chore(deps): update node.js to v12.9.1

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
node		minor	12.7.0 -> 12.9.1
node	engines	minor	12.7.0 -> 12.9.1

---

Release Notes

nodejs/node

v12.9.1

Compare Source

Notable changes

This release fixes two regressions in the http module:

• Fixes an event listener leak in the HTTP client. This resulted in lots of
  warnings during npm/yarn installs (Robert Nagy) #​29245.
• Fixes a regression preventing the 'end' event from being emitted for
  keepalive requests in case the full body was not parsed (Matteo Collina) #​29263.

Commits

• [3cc8fca299] - crypto: handle i2d_SSL_SESSION() error return (Ben Noordhuis) #​29225
• [ae0a0e97ba] - http: reset parser.incoming when server request is finished (Anna Henningsen) #​29297
• [dedbd119c5] - http: fix event listener leak (Robert Nagy) #​29245
• [f8f8754d43] - Revert "http: reset parser.incoming when server response is finished" (Matteo Collina) #​29263
• [a6abfcb423] - src: remove unused using declarations (Daniel Bevenius) #​29222
• [ff6330a6ac] - test: fix 'timeout' typos (cjihrig) #​29234
• [3c7a1a9090] - test, http: add regression test for keepalive 'end' event (Matteo Collina) #​29263

v12.9.0

Compare Source

Notable changes

• crypto:
  • Added an oaepHash option to asymmetric encryption which allows users to specify a hash function when using OAEP padding (Tobias Nießen) #​28335.
• deps:
  • Updated V8 to 7.6.303.29 (Michaël Zasso) #​28955.
    • Improves the performance of various APIs such as JSON.parse and methods
      called on frozen arrays.
    • Adds the Promise.allSettled method.
    • Improves support of BigInt in Intl methods.
    • For more information: https://v8.dev/blog/v8-release-76
  • Updated libuv to 1.31.0 (cjihrig) #​29070.
    • UV_FS_O_FILEMAP has been added for faster access to memory mapped files on Windows.
    • uv_fs_mkdir() now returns UV_EINVAL for invalid filenames on Windows. It previously returned UV_ENOENT.
    • The uv_fs_statfs() API has been added.
    • The uv_os_environ() and uv_os_free_environ() APIs have been added.
• fs:
  • Added fs.writev, fs.writevSync and filehandle.writev (promise version) methods. They allow to write an array of ArrayBufferViews to a file descriptor (Anas Aboureada) #​25925, (cjihrig) #​29186.
• http:
  • Added three properties to OutgoingMessage.prototype: writableObjectMode, writableLength and writableHighWaterMark #​29018.
• stream:
  • Added an new property readableEnded to readable streams. Its value is set to true when the 'end' event is emitted. (Robert Nagy) #​28814.
  • Added an new property writableEnded to writable streams. Its value is set to true after writable.end() has been called. (Robert Nagy) #​28934.

Commits

• [5008b46159] - benchmark: allow easy passing of process flags (Brian White) #​28986
• [9057814206] - buffer: improve copy() performance (Brian White) #​29066
• [c7a4525bbe] - buffer: improve ERR_BUFFER_OUT_OF_BOUNDS default (cjihrig) #​29098
• [f42eb01d1d] - build: enable linux large pages LLVM lld linkage support (David Carlier) #​28938
• [5c5ef4e858] - build: remove unused option (Rich Trott) #​29173
• [fbe25c7fb7] - build: remove unnecessary Python semicolon (MattIPv4) #​29170
• [e51f924964] - build: add a testclean target (Daniel Bevenius) #​29094
• [0a63e2d9ff] - build: support py3 for configure.py (cclauss) #​29106
• [b04f9e1f57] - build: reset embedder string to "-node.0" (Michaël Zasso) #​28955
• [b085b94fce] - console: minor timeLogImpl() refactor (cjihrig) #​29100
• [54197eac4d] - (SEMVER-MINOR) crypto: extend RSA-OAEP support with oaepHash (Tobias Nießen) #​28335
• [a17d398989] - deps: V8: cherry-pick e3d7f8a (cclauss) #​29105
• [2c91c65961] - deps: upgrade to libuv 1.31.0 (cjihrig) #​29070
• [53c7fac310] - deps: patch V8 to be API/ABI compatible with 7.4 (from 7.6) (Michaël Zasso) #​28955
• [7b8eb83895] - (SEMVER-MINOR) deps: patch V8 to be API/ABI compatible with 7.4 (from 7.5) (Michaël Zasso) #​28005
• [7d411f47b2] - deps: V8: backport b33af60 (Gus Caplan) #​28671
• [492b7cb8c3] - (SEMVER-MINOR) deps: V8: cherry-pick d2ccc59 (Michaël Zasso) #​28016
• [945955ff86] - deps: cherry-pick 13a04ab from V8 upstream (Jon Kunkee) #​28602
• [9b3c115efb] - (SEMVER-MINOR) deps: V8: cherry-pick 3b8c624 (Michaël Zasso) #​28016
• [533b2d4a08] - (SEMVER-MINOR) deps: V8: fix linking issue for MSVS (Refael Ackermann) #​28016
• [c9f8d28f71] - (SEMVER-MINOR) deps: V8: fix BUILDING_V8_SHARED issues (Refael Ackermann) #​27375
• [f24caeff2f] - (SEMVER-MINOR) deps: V8: add workaround for MSVC optimizer bug (Refael Ackermann) #​28016
• [94c8d068f8] - (SEMVER-MINOR) deps: V8: use ATOMIC_VAR_INIT instead of std::atomic_init (Refael Ackermann) #​27375
• [d940403c20] - (SEMVER-MINOR) deps: V8: forward declaration of Rtl\*FunctionTable (Refael Ackermann) #​27375
• [ac0c075cad] - (SEMVER-MINOR) deps: V8: patch register-arm64.h (Refael Ackermann) #​27375
• [eefbc0773f] - (SEMVER-MINOR) deps: V8: update postmortem metadata generation script (cjihrig) #​28016
• [33f3e383da] - (SEMVER-MINOR) deps: V8: silence irrelevant warning (Michaël Zasso) #​26685
• [434c127651] - (SEMVER-MINOR) deps: V8: un-cherry-pick bd019bd (Refael Ackermann) #​26685
• [040e7dabe4] - (SEMVER-MINOR) deps: V8: fix filename manipulation for Windows (Refael Ackermann) #​28016
• [cfe2484e04] - deps: update V8 to 7.6.303.29 (Michaël Zasso) #​28955
• [6f7b561295] - dns: update lookupService() first arg name (cjihrig) #​29040
• [ad28f555a1] - doc: improve example single-test command (David Guttman) #​29171
• [edbe38d52d] - doc: mention N-API as recommended approach (Michael Dawson) #​28922
• [ebfe6367f0] - doc: fix introduced_in note in querystring.md (Ben Noordhuis) #​29014
• [9ead4eceeb] - doc: note that stream error can close stream (Robert Nagy) #​29082
• [5ea9237d2b] - doc: clarify async iterator leak (Robert Nagy) #​28997
• [1b6d7c0d00] - doc: fix nits in child_process.md (Vse Mozhet Byt) #​29024
• [375d1ee58b] - doc: improve UV_THREADPOOL_SIZE description (Tobias Nießen) #​29033
• [7b7b8f21cb] - doc: documented default statusCode (Natalie Fearnley) #​28982
• [17d9495afa] - doc: make unshift doc compliant with push doc (EduardoRFS) #​28953
• [3bfca0b7e4] - doc, lib, src, test, tools: fix assorted typos (XhmikosR) #​29075
• [b7696b41e5] - events: give subclass name in unhandled 'error' message (Anna Henningsen) #​28952
• [d79d142e0c] - fs: use fs.writev() internally (Robert Nagy) #​29189
• [82eeadb216] - fs: use consistent buffer array validation (cjihrig) #​29186
• [81f3eb5bb1] - fs: add writev() promises version (cjihrig) #​29186
• [435683610b] - fs: validate writev fds consistently (cjihrig) #​29185
• [bb19d8212a] - (SEMVER-MINOR) fs: add fs.writev() which exposes syscall writev() (Anas Aboureada) #​25925
• [178caa56ae] - fs: add default options for *stat() (Tony Brix) #​29114
• [f194626ffb] - fs: validate fds as int32s (cjihrig) #​28984
• [c5edeb9776] - http: simplify drain() (Robert Nagy) #​29081
• [6b9e372198] - http: follow symbol naming convention (Robert Nagy) #​29091
• [2e5008848e] - http: remove redundant condition (Luigi Pinca) #​29078
• [13a497912d] - http: remove duplicate check (Robert Nagy) #​29022
• [16e001112c] - (SEMVER-MINOR) http: add missing stream-like properties to OutgoingMessage (Robert Nagy) #​29018
• [c396b2a5b2] - http: buffer writes even while no socket assigned (Robert Nagy) #​29019
• [f9b61d2bc7] - (SEMVER-MINOR) http,stream: add writableEnded (Robert Nagy) #​28934
• [964dff8a9e] - http2: remove unused FlushData() function (Anna Henningsen) #​29145
• [66249bbcad] - inspector: use const for contextGroupId (gengjiawen) #​29076
• [cb162298eb] - module: pkg exports validations and fallbacks (Guy Bedford) #​28949
• [491b46d605] - module: refine package name validation (Guy Bedford) #​28965
• [925e40cfa7] - module: add warning when import,export is detected in CJS context (Giorgos Ntemiris) #​28950
• [17319e7f44] - net: use callback to properly propagate error (Robert Nagy) #​29178
• [7f11c72cc5] - readline: close dumb terminals on Control+D (cjihrig) #​29149
• [3c346b8bad] - readline: close dumb terminals on Control+C (cjihrig) #​29149
• [e474c6776c] - (SEMVER-MINOR) readline: establish y in cursorTo as optional (Gerhard Stoebich) #​29128
• [2528dee674] - report: list envvars using uv_os_environ() (cjihrig) #​28963
• [a6b9299039] - src: rename --security-reverts to ...-revert (Sam Roberts) #​29153
• [62a0e91d8c] - src: simplify UnionBytes (Ben Noordhuis) #​29116
• [b2936cff5d] - src: organize imports in inspector_profiler.cc (pi1024e) #​29073
• [a9f8b62b47] - (SEMVER-MINOR) stream: add readableEnded (Robert Nagy) #​28814
• [1e3e6da9b9] - stream: simplify howMuchToRead() (Robert Nagy) #​29155
• [e2a2a3f4dd] - stream: use lazy registration for drain for fast destinations (Robert Nagy) #​29095
• [2a844599db] - stream: improve read() performance further (Brian White) #​29077
• [e543d35f35] - stream: inline and simplify onwritedrain (Robert Nagy) #​29037
• [6bc4620d8b] - stream: improve read() performance more (Brian White) #​28989
• [647f3a8d01] - stream: encapsulate buffer-list (Robert Nagy) #​28974
• [000999c06c] - stream: improve read() performance (Brian White) #​28961
• [6bafd35369] - test: deflake test-tls-passphrase (Luigi Pinca) #​29134
• [aff1ef9d27] - test: add required settings to test-benchmark-buffer (Rich Trott) #​29163
• [18b711366a] - test: make exported method static (Rainer Poisel) #​29102
• [0aa339e5e1] - test: skip test-fs-access if root (Daniel Bevenius) #​29092
• [e3b1243ea2] - test: unskip tests that now pass on AIX (Sam Roberts) #​29054
• [f9ed5f351b] - test: assert: add failing deepEqual test for faked boxed primitives (Jordan Harband) #​29029
• [43e444b07a] - test: refactor test-sync-io-option (Anna Henningsen) #​29020
• [82edebfebf] - (SEMVER-MINOR) test: add test for OAEP hash mismatch (Tobias Nießen) #​28335
• [f08f154fd6] - (SEMVER-MINOR) test: update postmortem metadata test for V8 7.6 (cjihrig) #​28016
• [5b892c44d6] - tls: allow client-side sockets to be half-opened (Luigi Pinca) #​27836
• [c4f6077994] - tools: make code cache and snapshot deterministic (Ben Noordhuis) #​29142
• [acdc21b832] - tools: make pty_helper.py python3-compatible (Ben Noordhuis) #​29167
• [31c50e5c17] - tools: make nodedownload.py Python 3 compatible (cclauss) #​29104
• [1011a1792c] - tools: allow single JS file for --link-module (Daniel Bevenius) #​28443
• [4d7a7957fc] - (SEMVER-MINOR) tools: sync gypfiles with V8 7.6 (Michaël Zasso) #​28016
• [a4e2549b87] - util: improve debuglog performance (Brian White) #​28956
• [112ec73c95] - util: isEqualBoxedPrimitive: ensure both values are actual boxed Symbols (Jordan Harband) #​29029
• [8426077898] - util: assert: fix deepEqual comparing fake-boxed to real boxed primitive (Jordan Harband) #​29029
• [d4e397a900] - worker: fix crash when SharedArrayBuffer outlives creating thread (Anna Henningsen) #​29190

v12.8.1

Compare Source

Notable changes

This is a security release.

Node.js, as well as many other implementations of HTTP/2, have been found
vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

• CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
• CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
• CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
• CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
• CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
• CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

Commits

• [bfeb5fc07f] - deps: update nghttp2 to 1.39.2 (Anna Henningsen) #​29122
• [08021fac59] - http2: allow security revert for Ping/Settings Flood (Anna Henningsen) #​29122
• [bbb4769cc1] - http2: pause input processing if sending output (Anna Henningsen) #​29122
• [f64515b05e] - http2: stop reading from socket if writes are in progress (Anna Henningsen) #​29122
• [ba332df5d2] - http2: consider 0-length non-end DATA frames an error (Anna Henningsen) #​29122
• [23b0db58ca] - http2: shrink default vector::reserve() allocations (Anna Henningsen) #​29122
• [4f10ac3623] - http2: handle 0-length headers better (Anna Henningsen) #​29122
• [a21a1c007b] - http2: limit number of invalid incoming frames (Anna Henningsen) #​29122
• [4570ed10d7] - http2: limit number of rejected stream openings (Anna Henningsen) #​29122
• [88726f2384] - http2: do not create ArrayBuffers when no DATA received (Anna Henningsen) #​29122
• [530004ef32] - http2: only call into JS when necessary for session events (Anna Henningsen) #​29122
• [58d8c9ef48] - http2: improve JS-side debug logging (Anna Henningsen) #​29122

---

Renovate configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot. View repository job log here.