2021-08-31, Version 14.17.6 'Fermium' (LTS), @MylesBorins

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803
and CVE-2021-32804.
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.

You can read more about it in:

• CVE-2021-37701
• CVE-2021-37712
• CVE-2021-37713
• CVE-2021-39134
• CVE-2021-39135

Commits

• [5b3f70bfb5] - deps: update archs files for OpenSSL-1.1.1l (Richard Lau) #39868
• [71372625ae] - deps: upgrade openssl sources to 1.1.1l (Richard Lau) #39868
• [4276984803] - deps: upgrade npm to 6.14.15 (Darcy Clarke) #39856

2021-08-31, Version 12.22.6 'Erbium' (LTS), @MylesBorins

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803
and CVE-2021-32804.
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.

You can read more about it in:

• CVE-2021-37701
• CVE-2021-37712
• CVE-2021-37713
• CVE-2021-39134
• CVE-2021-39135

Commits

• [a0154b586b] - deps: update archs files for OpenSSL-1.1.1l (Richard Lau) #39869
• [7a95637eb7] - deps: upgrade openssl sources to 1.1.1l (Richard Lau) #39869
• [840b0ffff6] - deps: upgrade npm to 6.14.15 (Darcy Clarke) #39856

2021-08-25, Version 16.8.0 (Current), @targos

Notable Changes

• [2e90b10f35] - doc: deprecate type coercion for dns.lookup options (Antoine du Hamel) #38906
• [a6d50a18a0] - (SEMVER-MINOR) stream: add stream.Duplex.from utility (Robert Nagy) #39519
• [af7047a815] - (SEMVER-MINOR) stream: add isDisturbed helper (Robert Nagy) #39628
• [66400374de] - (SEMVER-MINOR) util: expose toUSVString (Robert Nagy) #39814

Commits

• [90bf247a55] - build: fix update authors commit (Mestery) #39858
• [c968372e37] - build: add authors.yml (Tierney Cyren) #35831
• [3f284cf65c] - build: add option to hide console window (Cheng Zhao) #39712
• [a01e3ab41d] - deps: V8: cherry-pick 00bb1a77c03e (Darshan Sen) #39829
• [cce95c4c5b] - deps: upgrade npm to 7.21.0 (Myles Borins) #39813
• [254810a22e] - doc: add duplicate CVE check in sec. release doc (Daniel Bevenius) #39845
• [8c50d16712] - doc: improve description of the triagers team (Michaël Zasso) #39833
• [c02165d992] - doc: update instructions for cc (Michael Dawson) #39674
• [208305fd8f] - doc: move util.toUSVString() outside of deprecated group (Luigi Pinca) #39840
• [2e90b10f35] - doc: deprecate type coercion for dns.lookup options (Antoine du Hamel) #38906
• [8460a3216c] - doc: deprecate using non-boolean values in the verbatim option (Antoine du Hamel) #38906
• [3041d57201] - doc: fix malformed changelog entries (Rich Trott) #39791
• [2b02f747c3] - doc: fix lint errors in packages.md (Rich Trott) #39792
• [a387600d8f] - doc: add example of self-reference in scoped packages (Jesús Leganés-Combarro 'piranna) #37630
• [7a25bf3a6d] - doc: add himadriganguly as a triager (Himadri Ganguly) #39757
• [d1900f43ce] - fs: combine require() and destructure (Colin Ihrig) #39806
• [158d4464d2] - meta: add gyp as owner of gyp files and tools/gyp (Mary Marchini) #34847
• [8fa38500f2] - policy: canonicalize before resolving specifiers (Bradley Farias) #37863
• [a7a217be13] - repl: fix tla function hoisting (Don Jayamanne) #39745
• [3a8399ee61] - src: return Maybe<bool> from InitializeContextRuntime() (Darshan Sen) #39695
• [a704c9dfce] - (SEMVER-MINOR) src: call overload ctor from the original ctor (Darshan Sen) #39768
• [0918ea0683] - (SEMVER-MINOR) src: add a constructor overload for CallbackScope (Darshan Sen) #39768
• [a6d50a18a0] - (SEMVER-MINOR) stream: duplexify (Robert Nagy) #39519
• [af7047a815] - (SEMVER-MINOR) stream: add isDisturbed helper (Robert Nagy) #39628
• [f98311a7c8] - tools: update workflow to open a pull request (Rich Trott) #39825
• [d33f897509] - tools: use find-inactive-collaborators to modify README.md (Rich Trott) #39825
• [d82ee96861] - tools: update gyp-next to v0.9.5 (Jiawen Geng) #39818
• [79079ea01b] - tools: fix markdown linting (Rich Trott) #39832
• [01093b07cc] - tools: update markdown linter dependencies and move to ESM (Antoine du Hamel) #39801
• [9dc0c91392] - tools: update rollup to latest version in markdown linter (Rich Trott) #39797
• [c34e2534ab] - tools: update markdown lint dependencies (Rich Trott) #39770
• [66400374de] - (SEMVER-MINOR) util: expose toUSVString (Robert Nagy) #39814

2021-08-17, Version 16.7.0 (Current), @danielleadams

Notable Changes

• fs:
  • experimental: add recursive cp method (Benjamin Coe) #39372

Commits

• [a80c989306] - async_hooks: merge resource_symbol with owner_symbol (Darshan Sen) #38468
• [69a2a6b6c3] - bootstrap: call _undestroy() inside _destroy for stdout and stderr (Matteo Collina) #39685
• [5bc31ea0aa] - buffer: add endings option, remove Node.js specific encoding option (James M Snell) #39708
• [091a579275] - (SEMVER-MINOR) buffer: add Blob.prototype.stream method and other cleanups (James M Snell) #39693
• [097d898e58] - build: run coverage for inspector protocol changes (Richard Lau) #39725
• [cf028df0ed] - build: fix V8 build with pointer compression (Michaël Zasso) #39664
• [9d38400de1] - build: exclude markdown files from some GitHub Actions (Rich Trott) #39565
• [eeb804a7b7] - build: use lts shorthand in GitHub Actions (Rich Trott) #39538
• [93a904d0ba] - (SEMVER-MINOR) crypto: implement webcrypto.randomUUID (Michaël Zasso) #39648
• [3321b65a5a] - debugger: prevent simultaneous heap snapshots (Rich Trott) #39638
• [6c375e18b6] - debugger: remove undefined parameter (Rich Trott) #39570
• [103bf20988] - deps: V8: cherry-pick 81814ed44574 (Stephen Belanger) #39719
• [cf5e5b5711] - deps: upgrade to libuv 1.42.0 (Luigi Pinca) #39525
• [5f92d2fe6d] - dgram: use simplified validator (Voltrex) #39753
• [c7e918b06a] - (SEMVER-MINOR) dns: add "tries" option to Resolve options (Luan Devecchi) #39610
• [5d66646b71] - doc: correct cjs code to match mjs code (Raz Luvaton) #39509
• [f18bb2a0f1] - doc: fix typo in hmac.paramNames default (Justin) #39766
• [338a166e83] - doc: fix fs.rmdir recursive option deprecation history (Antoine du Hamel) #39728
• [bfb1dc0a2c] - doc: fixed variable names in queueMicrotask example (ashish maurya) #39634
• [08b31f12f8] - doc: change "Version 4 UUID" to "version 4 UUID" (Tobias Nießen) #39682
• [f5200f9785] - doc: update debugger.md description and examples (Rich Trott) #39661
• [4700f1e529] - doc: fix color contrast issue in light mode (Rich Trott) #39660
• [88c83a4698] - (SEMVER-MINOR) doc: add missing change to resolver ctor (Luan Devecchi) #39610
• [760cafa5ed] - doc: fix typo in url.md (Howie Zhao) #39666
• [9ab5503693] - doc: add point to ask H1 reporter about credit (Daniel Bevenius) #39585
• [7514405456] - doc: update min mac ver + move mac arm64 to tier 1 (Ash Cripps) #39586
• [d7c8c6dcee] - doc: add missing introduced_in metadata (Richard Lau) #39575
• [8072517097] - doc: add code examples to Writable.destroy() and Writable.destroyed (Juan José Arboleda) #39491
• [55f47cc2d0] - doc: add String.prototype.at and %TypedArray%.prototype.at (Jordan Harband) #39583
• [0c0412e2c4] - doc: move NODE_MODULE_VERSION in release guide (Richard Lau) #39544
• [5df74f9b21] - doc: remove outdated ARM information from release guide (Richard Lau) #39544
• [8eccb11ea0] - doc: fence command examples in release guide (Richard Lau) #39544
• [0bd97e1f2d] - doc: update backport labels in release guide (Richard Lau) #39544
• [2129ad6a0a] - doc: add code example to fs.truncate method (Juan José Arboleda) #39454
• [3ff5e153ef] - doc: add code example to http.createServer method (Juan José Arboleda) #39455
• [7d0c869cfa] - doc: add PerformanceObserver buffered document (legendecas) #39514
• [0dc167a03f] - (SEMVER-MINOR) fs: add recursive cp method (Benjamin Coe) #39372
• [54dd3df943] - http: decodes url.username and url.password for authorization header (Lew Gordon) #39310
• [81e62f67bf] - inspector: update inspector_protocol to 89c4adf (Rich Trott) #39650
• [793fee4915] - inspector: update inspector_protocol to 8ec18cf (Rich Trott) #39614
• [5afdc1f4c0] - lib: simplify validators (Voltrex) #39753
• [ca3cb96d25] - lib: cleanup validation (Voltrex) #39652
• [cc08d3062f] - lib: cleanup instance validation (Voltrex) #39656
• [2751cdf6f9] - lib: use helper for readability (Voltrex) #39649
• [c68415cba2] - lib: use validators (Voltrex) #39663
• [be2d60dd1d] - lib: use validator (Voltrex) #39547
• [486d51ac0c] - lib: use validateObject (Voltrex) #39605
• [058e882a2a] - lib: use ERR_ILLEGAL_CONSTRUCTOR (Mestery) #39556
• [07cadc4432] - meta: consolidate AUTHORS entries for ooHmartY (Rich Trott) #39705
• [6c788b8030] - meta: consolidate AUTHORS entries for homosaur (Rich Trott) #39705
• [07351edebe] - meta: consolidate AUTHORS entries for Ayase-252 (Rich Trott) #39705
• [5fe282769b] - meta: consolidate AUTHORS entries for robin-drexler (Rich Trott) #39705
• [[fc2a626357](https://g...

2021-08-11, Version 16.6.2 (Current), @BethGriggs

This is a security release.

Notable Changes

• CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
  • Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
• CVE-2021-22940: Use after free on close http2 on stream canceling (High)
  • Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940.
• CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
  • If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.

Commits

• [054537cdc2] - deps: update c-ares to 1.17.2 (Beth Griggs) #39724
• [ac544905b6] - deps: reflect c-ares source tree (Beth Griggs) #39653
• [a914b23cbc] - deps: apply missed updates from c-ares 1.17.1 (Beth Griggs) #39653
• [31d5773654] - http2: add tests for cancel event while client is paused reading (Akshay K) #39622
• [a3c33d4ce7] - http2: update handling of rst_stream with error code NGHTTP2_CANCEL (Akshay K) #39622
• [6c7fff6f1d] - tls: validate "rejectUnauthorized: undefined" (Matteo Collina) nodejs-private/node-private#276

2021-08-11, Version 14.17.5 'Fermium' (LTS), @BethGriggs

This is a security release.

Notable Changes

• CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
  • Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
• CVE-2021-22940: Use after free on close http2 on stream canceling (High)
  • Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940.
• CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
  • If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.

Commits

• [4923b59e0b] - deps: update c-ares to 1.17.2 (Beth Griggs) #39724
• [847a4c6a8a] - deps: reflect c-ares source tree (Beth Griggs) #39653
• [33208e2f89] - deps: apply missed updates from c-ares 1.17.1 (Beth Griggs) #39653
• [af5c1af9a4] - http2: add tests for cancel event while client is paused reading (Akshay K) #39622
• [434872e838] - http2: update handling of rst_stream with error code NGHTTP2_CANCEL (Akshay K) #39622
• [35b86110e4] - tls: validate "rejectUnauthorized: undefined" (Matteo Collina) nodejs-private/node-private#276

2021-08-11, Version 12.22.5 'Erbium' (LTS), @BethGriggs

This is a security release.

Notable Changes

• CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
  • Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
• CVE-2021-22940: Use after free on close http2 on stream canceling (High)
  • Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940.
• CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
  • If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.

Commits

• [5f947db68c] - deps: update c-ares to 1.17.2 (Beth Griggs) #39724
• [42695ea34b] - deps: reflect c-ares source tree (Beth Griggs) #39653
• [e4c9156b32] - deps: apply missed updates from c-ares 1.17.1 (Beth Griggs) #39653
• [9cd1f53103] - http2: add tests for cancel event while client is paused reading (Akshay K) #39622
• [2008c9722f] - http2: update handling of rst_stream with error code NGHTTP2_CANCEL (Akshay K) #39622
• [1780bbc329] - tls: validate "rejectUnauthorized: undefined" (Matteo Collina) nodejs-private/node-private#276

2021-08-03, Version 16.6.1 (Current), @targos

Notable Changes

• Updated npm to 7.20.3 (npm team) #39579
• Reverted an ABI-breaking change from V8 9.2 that could impact some native modules (Michaël Zasso) #39624
• Fixed a bug in error handling known to affect at least Webpack and Jest (Guy Bedford) #39593

Commits

• [6c769ccedf] - build: override python executable path on configure (legendecas) #39465
• [cbf6a01c17] - crypto: fix generateKeyPair with encoding 'jwk' (himself65) #39319
• [3091295609] - deps: revert ABI-breaking change from V8 9.2 (Michaël Zasso) #39624
• [06d7b8e8c8] - deps: upgrade npm to 7.20.3 (npm team) #39579
• [7b612fadc2] - doc: fix crypto.hkdf callback derivedKey type (Filip Skokan) #39453
• [7a731efd97] - doc,lib,test: rename HKDF 'key' argument (Tobias Nießen) #39474
• [93bbaa0ce9] - module: fix ERR_REQUIRE_ESM error for null frames (Guy Bedford) #39593
• [e13162de09] - module: refine enrichCJSError (Antoine du Hamel) #39507
• [815fbec6f1] - repl: do not include legacy getter/setter methods in completion (Anna Henningsen) #39576
• [0405c8d3f0] - zlib: avoid converting Uint8Array instances to Buffer (Antoine du Hamel) #39492

2021-07-29, Version 16.6.0 (Current), @BethGriggs

This is a security release.

Notable Changes

Say hello to V8 9.2

The V8 engine is updated to version 9.2.230.21.

It notably introduces the new Array.prototype.at method (also on Typed Arrays and strings):

const array = [1, 2, 3];

console.log(array.at(-1));
// Prints: 3

Contributed by Michaël Zasso - #39470

Other notable changes

• CVE-2021-22930: Use after free on close http2 on stream canceling (High) - #39423
  • Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
• [f93d2ac587] - inspector: mark as stable (Gireesh Punathil) #37748
• [89b4770d5c] - punycode: add pending deprecation (Antoine du Hamel) #38444
• [b67214fe31] - (SEMVER-MINOR) repl: enable --experimental-repl-await /w opt-out (hemanth.hm) #34733

Commits

• [b5248d4000] - async_hooks: emit promise trace events from JS (Stephen Belanger) #39135
• [e18778d409] - async_hooks: eliminate native PromiseHook (Stephen Belanger) #39135
• [90b9bb1a7d] - build: use Node.js 14 in commit-lint.yml (Rich Trott) #39506
• [5182e26f14] - build: reset embedder string to "-node.0" (Michaël Zasso) #39470
• [e1910ef290] - build: fix host_arch_cc() for AIX/IBM i (Richard Lau) #39481
• [ce2011b7a1] - build: update coverage Makefile target comments (Richard Lau) #39365
• [6b055f17b6] - build: run workflows when a PR is ready for review (Michaël Zasso) #39405
• [25f45d5018] - build: update to setup-node@v2 (Rich Trott) #39366
• [a7472576d7] - build: add library_files to gyp variables (himself65) #39293
• [d16d36f1c2] - crypto: support Big(U)Int64Array in getRandomValues (Michaël Zasso) #39443
• [95db54482a] - debugger: validate sec-websocket-accept response header (Chris Opperwall) #39357
• [3751b92fa2] - debugger: rename internal module (Rich Trott) #39378
• [0e5eb8b17d] - deps: restore minimum ICU version to 68 (Michaël Zasso) #39470
• [e8da1f25fb] - (SEMVER-MINOR) deps: make V8 9.2 abi-compatible with 9.0 (Michaël Zasso) #39470
• [a93e6ef777] - deps: V8: backport 5c76da8ddcf8 (Michaël Zasso) #39337
• [d612544199] - deps: V8: cherry-pick 359d44df4cdd (Michaël Zasso) #39337
• [c6ec2b4817] - deps: V8: cherry-pick 3805a698f7b6 (Michaël Zasso) #39337
• [e6b84dfe84] - deps: V8: cherry-pick 56fe020eec0c (Michaël Zasso) #39337
• [2393fae427] - deps: V8: cherry-pick 2b77ca200c56 (Michaël Zasso) #39337
• [c8e7d80475] - deps: V8: cherry-pick 53784bdb8f01 (Michaël Zasso) #39337
• [65062b3e0d] - deps: V8: cherry-pick 7ff6609a5385 (Michaël Zasso) #38990
• [c3efc70df7] - deps: V8: cherry-pick a5cea1bfc38c (Michaël Zasso) #38990
• [201da87bc1] - deps: V8: cherry-pick 986299250e6d (Richard Lau) #38990
• [794ad2e016] - deps: V8: backport 71e8f8bb3c26 (Michaël Zasso) #38990
• [53cc6c8000] - deps: V8: cherry-pick 3d24b3ab8af0 (Michaël Zasso) #38990
• [7f7cb8bfe1] - deps: silence irrelevant V8 warning (Michaël Zasso) #38990
• [16cbd8c8b6] - deps: silence irrelevant V8 warnings (Michaël Zasso) #37587
• [98150e2bc6] - deps: fix V8 build issue with inline methods (Jiawen Geng) #35415
• [3f3e167fea] - deps: make v8.h compatible with VS2015 (Joao Reis) #32116
• [785b8990de] - deps: V8: forward declaration of Rtl*FunctionTable (Refael Ackermann) #32116
• [38cb655f04] - deps: V8: patch register-arm64.h (Refael Ackermann) #32116
• [9082ecef66] - deps: V8: un-cherry-pick bd019bd (Refael Ackermann) #32116
• [6114198717] - (SEMVER-MINOR) deps: update V8 to 9.2.230.21 (Michaël Zasso) #39470
• [89796d0c7f] - deps: bump HdrHistogram_C to 0.11.2 (Matteo Collina) #39462
• [9dd232c42b] - deps: update to cjs-module-lexer@1.2.2 (Guy Bedford) #39402
• [626eb07fda] - deps: extract gtest source files to deps/googletest (legendecas) #39386
• [487c45ffd9] - doc: move lball@redhat.com to emeritus (Lance Ball) #39501
• [5f84f47e13] - doc: update AUTHORS (Rich Trott) #39488
• [1d27ae1514] - doc: update strategic initiative champion (Rich Trott) #39487
• [e552b1a791] - doc: improve node.js+fips instructions (Benjamin Mayr) #39390
• [aa1dfb3111] - doc: simplify unnecessarily specific .mailmap entries (Rich Trott) #39430
• [ae69656c61] - doc: update checkbox label in backporting guide (Darshan Sen) #39420
• [4fd8db687d] - doc: remove _Addenda_ from headers (Rich Trott) #39427
• [cefd2fb1e4] - doc: simplify .mailmap file (Rich Trott) #39418
• [ade2eed9a6] - doc: fix broken internal link in http.md (Rich Trott) #39425
• [5fdfcc069f] - *...

2021-07-29, Version 14.17.4 'Fermium' (LTS), @richardlau

This is a security release.

Notable Changes

• CVE-2021-22930: Use after free on close http2 on stream canceling (High)
  • Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930

This releases also fixes some regressions with internationalization introduced by the ICU updates in Node.js 14.17.0 and 14.17.1.

Commits

• [86477b2b53] - benchmark: output JSON-compatible numbers (Michaël Zasso) #38778
• [f9693cf0a0] - benchmark: fix http elapsed time (Antoine du Hamel) #38743
• [1ab4f81abc] - build: fix building with external builtins (Momtchil Momtchev) #39091
• [a657f250f1] - build: reconfigure when gyp files change on Windows (Joyee Cheung) #39066
• [6962c647d6] - Revert "build: work around bug in MSBuild v16.10.0" (Michaël Zasso) #38977
• [069cf59e56] - build: make build-addons errors fail the build (Richard Lau) #38983
• [d341561ae0] - build: fix commit-queue default branch (Mary Marchini) #38998
• [0736dd833a] - build: don't pass python override to V8 build (Richard Lau) #38969
• [49a000683a] - build: correct Xcode spelling in .gitignore (bl-ue) #38895
• [1ffbe3d5da] - build: remove outdated dont-land-on-v6.x label (Michaël Zasso) #38886
• [7f53a0b349] - build: add lto build to CI (Jiawen Geng) #38567
• [a6f8ba8f0c] - build: allow LTO with Clang 3.9.1+ (Jesse Chan) #38751
• [b5b1d1fb79] - build: replace non-POSIX test -a|o (Issam E. Maghni) #38731
• [fc2b1ec308] - child_process: refactor to use validateBoolean (Qingyu Deng) #38927
• [55ea29eedd] - child_process: retain reference to data with advanced serialization (Anna Henningsen) #38728
• [716ee1531c] - debugger: rename internal library for clarity (Rich Trott) #39080
• [b7ee9d8287] - debugger: use ERR_DEBUGGER_STARTUP_ERROR in _inspect.js (Rich Trott) #39024
• [5d4d23dcf3] - debugger: use error codes in debugger REPL (Rich Trott) #39024
• [a3991d7c18] - debugger: use ERR_DEBUGGER_ERROR in debugger client (Rich Trott) #39024
• [052e1c5385] - debugger: removed unused function argument (Rich Trott) #38850
• [f9a4dcb30c] - debugger: refactor inspect_repl to use primordials (Antoine du Hamel) #38551
• [ad8056659f] - debugger: refactor to use internal modules (Antoine du Hamel) #38550
• [b5724a1984] - debugger: disable only the lint rules required by current file state (Rich Trott) #38529
• [34659f2b7a] - debugger: avoid non-ASCII char in code file (Rich Trott) #38529
• [ae90756582] - debugger: wrap lines longer than 80 chars (Rich Trott) #38529
• [b30ff35a36] - debugger: align message with Node.js standard (Rich Trott) #38400
• [d74d67f207] - debugger: remove unnecessary boilerplate copyright comment (Rich Trott) #38952
• [e58f938ab3] - debugger: enable linter on internal/inspector/inspect_client (Antoine du Hamel) #38417
• [249acd5e69] - debugger: reduce scope of eslint disable comment (Rich Trott) #38946
• [0ef5e088c0] - debugger: revise async iterator usage to comply with lint rules (Rich Trott) #38847
• [79bfb0416b] - debugger: wait for V8 debugger to be enabled (Michaël Zasso) #38811
• [721edeffd3] - debugger: refactor internal/inspector/_inspect to use more primordials (Antoine du Hamel) #38406
• [21ecee1b4b] - debugger: add usage example for --port (Rafael Gonzaga) #38400
• [cde72213d1] - Revert "debugger: rename internal library for clarity" (Antoine du Hamel) #39446
• [4c2b813799] - debugger: rename internal library for clarity (Rich Trott) #39080
• [61da371251] - debugger: apply automatic lint fixes for inspect_repl.js (Rich Trott) #38411
• [8dd1f70fe3] - debugger: apply automatic lint fixes for _inspect.js (Rich Trott) #38411
• [fb0ab4c034] - debugger: removed unused function argument (Rich Trott) #38850
• [9e28c6c946] - debugger: fix race condition/deadlock on initialization (Rich Trott) #38161
• [a8924fa0fb] - debugger: replace internal use of deprecated API (Rich Trott) #38161
• [22afb7cbe6] - debugger: allow longer time to connect (Rich Trott) #38161
• [b172e6f436] - debugger: accommodate line chunking in Windows (Rich Trott) #38161
• [1da692185a] - debugger: fix inspect restart on Windows (Rich Trott) #38161
• [0321c5b194] - debugger: remove unused code (Rich Trott) #38161
• [8bd2a3926a] - debugger: move node-inspect to internal library (Rich Trott) #38161
• [acf5279c39] - deps: upgrade npm to 6.14.14 (Darcy Clarke) #39553
• [4efefe02a8] - deps: V8: backport ae7bfb3f03b3 (Michaël Zasso) #39051
• [5039f21396] - deps: V8: backport 16ffec97e5eb (Michaël Zasso) #39051
• [9b69069f71] - deps: V8: cherry-pick b0a7f5691113 (Michaël Zasso) #39051
• [4213e97d26] - deps: V8: cherry-pick 81181a8ad80a (thomasmichaelwallace) [#39187](#3...