deps: upgrade to npm 2.14.4 #2958
zkat commented Sep 18, 2015
(oops, I pushed the submit button on this before tests finished running, please hold) EDIT: We're all good now. :)
thefourtheye commented Sep 18, 2015
Rubber stamp LGTM
rvagg commented Sep 19, 2015
@zkat re npm@3, you might want to prime Rebecca on this, but we should be able to start accepting npm@3 pull requests to I'm making an assumption here that there would be no objections amongst @nodejs/collaborators to jumping to npm@3 for v5+ (collaborators: pipe up in here if you think this might not be a good idea). Also, [email protected] would be good on top of this, unfortunately (sorry), it's got 2 fixes that are fairly important. Thanks!
Fishrock123 commented Sep 19, 2015
+1 for npm@3 in
zkat commented Sep 19, 2015
Added
PR-URL: #2958 Reviewed-By: Sakthipriyan Vairamani <[email protected]> Reviewed-By: Jeremiah Senkpiel <[email protected]>
Fishrock123 commented Sep 20, 2015
Thanks, landed in 61d48b4...2c09a53 :)
zkat commented Sep 20, 2015
Thanks, Jeremiah! :D
Notable changes

* buffer: Fixed a bug introduced in v4.1.0 where allocating a new zero-length buffer can result in the next allocation of a TypedArray in JavaScript not being zero-filled. In certain circumstances this could result in data leakage via reuse of memory space in TypedArrays, breaking the normally safe assumption that TypedArrays should be always zero-filled. (Trevor Norris) #2931.
* http: Guard against response-splitting of HTTP trailing headers added via response.addTrailers() by removing new-line ([\r\n]) characters from values. Note that standard header values are already stripped of new-line characters. The expected security impact is low because trailing headers are rarely used. (Ben Noordhuis) #2945.
* npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full details (Kat Marchán) #2958
  - Upgrades graceful-fs on multiple dependencies to no longer rely on monkey-patching fs
  - Fix npm link for pre-release / RC builds of Node
* v8: Update post-mortem metadata to allow post-mortem debugging tools to find and inspect:
  - JavaScript objects that use dictionary properties (Julien Gilli) #2959
  - ScopeInfo and thus closures (Julien Gilli) #2974

PR-URL: #2995
iarna commented Sep 24, 2015
@rvagg FYI: Because of npm/npm#9695, I won't be making a pull request to bring in npm@3 till 3.3.5, when that patch is
rvagg commented Sep 24, 2015
@iarna as per #3000 there's no great rush just yet, we're going to have v4 be LTS soon but you probably have until the next V8 stable before we ship v5 which could be as late as mid-October or later. Will keep you informed of progress though and if we have to punt to v6 then that's fine too because v5 won't end up as LTS anyway.
Heyo!
This release is the first one to officially include node-gyp (@3.0.1), so it shouldn't need any hotfixes cherry-picked over! Otherwise, I can add a commit to this that bumps it to @3.0.3 (which will come in with next week's downstreaming anyway).

This also includes most of @thefourtheye's graceful-fs upgrades, a Windows fix for npm link, and a removal of our only usage of a deprecated API (process.binding).

You can see the full release notes at https://github.com/npm/npm/releases/tag/v2.14.4

lmk if you want that node-gyp patch added to this PR!

Also note that we finally released npm@3 this week (as you may have heard), but I'll continue to submit npm@2 release PRs -- you can expect a potential slowing, though, since we're also switching to LTS more with npm@2, so it won't see very much in terms of new features and such.

Cheers!