
    field can be added to a module's `package.json` file to provide
    custom subpath aliasing. See
    https://github.com/jkrems/proposal-pkg-exports/ for more
    information. https://github.com/nodejs/node/pull/28568
* http:
  * Added `response.writableFinished`.
    https://github.com/nodejs/node/pull/28681
  * Exposed `headers`, `rawHeaders` and other fields on an
    `http.ClientRequest` `"information"` event.
    https://github.com/nodejs/node/pull/28459
* inspector:
  * Added `inspector.waitForDebugger()`.
    https://github.com/nodejs/node/pull/28453
* policy:
  * Added `--policy-integrity=sri` CLI option to mitigate policy
    tampering. If a policy integrity is specified and the policy does
    not have that integrity, Node.js will error prior to running any
    code. https://github.com/nodejs/node/pull/28734
* readline,tty:
  * Exposed stream API from various methods which write characters.
    https://github.com/nodejs/node/pull/28674
    https://github.com/nodejs/node/pull/28721
* src:
  * Use cgroups to get memory limits. This improves the way we set
    the memory ceiling for a Node.js process. Previously we would use
    the physical memory size to estimate the necessary V8
    heap sizes. The physical memory size is not necessarily the correct
    limit, e.g. if the process is running inside a docker container or
    is otherwise constrained. This change adds the ability to get a
    memory limit set by linux cgroups, which is used by docker
    containers to set resource constraints.
    https://docs.docker.com/config/containers/resource_constraints/
    https://github.com/nodejs/node/pull/27508

PR-URL: https://github.com/nodejs/node/pull/28817

* lib: support min/max values in validateInteger()

This commit updates validateInteger() in two ways:

- Number.isInteger() is used instead of Number.isSafeInteger().
  This ensures that all integer values are supported.
- Minimum and maximum values are supported. They default to
  the min and max safe integer values, but can be customized.

PR-URL: https://github.com/nodejs/node/pull/28810
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

* module: implement "exports" proposal for CommonJS

Refs: https://github.com/jkrems/proposal-pkg-exports/issues/36
Refs: https://github.com/nodejs/node/pull/28568

PR-URL: https://github.com/nodejs/node/pull/28759
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Bradley Farias <bradley.meck@gmail.com>

* doc: api/stream.md typo from writeable to writable

PR-URL: https://github.com/nodejs/node/pull/28822
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>

* crypto: increase maxmem range from 32 to 53 bits

Fixes: https://github.com/nodejs/node/issues/28755

PR-URL: https://github.com/nodejs/node/pull/28799
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* tools: update certdata.txt

This is the certdata.txt[0] from NSS 3.45, released on 2019-07-05.

This is the version of NSS that will ship in Firefox 69 on
2019-09-03.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_45_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: https://github.com/nodejs/node/pull/28808
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

* crypto: update root certificates

Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added: (none)

Certificates removed:
- Certinomis - Root CA

PR-URL: https://github.com/nodejs/node/pull/28808
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

* doc: fix type in NSS update instructions

The perl script must be fully named, correct so that the command can be
copy-pasted-run from the docs.

PR-URL: https://github.com/nodejs/node/pull/28808
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

* build: `uname -m` is amd64 on freebsd, not x86_64

Fixes: https://github.com/nodejs/node/issues/13150

PR-URL: https://github.com/nodejs/node/pull/28804
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* src : elevate v8 namespaces

Leverage `using` semantics for repeated usage of
v8 artifacts.

PR-URL: https://github.com/nodejs/node/pull/28801
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>

* doc: add documentation for response.flushHeaders()

PR-URL: https://github.com/nodejs/node/pull/28807
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* doc: claim NODE_MODULE_VERSION=76 for Electron 8

PR-URL: https://github.com/nodejs/node/pull/28809
Refs: https://github.com/electron/electron/projects/20#card-24099810
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

* deps: backport b107214 from upstream V8

Original commit message:

    [code-serializer] Handlify in CodeSerializer::Deserialize

    This section potentially contains allocations and thus gc, all object
    references should be handlified.

    Bug: v8:9333
    Change-Id: I5814e66e8b9b75a8bd952afecae7a3a27b42a642
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1647695
    Auto-Submit: Jakob Gruber <jgruber@chromium.org>
    Commit-Queue: Simon Zünd <szuend@chromium.org>
    Reviewed-by: Simon Zünd <szuend@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#62012}

(This required resolution of a few merge conflicts, so it’s essentially
a manual backport.)

Refs: https://github.com/v8/v8/commit/b10721426503b87d013ecf314ca139fa5334ebb7
Refs: https://github.com/nodejs/node/pull/28847

PR-URL: https://github.com/nodejs/node/pull/28850
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Jan Krems <jan.krems@gmail.com>

* domain: use strong reference to domain while active

When an uncaught exception is thrown inside a domain, the domain is
removed from the stack as of 43a51708589ac789ce08beaeb49d6d778dfbdc49.
This means that it might not be kept alive as an object anymore,
and may be garbage collected before the `after()` hook can run,
which tries to exit it as well.

Resolve that by making references to the domain strong while it is
active.

Fixes: https://github.com/nodejs/node/issues/28275

PR-URL: https://github.com/nodejs/node/pull/28313
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* build: re-enable openssl arm for arm64

In #23913 it looked like arm64 testing was flaky, and as a result a
number of changes were made including disabling openssl asm for that
architecture.

This PR is limited to re-enabling the one change to turn on openssl asm
for arm64, in the hopes that either it works now, or that this specific
change introduces a reproducible condition.

See: https://github.com/nodejs/node/pull/23913

PR-URL: https://github.com/nodejs/node/pull/28180
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

* doc: describe why new Buffer() is problematic

Existing docs weren't clear on the actual problem. In addition, the text
described 8.0.0 as being a future Node.js release, so adjust language
to reflect that 8.0.0 is in the past (while not losing important
information about what the pre-8.x behaviour was).

PR-URL: https://github.com/nodejs/node/pull/28825
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

* n-api: add APIs for per-instance state management

Adds `napi_set_instance_data()` and `napi_get_instance_data()`, which
allow native addons to store their data on and retrieve their data from
`napi_env`. `napi_set_instance_data()` accepts a finalizer which is
called when the `node::Environment()` is destroyed.

This entails rendering the `napi_env` local to each add-on.

Fixes: https://github.com/nodejs/abi-stable-node/issues/378
PR-URL: https://github.com/nodejs/node/pull/28682
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

* doc: fix incorrect name in report docs

In diagnostic reports, the CPUs are listed in a "cpus" field.
This commit fixes the docs, which refer to the field as "osCpus"

PR-URL: https://github.com/nodejs/node/pull/28830
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>

* report: loop over uv_cpu_info() results

The code currently loops over the results, but only the
first result is accessed.

PR-URL: https://github.com/nodejs/node/pull/28829
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* assert: avoid potentially misleading reference to object identity

Often, the word “identical” when referring to JS objects will
be read as referring to having the same object identity (which is
called “reference equality” here), but what the error message is
trying to say here is that the objects are different but yield the
same `util.inspect()` output.

Since `util.inspect()` output represents the structure rather than
the identity of objects, (hopefully) clarify the error message to
reflect that.

PR-URL: https://github.com/nodejs/node/pull/28824
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

* crypto: add outputLength option to crypto.createHash

This change adds an outputLength option to crypto.createHash which
allows users to produce variable-length hash values using XOF hash
functons.

Fixes: https://github.com/nodejs/node/issues/28757
PR-URL: https://github.com/nodejs/node/pull/28805
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* crypto: fix handling of malicious getters (scrypt)

It is possible to bypass parameter validation in crypto.scrypt and
crypto.scryptSync by crafting option objects with malicious getters as
demonstrated in the regression test. After bypassing validation, any
value can be passed to the C++ layer, causing an assertion to crash
the process.

Fixes: https://github.com/nodejs/node/issues/28836

PR-URL: https://github.com/nodejs/node/pull/28838
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

* policy: add dependencies map for resources

Adds a "dependencies" field to resources in policy manifest files.
In order to ease development and testing while using manifests,
wildcard values for both "dependencies" and "integrity" have been
added using the boolean value "true" in the policy manifest.

PR-URL: https://github.com/nodejs/node/pull/28767
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Jan Krems <jan.krems@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* doc: add documentation for stream.destroyed

PR-URL: https://github.com/nodejs/node/pull/28815
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>

* n-api: refactor a previous commit

This is a refactoring of https://github.com/nodejs/node/issues/27628
following https://github.com/nodejs/node/pull/28505.

This change factors out functions `add_last_status()` and
`add_returned_status()` so they may be reused in the tests for passing
information about the last error status and/or a returned `napi_status`
to JavaScript.

PR-URL: https://github.com/nodejs/node/pull/28848
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gabriel Schulhof <gabriel.schulhof@intel.com>

* stream: resolve perf regression introduced by V8 7.3

This commit contains two fixes:
1. use instanceof instead of Object.getPrototypeOf, as checking an
   object prototype with Object.getPrototypeOf is slower
   than an instanceof check.
2. avoid parseInt(undefined, 10) to get NaN as it regressed.

PR-URL: https://github.com/nodejs/node/pull/28842
Fixes: https://github.com/nodejs/node/issues/28586
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* build,tools: support building with Visual Studio 2019

Add a `vs2019` option to `vcbuild.bat` to use VS 2019 instead of VS 2017

PR-URL: https://github.com/nodejs/node/pull/28781
Reviewed-By: João Reis <reis@janeasystems.com>
Reviewed-By: Refael Ackermann (רפאל פלחי) <refack@gmail.com>

* test: specialize OOM check for AIX

Assumption that if memory can be malloc()ed it can be used is not true
on AIX. Later access of the allocated pages can trigger SIGKILL if there
are insufficient VM pages.

Use psdanger() to better estimate available memory.

Fixes: https://github.com/nodejs/build/issues/1849

More info:
- https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/generalprogramming/sys_mem_alloc.html
- https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/p_bostechref/psdanger.html

Related to:
- https://github.com/nodejs/build/issues/1820#issuecomment-505998851
- https://github.com/nodejs/node/pull/28469
- https://github.com/nodejs/node/pull/28516

PR-URL: https://github.com/nodejs/node/pull/28857
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* src: move relative uptime init

PR-URL: https://github.com/nodejs/node/pull/28849
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

* http: reset parser.incoming when server response is finished

This resolves a memory leak for keep-alive connections with a naïve
approach.

Fixes: https://github.com/nodejs/node/issues/9668

PR-URL: https://github.com/nodejs/node/pull/28646
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>

* deps: remove backup files

PR-URL: https://github.com/nodejs/node/pull/28865
Reviewed-By: Richard Lau <riclau@uk.…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
crypto Issues and PRs related to the crypto subsystem. lib / src Issues and PRs related to general changes in the lib or src directory. semver-minor PRs that contain new features and should be released in the next minor version.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet