nodejs
diff --git a/‎AUTHORS
Lines changed: 4 additions & 0 deletions b/‎AUTHORS
Lines changed: 4 additions & 0 deletions
diff --git a/‎CHANGELOG.md
Lines changed: 4 additions & 2 deletions b/‎CHANGELOG.md
Lines changed: 4 additions & 2 deletions
diff --git a/‎README.md
Lines changed: 4 additions & 2 deletions b/‎README.md
Lines changed: 4 additions & 2 deletions
diff --git a/‎SECURITY.md
Lines changed: 21 additions & 6 deletions b/‎SECURITY.md
Lines changed: 21 additions & 6 deletions
diff --git a/‎benchmark/.eslintrc.yaml
Lines changed: 16 additions & 7 deletions b/‎benchmark/.eslintrc.yaml
Lines changed: 16 additions & 7 deletions
diff --git a/‎benchmark/_http-benchmarkers.js
Lines changed: 2 additions & 2 deletions b/‎benchmark/_http-benchmarkers.js
Lines changed: 2 additions & 2 deletions
diff --git a/‎benchmark/assert/deepequal-map.js
Lines changed: 2 additions & 2 deletions b/‎benchmark/assert/deepequal-map.js
Lines changed: 2 additions & 2 deletions
diff --git a/‎benchmark/async_hooks/async-local-storage-getstore-nested-resources.js
Lines changed: 46 additions & 0 deletions b/‎benchmark/async_hooks/async-local-storage-getstore-nested-resources.js
Lines changed: 46 additions & 0 deletions
diff --git a/‎benchmark/async_hooks/async-local-storage-getstore-nested-run.js
Lines changed: 46 additions & 0 deletions b/‎benchmark/async_hooks/async-local-storage-getstore-nested-run.js
Lines changed: 46 additions & 0 deletions
diff --git a/‎benchmark/async_hooks/async-local-storage-propagate-asyncresource.js
Lines changed: 46 additions & 0 deletions b/‎benchmark/async_hooks/async-local-storage-propagate-asyncresource.js
Lines changed: 46 additions & 0 deletions
@@ -3601,5 +3601,9 @@ Mordy Tikotzky <[email protected]>
 vitpavlenko <[email protected]>
 Tim Gerk <[email protected]>
 Suyash Nayan <[email protected]>
+0xflotus <[email protected]>
+Alec Mev <[email protected]>
+Miguel Teixeira <[email protected]>
+José Dapena Paz <[email protected]>
 
 # Generated by tools/update-authors.mjs
@@ -35,7 +35,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V19.md#19.5.0">19.5.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V19.md#19.6.0">19.6.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V19.md#19.5.0">19.5.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V19.md#19.4.0">19.4.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V19.md#19.3.0">19.3.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V19.md#19.2.0">19.2.0</a><br/>
@@ -44,7 +45,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V19.md#19.0.0">19.0.0</a><br/>
   </td>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V18.md#18.13.0">18.13.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V18.md#18.14.0">18.14.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V18.md#18.13.0">18.13.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V18.md#18.12.1">18.12.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V18.md#18.12.0">18.12.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V18.md#18.11.0">18.11.0</a><br/>
 
@@ -316,6 +316,8 @@ For information about the governance of the Node.js project, see
   **Daniel Bevenius** <<[email protected]>> (he/him)
 * [danielleadams](https://github.com/danielleadams) -
   **Danielle Adams** <<[email protected]>> (she/her)
+* [deokjinkim](https://github.com/deokjinkim) -
+  **Deokjin Kim** <<[email protected]>> (he/him)
 * [devnexen](https://github.com/devnexen) -
   **David Carlier** <<[email protected]>>
 * [devsnek](https://github.com/devsnek) -
@@ -346,8 +348,6 @@ For information about the governance of the Node.js project, see
   **Zeyu "Alex" Yang** <<[email protected]>> (he/him)
 * [iansu](https://github.com/iansu) -
   **Ian Sutherland** <<[email protected]>>
-* [indutny](https://github.com/indutny) -
-  **Fedor Indutny** <<[email protected]>>
 * [JacksonTian](https://github.com/JacksonTian) -
   **Jackson Tian** <<[email protected]>>
 * [JakobJingleheimer](https://github.com/JakobJingleheimer) -
@@ -534,6 +534,8 @@ For information about the governance of the Node.js project, see
   **Imran Iqbal** <<[email protected]>>
 * [imyller](https://github.com/imyller) -
   **Ilkka Myller** <<[email protected]>>
+* [indutny](https://github.com/indutny) -
+  **Fedor Indutny** <<[email protected]>>
 * [isaacs](https://github.com/isaacs) -
   **Isaac Z. Schlueter** <<[email protected]>>
 * [italoacasas](https://github.com/italoacasas) -
 
@@ -82,14 +82,22 @@ Vulnerabilities related to this case may be fixed by a documentation update.
 
 **Node.js does NOT trust**:
 
-1. The data from network connections that are created through the use of Node.js
-   APIs and which is transformed/validated by Node.js before being passed to the
-   application. This includes:
-   * HTTP APIs (all flavors) client and server APIs.
+1. Data received from the remote end of inbound network connections
+   that are accepted through the use of Node.js APIs and
+   which is transformed/validated by Node.js before being passed
+   to the application. This includes:
+   * HTTP APIs (all flavors) server APIs.
+2. The data received from the remote end of outbound network connections
+   that are created through the use of Node.js APIs and
+   which is transformed/validated by Node.js before being passed
+   to the application EXCEPT in respect to payload length. Node.js trusts
+   that applications make connections/requests which will avoid payload
+   sizes that will result in a Denial of Service.
+   * HTTP APIs (all flavors) client APIs.
    * DNS APIs.
-2. Consumers of data protected through the use of Node.js APIs (for example
+3. Consumers of data protected through the use of Node.js APIs (for example
    people who have access to data encrypted through the Node.js crypto APIs).
-3. The file content or other I/O that is opened for reading or writing by the
+4. The file content or other I/O that is opened for reading or writing by the
    use of Node.js APIs (ex: stdin, stdout, stderr).
 
 In other words, if the data passing through Node.js to/from the application
@@ -181,6 +189,13 @@ the community they pose.
   no scenario that requires modification of that configuration file is
   considered a vulnerability.
 
+#### Uncontrolled Resource Consumption (CWE-400) on outbound connections
+
+* If Node.js is asked to connect to a remote site and return an
+  artifact, it is not considered a vulnerability if the size of
+  that artifact is large enough to impact performance and or
+  cause the runtime to run out of resources.
+
 ## Receiving security updates
 
 Security notifications will be distributed via the following methods.
 
@@ -5,11 +5,20 @@ env:
   es6: true
 
 rules:
-  comma-dangle: [error, {
-    arrays: always-multiline,
-    exports: always-multiline,
-    functions: only-multiline,
-    imports: always-multiline,
-    objects: only-multiline,
-  }]
   prefer-arrow-callback: error
+
+overrides:
+  - files:
+      - crypto/*.js
+      - http/*.js
+      - http2/*.js
+      - path/*.js
+      - url/*.js
+    rules:
+      comma-dangle: [error, {
+        arrays: always-multiline,
+        exports: always-multiline,
+        functions: only-multiline,
+        imports: always-multiline,
+        objects: only-multiline,
+      }]
@@ -106,7 +106,7 @@ class TestDoubleBenchmarker {
     const scheme = options.scheme || 'http';
     const env = {
       test_url: `${scheme}://127.0.0.1:${options.port}${options.path}`,
-      ...process.env
+      ...process.env,
     };
 
     const child = child_process.fork(this.executable,
@@ -203,7 +203,7 @@ exports.run = function(options, callback) {
     connections: 100,
     duration: 5,
     benchmarker: exports.default_http_benchmarker,
-    ...options
+    ...options,
   };
   if (!options.benchmarker) {
     callback(new Error('Could not locate required http benchmarker. See ' +
 
@@ -46,7 +46,7 @@ function main({ n, len, method, strict }) {
     }
     case 'deepEqual_mixed': {
       const values = array.map(
-        (_, i) => [i % 2 ? [`str_${i}`, 1] : `str_${i}`, 123]
+        (_, i) => [i % 2 ? [`str_${i}`, 1] : `str_${i}`, 123],
       );
       benchmark(strict ? deepStrictEqual : deepEqual, n, values);
       break;
@@ -67,7 +67,7 @@ function main({ n, len, method, strict }) {
     }
     case 'notDeepEqual_mixed': {
       const values = array.map(
-        (_, i) => [i % 2 ? [`str_${i}`, 1] : `str_${i}`, 123]
+        (_, i) => [i % 2 ? [`str_${i}`, 1] : `str_${i}`, 123],
       );
       const values2 = values.slice(0);
       values2[0] = ['w00t', 123];
 
@@ -0,0 +1,46 @@
+'use strict';
+const common = require('../common.js');
+const { AsyncLocalStorage, AsyncResource } = require('async_hooks');
+
+/**
+ * This benchmark verifies the performance of
+ * `AsyncLocalStorage.getStore()` on propagation through async
+ * resource scopes.
+ *
+ * - AsyncLocalStorage.run()
+ *  - AsyncResource.runInAsyncScope
+ *    - AsyncResource.runInAsyncScope
+ *      ...
+ *        - AsyncResource.runInAsyncScope
+ *          - AsyncLocalStorage.getStore()
+ */
+const bench = common.createBenchmark(main, {
+  resourceCount: [10, 100, 1000],
+  n: [1e4],
+});
+
+function runBenchmark(store, n) {
+  for (let i = 0; i < n; i++) {
+    store.getStore();
+  }
+}
+
+function runInAsyncScopes(resourceCount, cb, i = 0) {
+  if (i === resourceCount) {
+    cb();
+  } else {
+    const resource = new AsyncResource('noop');
+    resource.runInAsyncScope(() => {
+      runInAsyncScopes(resourceCount, cb, i + 1);
+    });
+  }
+}
+
+function main({ n, resourceCount }) {
+  const store = new AsyncLocalStorage();
+  runInAsyncScopes(resourceCount, () => {
+    bench.start();
+    runBenchmark(store, n);
+    bench.end(n);
+  });
+}
@@ -0,0 +1,46 @@
+'use strict';
+const common = require('../common.js');
+const { AsyncLocalStorage } = require('async_hooks');
+
+/**
+ * This benchmark verifies the performance of
+ * `AsyncLocalStorage.getStore()` on multiple `AsyncLocalStorage` instances
+ * nested `AsyncLocalStorage.run()`s.
+ *
+ * - AsyncLocalStorage1.run()
+ *   - AsyncLocalStorage2.run()
+ *    ...
+ *      - AsyncLocalStorageN.run()
+ *        - AsyncLocalStorage1.getStore()
+ */
+const bench = common.createBenchmark(main, {
+  sotrageCount: [1, 10, 100],
+  n: [1e4],
+});
+
+function runBenchmark(store, n) {
+  for (let idx = 0; idx < n; idx++) {
+    store.getStore();
+  }
+}
+
+function runStores(stores, value, cb, idx = 0) {
+  if (idx === stores.length) {
+    cb();
+  } else {
+    stores[idx].run(value, () => {
+      runStores(stores, value, cb, idx + 1);
+    });
+  }
+}
+
+function main({ n, sotrageCount }) {
+  const stores = new Array(sotrageCount).fill(0).map(() => new AsyncLocalStorage());
+  const contextValue = {};
+
+  runStores(stores, contextValue, () => {
+    bench.start();
+    runBenchmark(stores[0], n);
+    bench.end(n);
+  });
+}
@@ -0,0 +1,46 @@
+'use strict';
+const common = require('../common.js');
+const { AsyncLocalStorage, AsyncResource } = require('async_hooks');
+
+/**
+ * This benchmark verifies the performance degradation of
+ * async resource propagation on the increasing number of
+ * active `AsyncLocalStorage`s.
+ *
+ * - AsyncLocalStorage.run() * storageCount
+ * - new AsyncResource()
+ * - new AsyncResource()
+ * ...
+ * - N new Asyncresource()
+ */
+const bench = common.createBenchmark(main, {
+  storageCount: [0, 1, 10, 100],
+  n: [1e3],
+});
+
+function runStores(stores, value, cb, idx = 0) {
+  if (idx === stores.length) {
+    cb();
+  } else {
+    stores[idx].run(value, () => {
+      runStores(stores, value, cb, idx + 1);
+    });
+  }
+}
+
+function runBenchmark(n) {
+  for (let i = 0; i < n; i++) {
+    new AsyncResource('noop');
+  }
+}
+
+function main({ n, storageCount }) {
+  const stores = new Array(storageCount).fill(0).map(() => new AsyncLocalStorage());
+  const contextValue = {};
+
+  runStores(stores, contextValue, () => {
+    bench.start();
+    runBenchmark(n);
+    bench.end(n);
+  });
+}