‘Merge’ changes of 2.2.1 and 2.1.4

Open jellelicht opened this issue 3 years ago • 3 comments

Dear maintainer,

Since the 2.2.1 and 2.1.4 releases both contain (unique) important security fixes, could there be one release that contains both? Perhaps call it 2.3.0, to get rid of potential confusion going forward.

Most importantly, it would be nice to have a ‘release’ of the llhttp used to generate the sources for Node 14.18.1, which (I believe) should be the combination of the earlier-mentioned releases. Perhaps some internal discussions can be had to streamline this, since going forward it seems there will always be {current,lts,maintenance} versions of Node that implicitly depend on a proper release of llhttp.

Thanks in advance

jellelicht, Nov 15 '21 22:11

Polite ping, as this may leave some users of 2.2.1 and 2.1.4 vulnerable to fixed CVEs. In guix, we fixed this by doing exactly what I propose here: we apply e9b36ea6 to the 2.2.1 release, and this seems to work fine in practice (and the generated C sources pass the node test suite).

jellelicht, Nov 28 '21 13:11

Alternatively, could someone with the right credentials please share an overview of which versions/commits of llhttp were used to generate the C sources in the currently supported Node releases?

jellelicht, Dec 20 '21 10:12

Ping (polite though :sweat_smile: )

jellelicht, Mar 02 '22 10:03

Released v2.3.0. Note that now all non-6.x and non-2.1.x versions are not supported anymore.

ShogunPanda, Sep 01 '22 12:09