nodejs14/nodejs14.changes

-------------------------------------------------------------------
Fri Jun  4 22:12:29 UTC 2021 - Dirk Müller <dmueller@suse.com>

- update to 14.17.0:
  * Experimental support for AbortController and AbortSignal
  * Diagnostics channel (experimental module)
  * UUID support in the crypto module
  * update ICU to 68.1 
  * upgrade to libuv 1.41.0
- add Fix-build-with-icu-69.patch: fix build with icu 69

-------------------------------------------------------------------
Mon May 31 16:27:44 UTC 2021 - Adam Majer <adam.majer@suse.de>

- Use libalternatives instead of update-alternatives

-------------------------------------------------------------------
Wed Apr  7 12:35:34 UTC 2021 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.16.1:
  * CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    This is a vulnerability in the y18n npm module which may be
    exploited by prototype pollution. You can read more about it in
    https://github.com/advisories/GHSA-c4w7-xm78-47vh
    (bsc#1184450)
  * deps: upgrade npm to 6.14.12

- versioned.patch: refreshed

-------------------------------------------------------------------
Tue Feb 23 14:46:06 UTC 2021 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.16.0:
  * CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service
    by resource exhaustion (bsc#1182619)
  * CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)

-------------------------------------------------------------------
Wed Feb 17 17:33:25 UTC 2021 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.15.5:
  * deps: 
    + upgrade npm to 6.14.11
    + V8: backport dfcf1e86fac0 #37245
    Note: Node.js is not believed to be vulnerable to CVE-2021-21148
  * stream,zlib: do not use _stream_* anymore

- relax OpenSSL cipher suite policies for unit tests
 
-------------------------------------------------------------------
Mon Jan  4 19:27:41 UTC 2021 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.15.4:
  * CVE-2020-8265: use-after-free in TLSWrap (High) bug in TLS
    implementation. When writing to a TLS enabled socket,
    node::StreamBase::Write calls node::TLSWrap::DoWrite with
    a freshly allocated WriteWrap object as first argument.
    If the DoWrite method does not return an error, this object is
    passed back to the caller as part of a StreamWriteResult structure.
    This may be exploited to corrupt memory leading to a
    Denial of Service or potentially other exploits (bsc#1180553)
  * CVE-2020-8287: HTTP Request Smuggling allow two copies of a
    header field in a http request. For example, two Transfer-Encoding
    header fields. In this case Node.js identifies the first header
    field and ignores the second. This can lead to HTTP Request
    Smuggling (https://cwe.mitre.org/data/definitions/444.html).
    (bsc#1180554)

-------------------------------------------------------------------
Mon Dec 21 12:37:16 UTC 2020 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.15.3:
  * deps:
    + upgrade npm to 6.14.9
    + update acorn to v8.0.4
  * http2: check write not scheduled in scope destructor
  * stream: fix regression on duplex end

- versioned.patch, sle12_python3_compat.patch: refreshed

-------------------------------------------------------------------
Mon Nov 30 19:44:30 UTC 2020 - Adam Majer <adam.majer@suse.de>

- openssl_binary_detection.patch: fixes unit tests on SLE12

-------------------------------------------------------------------
Mon Nov 23 16:06:15 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update Requires: so -devel requires npm
- Rely on rpmbuild to define necessary python dependencies

-------------------------------------------------------------------
Thu Nov 19 11:42:09 UTC 2020 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.15.1:
  * deps: Denial of Service through DNS request (High).
  A Node.js application that allows an attacker to trigger a DNS
  request for a host of their choice could trigger a Denial of Service
  by getting the application to resolve a DNS record with
  a larger number of responses (bsc#1178882, CVE-2020-8277)

-------------------------------------------------------------------
Thu Oct 29 10:12:54 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to LTS version 14.15.0: (jsc#SLE-15774)
  * no major changes
  * test: reverts marking test-webcrypto-encrypt-decrypt-aes flaky

-------------------------------------------------------------------
Tue Oct 20 14:23:42 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Use SLE OpenSSL version with 12-SP4+, and not just 12-SP5+
- Bump mininum ICU version to 65

-------------------------------------------------------------------
Fri Oct 16 11:54:33 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.14.0:
  * fs: add rm method
  * http: allow passing array of key/val into writeHead
  * src: expose v8::Isolate setup callbacks

- sle12_python3_compat.patch: refreshed

-------------------------------------------------------------------
Thu Oct  8 15:12:05 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.13.1:
  * fs: rmdir recursive is no longer considered experimental

- fix_ci_tests.patch: add support to SUSE's ECDH backport errors
  in SLE's openssl

-------------------------------------------------------------------
Tue Oct  6 11:30:37 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.13.0:
  * deps: upgrade to libuv 1.40.0 #35333
  * module: named exports for CJS via static analysis #35249
  * module: exports pattern support #34718
  * src: allow N-API addon in AddLinkedBinding()

-------------------------------------------------------------------
Thu Sep 24 19:04:31 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.12.0:
  * n-api:
    + create N-API version 7
    + add more property defaults

- Changes since version 14.9.0
  * deps:
    + update llhttp to 2.1.2 (bsc#1176605, CVE-2020-8201)
    + http: add requestTimeout. Fixes Denial of Service by
      resource exhaustion due to unfinished HTTP/1.1 requests
      (bsc#1176604, CVE-2020-8251)
    + buffer: also alias BigUInt methods
    + crypto: add randomInt function
    + perf_hooks: add idleTime and event loop util
    + stream: simpler and faster Readable async iterator
    + stream: save error in state

-------------------------------------------------------------------
Wed Sep  2 10:44:47 UTC 2020 - Adam Majer <adam.majer@suse.de>

- old_icu.patch: re-add support for ICU 65 from SLE15 SP2
- fix_ci_tests.patch: move debug symbol strip for testing to the Makefile

-------------------------------------------------------------------
Fri Aug 28 10:39:52 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.9.0:
  * build: set --v8-enable-object-print by default (Mary Marchini) #34705
  * deps:
    + upgrade to libuv 1.39.0 (cjihrig) #34915
    + upgrade npm to 6.14.8 (Ruy Adorno) #34834
    + V8: cherry-pick e06ace6b5cdb (Anna Henningsen) #34673
  * n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) #34839
  * tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) #34378

- Changes in version 14.8.0:
  * async_hooks: add AsyncResource.bind utility (James M Snell) #34574
  * deps: update to uvwasi 0.0.10 (Colin Ihrig) #34623
  * module: unflag Top-Level Await (Myles Borins) #34558
  * n-api: support type-tagging objects (Gabriel Schulhof) #28237
  * n-api,src: provide asynchronous cleanup hooks (Anna Henningsen) #34572

- versioned.patch: refreshed
- linker_lto_jobs.patch: refreshed

-------------------------------------------------------------------
Mon Aug 10 16:38:15 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation
  on Aarch64 with gcc10 (bsc#1172686)

-------------------------------------------------------------------
Mon Aug  3 12:20:57 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.7.0:
  * deps: upgrade npm to 6.14.7
  * dgram: add IPv6 scope id suffix to received udp6 dgrams
  * src:
    + allow preventing SetPromiseRejectCallback #34387
    + allow setting a dir for all diagnostic output #33584
  * worker: make MessagePort inherit from EventTarget #34057
  * zlib: switch to lazy init for zlib streams (Andrey Pechkurov) #34048

-------------------------------------------------------------------
Tue Jul 28 07:13:57 UTC 2020 - Dirk Mueller <dmueller@suse.com>

- avoid rpmbuild warnings on if/else/endif constructs

-------------------------------------------------------------------
Wed Jul 22 12:52:50 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.6.0:
  * deps:
    + upgrade to libuv 1.38.1
    + upgrade npm to 6.14.6 fixing information leak through
      log files (bsc#1173937, CVE-2020-15095)
    + update V8 to 8.4.371.19
  * module:
    + doc only deprecation of module.parent
    + package "imports" field
  * src: allow embedders to disable esm loader
  * tls: make 'createSecureContext' honor more options
  * vm: add run-after-evaluate microtask mode
  * worker: add option to track unmanaged file descriptors

- versioned.patch - refreshed

-------------------------------------------------------------------
Thu Jul  2 20:51:30 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.5.0:
  * deps: V8 engine is updated to version 8.3. For details, see
    https://v8.dev/blog/v8-release-83
  * events: experimental implementation of EventTarget

For details, see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.5.0

- sle12_python3_compat.patch: refreshed
- fix_ci_tests.patch: refreshed

-------------------------------------------------------------------
Tue Jun  9 11:45:55 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Add Require for nodejs14 when intalling npm14. (bsc#1172728)

-------------------------------------------------------------------
Thu Jun  4 12:03:49 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.4.0:
  * napi: fix various types of memory corruption in napi_get_value_string_*()
    (CVE-2020-8174, bsc#1172443)
  * http2: fix HTTP/2 Large Settings Frame DoS
    (CVE-2020-11080, bsc#1172442)
  * TLS session reuse can lead to host certificate verification bypass
    (CVE-2020-8172, bsc#1172441)

-------------------------------------------------------------------
Fri May 29 10:46:58 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.3.0:
  * repl: previews improvements with autocompletion
  * it's now possible to use the await keyword outside of async functions,
    with the --experimental-top-level-await flag

- Changes in version 14.2.0:
  * console: Support for console constructor groupIndentation options

- skip_no_console.patch: refreshed
- versioned.patch, fix_ci_tests.patch: refreshed

-------------------------------------------------------------------
Thu Apr 30 11:22:45 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.1.0:
  * deps: upgrade openssl sources to 1.1.1g (SLE-12 only)
  * http: doc deprecate abort and improve docs
  * module: do not warn when accessing __esModule of unfinished exports
  * n-api: detect deadlocks in thread-safe function
  * src: deprecate embedder APIs with replacements
  * stream:
    + don't emit end after close
    + don't wait for close on legacy streams
    + pipeline should only destroy un-finished streams
  * vm: add importModuleDynamically option to compileFunction

skip_no_console.patch: add more unit tests that fail on dumb terminals

-------------------------------------------------------------------
Mon Apr 27 13:35:05 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Initial version 14.0.0

 Deprecations

 * crypto: move pbkdf2 without digest to EOL
 * fs: deprecate closing FileHandle on garbage collection
 * http: move OutboundMessage.prototype.flush to EOL
 * lib: move GLOBAL and root aliases to EOL
 * os: move tmpDir() to EOL
 * src: remove deprecated wasm type check
 * stream: move _writableState.buffer to EOL
 * doc: deprecate process.mainModule
 * doc: deprecate process.umask() with no arguments

For a detailed list of changes, see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.0.0