Version 0.7.12

2012.06.19, Version 0.7.12 (unstable)

This is the last release on the 0.7 branch. Version 0.8.0 will be released some time later this week, barring any major problems.

As with other even-numbered Node releases before it, the v0.8.x releases will maintain API and binary compatibility.

The major changes between v0.6 and v0.8 are detailed in https://github.com/joyent/node/wiki/API-changes-between-v0.6-and-v0.8

Please try out this release. There will be virtually no changes between this and the v0.8.x release family. This is the last chance to comment before it is locked down for stability. The API is effectively frozen now.

This version adds backwards-compatible shims for binary addons that use libeio and libev directly. If you find that binary modules that could compile on v0.6 can not compile on this version, please let us know. Note that libev is officially deprecated in v0.8, and will be removed in v0.9. You should be porting your modules to use libuv as soon as possible.

V8 is on 3.11.10 currently, and will remain on the V8 3.11.x branch for the duration of Node v0.8.x.

  • npm: Upgrade to 1.1.30
    – Improved 'npm init'
    – Fix the 'cb never called' error from 'outdated' and 'update'
    – Add --save-bundle|-B config
    – Fix isaacs/npm#2465: Make npm script and windows shims cygwin-aware
    – Fix isaacs/npm#2452 Use --save(-dev|-optional) in npm rm
    – logstream option to replace removed logfd (Rod Vagg)
    – Read default descriptions from README.md files

  • Shims to support deprecated ev_* and eio_* methods (Ben Noordhuis)

  • #3118 net.Socket: Delay pause/resume until after connect (isaacs)

  • #3465 Add ./configure --no-ifaddrs flag (isaacs)

  • child_process: add .stdin stream to forks (Fedor Indutny)

  • build: fix make install DESTDIR=/path (Ben Noordhuis)

  • tls: fix off-by-one error in renegotiation check (Ben Noordhuis)

  • crypto: Fix diffie-hellman key generation UTF-8 errors (Fedor Indutny)

  • node: change the constructor name of process from EventEmitter to process (Andreas Madsen)

  • net: Prevent property access throws during close (Reid Burke)

  • querystring: improved speed and code cleanup (Felix Böhm)

  • sunos: fix assertion errors breaking fs.watch() (Fedor Indutny)

  • unix: stat: detect sub-second changes (Ben Noordhuis)

  • add stat() based file watcher (Ben Noordhuis)

Source Code: http://nodejs.org/dist/v0.7.12/node-v0.7.12.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.7.12/node-v0.7.12.pkg

Windows Installer: http://nodejs.org/dist/v0.7.12/node-v0.7.12-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.7.12/x64/node-v0.7.12-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.7.12/x64/

Other release files: http://nodejs.org/dist/v0.7.12/

Website: http://nodejs.org/docs/v0.7.12/

Documentation: http://nodejs.org/docs/v0.7.12/api/

Posted in release | Leave a comment

Version 0.7.11 (unstable)

This is the most stable 0.7 release yet. Please try it out.

Version 0.8 will be out very soon. You can follow the remaining issues
on the github issue tracker.

https://github.com/joyent/node/issues?milestone=10&state=open

2012.06.15, Version 0.7.11 (unstable)

  • V8: Upgrade to v3.11.10

  • npm: Upgrade to 1.1.26

  • doc: Improve cross-linking in API docs markdown (Ben Kelly)

  • Fix #3425: removeAllListeners should delete array (Reid Burke)

  • cluster: don't silently drop messages when the write queue gets big (Bert Belder)

  • Add Buffer.concat method (isaacs)

  • windows: make symlinks tolerant to forward slashes (Bert Belder)

  • build: Add node.d and node.1 to installer (isaacs)

  • cluster: rename worker.uniqueID to worker.id (Andreas Madsen)

  • Windows: Enable ETW events on Windows for existing DTrace probes. (Igor Zinkovsky)

  • test: bundle node-weak in test/gc so that it doesn't need to be downloaded (Nathan Rajlich)

  • Make many tests pass on Windows (Bert Belder)

  • Fix #3388 Support listening on file descriptors (isaacs)

  • Fix #3407 Add os.tmpDir() (isaacs)

  • Unbreak the snapshotted build on Windows (Bert Belder)

  • Clean up child_process.kill throws (Bert Belder)

  • crypto: make cipher/decipher accept buffer args (Ben Noordhuis)

Source Code: http://nodejs.org/dist/v0.7.11/node-v0.7.11.tar.gz

Macintosh Installer (Universal): http://nodejs.org/dist/v0.7.11/node-v0.7.11.pkg

Windows Installer: http://nodejs.org/dist/v0.7.11/node-v0.7.11-x86.msi

Windows x64 Installer: http://nodejs.org/dist/v0.7.11/node-v0.7.11-x64.msi

Windows x64 Files: http://nodejs.org/dist/v0.7.11/x64/

Other release files: http://nodejs.org/dist/v0.7.11/

Website: http://nodejs.org/docs/v0.7.11/

Documentation: http://nodejs.org/docs/v0.7.11/api/

Posted in release | Leave a comment

Version 0.7.10 (unstable)

2012.06.11, Version 0.7.10 (unstable)

This is the second-to-last release on the 0.7 branch. Version 0.8.0
will be released some time next week. As with other even-numbered Node
releases before it, the v0.8.x releases will maintain API and binary
compatibility.

The major changes are detailed in
https://github.com/joyent/node/wiki/API-changes-between-v0.6-and-v0.8

Please try out this release. There will be very few changes between
this and the v0.8.x release family. This is the last chance to comment
on the API before it is locked down for stability.

  • Roll V8 back to 3.9.24.31

  • build: x64 target should always pass -m64 (Robert Mustacchi)

  • add NODE_EXTERN to node::Start (Joel Brandt)

  • repl: Warn about running npm commands (isaacs)

  • slab_allocator: fix crash in dtor if V8 is dead (Ben Noordhuis)

  • slab_allocator: fix leak of Persistent handles (Shigeki Ohtsu)

  • windows/msi: add node.js prompt to startmenu (Jeroen Janssen)

  • windows/msi: fix adding node to PATH (Jeroen Janssen)

  • windows/msi: add start menu links when installing (Jeroen Janssen)

  • windows: don't install x64 version into the 'program files (x86)' folder (Matt Gollob)

  • domain: Fix #3379 domain.intercept no longer passes error arg to cb (Marc Harter)

  • fs: make callbacks run in global context (Ben Noordhuis)

  • fs: enable fs.realpath on windows (isaacs)

  • child_process: expose UV_PROCESS_DETACHED as options.detached (Charlie McConnell)

  • child_process: new stdio API for .spawn() method (Fedor Indutny)

  • child_process: spawn().ref() and spawn().unref() (Fedor Indutny)

  • Upgrade npm to 1.1.25

    • Enable npm link on windows
    • Properly remove sh-shim on Windows
    • Abstract out registry client and logger

Source Code: http://nodejs.org/dist/v0.7.10/node-v0.7.10.tar.gz

Windows Installer: http://nodejs.org/dist/v0.7.10/node-v0.7.10.msi

Windows x64 Files: http://nodejs.org/dist/v0.7.10/x64/

Macintosh Installer (Universal): http://nodejs.org/dist/v0.7.10/node-v0.7.10.pkg

Other release files: http://nodejs.org/dist/v0.7.10/

Website: http://nodejs.org/docs/v0.7.10/

Documentation: http://nodejs.org/docs/v0.7.10/api/

Posted in release | Leave a comment

Node Version 0.6.19 (stable)

2012.06.06 Version 0.6.19 (stable)

  • npm: upgrade to 1.1.24

  • fs: no end emit after createReadStream.pause() (Andreas Madsen)

  • vm: cleanup module memory leakage (Marcel Laverdet)

  • unix: fix loop starvation under high network load (Ben Noordhuis)

  • unix: remove abort() in ev_unref() (Ben Noordhuis)

  • windows/tty: never report error after forcibly aborting line-buffered read (Bert Belder)

  • windows: skip GetFileAttributes call when opening a file (Bert Belder)

Source Code: http://nodejs.org/dist/v0.6.19/node-v0.6.19.tar.gz

Windows Installer: http://nodejs.org/dist/v0.6.19/node-v0.6.19.msi

Windows x64 Files: http://nodejs.org/dist/v0.6.19/x64/

Macintosh Installer (Universal): http://nodejs.org/dist/v0.6.19/node-v0.6.19.pkg

Other release files: http://nodejs.org/dist/v0.6.19/

Website: http://nodejs.org/docs/v0.6.19/

Documentation: http://nodejs.org/docs/v0.6.19/api/

Posted in release | Leave a comment

Node Version 0.7.9 (unstable)

2012.05.28, Version 0.7.9 (unstable)

  • Upgrade V8 to 3.11.1

  • Upgrade npm to 1.1.23

  • uv: rework reference counting scheme (Ben Noordhuis)

  • uv: add interface for joining external event loops (Bert Belder)

  • repl, readline: Handle Ctrl+Z and SIGCONT better (Nathan Rajlich)

  • fs: 64bit offsets for fs calls (Igor Zinkovsky)

  • fs: add sync open flags 'rs' and 'rs+' (Kevin Bowman)

  • windows: enable creating directory junctions with fs.symlink (Igor Zinkovsky, Bert Belder)

  • windows: fix fs.lstat to properly detect symlinks. (Igor Zinkovsky)

  • Fix #3270 Escape url.parse delims (isaacs)

  • http: make http.get() accept a URL (Adam Malcontenti-Wilson)

  • Cleanup vm module memory leakage (Marcel Laverdet)

  • Optimize writing strings with Socket.write (Bert Belder)

  • add support for CESU-8 and UTF-16LE encodings (koichik)

  • path: add path.sep to get the path separator. (Yi, EungJun)

  • net, http: add backlog parameter to .listen() (Erik Dubbelboer)

  • debugger: support mirroring Date objects (Fedor Indutny)

  • addon: add AtExit() function (Ben Noordhuis)

  • net: signal localAddress bind failure in connect (Brian Schroeder)

  • util: handle non-string return value in .inspect() (Alex Kocharin)

Source Code: http://nodejs.org/dist/v0.7.9/node-v0.7.9.tar.gz

Windows Installer: http://nodejs.org/dist/v0.7.9/node-v0.7.9.msi

Windows x64 Files: http://nodejs.org/dist/v0.7.9/x64/

Macintosh Installer (Universal): http://nodejs.org/dist/v0.7.9/node-v0.7.9.pkg

Other release files: http://nodejs.org/dist/v0.7.9/

Website: http://nodejs.org/docs/v0.7.9/

Documentation: http://nodejs.org/docs/v0.7.9/api/

Posted in release | Leave a comment

Version 0.6.18 (stable)

2012.05.15 Version 0.6.18 (stable)

  • windows: skip GetFileAttributes call when opening a file (Bert Belder)

  • crypto: add PKCS12/PFX support (Sambasiva Suda)

  • #3240: child_process: delete NODE_CHANNEL_FD from env in spawn (Ben Noordhuis)

  • windows: add test for path.normalize with UNC paths (Bert Belder)

  • windows: make path.normalize convert all slashes to backslashes (Bert Belder)

  • fs: Automatically close FSWatcher on error (Bert Belder)

  • #3258: fs.ReadStream.pause() emits duplicate data event (koichik)

  • pipe_wrap: don't assert() on pipe accept errors (Ben Noordhuis)

  • Better exception output for module load and process.nextTick (Felix Geisendörfer)

  • zlib: fix error reporting (Ben Noordhuis)

  • http: Don't destroy on timeout (isaacs)

  • #3231: http: Don't try to emit error on a null'ed req object (isaacs)

  • #3236: http: Refactor ClientRequest.onSocket (isaacs)

Source Code: http://nodejs.org/dist/v0.6.18/node-v0.6.18.tar.gz

Windows Installer: http://nodejs.org/dist/v0.6.18/node-v0.6.18.msi

Windows x64 Files: http://nodejs.org/dist/v0.6.18/x64/

Macintosh Installer (Universal): http://nodejs.org/dist/v0.6.18/node-v0.6.18.pkg

Other release files: http://nodejs.org/dist/v0.6.18/

Website: http://nodejs.org/docs/v0.6.18/

Documentation: http://nodejs.org/docs/v0.6.18/api/

Posted in release | Leave a comment

Bryan Cantrill: Instrumenting the Real Time Web

Bryan Cantrill, VP of Engineering at Joyent, describes the challenges of instrumenting a distributed, dynamic, highly virtualized system — and what their experiences taught them about the problem, the technologies used to tackle it, and promising approaches.

This talk was given at Velocity Conf in 2011.

Posted in video | 3 Comments

HTTP Server Security Vulnerability: Please upgrade to 0.6.17

tl;dr

  • A carefully crafted attack request can cause the contents of the HTTP parser’s buffer to be appended to the attacking request’s header, making it appear to come from the attacker. Since it is generally safe to echo back contents of a request, this can allow an attacker to get an otherwise correctly designed server to divulge information about other requests. It is theoretically possible that it could enable header-spoofing attacks, though such an attack has not been demonstrated.

  • Versions affected: All versions of the 0.5/0.6 branch prior to 0.6.17, and all versions of the 0.7 branch prior to 0.7.8. Versions in the 0.4 branch are not affected.
  • Fix: Upgrade to v0.6.17, or apply the fix in c9a231d to your system.

Details

A few weeks ago, Matthew Daley found a security vulnerability in Node's HTTP implementation, and thankfully did the responsible thing and reported it to us via email. He explained it quite well, so I’ll quote him here:

There is a vulnerability in node's http_parser binding which allows information disclosure to a remote attacker:

In node::StringPtr::Update, an attempt is made at an optimization on certain inputs (node_http_parser.cc, line 151). The intent is that if the current string pointer plus the current string size is equal to the incoming string pointer, the current string size is just increased to match, as the incoming string lies just beyond the current string pointer. However, the check to see whether or not this can be done is incorrect; "size" is used whereas "size_" should be used. Therefore, an attacker can call Update with a string of certain length and cause the current string to have other data appended to it. In the case of HTTP being parsed out of incoming socket data, this can be incoming data from other sockets.

Normally node::StringPtr::Save, which is called after each execution of http_parser, would stop this from being exploitable as it converts strings to non-optimizable heap-based strings. However, this is not done to 0-length strings. An attacker can therefore exploit the mistake by making Update set a 0-length string, and then Update past its boundary, so long as it is done in one http_parser execution. This can be done with an HTTP header with empty value, followed by a continuation with a value of certain length.

The attached files demonstrate the issue:

$ ./node ~/stringptr-update-poc-server.js &
[1] 11801
$ ~/stringptr-update-poc-client.py
HTTP/1.1 200 OK
Content-Type: text/plain
Date: Wed, 18 Apr 2012 00:05:11 GMT
Connection: close
Transfer-Encoding: chunked

64
X header:
 This is private data, perhaps an HTTP request with a Cookie in it.
0

The fix landed on 7b3fb22 and c9a231d, for master and v0.6, respectively. The innocuous commit message does not give away the security implications, precisely because we wanted to get a fix out before making a big deal about it.

The first releases with the fix are v0.7.8 and 0.6.17. So now is a good time to make a big deal about it.

If you are using node version 0.6 in production, please upgrade to at least v0.6.17, or at least apply the fix in c9a231d to your system. (Version 0.6.17 also fixes some other important bugs, and is without doubt the most stable release of Node 0.6 to date, so it's a good idea to upgrade anyway.)

I'm extremely grateful that Matthew took the time to report the problem to us with such an elegant explanation, and in such a way that we had a reasonable amount of time to fix the issue before making it public.
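
The adjacency check described in the report, with the flawed comparison next to the corrected one. This is an added C++ example, a simplified model and not node's source; StringPtrModel, Collect and the sample buffer are constructed for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Simplified model (not node's source) of a pointer+length view that grows
// as a parser hands it successive pieces of one receive buffer.
struct StringPtrModel {
  const char* str = nullptr;  // start of the view
  size_t size = 0;            // bytes accumulated so far
  std::string heap;           // private copy, used once pieces are not adjacent
  bool on_heap = false;

  // flawed=true tests adjacency with the incoming length (the mistake the
  // report describes); flawed=false uses the stored length.
  void Update(const char* in, size_t in_size, bool flawed) {
    if (str == nullptr) {
      str = in;
    } else if (on_heap || str + (flawed ? in_size : size) != in) {
      // Not adjacent: copy what we have plus the new piece.
      if (!on_heap) heap.assign(str, size);
      heap.append(in, in_size);
      on_heap = true;
      str = heap.data();
    }  // otherwise adjacent: zero-copy, only the length grows below
    size += in_size;
  }
  std::string Value() const { return str ? std::string(str, size) : ""; }
};

using Piece = std::pair<size_t, size_t>;  // (offset into buffer, length)

// Feed the pieces to the model; return the value and whether it copied.
std::string Collect(const std::string& buf, const std::vector<Piece>& pieces,
                    bool flawed, bool* copied = nullptr) {
  StringPtrModel s;
  for (const Piece& p : pieces) s.Update(buf.data() + p.first, p.second, flawed);
  if (copied) *copied = s.on_heap;
  return s.Value();
}

// Constructed sample: 2 bytes, 5 bytes that are not part of the value, then
// the 5-byte value itself.
const std::string kBuf = "H:OTHERhello";
// Zero-length piece at offset 2, then a 5-byte piece 5 bytes further on.
const std::vector<Piece> kGapped = {{2, 0}, {7, 5}};
// Two truly adjacent pieces of the value: "he" + "llo".
const std::vector<Piece> kAdjacent = {{7, 2}, {9, 3}};

int main() {
  for (bool flawed : {true, false}) {
    bool copied = false;
    std::string v = Collect(kBuf, kGapped, flawed, &copied);
    std::cout << (flawed ? "flawed" : "fixed ") << " gapped:   '" << v
              << "' copied=" << copied << "\n";
    v = Collect(kBuf, kAdjacent, flawed, &copied);
    std::cout << (flawed ? "flawed" : "fixed ") << " adjacent: '" << v
              << "' copied=" << copied << "\n";
  }
  return 0;
}
```

With the flawed check the gapped pieces are treated as adjacent and the view covers bytes that were never passed to Update; the corrected check copies instead and returns only the value. For truly adjacent pieces the corrected check stays zero-copy, while the flawed one falls back to a copy.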

Posted in vulnerability | 11 Comments

Version 0.6.17 (stable)

2012.05.04 Version 0.6.17 (stable)

  • Upgrade npm to 1.1.21

  • uv: Add support for EROFS errors (Ben Noordhuis, Maciej Małecki)

  • uv: Add support for EIO and ENOSPC errors (Fedor Indutny)

  • windows: Add support for EXDEV errors (Bert Belder)

  • http: Fix client memory leaks (isaacs, Vincent Voyer)

  • fs: fix file descriptor leak in sync functions (Ben Noordhuis)

  • fs: fix ReadStream / WriteStream double close bug (Ben Noordhuis)

Source Code: http://nodejs.org/dist/v0.6.17/node-v0.6.17.tar.gz

Windows Installer: http://nodejs.org/dist/v0.6.17/node-v0.6.17.msi

Windows x64 Files: http://nodejs.org/dist/v0.6.17/x64/

Macintosh Installer (Universal): http://nodejs.org/dist/v0.6.17/node-v0.6.17.pkg

Other release files: http://nodejs.org/dist/v0.6.17/

Website: http://nodejs.org/docs/v0.6.17/

Documentation: http://nodejs.org/docs/v0.6.17/api/

Posted in release | 3 Comments

multi-server continuous deployment with fleet

This is a guest post by James “SubStack” Halliday, originally posted on his blog, and reposted here with permission.

Writing applications as a sequence of tiny services that all talk to each other over the network has many upsides, but it can be annoyingly tedious to get all the subsystems up and running.

Running a seaport can help with getting all the services to talk to each other, but running the processes is another matter, especially when you have new code to push into production.

fleet aims to make it really easy for anyone on your team to push new code from git to an armada of servers and manage all the processes in your stack.

To start using fleet, just install the fleet command with npm:

$ npm install -g fleet 

Then on one of your servers, start a fleet hub. From a fresh directory, give it a passphrase and a port to listen on:

$ fleet hub --port=7000 --secret=beepboop 

Now fleet is listening on :7000 for commands and has started a git server on :7001 over http. There are no ssh keys or post commit hooks to configure, just run that command and you’re ready to go!

Next set up some worker drones to run your processes. You can have as many workers as you like on a single server but each worker should be run from a separate directory. Just do:

$ fleet drone --hub=x.x.x.x:7000 --secret=beepboop 

where x.x.x.x is the address where the fleet hub is running. Spin up a few of these drones.

Now navigate to the directory of the app you want to deploy. First set a remote so you don’t need to type --hub and --secret all the time.

$ fleet remote add default --hub=x.x.x.x:7000 --secret=beepboop 

Fleet just created a fleet.json file for you to save your settings.

From the same app directory, to deploy your code just do:

$ fleet deploy 

The deploy command does a git push to the fleet hub’s git http server and then the hub instructs all the drones to pull from it. Your code gets checked out into a new directory on all the fleet drones every time you deploy.

Because fleet is designed specifically for managing applications with lots of tiny services, the deploy command isn’t tied to running any processes. Starting processes is up to the programmer but it’s super simple. Just use the fleet spawn command:

$ fleet spawn -- node server.js 8080 

By default fleet picks a drone at random to run the process on. You can specify which drone you want to run a particular process on with the --drone switch if it matters.

Start a few processes across all your worker drones and then show what is running with the fleet ps command:

$ fleet ps
drone#3dfe17b8
├─┬ pid#1e99f4
│ ├── status:   running
│ ├── commit:   webapp/1b8050fcaf8f1b02b9175fcb422644cb67dc8cc5
│ └── command:  node server.js 8888
└─┬ pid#d7048a
  ├── status:   running
  ├── commit:   webapp/1b8050fcaf8f1b02b9175fcb422644cb67dc8cc5
  └── command:  node server.js 8889

Now suppose that you have new code to push out into production. By default, fleet lets you spin up new services without disturbing your existing services. If you fleet deploy again after checking in some new changes to git, the next time you fleet spawn a new process, that process will be spun up in a completely new directory based on the git commit hash. To stop a process, just use fleet stop.

This approach lets you verify that the new services work before bringing down the old services. You can even start experimenting with heterogeneous and incremental deployment by hooking into a custom http proxy!

Even better, if you use a service registry like seaport for managing the host/port tables, you can spin up new ad-hoc staging clusters all the time without disrupting the normal operation of your site before rolling out new code to users.

Fleet has many more commands that you can learn about with its git-style manpage-based help system! Just do fleet help to get a list of all the commands you can run.

$ fleet help
Usage: fleet <command> [<args>]

The commands are:
  deploy   Push code to drones.
  drone    Connect to a hub as a worker.
  exec     Run commands on drones.
  hub      Create a hub for drones to connect.
  monitor  Show service events system-wide.
  ps       List the running processes on the drones.
  remote   Manage the set of remote hubs.
  spawn    Run services on drones.
  stop     Stop processes running on drones.

For help about a command, try `fleet help <command>`.

npm install -g fleet and check out the code on github!

Posted in module | Leave a comment