Welcome to this week’s wrap up of the week in Node and libuv covering March 21-27. The purpose of this blog is to recap a subset of the non-documentation related commits to the master branch of Node.js, plus give a little color and commentary to the ongoing development of Node.
npm’s missing callback fix
There was bug in process#send() and child_process.ChildProcess#send() that got fixed this week. Messages between the processes were getting corrupted when:
- They contained non-ASCII (v0.10 only), or
- The message could not be read/written atomically and was split inside a UTF-8 character sequence (something of an edge case but affected both v0.8 and v0.10).
See also: https://github.com/joyent/node/pull/5016
Another bug that was tackled was one that when sending over handles (e.g. net.Socket
objects), sometimes the same handle would be emitted two or even three times. People don’t generally use that part of the API directly so it’s unlikely to have affected anyone. Ben only discovered it in the process of hunting down some other bug.
An update to crypto.getCiphers()
crypto.getCiphers() got updated to return normal ciphers instead of SSL/TLS ciphers (so it’s more inline with what crypto.getHashes() does) and Ben added tls.getCiphers() which returns the SSL/TLS ciphers. Compare:
$ node -p 'require("crypto").getCiphers().slice(1, 4)'
[ 'aes-128-cbc', 'aes-128-cbc-hmac-sha1', 'aes-128-cfb' ]
$ node -p 'require("tls").getCiphers().slice(1, 4)'
[ 'aes128-sha', 'aes128-sha256', 'aes256-gcm-sha384' ]
Security fix CVE-2013-2632 was a back-port from upstream V8 commits. This is unlikely to affect Node users unless they’re in the habit of running untrusted, arbitrary JS code.
Ben fixed a timer bug in libuv, but it might also need to get fixed in uv-win. Alexey added an additional safeguard to the fix so that Timers specified with a timeout of 1ms now won’t fire any earlier. There was a signed int32 overflow assertion bug that Fedor fixed as well.
There was a performance regression in V8 3.17, that has been fixed to some extent in upstream V8, but it will take some time to trickle into Node master. v0.10 is not affected because we stuck with V8 3.14 exactly for this reason.
Sub-second stat resolution
While libuv supports reporting subsecond stat resolution across platforms, to actually get that resolution your platform and filesystem must support it (not HFS, ext and FAT) otherwise the nsecs are 0.
libuv 0.10.2 (Stable) is out!
The first officially versioned release of libuv is out now and will begin releasing independently of the Node releases. libuv.org is pretty barebones, any web designers want to show it some love?
Update: Node v0.10.2 is out – here’s the official release blog.
This week’s commits to Node master
- src: write ascii strings using WriteOneByte
- timers: handle signed int32 overflow in enroll()
- stream: Fix stall in Transform under very specific conditions
- crypto: check randomBytes() size argument
- v8: Unify kMaxArguments with number of bits used to encode it.
- tls: remove harmful unnecessary bounds checking
- deps: upgrade libuv to eca008a
- fs: uv_[fl]stat now reports subsecond resolution
- timer: fix off-by-one ms error
- tools: update gyp to r1601
- stream: Fix early end in Writables on zero-length writes
- deps: fix openssl build on windows
- bench: add child process read perf benchmark
- child_process: fix sending utf-8 to child process
- crypto: make getCiphers() return non-SSL ciphers
- child_process: don’t emit same handle twice
- test: test name is the last elem, not second
- tls: expose SSL_CTX_set_timeout via tls.createServer
- buffer: remove _charsWritten
- test: Use ‘close’ event in simple/test-repl-timeout-throw
- openssl: make sed tool configurable
You can view the complete Node commit history on GitHub.
This week’s blogs, tutorials, how-tos and news:
- Node Roundup: wish, Vow, shell-jobs via DailyJS
- The Node.js Weekly March 22, 2013 by @seyhunak
- What’s in the upcoming Node v0.12 release? Six new features, plus new and breaking APIs.
- Ready to develop APIs in Node.js and get them connected to your data? Check out the Node.js LoopBack framework. We’ve made it easy to get started either locally or on your favorite cloud, with a simple npm install.
- Need for Node? Learn more about both the private and open options StrongLoop offers.