Update Node.js to v10.9.0

[renovate]

This Pull Request updates dependency node from v10.8.0 to v10.9.0

Release Notes

2018-08-15, Version 10.9.0 (Current), @​rvagg

Compare Source
This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

• CVE-2018-0732 (OpenSSL)
• CVE-2018-7166 (Node.js)
• CVE-2018-12115 (Node.js)

Notable Changes

• buffer:
  • Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
  • Fix unintentional exposure of uninitialized memory in Buffer.alloc() (CVE-2018-7166)
• deps:
  • Upgrade to OpenSSL 1.1.0i, fixing:
    • Client DoS due to large DH parameter (CVE-2018-0732)
    • ECDSA key extraction via local side-channel (CVE not assigned)
  • Upgrade V8 from 6.7 to 6.8 (Michaël Zasso) #​21079
    • Memory reduction and performance improvements, details at: https://v8project.blogspot.com/2018/06/v8-release-68.html
• http: http.get() and http.request() (and https variants) can now accept three arguments to allow for a URL and an options object (Sam Ruby) #​21616
• Added new collaborators
  • Sam Ruby (https://github.com/rubys)
  • George Adams (https://github.com/gdams)

Commits

• [58a9ae118e] - assert: fix loose assert with map and set (Ruben Bridgewater) #​22145
• [1c577016b8] - benchmark: improve assert benchmarks (Ruben Bridgewater) #​22211
• [734323d9eb] - buffer: stop alloc() uninitialized memory return (cjihrig) nodejs-private/node-private#​137
• [2c4c17b708] - buffer: avoid overrun on UCS-2 string write (Rod Vagg) nodejs-private/node-private#​138
• [6622ac798d] - buffer: use FastBuffer when fill is set to 0 (Сковорода Никита Андреевич) #​21989
• [f506a5f46e] - build: make --shared-[…]-path work on Windows (Jeremy Apthorp) #​21530
• [1be6fb93c8] - build: add CONFIG_FLAGS to with-code-cache target (Daniel Bevenius) [#​22207](https
  ://github.com/build: add CONFIG_FLAGS to with-code-cache target nodejs/node#22207)
• [4520bb8a73] - build: make tools/doc/node_modules non-phony (Daniel Bevenius) #​22189
• [c42ff4ebd8] - build: add crypto check to build targets (Daniel Bevenius) #​22148
• [cdb8c1b44d] - build: extract common parts from addon .buildstamp (Daniel Bevenius) #​22171
• [1e7a8c3016] - build: reset embedder string to "-node.0" (Michaël Zasso) #​21079
• [86ab2c041e] - crypto: remove unused SSLWrap handle methods (Jon Moss) #​22216
• [9212875406] - crypto: simplify state failure handling (Tobias Nießen) #​22131
• [916a1d59f0] - crypto: simplify Hmac::HmacUpdate (Tobias Nießen) #​22132
• [2dc7f17e8b] - (SEMVER-MINOR) crypto: add better scrypt option aliases (Anna Henningsen) #​21525
• [fcf422e921] - deps: backport c608122 from upstream (Ruben Bridgewater) #​22210
• [a07ccaeb19] - deps: update archs files for OpenSSL-1.1.0i (Shigeki Ohtsu) #​22318
• [473996c90f] - deps: add s390 asm rules for OpenSSL-1.1.0 (Shigeki Ohtsu) #​19794
• [05e48fd018] - deps: upgrade openssl sources to 1.1.0i (Shigeki Ohtsu) #​22318
• [f8bc5d6320] - deps: cherry-pick 09bca09 from upstream V8 (Matheus Marchini) #​22068
• [c69fdc9d5f] - (SEMVER-MINOR) deps: remove thread_local to fix V8 compilation (Peter Marshall) #​21668
• [981fff714e] - deps: refactor v8.gyp (Michaël Zasso) #​22017
• [5fa3ffad20] - (SEMVER-MINOR) deps: patch the V8 API to be backwards compatible with 6.7 (Peter Marshall) #​21668
• [6eed40acbb] - deps: cherry-pick 804a693 from upstream V8 (Matheus Marchini) #​21855
• [7eccaf86d6] - deps: V8: Backport of 0dd3390 from upstream (James M Snell) #​21899
• [328c89925a] - deps: cherry-pick 907d7bc from upstream V8 (Michaël Zasso) #​21838
• [afacfd2992] - deps: cherry-pick 2075910 from upstream V8 (Michaël Zasso) #​21838
• [4f24256274] - deps: cherry-pick 555c811 from upstream V8 (Anna Henningsen) #​21741
• [7b4272a14d] - deps: cherry-pick 477df06 from upstream v8 (Gus Caplan) #​21644
• [a0bf7aa07c] - deps: cherry-pick 70c4340 from upstream V8 (Matheus Marchini) #​21126
• [4994ac65b0] - deps: cherry-pick acc336c from upstream V8 (Matheus Marchini) #​21126
• [be569f82f1] - deps: cherry-pick b20faff from upstream V8 (Matheus Marchini) #​21126
• [6df5feb13f] - deps: cherry-pick aa6ce3e from upstream V8 (Michaël Zasso) #​21079
• [8b9a956f9e] - deps: cherry-pick 5dd3395 from upstream V8 (Matheus Marchini) #​21386
• [548008a6f6] - deps: update v8.gyp and run Torque (Michaël Zasso) #​21079
• [9c74271a96] - deps: update V8 to 6.8.275.24 (Michaël Zasso) #​21079
• [a3f3c40966] - doc: simplify urlObject.hash text (Rich Trott) #​22326
• [d2848697dc] - doc: simplify urlObject.hash description (Rich Trott) #​22326
• [6d29986f4d] - doc: simplify format description of urlObject.auth (Rich Trott) #​22324
• [a658a4df34] - doc: remove redundant explanation of format (Rich Trott) #​22324
• [3236697c0b] - doc: use italics for words-as-words (Rich Trott) #​22324
• [da76b61f59] - doc: bump ICU version to avoid confusion (Csaba Palfi) #​22313
• [e04b0532bf] - doc: document 'inherit' option for stdio (non-shorthand) (James Bromwell) #​22309
• [882c2c017a] - doc: clarify http2 docs around class exports (James M Snell) #​22247
• [dd96ba5b89] - doc: add multiple issue templates for GitHub (Tobias Nießen) #​22215
• [d95a22c304] - doc: declare all parameter types (Sam Ruby) #​21782
• [9e25028981] - doc: add missing option for child_process.spawnSync() (James Bromwell) #​22231
• [ef8d0fc490] - doc: list encodings supported by buffer.transcode (James M Snell) #​22263
• [1b41cd44b5] - doc: discuss special protocol handling (James M Snell) #​22261
• [cea8d4f4e9] - doc: replace _WG_ with _team_ (Rich Trott) #​22183
• [fafdae4ce1] - doc: add subprocess.ref() and subprocess.unref() (Thomas Hunter II) #​22220
• [d4f3615aaf] - doc: add gdams to collaborators (George Adams) [#​22236](https://github.com/nodejs/n
  ode/pull/22236)
• [e75885f2e6] - doc: specify options parameter type in zlib.md (Vse Mozhet Byt) #​21920
• [40af9767a2] - doc: declare all parameter types (Sam Ruby) #​21782
• [38dd407c83] - doc: remove unused error codes from errors.md (Сковорода Никита Андреевич) #​21491
• [6c7733f58a] - doc: update recommendations for createCipher (Tobias Nießen) #​22087
• [34300aaaa4] - doc: correct crypto.randomFill() and randomFillSync() (Gerhard Stoebich) #​21550
• [28870a46ac] - doc: add rubys to collaborators (Sam Ruby) #​22109
• [d2ad9a2c13] - doc: fix return type of server.address() (Weijia Wang) #​22043
• [168abb5801] - doc: rename stackStartFunction in assert.md (Eugene Y. Q. Shen) #​22077
• [d364f9c8e7] - doc: fix changelog for v10.8.0 (Michaël Zasso) #​22072
• [abac0c56b8] - doc: mark DEP0004 and DEP0042 as End-of-Life (Jon Moss) #​22033
• [c6a56ae23e] - doc: correct grammatical error in BUILDING.md (Brandon Lee) #​22067
• [29bc55320c] - doc: fixup process.binding deprecation code (James M Snell) #​22062
• [ec9d529a32] - doc: documentation deprecation of process.binding (James M Snell) #​22004
• [37369eba38] - (SEMVER-MINOR) http: allow url and options to be passed to http*.request and http*.get (Sam Ruby) #​21616
• [1ca46ab6f4] - http,tls: name anonymous callbacks (Marco Levrero) #​21412
• [8d226c6a79] - http2: correcting the heading format (Anto Aravinth) #​22262
• [7223a91a50] - http2: explicitly disallow nested push streams (James M Snell) #​22245
• [cee78bf7a2] - http2: avoid race condition in OnHeaderCallback (James M Snell) #​22256
• [fcca2f7e49] - http2: remove streamError from docs (James M Snell) #​22246
• [2bf9a4a09e] - https: allow url and options to be passed to https.request (Sam Ruby) #​22003
• [4c5dc6e012] - inspector: tie objects lifetime to the thread they belong to (Eugene Ostroukhov) #​22242
• [39898695b6] - inspector: add inspector_protocol as a direct dependency (Andrey Lushnikov) #​21975
• [311ec12702] - inspector: fixed V8InspectorClient::currentTimeMS (Aleksey Kozyatinskiy) #​21917
• [8f7e37337f] - lib: remove unused filterInternalStackFrames param (MaleDong) #​22267
• [3f729aac20] - lib: extract validateString validator (Jon Moss) #​22101
• [f570c19c89] - perf_hooks: avoid memory leak on gc observer (James M Snell) #​22241
• [76a65921d3] - readline,zlib: named anonymous functions (Anto Aravinth) #​21792
• [e4f346892c] - repl: support mult-line string-keyed objects (Sam Ruby) #​21805
• [d0b0ea971a] - src: remove unnecessary writes in tls_wrap.cc (Anna Henningsen) #​21984
• [b2ac7a750f] - src: avoid possible race during NodeBIO initialization (Anna Henningsen) #​21984
• [d85b0a3c10] - src: use smart pointers for NodeBIO (Anna Henningsen) #​21984
• [82e71dd8bd] - src: fix integer overflow in GetNow (Anatoli Papirovski) #​22214
• [2737b46e16] - src: add READONLY_STRING_PROPERTY and simplify config (Jon Moss) #​22222
• [8b5485dcf5] - src: fix up doc comment for experimental-worker bool (Anna Henningsen) #​22165
• [e90e56f4ca] - src: remove calls to deprecated v8 functions (NumberValue) (Ujjwal Sharma) #​22094
• [c09872b749] - src: remove unused env->vm_parsing_context_symbol (Jon Moss) #​22034
• [6ca00d7044] - src: remove unused env strings (Jon Moss) #​22137
• [0ca831a0ed] - src: clean up PackageConfig pseudo-boolean fields (Anna Henningsen) #​21987
• [00c33a5131] - src: clean up agent loop when exiting through destructor (Anna Henningsen) #​21867
• [ba480d33ce] - src: use only one tracing write fs req at a time (Anna Henningsen) #​21867
• [6b58746b2e] - src: use unique_ptr for internal JSON trace writer (Anna Henningsen) #​21867
• [ce48936077] - src: plug trace file file descriptor leak (Anna Henningsen) #​21867
• [89e23021fb] - src: initialize file trace writer on tracing thread (Anna Henningsen) [#​21867](http
  s://github.com/src: refactor tracing code  nodejs/node#21867)
• [56edd5fc5b] - src: close tracing event loop (Anna Henningsen) #​21867
• [4c9c1bbc45] - src: fix tracing if cwd or file path is inaccessible (Anna Henningsen) #​21867
• [c101b396aa] - src: refactor default trace writer out of agent (Anna Henningsen) #​21867
• [daafe6c195] - src: refactor tracing agent code (Anna Henningsen) #​21867
• [4379140dbf] - src: minor refactor of node_trace_events.cc (Anna Henningsen) #​21867
• [cde0e5f396] - src: reduce unnecessary includes (Anna Henningsen) #​21867
• [31e3e6f1f8] - stream: fix readable behavior for highWaterMark === 0 (Denys Otrishko) #​21690
• [9d89b3c7ec] - test: rename some allegories (Vse Mozhet Byt) #​22307
• [1d15f33277] - test: call gc() explicitly to avoid OOM (Refael Ackermann) #​22301
• [a7dad4565b] - test: move test-http-client-timeout-option-with-agent to sequential (Ouyang Yadong) #​22083
• [a414b0757a] - test: add test-http2-large-file sequential test (James M Snell) #​22254
• [01fe2cee5b] - test: fix error messages for OpenSSL-1.1.0i (Shigeki Ohtsu) #​22318
• [c145690aad] - test: improve test coverage for comparisons (Ruben Bridgewater) #​22212
• [bdc644f2ec] - test: remove common.fileExists() (Rich Trott) #​22151
• [bc1cb7b7fc] - test: handle errors correctly in GC http test (Ouyang Yadong) #​22185
• [cefc4a03cc] - test: remove second arg from assert.ifError() (Musa Hamwala) #​22190
• [b1cbbbc7af] - test: move require of https to after crypto check (Daniel Bevenius) #​22148
• [a6ab19a96a] - test: move require of http2 to after crypto check (Daniel Bevenius) #​22148
• [7a4c7e6c82] - test: don't mask descriptor.enumerable (Thomas Leah) #​22172
• [5018661a85] - test: remove common.fileExists() (Richard Lau) #​22200
• [77ce40fa03] - test: remove unused argument in assertion (yahavfuchs) #​22113
• [6daa4f8797] - test: update postmortem metadata test (cjihrig) #​21079
• [16a929b867] - test: fix scriptParsed event expectations (Ingvar Stepanyan) #​21079
• [e58c17b849] - test: update certificates and private keys (Fedor Indutny) #​22184
• [d38ccaa421] - test: fix n-api addon build warnings (Kyle Farnung) #​21808
• [d66e52fb8e] - test: run ESM tests in parallel (Michaël Zasso) #​21919
• [6cff57e98d] - test: fix incorrect file mode check (Timothy Gu) #​22023
• [dafaff3a5e] - test: remove unused config (Benjamin Gruenbaum) #​21985
• [a569ae4b44] - test: remove third argument from assert.strictEqual() (Rishabh Singh) #​22051
• [a60060b499] - test: remove third argument from call to assert.strictEqual() (Michael Sommer) #​22047
• [246a94f301] - test: see value of "hadError" in tls test (Oryan Moshe) #​22069
• [a40ee213b3] - test: improve reliability in http2-session-timeout (Rich Trott) #​22026
• [e2d97eeb65] - test: remove outdated documentation (Jon Moss) #​22009
• [94746d6a47] - test: remove outdated, non-functioning test (Anatoli Papirovski) #​20894
• [0beffc0f3b] - test: remove test/gc, integrate into parallel (Anna Henningsen) #​22001
• [c2372eac16] - test: add tracing crash regression test (Eugene Ostroukhov) #​21867
• [7e23080d45] - test: pass through stderr in benchmark tests (Anna Henningsen) #​21860
• [52020dc09a] - test: refactor test-http2-compat-serverresponse-finished.js (Anto Aravinth) #​21929
• [88665b3cef] - test,doc: fix async-hooks coverage doc for md lint (Rod Vagg) #​22296
• [d60b017135] - test,doc: adjust markdown table for linting (Rich Trott) #​22221
• [8f56cc0321] - test,doc: adjust async-hooks coverage doc for lint (Rich Trott) #​22221
• [5c41caa1cc] - test,doc: wrap common module md doc at 80 chars (Rich Trott) #​22221
• [21883be05d] - test,doc: fix lint error in test fixtures (Rich Trott) [#​22221](https://github.com/
  tools,test: apply markdown linting to test dir nodejs/node#22221)
• [ec2209dc8b] - tls: change var to const (Eugen Cazacu) #​22219
• [2d1c1853e9] - tls: remove SLAB_BUFFER_SIZE (Anatoli Papirovski) #​21199
• [f989681e34] - tls: preallocate SSL cipher array (Tobias Nießen) #​22136
• [6cd2d1dddc] - tools: fix header escaping regression (Sam Ruby) #​22084
• [80dd0445c6] - tools: add no-misleading-character-class ESLint rule (Vse Mozhet Byt) #​22278
• [bc35f17b7b] - tools: do not autolink section to itself (Vse Mozhet Byt) #​22138
• [950a4a9b91] - tools: update ESLint to 5.3.0 (Rich Trott) #​22134
• [0c67d326dc] - tools: convert addon-verify to remark (Sam Ruby) #​21978
• [c85d00b786] - tools: produce JSON documentation using unified/remark/rehype (Sam Ruby) #​21697
• [f0c871b0c7] - tools: add make format-cpp to run clang-format on C++ diffs (Joyee Cheung) #​21997
• [5a4abbadfe] - tools: update to using dmn 1.0.11 (Rich Trott) #​22035
• [7a7c194f4e] - tools: fix docs and run known_issues by default (Jon Moss) #​21910
• [4995b28a11] - tools,build: apply markdown linting to test dir (Rich Trott) #​22221
• [ad46cca104] - trace_events: add node.promises category, rejection counter (James M Snell) #​22124
• [b171fa2530] - util: improve display of iterators and weak entries (Ruben Bridgewater) #​20961
• [f1c22eaa56] - util,assert: fix boxed primitives bug (Ruben Bridgewater) #​22243
• [677d10cdd1] - worker: fix deadlock when calling terminate from exit handler (Anna Henningsen) #​22073
• [4b0d2de5f4] - zlib: remove unused parameters (MaleDong) #​22115

---

---

This PR has been generated by Renovate Bot.

[matticbot]

Test live: https://calypso.live/?branch=renovate/node-10.x

[sirreal]

The Jetpack e2e tests appear to have unrelated failures, similar to the ones observed in #26531.

Let's proceed with this, it's a security release:

• https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
• https://nodejs.org/en/blog/release/v10.9.0/

[renovate]

PR has been edited

As this PR has been edited, Renovate will stop updating it in order to not cause any conflicts or other problems. If you wish to abandon your edits and have Renovate recreate this PR then you should rename this PR and then close it.

[sirreal]

Full e2e looks green: https://circleci.com/gh/Automattic/wp-e2e-tests-for-branches/12888

CircleCI doesn't have images yet: https://circleci.com/gh/Automattic/wp-calypso/102154

Let's proceed with this.

[sirreal]

CircleCI tests will run on Node 10.8.1 and production will run on 10.9.0 until they release an updated image.

That's not ideal, but the risk is minimal. I've run the tests locally with npm test and Node 10.9.0 and everything looks good:

$ npm run test-client

Test Suites: 1335 passed, 1335 total
Tests:       5 skipped, 12130 passed, 12135 total
Snapshots:   64 passed, 64 total
Time:        109.208s
Ran all test suites.

$ npm run test-server

Test Suites: 8 passed, 8 total
Tests:       48 passed, 48 total
Snapshots:   24 passed, 24 total
Time:        41.183s
Ran all test suites.

[sirreal]

We can keep an eye on this for the CircleCI 10.9.0 image:

https://hub.docker.com/r/circleci/node/tags/

[flootr]

I agree with @sirreal , we should be safe to go