The V8 API it is based on is deprecated and scheduled for removal later
this year.  Remove it.

PR-URL: https://github.com/nodejs/node/pull/13295


Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Robert Jefe Lindstaedt <robert.lindstaedt@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/19679

Notable changes:

No additional commits.

Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the
latest releases for PPC little endian were built using GCC 4.9.X
instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are
doing this release to ensure that the hosted binaries are adhering to
our platform support contract.

Note that Node.js versions 10.X and later will be built with version
4.9.X or later of the GCC compiler, and it is possible that Node.js
version 8.X may be built on the 4.9.X compiler at a later time as the
stated minimum compiler requirement for Node.js version 8.X is 4.9.4.

Refs: https://github.com/nodejs/node/blob/v8.x/BUILDING.md
PR-URL: https://github.com/nodejs/node/pull/19679

PR-URL: https://github.com/nodejs-private/node-private/pull/112

This is a security release. All Node.js users should consult the
security release summary at:

https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160

Notable changes:

* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
  are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
  A malicious website could use a DNS rebinding attack to trick a web
  browser to bypass same-origin-policy checks and allow HTTP
  connections to localhost or to hosts on the local network,
  potentially to an open inspector port as a debugger, therefore
  gaining full code execution access. The inspector now only allows
  connections that have a browser `Host` value of `localhost` or
  `localhost6`.
* **Fix for `'path'` module regular expression denial of service
  (CVE-2018-7158)**: A regular expression used for parsing POSIX an
  Windows paths could be used to cause a denial of service if an
  attacker were able to have a specially crafted path string passed
  through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
  (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
  `Content-Length` header values. Such values now lead to rejected
  connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
  been added to the Node.js binary and 30 have been removed.

PR-URL: https://github.com/nodejs-private/node-private/pull/112

Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/108
PR-URL: https://github.com/nodejs-private/node-private/pull/102/


Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>

Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/108
PR-URL: https://github.com/nodejs-private/node-private/pull/102/


Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>

Remove the CNNIC certificates again and remove the whitelist from commit
3beb8807 ("crypto: add cert check to CNNIC Whitelist") from June 2015.

Backport-PR-URL: https://github.com/nodejs/node/pull/19633
PR-URL: https://github.com/nodejs/node/pull/19322


Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.

Certificates added:
- GDCA TrustAUTH R5 ROOT
- SSL.com EV Root Certification Authority ECC
- SSL.com EV Root Certification Authority RSA R2
- SSL.com Root Certification Authority ECC
- SSL.com Root Certification Authority RSA
- TrustCor ECA-1
- TrustCor RootCert CA-1
- TrustCor RootCert CA-2

Certificates removed:
- ACEDICOM Root
- AddTrust Low-Value Services Root
- AddTrust Public Services Root
- AddTrust ualified Certificates Root
- CA Disig Root R1
- Camerfirma Chambers of Commerce Root
- Camerfirma Global Chambersign Root
- CA WoSign ECC Root
- Certification Authority of WoSign G2
- Certinomis - Autorité Racine
- Certum Root CA
- China Internet Network Information Center EV Certificates Root
- CNNIC ROOT
- Comodo Secure Services root
- Comodo Trusted Services root
- DST ACES CA X6
- GeoTrust Global CA 2
- PSCProcert
- Security Communication EV RootCA1
- StartCom Certification Authority
- StartCom Certification Authority
- StartCom Certification Authority G2
- Swisscom Root CA 1
- Swisscom Root CA 2
- Swisscom Root EV CA 2
- TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3
- TURKTRUST Certificate Services Provider Root 2007
- UTN USERFirst Hardware Root CA
- WoSign
- WoSign China

Backport-PR-URL: https://github.com/nodejs/node/pull/19633
PR-URL: https://github.com/nodejs/node/pull/19322


Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

This is the certdata.txt[0] from NSS 3.36, released on 2018-03-05.

This is the version of NSS that will ship in Firefox 60 on 2018-05-01.

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_36_RTM/lib/ckfw/builtins/certdata.txt

Backport-PR-URL: https://github.com/nodejs/node/pull/19633
PR-URL: https://github.com/nodejs/node/pull/19322


Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.

Backport-PR-URL: https://github.com/nodejs/node/pull/19638
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836


Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

Reapply b9106137 .

Backport-PR-URL: https://github.com/nodejs/node/pull/19638
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389


Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html

iojs needs to stop using masm and move to nasm or yasm on Win32.

Backport-PR-URL: https://github.com/nodejs/node/pull/19638
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389


Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .

Backport-PR-URL: https://github.com/nodejs/node/pull/19638
Fixes: https://github.com/iojs/io.js/issues/589
PR-URL: https://github.com/iojs/io.js/pull/1389


Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>

All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.

PR-URL: https://github.com/nodejs/node/pull/19638


Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rod Vagg <rod@vagg.org>

This replaces all sources of openssl-1.0.2o.tar.gz into
deps/openssl/openssl

PR-URL: https://github.com/nodejs/node/pull/19638


Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rod Vagg <rod@vagg.org>

Original commit message follows:

    Before this commit `Content-Length: 4 2` was accepted as a valid
    header and recorded as `parser->content_length = 42`.  Now it is
    a parse error that fails with error `HPE_INVALID_CONTENT_LENGTH`.

    Downstream users that inspect `parser->content_length` and naively
    parse the string value using `strtoul()` might get confused by the
    discrepancy between the two values.  Resolve that by simply not
    letting it happen.

Fixes: https://github.com/nodejs-private/security/issues/178
PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1


Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>

PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1


Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>

PR-URL: https://github.com/nodejs/node/pull/18336

Notable changes:

* deps:
  * update V8 to 6.2.414.46 (Michaël Zasso) [#16413](https://github.com/nodejs/node/pull/16413)
  * revert ABI breaking changes in V8 6.2 (Anna Henningsen) [#16413](https://github.com/nodejs/node/pull/16413)
  * upgrade libuv to 1.19.1 (cjihrig) [#18260](https://github.com/nodejs/node/pull/18260)
  * re land npm 5.6.0 (Myles Borins) [#18625](https://github.com/nodejs/node/pull/18625)
  * ICU 60 bump (Steven R. Loomis) [#16876](https://github.com/nodejs/node/pull/16876)
* crypto:
  * Support both OpenSSL 1.1.0 and 1.0.2 (David Benjamin) [#16130](https://github.com/nodejs/node/pull/16130)
  * warn on invalid authentication tag length (Tobias Nießen) [#17566](https://github.com/nodejs/node/pull/17566)
* async_hooks:
  * update defaultTriggerAsyncIdScope for perf (Anatoli Papirovski) [#18004](https://github.com/nodejs/node/pull/18004)
  * use typed array stack as fast path (Anna Henningsen) [#17780](https://github.com/nodejs/node/pull/17780)
  * use scope for defaultTriggerAsyncId (Andreas Madsen) [#17273](https://github.com/nodejs/node/pull/17273)
  * separate missing from default context (Andreas Madsen) [#17273](https://github.com/nodejs/node/pull/17273)
  * rename initTriggerId (Andreas Madsen) [#17273](https://github.com/nodejs/node/pull/17273)
  * deprecate undocumented API (Andreas Madsen) [#16972](https://github.com/nodejs/node/pull/16972)
  * add destroy event for gced AsyncResources (Sebastian Mayr) [#16998](https://github.com/nodejs/node/pull/16998)
  * add trace events to async_hooks (Andreas Madsen) [#15538](https://github.com/nodejs/node/pull/15538)
  * set HTTPParser trigger to socket (Andreas Madsen) [#18003](https://github.com/nodejs/node/pull/18003)
  * add provider types for net server (Andreas Madsen) [#17157](https://github.com/nodejs/node/pull/17157)
* n-api:
  * add helper for addons to get the event loop (Anna Henningsen) [#17109](https://github.com/nodejs/node/pull/17109)
* cli:
  * add --stack-trace-limit to NODE_OPTIONS (Anna Henningsen) [#16495](https://github.com/nodejs/node/pull/16495)
* console:
  * add support for console.debug (Benjamin Zaslavsky) [#17033](https://github.com/nodejs/node/pull/17033)
* module:
  * add builtinModules (Jon Moss) [#16386](https://github.com/nodejs/node/pull/16386)
  * replace default paths in require.resolve() (cjihrig) [#17113](https://github.com/nodejs/node/pull/17113)
* src:
  * add helper for addons to get the event loop (Anna Henningsen) [#17109](https://github.com/nodejs/node/pull/17109)
  * add process.ppid (cjihrig) [#16839](https://github.com/nodejs/node/pull/16839)
* http:
  * support generic `Duplex` streams (Anna Henningsen) [#16267](https://github.com/nodejs/node/pull/16267)
  * add rawPacket in err of `clientError` event (XadillaX) [#17672](https://github.com/nodejs/node/pull/17672)
  * better support for IPv6 addresses (Mattias Holmlund) [#14772](https://github.com/nodejs/node/pull/14772)
* net:
  * remove ADDRCONFIG DNS hint on Windows (Bartosz Sosnowski) [#17662](https://github.com/nodejs/node/pull/17662)
* process:
  * fix reading zero-length env vars on win32 (Anna Henningsen) [#18463](https://github.com/nodejs/node/pull/18463)
* tls:
  * unconsume stream on destroy (Anna Henningsen) [#17478](https://github.com/nodejs/node/pull/17478)
* process:
  * improve unhandled rejection message (Madara Uchiha) [#17158](https://github.com/nodejs/node/pull/17158)
* stream:
  * remove usage of *State.highWaterMark (Calvin Metcalf) [#12860](https://github.com/nodejs/node/pull/12860)
* trace_events:
  * add executionAsyncId to init events (Andreas Madsen) [#17196](https://github.com/nodejs/node/pull/17196)

PR-URL: https://github.com/nodejs/node/pull/18336

PR-URL: https://github.com/nodejs/node/pull/18432


Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/18380


Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/18373


Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

lchown and lchownSync were opening file descriptors without
closing them. Looks like it has been that way for 7 years.
Does anyone actually use these functions?

PR-URL: https://github.com/nodejs/node/pull/18329


Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/18369
Fixes: https://github.com/nodejs/code-and-learn/issues/58


Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>

Update documentation of modules.md for require.resolve.paths()
to include the possibillity of null as a return value if
the request string given matches a core module name.

PR-URL: https://github.com/nodejs/node/pull/18350
Fixes: https://github.com/nodejs/node/issues/18230


Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/18343


Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/18331


Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Khaidi Chu <i@2333.moe>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>

PR-URL: https://github.com/nodejs/node/pull/18271
Fixes: https://github.com/nodejs/node/issues/17842


Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/18314


Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/18309


Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/18310
Fixes: https://github.com/nodejs/node/issues/18305
Refs: https://github.com/nodejs/node/pull/13424


Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>

assert.strictEqual message argument removed to replace
with default assert message to show the expected vs
actual values

PR-URL: https://github.com/nodejs/node/pull/18259
Refs: https://github.com/nodejs/node/issues/13296


Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: Jon Moss <me@jonathanmoss.me>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

Use upper case variant in text in compliance with RFC 2898.

PR-URL: https://github.com/nodejs/node/pull/18279


Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Vladimir Kurchatkin <vladimir.kurchatkin@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

chrome://traceing does not exist

PR-URL: https://github.com/nodejs/node/pull/18280


Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Jon Moss <me@jonathanmoss.me>
Reviewed-By: Michaël Zasso <targos@protonmail.com>