Merge nodejs/master

Merge d2e44d5 as of 2017-10-25.
This is an automatically created merge. For any problems please
contact @kunalspathak.

CHANGELOG.md

@@ -27,7 +27,8 @@ release.
 </tr>
 <tr>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V8.md#8.7.0">8.7.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V8.md#8.8.0">8.8.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V8.md#8.7.0">8.7.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V8.md#8.6.0">8.6.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V8.md#8.5.0">8.5.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V8.md#8.4.0">8.4.0</a><br/>
@@ -61,7 +62,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V7.md#7.0.0">7.0.0</a><br/>
     </td>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V6.md#6.11.4">6.11.4</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V6.md#6.11.5">6.11.5</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V6.md#6.11.4">6.11.4</a><br/>
 <a href="doc/changelogs/CHANGELOG_V6.md#6.11.3">6.11.3</a><br/>
 <a href="doc/changelogs/CHANGELOG_V6.md#6.11.2">6.11.2</a><br/>
 <a href="doc/changelogs/CHANGELOG_V6.md#6.11.1">6.11.1</a><br/>
@@ -91,7 +93,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V6.md#6.0.0">6.0.0</a><br/>
   </td>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V4.md#4.8.4">4.8.4</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V4.md#4.8.5">4.8.5</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V4.md#4.8.4">4.8.4</a><br/>
 <a href="doc/changelogs/CHANGELOG_V4.md#4.8.3">4.8.3</a><br/>
 <a href="doc/changelogs/CHANGELOG_V4.md#4.8.2">4.8.2</a><br/>
 <a href="doc/changelogs/CHANGELOG_V4.md#4.8.1">4.8.1</a><br/>

COLLABORATOR_GUIDE.md

@@ -677,4 +677,4 @@ LTS working group and the Release team.
 [backporting guide]: doc/guides/backporting-to-release-lines.md
 [Stability Index]: doc/api/documentation.md#stability-index
 [Enhancement Proposal]: https://github.com/nodejs/node-eps
-[git-username]: https://help.github.com/articles/setting-your-username-in-git/
+[git-username]: https://help.github.com/articles/setting-your-username-in-git/

common.gypi

@@ -164,6 +164,7 @@
             'BasicRuntimeChecks': 3, # /RTC1
             'AdditionalOptions': [
               '/bigobj', # prevent error C1128 in VS2015
+              '/MP', # compile across multiple CPUs
             ],
           },
           'VCLinkerTool': {
@@ -222,6 +223,9 @@
             'EnableFunctionLevelLinking': 'true',
             'EnableIntrinsicFunctions': 'true',
             'RuntimeTypeInfo': 'false',
+            'AdditionalOptions': [
+              '/MP', # compile across multiple CPUs
+            ],
           },
           'VCLibrarianTool': {
             'AdditionalOptions': [
@@ -254,9 +258,6 @@
         # and their sheer number drowns out other, more legitimate warnings.
         'DisableSpecificWarnings': ['4267'],
         'WarnAsError': 'false',
-        'AdditionalOptions': [
-          '/MP', # compile across multiple CPUs
-        ],
       },
       'VCLibrarianTool': {
       },

doc/api/child_process.md

@@ -128,7 +128,7 @@ exec('"my script.cmd" a b', (err, stdout, stderr) => {
 <!-- YAML
 added: v0.1.90
 changes:
-  - version: REPLACEME
+  - version: v8.8.0
     pr-url: https://github.com/nodejs/node/pull/15380
     description: The `windowsHide` option is supported now.
 -->
@@ -244,7 +244,7 @@ lsExample();
 <!-- YAML
 added: v0.1.91
 changes:
-  - version: REPLACEME
+  - version: v8.8.0
     pr-url: https://github.com/nodejs/node/pull/15380
     description: The `windowsHide` option is supported now.
 -->
@@ -375,7 +375,7 @@ supported by `child_process.fork()` and will be ignored if set.
 <!-- YAML
 added: v0.1.90
 changes:
-  - version: REPLACEME
+  - version: v8.8.0
     pr-url: https://github.com/nodejs/node/pull/15380
     description: The `windowsHide` option is supported now.
   - version: v6.4.0
@@ -665,7 +665,7 @@ configuration at startup.
 <!-- YAML
 added: v0.11.12
 changes:
-  - version: REPLACEME
+  - version: v8.8.0
     pr-url: https://github.com/nodejs/node/pull/15380
     description: The `windowsHide` option is supported now.
   - version: v8.0.0
@@ -719,7 +719,7 @@ throw an [`Error`][] that will include the full result of the underlying
 <!-- YAML
 added: v0.11.12
 changes:
-  - version: REPLACEME
+  - version: v8.8.0
     pr-url: https://github.com/nodejs/node/pull/15380
     description: The `windowsHide` option is supported now.
   - version: v8.0.0
@@ -775,7 +775,7 @@ execution.
 <!-- YAML
 added: v0.11.12
 changes:
-  - version: REPLACEME
+  - version: v8.8.0
     pr-url: https://github.com/nodejs/node/pull/15380
     description: The `windowsHide` option is supported now.
   - version: v8.0.0

doc/api/domain.md

@@ -1,8 +1,7 @@
 # Domain
 <!-- YAML
 changes:
-  - version: REPLACEME
-    pr-url: https://github.com/nodejs/node/pull/REPLACEME
+  - version: v8.8.0
     description: Any `Promise`s created in VM contexts no longer have a
                  `.domain` property. Their handlers are still executed in the
                  proper domain, however, and `Promise`s created in the main

doc/api/errors.md

@@ -810,8 +810,8 @@ reached.
 <a id="ERR_HTTP2_NO_SOCKET_MANIPULATION"></a>
 ### ERR_HTTP2_NO_SOCKET_MANIPULATION
 
-Used when attempting to read, write, pause, and/or resume a socket attached to
-an `Http2Session`.
+Used when attempting to directly manipulate (e.g read, write, pause, resume,
+etc.) a socket attached to an `Http2Session`.
 
 <a id="ERR_HTTP2_OUT_OF_STREAMS"></a>
 ### ERR_HTTP2_OUT_OF_STREAMS

doc/api/esm.md

@@ -43,7 +43,6 @@ points into ESM graphs at run time.
 | `require('./foo.mjs')` | ES Modules have differing resolution and timing, use language standard `import()` |
 | `import()` | pending newer V8 release used in Node.js |
 | `import.meta` | pending V8 implementation |
-| Loader Hooks | pending Node.js EP creation/consensus |
 
 ## Notable differences between `import` and `require`
 

doc/api/http2.md

@@ -16,14 +16,25 @@ support for HTTP/2 protocol features. It is specifically *not* designed for
 compatibility with the existing [HTTP/1][] module API. However,
 the [Compatibility API][] is.
 
+The `http2` Core API is much more symmetric between client and server than the
+`http` API. For instance, most events, like `error` and `socketError`, can be
+emitted either by client-side code or server-side code.
+
+### Server-side example
+
 The following illustrates a simple, plain-text HTTP/2 server using the
 Core API:
 
 ```js
 const http2 = require('http2');
+const fs = require('fs');
 
-// Create a plain-text HTTP/2 server
-const server = http2.createServer();
+const server = http2.createSecureServer({
+  key: fs.readFileSync('localhost-privkey.pem'),
+  cert: fs.readFileSync('localhost-cert.pem')
+});
+server.on('error', (err) => console.error(err));
+server.on('socketError', (err) => console.error(err));
 
 server.on('stream', (stream, headers) => {
   // stream is a Duplex
@@ -34,34 +45,44 @@ server.on('stream', (stream, headers) => {
   stream.end('<h1>Hello World</h1>');
 });
 
-server.listen(80);
+server.listen(8443);
 ```
 
-Note that the above example is an HTTP/2 server that does not support SSL.
-This is significant as most browsers support HTTP/2 only with SSL.
-To make the above server be able to serve content to browsers,
-replace `http2.createServer()` with
-`http2.createSecureServer({key: /* your SSL key */, cert: /* your SSL cert */})`.
+To generate the certificate and key for this example, run:
+
+```bash
+openssl req -x509 -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' \
+  -keyout localhost-privkey.pem -out localhost-cert.pem
+```
+
+### Client-side example
 
 The following illustrates an HTTP/2 client:
 
 ```js
 const http2 = require('http2');
+const fs = require('fs');
+const client = http2.connect('https://localhost:8443', {
+  ca: fs.readFileSync('localhost-cert.pem')
+});
+client.on('socketError', (err) => console.error(err));
+client.on('error', (err) => console.error(err));
 
-const client = http2.connect('http://localhost:80');
-
-// req is a Duplex
 const req = client.request({ ':path': '/' });
 
-req.on('response', (headers) => {
-  console.log(headers[':status']);
-  console.log(headers['date']);
+req.on('response', (headers, flags) => {
+  for (const name in headers) {
+    console.log(`${name}: ${headers[name]}`);
+  }
 });
 
-let data = '';
 req.setEncoding('utf8');
-req.on('data', (d) => data += d);
-req.on('end', () => client.destroy());
+let data = '';
+req.on('data', (chunk) => { data += chunk; });
+req.on('end', () => {
+  console.log(`\n${data}`);
+  client.destroy();
+});
 req.end();
 ```
 
@@ -463,12 +484,16 @@ added: v8.4.0
 
 * Value: {net.Socket|tls.TLSSocket}
 
-A reference to the [`net.Socket`][] or [`tls.TLSSocket`][] to which this
-`Http2Session` instance is bound.
+Returns a Proxy object that acts as a `net.Socket` (or `tls.TLSSocket`) but
+limits available methods to ones safe to use with HTTP/2.
 
-*Note*: It is not recommended for user code to interact directly with a
-`Socket` bound to an `Http2Session`. See [Http2Session and Sockets][] for
-details.
+`destroy`, `emit`, `end`, `pause`, `read`, `resume`, and `write` will throw
+an error with code `ERR_HTTP2_NO_SOCKET_MANIPULATION`. See
+[Http2Session and Sockets][] for more information.
+
+`setTimeout` method will be called on this `Http2Session`.
+
+All other interactions will be routed directly to the socket.
 
 #### http2session.state
 <!-- YAML
@@ -2138,10 +2163,10 @@ Returns `request`.
 added: v8.4.0
 -->
 
-* {net.Socket}
+* {net.Socket|tls.TLSSocket}
 
-Returns a Proxy object that acts as a `net.Socket` but applies getters,
-setters and methods based on HTTP/2 logic.
+Returns a Proxy object that acts as a `net.Socket` (or `tls.TLSSocket`) but
+applies getters, setters and methods based on HTTP/2 logic.
 
 `destroyed`, `readable`, and `writable` properties will be retrieved from and
 set on `request.stream`.
@@ -2293,7 +2318,7 @@ will result in a [`TypeError`][] being thrown.
 added: v8.4.0
 -->
 
-* {net.Socket}
+* {net.Socket|tls.TLSSocket}
 
 See [`response.socket`][].
 
@@ -2510,10 +2535,10 @@ Returns `response`.
 added: v8.4.0
 -->
 
-* {net.Socket}
+* {net.Socket|tls.TLSSocket}
 
-Returns a Proxy object that acts as a `net.Socket` but applies getters,
-setters and methods based on HTTP/2 logic.
+Returns a Proxy object that acts as a `net.Socket` (or `tls.TLSSocket`) but
+applies getters, setters and methods based on HTTP/2 logic.
 
 `destroyed`, `readable`, and `writable` properties will be retrieved from and
 set on `response.stream`.

doc/api/modules.md

@@ -598,14 +598,36 @@ filename scales linearly with the number of registered extensions.
 In other words, adding extensions slows down the module loader and
 should be discouraged.
 
-#### require.resolve()
+#### require.resolve(request[, options])
 <!-- YAML
 added: v0.3.0
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/16397
+    description: The `paths` option is now supported.
 -->
 
+* `request` {string} The module path to resolve.
+* `options` {Object}
+  * `paths` {Array} Paths to resolve module location from. If present, these
+    paths are used instead of the default resolution paths. Note that each of
+    these paths is used as a starting point for the module resolution algorithm,
+    meaning that the `node_modules` hierarchy is checked from this location.
+* Returns: {string}
+
 Use the internal `require()` machinery to look up the location of a module,
 but rather than loading the module, just return the resolved filename.
 
+#### require.resolve.paths(request)
+<!-- YAML
+added: REPLACEME
+-->
+
+* `request` {string} The module path whose lookup paths are being retrieved.
+* Returns: {Array}
+
+Returns an array containing the paths searched during resolution of `request`.
+
 ## The `module` Object
 <!-- YAML
 added: v0.1.16

doc/api/process.md

@@ -1899,7 +1899,7 @@ cases:
 [`promise.catch()`]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise/catch
 [`require()`]: globals.html#globals_require
 [`require.main`]: modules.html#modules_accessing_the_main_module
-[`require.resolve()`]: modules.html#modules_require_resolve
+[`require.resolve()`]: modules.html#modules_require_resolve_request_options
 [`setTimeout(fn, 0)`]: timers.html#timers_settimeout_callback_delay_args
 [Child Process]: child_process.html
 [Cluster]: cluster.html

doc/changelogs/CHANGELOG_V4.md

@@ -7,6 +7,7 @@
 </tr>
 <tr>
 <td valign="top">
+<a href="#4.8.5">4.8.5</a><br/>
 <a href="#4.8.4">4.8.4</a><br/>
 <a href="#4.8.3">4.8.3</a><br/>
 <a href="#4.8.2">4.8.2</a><br/>
@@ -63,6 +64,20 @@
 [Node.js Long Term Support Plan](https://github.com/nodejs/LTS) and
 will be supported actively until April 2017 and maintained until April 2018.
 
+<a id="4.8.5"></a>
+## 2017-10-24, Version 4.8.5 'Argon' (Maintenance), @MylesBorins
+
+This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ for details on patched vulnerabilities.
+
+### Notable Changes
+
+* **zlib**:
+  - CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialized with windowBits set to 8. On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. Node.js will now gracefully set windowBits to 9 replicating the legacy behavior to avoid a DOS vector. [nodejs-private/node-private#95](https://github.com/nodejs-private/node-private/pull/95)
+
+### Commits
+
+* [[`f5defa2a7c`](https://github.com/nodejs/node/commit/733578bb2e)] - **zlib**: gracefully set windowBits from 8 to 9 (Myles Borins) [nodejs-private/node-private#95](https://github.com/nodejs-private/node-private/pull/95)
+
 <a id="4.8.4"></a>
 ## 2017-07-11, Version 4.8.4 'Argon' (Maintenance), @MylesBorins
 

doc/changelogs/CHANGELOG_V6.md

@@ -7,6 +7,7 @@
 </tr>
 <tr>
 <td valign="top">
+<a href="#6.11.5">6.11.5</a><br/>
 <a href="#6.11.4">6.11.4</a><br/>
 <a href="#6.11.3">6.11.3</a><br/>
 <a href="#6.11.2">6.11.2</a><br/>
@@ -55,6 +56,20 @@
 [Node.js Long Term Support Plan](https://github.com/nodejs/LTS) and
 will be supported actively until April 2018 and maintained until April 2019.
 
+<a id="6.11.5"></a>
+## 2017-10-24, Version 6.11.5 'Boron' (LTS), @MylesBorins
+
+This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ for details on patched vulnerabilities.
+
+### Notable Changes
+
+* **zlib**:
+  - CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate stream is initialized with windowBits set to 8. On some versions this crashes Node and you cannot recover from it, while on some versions it throws an exception. Node.js will now gracefully set windowBits to 9 replicating the legacy behavior to avoid a DOS vector. [nodejs-private/node-private#95](https://github.com/nodejs-private/node-private/pull/95)
+
+### Commits
+
+* [[`dd764d9cb6`](https://github.com/nodejs/node/commit/b66e44c4d3)] - **zlib**: gracefully set windowBits from 8 to 9 (Myles Borins) [nodejs-private/node-private#95](https://github.com/nodejs-private/node-private/pull/95)
+
 <a id="6.11.4"></a>
 ## 2017-10-03, Version 6.11.4 'Boron' (LTS), @MylesBorins