chore(deps): update node.js to 4.9

[renovate]

This PR contains the following updates:

Package	Update	Change
node	minor	4.2 -> 4.9

---

Release Notes

nodejs/node

v4.9.1: 2018-03-29, Version 4.9.1 'Argon' (Maintenance), @​MylesBorins

Compare Source

Notable Changes

No additional commits.

Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little
endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are doing this release to ensure that
the hosted binaries are adhering to our platform support contract.

v4.9.0: 2018-03-28, Version 4.9.0 'Argon' (Maintenance), @​MylesBorins

Compare Source

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

• CVE-2018-7158
• CVE-2018-7159

Notable Changes

• Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
• Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX an Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
• Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
• Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.

Commits

• [497ff3cd4f] - crypto: update root certificates (Ben Noordhuis) #​19322
• [514709e41f] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#​1836
• [5108108606] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#​1389
• [d67d0a63d9] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#​1389
• [6af057ecc8] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #​19638
• [b50cd3359d] - deps: upgrade openssl sources to 1.0.2o (Shigeki Ohtsu) #​19638
• [da6e24c8d6] - deps: reject interior blanks in Content-Length (Ben Noordhuis) nodejs-private/http-parser-private#​1
• [7ebc9981e0] - deps: upgrade http-parser to v2.8.0 (Ben Noordhuis) nodejs-private/http-parser-private#​1
• [6fd2cc93a6] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#​1389
• [bf00665af6] - path: unwind regular expressions in Windows (Myles Borins)
• [4196fcf23e] - path: unwind regular expressions in POSIX (Myles Borins)
• [625986b699] - src: drop CNNIC+StartCom certificate whitelisting (Ben Noordhuis) #​19322
• [ebc46448a4] - tools: update certdata.txt (Ben Noordhuis) #​19322

v4.8.7: 2017-12-08, Version 4.8.7 'Argon' (Maintenance), @​MylesBorins

Compare Source

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

• CVE-2017-15896
• CVE-2017-3738 (from the openssl project)

Notable Changes

• deps:
  • openssl updated to 1.0.2n (Shigeki Ohtsu) #​17526

Commits

• [4f8fae3493] - deps: update openssl asm and asm_obsolete files (Shigeki Ohtsu) #​17526
• [eacd090e7b] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#​1836
• [3e6b0b0d13] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#​1389
• [b0ed4c52af] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#​1389
• [dd6a2dff1e] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #​17526
• [b3afedfbe9] - deps: upgrade openssl sources to 1.0.2n (Shigeki Ohtsu) #​17526
• [f7eb162d0d] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#​1389

v4.8.6: 2017-11-07, Version 4.8.6 'Argon' (Maintenance), @​MylesBorins

Compare Source

This Maintenance release comes with 47 commits. This includes 26 commits which are updates to dependencies,
8 which are build / tool related, 4 which are doc related, and 2 which are test related.

This release includes a security update to openssl that has been deemed low severity for the Node.js project.

Notable Changes

• crypto:
  • update root certificates (Ben Noordhuis) #​13279
  • update root certificates (Ben Noordhuis) #​12402
• deps:
  • add support for more modern versions of INTL (Bruno Pagani) #​13040
  • upgrade openssl sources to 1.0.2m (Shigeki Ohtsu) #​16691
  • upgrade openssl sources to 1.0.2l (Daniel Bevenius) #​13233

Commits

• [e064ae62e4] - build: fix make test-v8 (Ben Noordhuis) #​15562
• [a7f7a87a1b] - build: run test-hash-seed at the end of test-v8 (Michaël Zasso) #​14219
• [05e8b1b7d9] - build: codesign tarball binary on macOS (Evan Lucas) #​14179
• [e2b6fdf93e] - build: avoid /docs/api and /docs/doc/api upload (Rod Vagg) #​12957
• [59d35c0775] - build,tools: do not force codesign prefix (Evan Lucas) #​14179
• [210fa72e9e] - crypto: update root certificates (Ben Noordhuis) #​13279
• [752b46a259] - crypto: update root certificates (Ben Noordhuis) #​12402
• [3640ba4acb] - crypto: clear err stack after ECDH::BufferToPoint (Ryan Kelly) #​13275
• [545235fc4b] - deps: add missing #include "unicode/normlzr.h" (Bruno Pagani) #​13040
• [ea09a1c3e6] - deps: update openssl asm and asm_obsolete files (Shigeki Ohtsu) #​16691
• [68661a95b5] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#​1836
• [bdcb2525fb] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#​1389
• [3f93ffee89] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#​1389
• [16fbd9da0d] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #​16691
• [55e15ec820] - deps: upgrade openssl sources to 1.0.2m (Shigeki Ohtsu) #​16691
• [9c3e246ffe] - deps: backport 4e18190 from V8 upstream (jshin) #​15562
• [43d1ac3a62] - deps: backport bff3074 from V8 upstream (Myles Borins) #​15562
• [b259fd3bd5] - deps: cherry pick d7f813b from V8 upstream (akos.palfi) #​15562
• [85800c4ba4] - deps: backport e28183b from upstream V8 (karl) #​15562
• [06eb181916] - deps: update openssl asm and asm_obsolete files (Daniel Bevenius) #​13233
• [c0fe1fccc3] - deps: update openssl config files (Daniel Bevenius) #​13233
• [523eb60424] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#​1836
• [0aacd5a8cd] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#​1389
• [80c48c0720] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#​1389
• [bbd92b4676] - deps: copy all openssl header files to include dir (Daniel Bevenius) #​13233
• [8507f0fb5d] - deps: upgrade openssl sources to 1.0.2l (Daniel Bevenius) #​13233
• [9bfada8f0c] - deps: add example of comparing OpenSSL changes (Daniel Bevenius) #​13234
• [71f9cdf241] - deps: cherry-pick 09db540,686558d from V8 upstream (Jesse Rosenberger) #​14829
• [751f1ac08e] - Revert "deps: backport e093a04, 09db540 from upstream V8" (Jesse Rosenberger) #​14829
• [ed6298c7de] - deps: cherry-pick 18ea996 from c-ares upstream (Anna Henningsen) #​13883
• [639180adfa] - deps: update openssl asm and asm_obsolete files (Shigeki Ohtsu) #​12913
• [9ba73e1797] - deps: cherry-pick 4ae5993 from upstream OpenSSL (Shigeki Ohtsu) #​12913
• [f8e282e51c] - doc: fix typo in zlib.md (Luigi Pinca) #​16480
• [532a2941cb] - doc: add missing make command to UPGRADING.md (Daniel Bevenius) #​13233
• [1db33296cb] - doc: add entry for subprocess.killed property (Rich Trott) #​14578
• [0fa09dfd77] - doc: change child to subprocess (Rich Trott) #​14578
• [43bbfafaef] - docs: Fix broken links in crypto.md (Zuzana Svetlikova) #​15182
• [1bde7f5cef] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#​1389
• [e69f47b686] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#​1389
• [cb92f93cd5] - test: remove internal headers from addons (Gibson Fahnestock) #​7947
• [5d9164c315] - test: move test-cluster-debug-port to sequential (Oleksandr Kushchak) #​16292
• [07c912e849] - tools: update certdata.txt (Ben Noordhuis) #​13279
• [c40bffcb88] - tools: update certdata.txt (Ben Noordhuis) #​12402
• [161162713f] - tools: be explicit about including key-id (Myles Borins) #​13309
• [0c820c092b] - v8: fix stack overflow in recursive method (Ben Noordhuis) #​12460
• [a1f992975f] - zlib: fix crash when initializing failed (Anna Henningsen) #​14666
• [31bf595b94] - zlib: fix node crashing on invalid options (Alexey Orlenko) #​13098

v4.8.5: Version 4.8.5 'Argon' (Maintenance), @​MylesBorins

Compare Source

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ for details on patched vulnerabilities.

Notable Changes

• zlib:
  • CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialized with windowBits set to 8. On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. Node.js will now gracefully set windowBits to 9 replicating the legacy behavior to avoid a DOS vector. nodejs-private/node-private#​95

Commits

• [f5defa2a7c] - zlib: gracefully set windowBits from 8 to 9 (Myles Borins) nodejs-private/node-private#​95

v4.8.4

Compare Source

v4.8.3

Compare Source

v4.8.2

Compare Source

v4.8.1

Compare Source

v4.8.0

Compare Source

v4.7.3

Compare Source

v4.7.2

Compare Source

v4.7.1

Compare Source

v4.7.0

Compare Source

v4.6.2

Compare Source

v4.6.1

Compare Source

v4.6.0

Compare Source

v4.5.0

Compare Source

v4.4.7

Compare Source

v4.4.6

Compare Source

v4.4.5

Compare Source

v4.4.4

Compare Source

v4.4.3

Compare Source

v4.4.2

Compare Source

v4.4.1

Compare Source

v4.4.0

Compare Source

v4.3.2

Compare Source

v4.3.1

Compare Source

v4.3.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.