Node v12.15.0 (LTS)

Notable changes

This is a security release.

Vulnerabilities fixed:

CVE-2019-15606 : HTTP header values do not have trailing OWS trimmed.

: HTTP header values do not have trailing OWS trimmed. CVE-2019-15605 : HTTP request smuggling using malformed Transfer-Encoding header.

: HTTP request smuggling using malformed Transfer-Encoding header. CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.

Commits

[ 209767c7a2 ] - benchmark : support optional headers with wrk (Sam Roberts) nodejs-private/node-private#189

] - : support optional headers with wrk (Sam Roberts) nodejs-private/node-private#189 [ 02c8905051 ] - crypto : fix assertion caused by unsupported ext (Fedor Indutny) nodejs-private/node-private#175

] - : fix assertion caused by unsupported ext (Fedor Indutny) nodejs-private/node-private#175 [ 25d6011912 ] - deps : update llhttp to 2.0.4 (Beth Griggs) nodejs-private/llhttp-private#1

] - : update llhttp to 2.0.4 (Beth Griggs) nodejs-private/llhttp-private#1 [ 8162f0e194 ] - deps : upgrade http-parser to v2.9.3 (Sam Roberts) nodejs-private/http-parser-private#4

] - : upgrade http-parser to v2.9.3 (Sam Roberts) nodejs-private/http-parser-private#4 [ d41314ef99 ] - (SEMVER-MINOR) deps : upgrade http-parser to v2.9.1 (Sam Roberts) #30473

] - : upgrade http-parser to v2.9.1 (Sam Roberts) #30473 [ 7fc565666c ] - (SEMVER-MINOR) http : make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) #31448

] - : make --insecure-http-parser configurable per-stream or per-server (Anna Henningsen) #31448 [ 496736ff78 ] - (SEMVER-MINOR) http : opt-in insecure HTTP header parsing (Sam Roberts) #30567

] - : opt-in insecure HTTP header parsing (Sam Roberts) #30567 [ 76fd8910e9 ] - http : strip trailing OWS from header values (Sam Roberts) nodejs-private/node-private#189

] - : strip trailing OWS from header values (Sam Roberts) nodejs-private/node-private#189 [ 9cd155eb4a ] - test : using TE to smuggle reqs is not possible (Sam Roberts) nodejs-private/node-private#192

] - : using TE to smuggle reqs is not possible (Sam Roberts) nodejs-private/node-private#192 [ ab1fcb89cb ] - test: check that --insecure-http-parser works (Sam Roberts) #31253

Windows 32-bit Installer: https://nodejs.org/dist/v12.15.0/node-v12.15.0-x86.msi

Windows 64-bit Installer: https://nodejs.org/dist/v12.15.0/node-v12.15.0-x64.msi

Windows 32-bit Binary: https://nodejs.org/dist/v12.15.0/win-x86/node.exe

Windows 64-bit Binary: https://nodejs.org/dist/v12.15.0/win-x64/node.exe

macOS 64-bit Installer: https://nodejs.org/dist/v12.15.0/node-v12.15.0.pkg

macOS 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-darwin-x64.tar.gz

Linux 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-linux-x64.tar.xz

Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-linux-ppc64le.tar.xz

Linux s390x 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-linux-s390x.tar.xz

AIX 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-aix-ppc64.tar.gz

SmartOS 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-sunos-x64.tar.xz

ARMv7 32-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-linux-armv7l.tar.xz

ARMv8 64-bit Binary: https://nodejs.org/dist/v12.15.0/node-v12.15.0-linux-arm64.tar.xz

Source Code: https://nodejs.org/dist/v12.15.0/node-v12.15.0.tar.gz

Other release files: https://nodejs.org/dist/v12.15.0/

Documentation: https://nodejs.org/docs/v12.15.0/api/

SHASUMS