-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
2024-11-12, Version 18.20.5 'Hydrogen' (LTS) #55768
Conversation
Refs: #53212 (comment) PR-URL: #53233 Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io> Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Headers in nodejs can be arrays and current workaround for content-disposition header do not take this into account. This change fixes that and makes sure array values are handled properly. PR-URL: #50977 Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Starting from OpenSSL 3.0.14, 3.1.6, 3.2.2, and 3.3.1, OpenSSL was fixed to return an error reason string for bad/unknown application protocols. Update tests to handle both the old `ECONNRESET` error on older versions of OpenSSL and the new `ERR_SSL_TLSV1_ALERT_NO_APPLICATION_PROTOCOL` on newer versions of OpenSSL. Refs: openssl/openssl#24338 PR-URL: #53373 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
Previously the test assumes that when the queued finalizer is run, it must be run at a point where env->can_call_into_js() is false (typically, during Environment shutdown), which is not certain. If GC kicks in early and the second pass finalizer is queued before the event loop runs the check callbacks, the finalizer would then be called in check callbacks (via native immediates), where the finalizer can still call into JS. Essentially, addons can't make assumptions about where the queued finalizer would be called. This patch updates the assertions in the test to account for that. PR-URL: #51898 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Report the version of OpenSSL that Node.js is running with instead of the version of OpenSSL that Node.js was compiled against. PR-URL: #53456 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Update the following TLS tests to account for error code changes in OpenSSL 3.2 and later. - `parallel/test-tls-empty-sni-context` - `parallel/test-tls-psk-circuit` PR-URL: #53384 Refs: #53382 Refs: openssl/openssl#19950 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Update `common.hasOpenSSL3*` to check against the run-time version of OpenSSL instead of the version of OpenSSL that Node.js was compiled against. Add a generalized `common.hasOpenSSL()` so we do not need to keep adding new checks for each new major/minor of OpenSSL. PR-URL: #53456 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Update tests to allow for a slight change to the TLS trace messages starting from OpenSSL 3.2. Refs: openssl/openssl@45aac10 PR-URL: #53229 Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Use `asset.strictEqual()` and `asset.deepStrictEqual()` in `test/parallel/test-tls-set-sigalgs.js`. PR-URL: #54208 Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com> Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Refs: #44498 Refs: #53382 Key sizes were increased to 2048 in PR 44498 including the configuration file for the generation of ca2-cert.pem. However, it seems like updating ca2-cert.pem and related files themselves were missed as they were not updated in the PR and the ca2-cert.pem reported as being associated with a 1024 bit key. I believe that was the cause of some of the failures mentioned in #53382 as OpenSSL 3.2 increased the default security level from 1 to 2 and that would mean that certificates associated with keys of 1024 bits would no longer be accepted. This PR updates the key size for ca2-cert.pem. It was not necessary to change the config, only run the generation for the ca2-cert.pem and related files. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #54599 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: #53382 - OpenSSL32 has a minimum dh key size by 2048 by default. - Create larter 3072 dh key needed for testing and adjust tests to use it for builds with OpenSSL32 Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #54739 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: #53382 - OpenSSL32 has a minimum dh key size by 2048 by default. - Adjust test to use larger 3072 key instead of 1024 when OpenSSL32 is present. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #54903 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: #53382 Looks like test is forcing an error through bad data and the error code we get is different for OpenSSL32. Adjust test to cope with the variation across versions. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #54909 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: #53382 OpenSSL32 returns different error text. Looking through the test it seems like the expected error text has been adjusted for different OpenSSL versions in the past and what the test is testing is not related to the error being returned. Update test to allow for error returned by OpenSSL32 Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #54926 Refs: #53382 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Refs: #53382 This test fails on OpenSSL32 because it complains the key being used is too short. It seems to have been missed when the test suite was udpated to have a Makefile to generate key material as the keys are hard coded in the test as opposed to being read in from the fixtures/key directory. Update the test to use keys/certs from the fixtures directory and to remove newlines at the end of the key and cert to retain the inteded test. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #54968 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>
Refs: #53382 This test fails on OpenSSL32 because it complains the key being used is too short. Adjust the key sizes so that they will pass on OpenSSL32 in addition to other OpenSSL3 versions. Since the keys are not public key related I don't think the increase in key size will be too bad in terms of performance so I've just increased versus guarding for OpenSSL32 Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #54972 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Refs: #53382 The test failed as it was using AES128 which is not supported in OpenSSL32 due to default security level and because some error messages have changed. Adjusted to use AES256 where it made sense and not run tests on OpenSSL32 where test was specific to AES128. Adjust to use the expected error messages based on version. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #55016 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: #53382 OpenSSL32 does not support AES128 and DH 1024 to update test to use newer algorithms. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #55030 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com>
As per the original pull request that introduced the OpenSSL version check in `parallel/test-crypto-dh`: ``` Error message change is test-only and uses the right error message for versions >=3.0.12 in 3.0.x and >= 3.1.4 in 3.1.x series. ``` Fix the check so that: - The older message is expected for OpenSSL 3.1.0. - The newer message is expected for OpenSSL from 3.1.4 (e.g. 3.2.x). Refs: #50395 PR-URL: #53503 Refs: #53382 Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Refs: #53382 TLS spec seems to indicate there should should be a response sent when TLS handshake fails. See https://datatracker.ietf.org/doc/html/rfc8446#page-85 When compiled with OpenSSL32 we see the the following response '15 03 03 00 02 02 16' which decodes as a fatal (0x02) TLS error alert number 22 (0x16). which corresponds to TLS1_AD_RECORD_OVERFLOW which matches the error we see if NODE_DEBUG is turned on once you get through the define aliases. If there is a response from the server the test used to hang because the end event will not be emitted until after the response is consumed. This PR fixes the test so it consumes the response. Some earlier OpenSSL versions did not seem to send a response but the error handling seems to have been re-written/improved in OpenSSL32. Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #55089 Refs: #52482 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Jithil P Ponnan <jithil@outlook.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #54038 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #52878 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
PR-URL: #55349 Refs: nodejs/Release#999 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>
PR-URL: #50380 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
PR-URL: #50380 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
😡 https://ci.nodejs.org/job/node-test-commit-linuxone/nodes=rhel9-s390x/46737/console 21:37:43 Error: connect ENETUNREACH 2606:50c0:8003::154:443
21:37:43 at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1555:16) {
21:37:43 errno: -101,
21:37:43 code: 'ENETUNREACH',
21:37:43 syscall: 'connect',
21:37:43 address: '2606:50c0:8003::154',
21:37:43 port: 443
21:37:43 } is almost certainly nodejs/build#3950 which annoyingly was not happening on the |
I've extended nodejs/build#3952 to the rhel9-s390x machines. |
I'm not sure what went wrong and I don't care but the author of this change e9e3306426 is me. |
My bad! I have honestly no idea how it happened |
Notable changes: esm: * mark import attributes and JSON module as stable (Nicolò Ribaudo) nodejs#55333 PR-URL: nodejs#55768
Notable changes: esm: * mark import attributes and JSON module as stable (Nicolò Ribaudo) nodejs#55333 PR-URL: nodejs#55768
c2e6a8f215
] - benchmark: fix napi/ref addon (Michaël Zasso) #532334c2e07aaac
] - build: pin doc workflow to Node.js 20 (Richard Lau) #557556ba4ebd060
] - build: fix build with Python 3.12 (Luigi Pinca) #50582c50f01399e
] - crypto: ensure invalid SubtleCrypto JWK data import results in DataError (Filip Skokan) #550415c46782137
] - crypto: make deriveBits length parameter optional and nullable (Filip Skokan) #536016e7274fa53
] - crypto: reject dh,x25519,x448 in {Sign,Verify}Final (Huáng Jùnliàng) #53774d2442044db
] - crypto: reject Ed25519/Ed448 in Sign/Verify prototypes (Filip Skokan) #5234093670de499
] - deps: upgrade npm to 10.8.2 (npm team) #537998531c95587
] - deps: upgrade npm to 10.8.1 (npm team) #53207fd9933ea0f
] - deps: upgrade npm to 10.8.0 (npm team) #5301403852495d7
] - deps: update simdutf to 5.6.0 (Node.js GitHub Bot) #553793597be4146
] - deps: update simdutf to 5.5.0 (Node.js GitHub Bot) #5443452d2c03738
] - deps: update simdutf to 5.3.4 (Node.js GitHub Bot) #54312dd882ac483
] - deps: update simdutf to 5.3.1 (Node.js GitHub Bot) #541965fb8e1b428
] - deps: update simdutf to 5.3.0 (Node.js GitHub Bot) #53837c952fd886d
] - deps: update simdutf to 5.2.8 (Node.js GitHub Bot) #52727a1ae050ed5
] - deps: update simdutf to 5.2.6 (Node.js GitHub Bot) #5272796ec48da7f
] - deps: update brotli to 1.1.0 (Node.js GitHub Bot) #5080411242bcfb4
] - deps: update zlib to 1.3.0.1-motley-71660e1 (Node.js GitHub Bot) #5346464f98a9869
] - deps: update zlib to 1.3.0.1-motley-c2469fd (Node.js GitHub Bot) #534644b815550e0
] - deps: update zlib to 1.3.0.1-motley-68e57e6 (Node.js GitHub Bot) #53464f6b2f68ce7
] - deps: update zlib to 1.3.0.1-motley-8b7eff8 (Node.js GitHub Bot) #53464e151ebef86
] - deps: update zlib to 1.3.0.1-motley-e432200 (Node.js GitHub Bot) #53464637a306e02
] - deps: update zlib to 1.3.0.1-motley-887bb57 (Node.js GitHub Bot) #53464569a739569
] - deps: update zlib to 1.3.0.1-motley-209717d (Node.js GitHub Bot) #53156033f1e2ba5
] - deps: update zlib to 1.3.0.1-motley-4f653ff (Node.js GitHub Bot) #53052aaa857fc01
] - deps: update ada to 2.8.0 (Node.js GitHub Bot) #53254d577321877
] - deps: update acorn to 8.13.0 (Node.js GitHub Bot) #5555855b3c8a41f
] - deps: update acorn-walk to 8.3.4 (Node.js GitHub Bot) #5495050a9456f1e
] - deps: update acorn-walk to 8.3.3 (Node.js GitHub Bot) #53466f56cfe776b
] - deps: update acorn to 8.12.1 (Node.js GitHub Bot) #53465fce3ab686d
] - deps: update archs files for openssl-3.0.15+quic1 (Node.js GitHub Bot) #5518446c782486e
] - deps: upgrade openssl sources to quictls/openssl-3.0.15+quic1 (Node.js GitHub Bot) #551844a18581dc3
] - deps: update corepack to 0.29.4 (Node.js GitHub Bot) #5484567e98831ab
] - deps: update archs files for openssl-3.0.14+quic1 (Node.js GitHub Bot) #54336c60c6630af
] - deps: upgrade openssl sources to quictls/openssl-3.0.14+quic1 (Node.js GitHub Bot) #54336935a506377
] - deps: update corepack to 0.29.3 (Node.js GitHub Bot) #54072dbdfdd0226
] - deps: update corepack to 0.29.2 (Node.js GitHub Bot) #53838395ee44608
] - deps: update corepack to 0.28.2 (Node.js GitHub Bot) #532536ba8bc0618
] - deps: update c-ares to 1.29.0 (Node.js GitHub Bot) #5315581c3260cd2
] - deps: update corepack to 0.28.1 (Node.js GitHub Bot) #52946e81201e91b
] - doc: only apply content-visibility on all.html (Filip Skokan) #535104d2ac5d98f
] - doc: move release key for Myles Borins (Richard Lau) #540591c4decc998
] - doc: add release key for aduh95 (Antoine du Hamel) #55349a4f6f0918f
] - doc: add names next to release key bash commands (Aviv Keller) #52878c679348f83
] - errors: usedetermineSpecificType
in more error messages (Antoine du Hamel) #49580ac37e554a5
] - esm: mark import attributes and JSON module as stable (Nicolò Ribaudo) #5533384b0ead758
] - esm: fix hook name in error message (Bruce MacNaughton) #504660092358d00
] - http: handle multi-value content-disposition header (Arsalan Ahmad) #50977d814fe935c
] - src: account for OpenSSL unexpected version (Shelley Vohr) #540386615fe5db1
] - src: fix dynamically linked OpenSSL version (Richard Lau) #53456d6114cb2e2
] - test: fix test when compiled without engine support (Richard Lau) #53232ac3a39051c
] - test: fix test-tls-junk-closes-server (Michael Dawson) #55089c8520ff7d2
] - test: fix OpenSSL version checks (Richard Lau) #535039824827937
] - test: update tls test to support OpenSSL32 (Michael Dawson) #550301a4d497936
] - test: adjust tls-set-ciphers for OpenSSL32 (Michael Dawson) #55016341496a5a2
] - test: add asserts to validate test assumptions (Michael Dawson) #5499737a2f7eaa4
] - test: adjust key sizes to support OpenSSL32 (Michael Dawson) #5497275ff0cdf66
] - test: update test to support OpenSSL32 (Michael Dawson) #54968b097d85dfe
] - test: adjust test-tls-junk-server for OpenSSL32 (Michael Dawson) #54926e9997388a6
] - test: adjust tls test for OpenSSL32 (Michael Dawson) #54909c7de027adb
] - test: fix test test-tls-dhe for OpenSSL32 (Michael Dawson) #5490368156cbae1
] - test: fix test-tls-client-mindhsize for OpenSSL32 (Michael Dawson) #54739d5b73e5683
] - test: increase key size for ca2-cert.pem (Michael Dawson) #545995316314755
] - test: update TLS test for OpenSSL 3.2 (Richard Lau) #54612a1f0c87859
] - test: fix test-tls-client-auth test for OpenSSL32 (Michael Dawson) #54610e9e3306426
] - test: use assert.{s,deepS}trictEqual() (Sonny) #542081320fb9475
] - test: update TLS trace tests for OpenSSL >= 3.2 (Richard Lau) #53229cc3cdf7cc0
] - test: check against run-time OpenSSL version (Richard Lau) #53456fc43c6803e
] - test: update TLS tests for OpenSSL 3.2 (Richard Lau) #53384627d3993f0
] - test: fix unreliable assumption in js-native-api/test_cannot_run_js (Joyee Cheung) #518989f521f456e
] - test: update tests for OpenSSL 3.0.14 (Richard Lau) #533730fb652eba9
] - tools: update gyp-next to v0.16.1 (Michaël Zasso) #50380fa72b2c2de
] - tools: skip ruff on tools/gyp (Michaël Zasso) #50380