Node.js 0.10 ChangeLog

<table> <tr> <th colspan="2">Stable</th> </tr> <tr> <td valign="top"> <a href="#0.10.48">0.10.48</a>

</td> <td valign="top"> <a href="#0.10.22">0.10.22</a>

</td> </tr> </table>

Other Versions
- 25.x
- 24.x
- 23.x
- 22.x
- 21.x
- 20.x
- 18.x
- 17.x
- 16.x
- 15.x
- 14.x
- 13.x
- 12.x
- 11.x
- 10.x
- 9.x
- 8.x
- 7.x
- 6.x
- 5.x
- 4.x
- 0.12.x
- io.js
- Archive

Note: Node.js v0.10 is covered by the Node.js Long Term Support Plan and will be maintained until October 2016.

2016-10-18, Version 0.10.48 (Maintenance), @rvagg

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ for details on patched vulnerabilities.

Notable changes

c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more information at https://c-ares.haxx.se/adv_20160929.html (Rod Vagg)

Commits

[a14a6a3a11] - deps: c-ares, avoid single-byte buffer overwrite (Rod Vagg) https://github.com/nodejs/node/pull/9108
[b798f598af] - tls: fix minor jslint failure (Rod Vagg) https://github.com/nodejs/node/pull/9107
[92b232ba01] - win,build: try multiple timeservers when signing (Rod Vagg) https://github.com/nodejs/node/pull/9155

2016-09-27, Version 0.10.47 (Maintenance), @rvagg

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/ for details on patched vulnerabilities.

Notable changes:

buffer: Zero-fill excess bytes in new Buffer objects created with Buffer.concat() while providing a totalLength parameter that exceeds the total length of the original Buffer objects being concatenated. (Сковорода Никита Андреевич)
http:
- CVE-2016-5325 - Properly validate for allowable characters in the reason argument in ServerResponse#writeHead(). Fixes a possible response splitting attack vector. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas)
- Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. Lack of proper validation may also serve as a potential response splitting attack vector. Backported from v4.x. (Brian White)
openssl: Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-2183, CVE-2016-2178 and CVE-2016-6306.
tls: CVE-2016-7099 - Fix invalid wildcard certificate validation check whereby a TLS server may be able to serve an invalid wildcard certificate for its hostname due to improper validation of *. in the wildcard string. Originally reported by Alexander Minozhenko and James Bunton (Atlassian) (Ben Noordhuis)

Commits:

[fc259c7dc4] - buffer: zero-fill uninitialized bytes in .concat() (Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/67
[35b49ed4bb] - build: turn on -fno-delete-null-pointer-checks (Ben Noordhuis) https://github.com/nodejs/node/pull/6738
[03f4920d6a] - crypto: don't build hardware engines (Rod Vagg) https://github.com/nodejs/node-private/pull/68
[1cbdb1957d] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25368
[c66408cd0c] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) https://github.com/nodejs/node-v0.x-archive/pull/25654
[68f88ea792] - deps: separate sha256/sha512-x86_64.pl for openssl (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25654
[884d50b348] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8718
[bfd6cb5699] - deps: upgrade openssl sources to 1.0.1u (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8718
[3614a173d0] - http: check reason chars in writeHead (Evan Lucas) https://github.com/nodejs/node-private/pull/48
[f2433430ca] - http: disallow sending obviously invalid status codes (Evan Lucas) https://github.com/nodejs/node-private/pull/48
[0d7e21ee7b] - lib: make tls.checkServerIdentity() more strict (Ben Noordhuis) https://github.com/nodejs/node-private/pull/62
[1f4a6f5bd1] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25654
[88dcc7f5bb] - v8: fix -Wsign-compare warning in Zone::New() (Ben Noordhuis) https://github.com/nodejs/node-private/pull/62
[fd8ac56c75] - v8: fix build errors with g++ 6.1.1 (Ben Noordhuis) https://github.com/nodejs/node-private/pull/62

2016-06-23, Version 0.10.46 (Maintenance), @rvagg

Notable changes:

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/ for details on patched vulnerabilities.

libuv: (CVE-2014-9748) Fixes a bug in the read/write locks implementation for Windows XP and Windows 2003 that can lead to undefined and potentially unsafe behaviour. More information can be found at https://github.com/libuv/libuv/issues/515 or at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.
V8: (CVE-2016-1669) Fixes a potential Buffer overflow vulnerability discovered in V8, more details can be found in the CVE at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669 or at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.

Commits:

[3374f57973] - deps: update libuv to 0.10.37 (Saúl Ibarra Corretgé) https://github.com/nodejs/node/pull/7293
[fcb9145e29] - deps: backport 3a9bfec from v8 upstream (Myles Borins) https://github.com/nodejs/node-private/pull/43

2016-05-06, Version 0.10.45 (Maintenance), @rvagg

Notable changes:

npm: Correct erroneous version number in v2.15.1 code (Forrest L Norvell) https://github.com/nodejs/node/pull/5987
openssl: Upgrade to v1.0.1t, addressing security vulnerabilities (Shigeki Ohtsu) https://github.com/nodejs/node/pull/6553
- Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check"
- See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for full details

Commits:

[3cff81c7d6] - deps: completely upgrade npm in LTS to 2.15.1 (Forrest L Norvell) https://github.com/nodejs/node/pull/5987
[7c22f19009] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) https://github.com/joyent/node/pull/25368
[5d78366937] - deps: update openssl asm files (Shigeki Ohtsu) https://github.com/nodejs/node/pull/6553
[2bc2427cb7] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) https://github.com/joyent/node/pull/25654
[8df4b0914c] - deps: separate sha256/sha512-x86_64.pl for openssl (Shigeki Ohtsu) https://github.com/joyent/node/pull/25654
[11eefefb17] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) https://github.com/nodejs/node/pull/6553
[61ccc27b54] - deps: upgrade openssl sources to 1.0.1t (Shigeki Ohtsu) https://github.com/nodejs/node/pull/6553
[aa02438274] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) https://github.com/joyent/node/pull/25654

2016-03-31, Version 0.10.44 (Maintenance), @rvagg

Notable changes

npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell) https://github.com/nodejs/node/pull/5967
openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on OPENSSL_NO_WEAK_SSL_CIPHERS to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter (https://github.com/nodejs/LTS/issues/85). (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712

Commits

[feceb77d7e] - deps: upgrade npm in LTS to 2.15.1 (Forrest L Norvell) https://github.com/nodejs/node/pull/5968
[0847954331] - deps: Disable EXPORT and LOW ciphers in openssl (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
[6bb86e727a] - test: change tls tests not to use LOW cipher (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
[905bec29ad] - win,build: support Visual C++ Build Tools 2015 (João Reis) https://github.com/nodejs/node/pull/5627

2016-03-04, Version 0.10.43 (Maintenance), @rvagg

Notable changes:

http_parser: Update to http-parser 1.2 to fix an unintentionally strict limitation of allowable header characters. (James M Snell) https://github.com/nodejs/node/pull/5242
domains:
- Prevent an exit due to an exception being thrown rather than emitting an 'uncaughtException' event on the process object when no error handler is set on the domain within which an error is thrown and an 'uncaughtException' event listener is set on process. (Julien Gilli) https://github.com/nodejs/node/pull/3887
- Fix an issue where the process would not abort in the proper function call if an error is thrown within a domain with no error handler and --abort-on-uncaught-exception is used. (Julien Gilli) https://github.com/nodejs/node/pull/3887
openssl: Upgrade from 1.0.1r to 1.0.1s (Ben Noordhuis) https://github.com/nodejs/node/pull/5508
- Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare cases relating to the internal BN_hex2bn() and BN_dec2bn() functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are unlikely to be possible. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at https://www.openssl.org/news/vulnerabilities.html#2016-0702
- Remove SSLv2 support, the --enable-ssl2 command line argument will now produce an error. The DROWN Attack (https://drownattack.com/) creates a vulnerability where SSLv2 is enabled by a server, even if a client connection is not using SSLv2. The SSLv2 protocol is widely considered unacceptably broken and should not be supported. More information is available at https://www.openssl.org/news/vulnerabilities.html#2016-0800

Commits:

[164157abbb] - build: update Node.js logo on OSX installer (Rod Vagg) https://github.com/nodejs/node/pull/5401
[f8cb0dcf67] - crypto,tls: remove SSLv2 support (Ben Noordhuis) https://github.com/nodejs/node/pull/5529
[42ded2a590] - deps: upgrade openssl to 1.0.1s (Ben Noordhuis) https://github.com/nodejs/node/pull/5508
[1e45a6111c] - deps: update http-parser to version 1.2 (James M Snell) https://github.com/nodejs/node/pull/5242
[6db377b2f4] - doc: remove SSLv2 descriptions (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5541
[563c359f5c] - domains: fix handling of uncaught exceptions (Julien Gilli) https://github.com/nodejs/node/pull/3887
[e483f3fd26] - test: fix hanging http obstext test (Ben Noordhuis) https://github.com/nodejs/node/pull/5511

2016-02-09, Version 0.10.42 (Maintenance), @jasnell

This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.

Notable changes

http: fix defects in HTTP header parsing for requests and responses that can allow request smuggling (CVE-2016-2086) or response splitting (CVE-2016-2216). HTTP header parsing now aligns more closely with the HTTP spec including restricting the acceptable characters.
http-parser: upgrade from 1.0 to 1.1
openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman handshakes with parameters shorter than 1024-bits, up from the previous limit of 768-bits.
src:
- introduce new --security-revert={cvenum} command line flag for selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using --security-revert=CVE-2016-2216
build:
- xz compressed tar files will be made available from nodejs.org for v0.10 builds from v0.10.42 onward
- A headers.tar.gz file will be made available from nodejs.org for v0.10 builds from v0.10.42 onward, a future change to node-gyp will be required to make use of these

Commits

[fdc332183e] - build: enable xz compressed tarballs where possible (Rod Vagg) https://github.com/nodejs/node/pull/4894
[2d35b421b5] - deps: upgrade openssl sources to 1.0.1r (Shigeki Ohtsu) https://github.com/joyent/node/pull/25368
[b31c0f3ea4] - deps: update http-parser to version 1.1 (James M Snell)
[616ec1d6b0] - doc: clarify v0.10.41 openssl tls security impact (Rod Vagg) https://github.com/nodejs/node/pull/4153
[ccb3c2377c] - http: strictly forbid invalid characters from headers (James M Snell)
[f0af0d1f96] - src: avoid compiler warning in node_revert.cc (James M Snell)
[df80e856c6] - src: add --security-revert command line flag (James M Snell)
[ff58dcdd74] - tools: backport tools/install.py for headers (Richard Lau) https://github.com/nodejs/node/pull/4149

2015-12-04, Version 0.10.41 (Maintenance), @rvagg

Security Update

Notable changes

build: Add support for Microsoft Visual Studio 2015
npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry (https://github.com/nodejs/LTS/issues/37). This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2.
openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client certificate authentication; TLS clients are also impacted. Details are available at http://openssl.org/news/secadv/20151203.txt. (Ben Noordhuis) https://github.com/nodejs/node/pull/4133

Commits

[16ca0779f5] - src/node.cc: fix build error without OpenSSL support (Jörg Krause) https://github.com/nodejs/node-v0.x-archive/pull/25862
[c559c7911d] - build: backport tools/release.sh (Rod Vagg) https://github.com/nodejs/node/pull/3965
[268d2b4637] - build: backport config for new CI infrastructure (Rod Vagg) https://github.com/nodejs/node/pull/3965
[c88a0b26da] - build: update manifest to include Windows 10 (Lucien Greathouse) https://github.com/nodejs/node/pull/2838
[8564a9f5f7] - build: gcc version detection on openSUSE Tumbleweed (Henrique Aparecido Lavezzo) https://github.com/nodejs/node-v0.x-archive/pull/25671
[9c7bd6de56] - build: run-ci makefile rule (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
[ffa1e1f31d] - build: support flaky tests in test-ci (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
[100dd19e61] - build: support Jenkins via test-ci (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
[ec861f6f90] - build: make release process easier for multi users (Julien Gilli) https://github.com/nodejs/node-v0.x-archive/pull/25638
[d7ae79a452] - build,win: fix node.exe resource version (João Reis) https://github.com/nodejs/node/pull/3053
[6ac47aa9f5] - build,win: try next MSVS version on failure (João Reis) https://github.com/nodejs/node/pull/2910
[e669b27740] - crypto: replace rwlocks with simple mutexes (Ben Noordhuis) https://github.com/nodejs/node/pull/2723
[ce0a48826e] - deps: upgrade to openssl 1.0.1q (Ben Noordhuis) https://github.com/nodejs/node/pull/4132
[b68781e500] - deps: upgrade npm to 1.4.29 (Forrest L Norvell) https://github.com/nodejs/node/pull/3639
[7cf0d9c1d9] - deps: fix openssl for MSVS 2015 (Andy Polyakov) https://github.com/nodejs/node-v0.x-archive/pull/25857
[9ee8a14f9e] - deps: fix gyp to work on MacOSX without XCode (Shigeki Ohtsu) https://github.com/nodejs/node-v0.x-archive/pull/25857
[a525c7244e] - deps: update gyp to 25ed9ac (João Reis) https://github.com/nodejs/node-v0.x-archive/pull/25857
[6502160294] - dns: allow v8 to optimize lookup() (Brian White) https://github.com/nodejs/node-v0.x-archive/pull/8942
[5d829a63ab] - doc: backport README.md (Rod Vagg) https://github.com/nodejs/node/pull/3965
[62c8948109] - doc: fix Folders as Modules omission of index.json (Elan Shanker) https://github.com/nodejs/node-v0.x-archive/pull/8868
[572663f303] - https: don't overwrite servername option (skenqbx) https://github.com/nodejs/node-v0.x-archive/pull/9368
[75c84b2439] - test: add test for https agent servername option (skenqbx) https://github.com/nodejs/node-v0.x-archive/pull/9368
[841a6dd264] - test: mark more tests as flaky (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25807
[a7fee30da1] - test: mark test-tls-securepair-server as flaky (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25807
[7df57703dd] - test: mark test-net-error-twice flaky on SmartOS (Julien Gilli) https://github.com/nodejs/node-v0.x-archive/pull/25760
[e10892cccc] - test: make test-abort-fatal-error non flaky (Julien Gilli) https://github.com/nodejs/node-v0.x-archive/pull/25755
[a2f879f197] - test: mark recently failing tests as flaky (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
[e7010bdf92] - test: runner should return 0 on flaky tests (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
[c283c9bbb3] - test: support writing test output to file (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
[eeaed586bb] - test: runner support for flaky tests (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25686
[3bb8174b94] - test: refactor to use common testcfg (Timothy J Fontaine) https://github.com/nodejs/node-v0.x-archive/pull/25686
[df59d43586] - tools: pass constant to logger instead of string (Johan Bergström) https://github.com/nodejs/node-v0.x-archive/pull/25686
[d103d4ed9a] - tools: fix test.py after v8 upgrade (Ben Noordhuis) https://github.com/nodejs/node-v0.x-archive/pull/25686
[8002192b4e] - win: manifest node.exe for Windows 8.1 (Alexis Campailla) https://github.com/nodejs/node/pull/2838
[66ec1dae8f] - win: add MSVS 2015 support (Rod Vagg) https://github.com/nodejs/node-v0.x-archive/pull/25857
[e192f61514] - win: fix custom actions for WiX older than 3.9 (João Reis) https://github.com/nodejs/node-v0.x-archive/pull/25569
[16bcd68dc5] - win: fix custom actions on Visual Studio != 2013 (Julien Gilli) https://github.com/nodejs/node-v0.x-archive/pull/25569
[517986c2f4] - win: backport bringing back xp/2k3 support (Bert Belder) https://github.com/nodejs/node-v0.x-archive/pull/25569
[10f251e8dd] - win: backport set env before generating projects (Alexis Campailla) https://github.com/nodejs/node-v0.x-archive/pull/25569

2015-07-09, Version 0.10.40 (Maintenance)

Commits

[0cf9f27703] - openssl: upgrade to 1.0.1p #25654
[5a60e0d904] - V8: back-port JitCodeEvent patch from upstream (Ben Noordhuis) #25588
[18d413d299] - win,msi: create npm folder in AppData directory (Steven Rockarts) #8838

2015-06-18, Version 0.10.39 (Maintenance)

Commits

[456c22f63f] - openssl: upgrade to 1.0.1o (Addressing multiple CVEs) #25523
[9d19dfbfdb] - install: fix source path for openssl headers (Oguz Bastemur) #14089
[4028669531] - install: make sure opensslconf.h is overwritten (Oguz Bastemur) #14089
[d38e865fce] - timers: fix timeout when added in timer's callback (Julien Gilli) #17203
[e7c84f82c7] - windows: broadcast WM_SETTINGCHANGE after install (Mathias Küsel) #25100

2015-03-23, Version 0.10.38 (Maintenance)

Commits

[3b511a8ccd] - openssl: upgrade to 1.0.1m (Addressing multiple CVES)

2015-03-11, Version 0.10.37 (Maintenance)

Commits

[dcff5d565c] - uv: update to 0.10.36 (CVE-2015-0278) #9274
[f2a45caf2e] - domains: fix stack clearing after error handled (Jonas Dohse) #9364
[d01a900078] - buffer: reword Buffer.concat error message (Chris Dickinson) #8723
[c8239c08d7] - console: allow Object.prototype fields as labels (Julien Gilli) #9215
[431eb172f9] - V8: log version in profiler log file (Ben Noordhuis) #9043
[8bcd0a4c4a] - http: fix performance regression for GET requests (Florin-Cristian Gavrila) #9026

2015-01-26, Version 0.10.36 (Stable)

Commits

[deef605085] - openssl: update to 1.0.1l
[45f1330425] - v8: Fix debugger and strict mode regression (Julien Gilli)
[6ebd85e105] - v8: don't busy loop in cpu profiler thread (Ben Noordhuis) #8789

2014.12.22, Version 0.10.35 (Stable)

tls: re-add 1024-bit SSL certs removed by f9456a2 (Chris Dickinson)
timers: don't close interval timers when unrefd (Julien Gilli)
timers: don't mutate unref list while iterating it (Julien Gilli)

2014.12.17, Version 0.10.34 (Stable)

https://github.com/nodejs/node/commit/52795f8fcc2de77cf997e671ea58614e5e425dfe

uv: update to v0.10.30
zlib: upgrade to v1.2.8
child_process: check execFile args is an array (Sam Roberts)
child_process: check fork args is an array (Sam Roberts)
crypto: update root certificates (Ben Noordhuis)
domains: fix issues with abort on uncaught (Julien Gilli)
timers: Avoid linear scan in _unrefActive. (Julien Gilli)
timers: fix unref() memory leak (Trevor Norris)
v8: add api for aborting on uncaught exception (Julien Gilli)
debugger: fix when using "use strict" (Julien Gilli)

2014.10.20, Version 0.10.33 (Stable)

https://github.com/nodejs/node/commit/8d045a30e95602b443eb259a5021d33feb4df079

openssl: Update to 1.0.1j (Addressing multiple CVEs)
uv: Update to v0.10.29
child_process: properly support optional args (cjihrig)
crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)

This is a behavior change, by default we will not allow the negotiation to SSLv2 or SSLv3. If you want this behavior, run Node.js with either --enable-ssl2 or --enable-ssl3 respectively.

This does not change the behavior for users specifically requesting SSLv2_method or SSLv3_method. While this behavior is not advised, it is assumed you know what you're doing since you're specifically asking to use these methods.

2014.09.16, Version 0.10.32 (Stable)

https://github.com/nodejs/node/commit/0fe0d121551593c23a565db8397f85f17bb0f00e

npm: Update to 1.4.28
v8: fix a crash introduced by previous release (Fedor Indutny)
configure: add --openssl-no-asm flag (Fedor Indutny)
crypto: use domains for any callback-taking method (Chris Dickinson)
http: do not send 0\r\n\r\n in TE HEAD responses (Fedor Indutny)
querystring: fix unescape override (Tristan Berger)
url: Add support for RFC 3490 separators (Mathias Bynens)

2014.08.19, Version 0.10.31 (Stable)

https://github.com/nodejs/node/commit/7fabdc23d843cb705d2d0739e7bbdaaf50aa3292

v8: backport CVE-2013-6668
openssl: Update to v1.0.1i
npm: Update to v1.4.23
cluster: disconnect should not be synchronous (Sam Roberts)
fs: fix fs.readFileSync fd leak when get RangeError (Jackson Tian)
stream: fix Readable.wrap objectMode falsy values (James Halliday)
timers: fix timers with non-integer delay hanging. (Julien Gilli)

2014.07.31, Version 0.10.30 (Stable)

https://github.com/nodejs/node/commit/bc0ff830aff1e016163d855e86ded5c98b0899e8

uv: Upgrade to v0.10.28
npm: Upgrade to v1.4.21
v8: Interrupts must not mask stack overflow.
Revert "stream: start old-mode read in a next tick" (Fedor Indutny)
buffer: fix sign overflow in readUIn32BE (Fedor Indutny)
buffer: improve {read,write}{U}Int* methods (Nick Apperson)
child_process: handle writeUtf8String error (Fedor Indutny)
deps: backport 4ed5fde4f from v8 upstream (Fedor Indutny)
deps: cherry-pick eca441b2 from OpenSSL (Fedor Indutny)
lib: remove and restructure calls to isNaN() (cjihrig)
module: eliminate double getenv() (Maciej Małecki)
stream2: flush extant data on read of ended stream (Chris Dickinson)
streams: remove unused require('assert') (Rod Vagg)
timers: backport f8193ab (Julien Gilli)
util.h: interface compatibility (Oguz Bastemur)
zlib: do not crash on write after close (Fedor Indutny)

2014.06.05, Version 0.10.29 (Stable)

https://github.com/nodejs/node/commit/ce82d6b8474bde7ac7df6d425fb88fb1bcba35bc

openssl: to 1.0.1h (CVE-2014-0224)
npm: upgrade to 1.4.14
utf8: Prevent Node from sending invalid UTF-8 (Felix Geisendörfer)
- NOTE this introduces a breaking change, previously you could construct invalid UTF-8 and invoke an error in a client that was expecting valid UTF-8, now unmatched surrogate pairs are replaced with the unknown UTF-8 character. To restore the old functionality simply have NODE_INVALID_UTF8 environment variable set.
child_process: do not set args before throwing (Greg Sabia Tucker)
child_process: spawn() does not throw TypeError (Greg Sabia Tucker)
constants: export O_NONBLOCK (Fedor Indutny)
crypto: improve memory usage (Alexis Campailla)
fs: close file if fstat() fails in readFile() (cjihrig)
lib: name EventEmitter prototype methods (Ben Noordhuis)
tls: fix performance issue (Alexis Campailla)

2014.05.01, Version 0.10.28 (Stable)

https://github.com/nodejs/node/commit/b148cbe09d4657766fdb61575ba985734c2ff0a8

npm: upgrade to v1.4.9

2014.05.01, Version 0.10.27 (Stable)

https://github.com/nodejs/node/commit/cb7911f78ae96ef7a540df992cc1359ba9636e86

npm: upgrade to v1.4.8
openssl: upgrade to 1.0.1g
uv: update to v0.10.27
dns: fix certain txt entries (Fedor Indutny)
assert: Ensure reflexivity of deepEqual (Mike Pennisi)
child_process: fix deadlock when sending handles (Fedor Indutny)
child_process: fix sending handle twice (Fedor Indutny)
crypto: do not lowercase cipher/hash names (Fedor Indutny)
dtrace: workaround linker bug on FreeBSD (Fedor Indutny)
http: do not emit EOF non-readable socket (Fedor Indutny)
http: invoke createConnection when no agent (Nathan Rajlich)
stream: remove useless check (Brian White)
timer: don't reschedule timer bucket in a domain (Greg Brail)
url: treat \ the same as / (isaacs)
util: format as Error if instanceof Error (Rod Vagg)

2014.02.18, Version 0.10.26 (Stable)

https://github.com/nodejs/node/commit/cc56c62ed879ad4f93b1fdab3235c43e60f48b7e

uv: Upgrade to v0.10.25 (Timothy J Fontaine)
npm: upgrade to 1.4.3 (isaacs)
v8: support compiling with VS2013 (Fedor Indutny)
cares: backport TXT parsing fix (Fedor Indutny)
crypto: throw on SignFinal failure (Fedor Indutny)
crypto: update root certificates (Ben Noordhuis)
debugger: Fix breakpoint not showing after restart (Farid Neshat)
fs: make unwatchFile() insensitive to path (iamdoron)
net: do not re-emit stream errors (Fedor Indutny)
net: make Socket destroy() re-entrance safe (Jun Ma)
net: reset endEmitted on reconnect (Fedor Indutny)
node: do not close stdio implicitly (Fedor Indutny)
zlib: avoid assertion in close (Fedor Indutny)

2014.01.23, Version 0.10.25 (Stable)

https://github.com/nodejs/node/commit/b0e5f195dfce3e2b99f5091373d49f6616682596

uv: Upgrade to v0.10.23
npm: Upgrade to v1.3.24
v8: Fix enumeration for objects with lots of properties
child_process: fix spawn() optional arguments (Sam Roberts)
cluster: report more errors to workers (Fedor Indutny)
domains: exit() only affects active domains (Ryan Graham)
src: OnFatalError handler must abort() (Timothy J Fontaine)
stream: writes may return false but forget to emit drain (Yang Tianyang)

2013.12.18, Version 0.10.24 (Stable)

https://github.com/nodejs/node/commit/b7fd6bc899ccb629d790c47aee06aba87e535c41

uv: Upgrade to v0.10.21
npm: upgrade to 1.3.21
v8: backport fix for CVE-2013-{6639|6640}
build: unix install node and dep library headers (Timothy J Fontaine)
cluster, v8: fix --logfile=%p.log (Ben Noordhuis)
module: only cache package main (Wyatt Preul)

2013.12.12, Version 0.10.23 (Stable)

https://github.com/nodejs/node/commit/0462bc23564e7e950a70ae4577a840b04db6c7c6

uv: Upgrade to v0.10.20 (Timothy J Fontaine)
npm: Upgrade to 1.3.17 (isaacs)
gyp: update to 78b26f7 (Timothy J Fontaine)
build: include postmortem symbols on linux (Timothy J Fontaine)
crypto: Make Decipher._flush() emit errors. (Kai Groner)
dgram: fix abort when getting fd of closed dgram (Fedor Indutny)
events: do not accept NaN in setMaxListeners (Fedor Indutny)
events: avoid calling once functions twice (Tim Wood)
events: fix TypeError in removeAllListeners (Jeremy Martin)
fs: report correct path when EEXIST (Fedor Indutny)
process: enforce allowed signals for kill (Sam Roberts)
tls: emit 'end' on .receivedShutdown (Fedor Indutny)
tls: fix potential data corruption (Fedor Indutny)
tls: handle ssl.start() errors appropriately (Fedor Indutny)
tls: reset NPN callbacks after SNI (Fedor Indutny)

2013.11.12, Version 0.10.22 (Stable)

https://github.com/nodejs/node/commit/cbff8f091c22fb1df6b238c7a1b9145db950fa65

npm: Upgrade to 1.3.14
uv: Upgrade to v0.10.19
child_process: don't assert on stale file descriptor events (Fedor Indutny)
darwin: Fix "Not Responding" in Mavericks activity monitor (Fedor Indutny)
debugger: Fix bug in sb() with unnamed script (Maxim Bogushevich)
repl: do not insert duplicates into completions (Maciej Małecki)
src: Fix memory leak on closed handles (Timothy J Fontaine)
tls: prevent stalls by using read(0) (Fedor Indutny)
v8: use correct timezone information on Solaris (Maciej Małecki)

2013.10.18, Version 0.10.21 (Stable)

https://github.com/nodejs/node/commit/e2da042844a830fafb8031f6c477eb4f96195210

uv: Upgrade to v0.10.18
crypto: clear errors from verify failure (Timothy J Fontaine)
dtrace: interpret two byte strings (Dave Pacheco)
fs: fix fs.truncate() file content zeroing bug (Ben Noordhuis)
http: provide backpressure for pipeline flood (isaacs)
tls: fix premature connection termination (Ben Noordhuis)

2013.09.30, Version 0.10.20 (Stable)

https://github.com/nodejs/node/commit/d7234c8d50a1af73f60d2d3c0cc7eed17429a481

tls: fix sporadic hang and partial reads (Fedor Indutny)
- fixes "npm ERR! cb() never called!"

2013.09.24, Version 0.10.19 (Stable)

https://github.com/nodejs/node/commit/6b5e6a5a3ec8d994c9aab3b800b9edbf1b287904

uv: Upgrade to v0.10.17
npm: upgrade to 1.3.11
readline: handle input starting with control chars (Eric Schrock)
configure: add mips-float-abi (soft, hard) option (Andrei Sedoi)
stream: objectMode transforms allow falsey values (isaacs)
tls: prevent duplicate values returned from read (Nathan Rajlich)
tls: NPN protocols are now local to connections (Fedor Indutny)

2013.09.04, Version 0.10.18 (Stable)

https://github.com/nodejs/node/commit/67a1f0c52e0708e2596f3f2134b8386d6112561e

uv: Upgrade to v0.10.15
stream: Don't crash on unset _events property (isaacs)
stream: Pass 'buffer' encoding with decoded writable chunks (isaacs)

2013.08.21, Version 0.10.17 (Stable)

https://github.com/nodejs/node/commit/469a4a5091a677df62be319675056b869c31b35c

uv: Upgrade v0.10.14
http_parser: Do not accept PUN/GEM methods as PUT/GET (Chris Dickinson)
tls: fix assertion when ssl is destroyed at read (Fedor Indutny)
stream: Throw on 'error' if listeners removed (isaacs)
dgram: fix assertion on bad send() arguments (Ben Noordhuis)
readline: pause stdin before turning off terminal raw mode (Daniel Chatfield)

2013.08.16, Version 0.10.16 (Stable)

https://github.com/nodejs/node/commit/50b4c905a4425430ae54db4906f88982309e128d

v8: back-port fix for CVE-2013-2882
npm: Upgrade to 1.3.8
crypto: fix assert() on malformed hex input (Ben Noordhuis)
crypto: fix memory leak in randomBytes() error path (Ben Noordhuis)
events: fix memory leak, don't leak event names (Ben Noordhuis)
http: Handle hex/base64 encodings properly (isaacs)
http: improve chunked res.write(buf) performance (Ben Noordhuis)
stream: Fix double pipe error emit (Eran Hammer)

2013.07.25, Version 0.10.15 (Stable)

https://github.com/nodejs/node/commit/2426d65af860bda7be9f0832a99601cc43c6cf63

src: fix process.getuid() return value (Ben Noordhuis)

2013.07.25, Version 0.10.14 (Stable)

https://github.com/nodejs/node/commit/fdf57f811f9683a4ec49a74dc7226517e32e6c9d

uv: Upgrade to v0.10.13
npm: Upgrade to v1.3.5
os: Don't report negative times in cpu info (Ben Noordhuis)
fs: Handle large UID and GID (Ben Noordhuis)
url: Fix edge-case when protocol is non-lowercase (Shuan Wang)
doc: Streams API Doc Rewrite (isaacs)
node: call MakeDomainCallback in all domain cases (Trevor Norris)
crypto: fix memory leak in LoadPKCS12 (Fedor Indutny)

2013.07.09, Version 0.10.13 (Stable)

https://github.com/nodejs/node/commit/e32660a984427d46af6a144983cf7b8045b7299c

uv: Upgrade to v0.10.12
npm: Upgrade to 1.3.2
windows: get proper errno (Ben Noordhuis)
tls: only wait for finish if we haven't seen it (Timothy J Fontaine)
http: Dump response when request is aborted (isaacs)
http: use an unref'd timer to fix delay in exit (Peter Rust)
zlib: level can be negative (Brian White)
zlib: allow zero values for level and strategy (Brian White)
buffer: add comment explaining buffer alignment (Ben Noordhuis)
string_bytes: properly detect 64bit (Timothy J Fontaine)
src: fix memory leak in UsingDomains() (Ben Noordhuis)

2013.06.18, Version 0.10.12 (Stable)

https://github.com/nodejs/node/commit/a088cf4f930d3928c97d239adf950ab43e7794aa

npm: Upgrade to 1.2.32
readline: make ctrl + L clear the screen (Yuan Chuan)
v8: add setVariableValue debugger command (Ben Noordhuis)
net: Do not destroy socket mid-write (isaacs)
v8: fix build for mips32r2 architecture (Andrei Sedoi)
configure: fix cross-compilation host_arch_cc() (Andrei Sedoi)

2013.06.13, Version 0.10.11 (Stable)

https://github.com/nodejs/node/commit/d9d5bc465450ae5d60da32e9ffcf71c2767f1fad

uv: upgrade to 0.10.11
npm: Upgrade to 1.2.30
openssl: add missing configuration pieces for MIPS (Andrei Sedoi)
Revert "http: remove bodyHead from 'upgrade' events" (isaacs)
v8: fix pointer arithmetic undefined behavior (Trevor Norris)
crypto: fix utf8/utf-8 encoding check (Ben Noordhuis)
net: Fix busy loop on POLLERR|POLLHUP on older linux kernels (Ben Noordhuis, isaacs)