This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ for details on patched vulnerabilities.
A New LTS Release Line
v6.9.0 marks the transition of Node.js v6 into Long Term Support (LTS) with the codename "Boron". The v6 release line now moves in to "Active LTS" and will remain so until April 2018. After that time it will move in to "Maintenance" until end of life in April 2019.
Some highlights for users migrating from Node.js v4 LTS "Argon" to Node.js v6 LTS "Boron":
The Buffer() constructor has been deprecated in the documentation in favour of the new Buffer.from(), Buffer.alloc() and Buffer.allocUnsafe() for security and safety. See the Buffer documentation for full details. As a documentation-only deprecation there will be no warnings printed to standard error; this is the first phase in a long deprecation cycle.
Support has been dropped for Windows Vista and earlier and macOS 10.7 and earlier.
Many warning messages and error messages have been cleaned up and made more consistent.
The --prof-process command line argument can be used to process output files created when using the V8 --prof command line argument.
A new EventEmitter#eventNames() method can be used to list all events currently being listened to on an EventEmitter.
fs.mkdtemp() is a fast and safe way to make a unique temporary directory using operating system primitives.
process.cpuUsage() will allow insight into CPU resources being consumed by the current process.
Very large arrays are now truncated when passed through util.inspect(); this also applies to console.log() and friends.
When a native Promise incurs a rejection but there is no handler to receive it, a warning will be printed to standard error.
A new experimental debugging protocol can be activated with the --inspect command line argument. This uses the "v8_inspector" protocol and can be consumed directly by Chrome DevTools, Visual Studio Code and others.
While there are some breaking API changes appearing in both v5.0.0 and v6.0.0, they are relatively minor and should not have significant impact on most users.
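An added example, not taken from the Node.js release notes, of migrating code away from the deprecated Buffer() constructor as described in the highlights above. The helper names (decodeField, zeroedRecord, joinChunks, demo) and the sample input are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical helper: decode a field from untrusted JSON into bytes.
// With the deprecated constructor, `new Buffer(value)` allocates `value`
// bytes when a number arrives instead of a string, and on v6 that memory
// is not zero-filled. Buffer.from() rejects numbers; we also check here.
function decodeField(value, encoding) {
  if (typeof value !== 'string') {
    throw new TypeError('expected a string, got ' + typeof value);
  }
  return Buffer.from(value, encoding || 'utf8');
}

// Buffer.alloc() replaces `new Buffer(size)` and always zero-fills.
function zeroedRecord(size) {
  if (!Number.isInteger(size) || size < 0 || size > 64 * 1024) {
    throw new RangeError('size out of range');
  }
  return Buffer.alloc(size);
}

// Buffer.allocUnsafe() skips the zero-fill, so use it only when every
// byte is overwritten before the buffer leaves the function.
function joinChunks(chunks) {
  const total = chunks.reduce((n, c) => n + c.length, 0);
  const out = Buffer.allocUnsafe(total);
  let offset = 0;
  for (const chunk of chunks) {
    offset += chunk.copy(out, offset);
  }
  return out; // offset === total, so no uninitialized bytes remain
}

// Constructed sample input: a number is sent where text is expected.
function demo() {
  const results = {};
  try {
    decodeField(JSON.parse('{"name": 4096}').name);
    results.numberAccepted = true;
  } catch (err) {
    results.numberAccepted = false;
  }
  results.text = decodeField('Ym9yb24=', 'base64').toString();
  results.zeroed = zeroedRecord(16).every((b) => b === 0);
  results.joined = joinChunks([Buffer.from('v6'), Buffer.from('.9.0')]).toString();
  return results;
}

console.log(demo());
```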
The spread operator for arrays and function calls
Default function parameters
It's time to start planning your migration from Node.js v4 LTS "Argon" to Node.js v6 "Boron". Argon remains in Active LTS until April, 2017 and then moves in to Maintenance until April 2018 when support will cease. These details and more can be found in the Node.js LTS plan, located at https://github.com/nodejs/LTS.
If you would like help with Node.js, please open an issue at https://github.com/nodejs/help
If you would like to report a bug with Node.js, please open an issue at https://github.com/nodejs/node
Node.js v6.9.0 LTS "Boron"
crypto: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a configuration file load attempt may allow an attacker to load compromised OpenSSL configuration into a Node.js process if they are able to place a file in a default location. (Fedor Indutny, Rod Vagg)
node: Introduce the process.release.lts property, set to "Boron". This value is "Argon" for v4 LTS releases and undefined for all other releases. (Rod Vagg)
v8_inspector: Generate a UUID for each execution of the inspector. This provides additional security to prevent unauthorized clients from connecting to the Node.js process via the v8_inspector port when running with --inspect. Since the debugging protocol allows extensive access to the internals of a running process, and the execution of arbitrary code, it is important to limit connections to authorized tools only. Vulnerability originally reported by Jann Horn. (Eugene Ostroukhov)
[ 99e4eee8ef ] - build: do not define ZLIB_CONST (Bradley T. Hughes) #9122