2016-10-18

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/ for details on patched vulnerabilities.

A New LTS Release Line

v6.9.0 marks the transition of Node.js v6 into Long Term Support (LTS) with the codename "Boron". The v6 release line now moves into "Active LTS" and will remain so until April 2018. After that time it will move into "Maintenance" until end of life in April 2019.

LTS Migration

Some highlights for users migrating from Node.js v4 LTS "Argon" to Node.js v6 LTS "Boron":

The Buffer() constructor has been deprecated in the documentation in favour of the new Buffer.from(), Buffer.alloc() and Buffer.allocUnsafe() for security and safety. See the Buffer documentation for full details. As this is a documentation-only deprecation, no warnings will be printed to standard error; it is the first phase in a long deprecation cycle.

Support has been dropped for Windows Vista and earlier and macOS 10.7 and earlier.

Many warning messages and error messages have been cleaned up and made more consistent.

The --prof-process command line argument can be used to process output files created when using the V8 --prof command line argument.

A new EventEmitter#eventNames() method can be used to list all events currently being listened to on an EventEmitter.

fs.mkdtemp() is a fast and safe way to make a unique temporary directory using operating system primitives.

process.cpuUsage() will allow insight into CPU resources being consumed by the current process.

Very large arrays are now truncated when passed through util.inspect(). This also applies to console.log() and friends.

When a native Promise incurs a rejection but there is no handler to receive it, a warning will be printed to standard error.

A new experimental debugging protocol can be activated with the --inspect command line argument. This uses the "v8_inspector" protocol and can be consumed directly by Chrome DevTools, Visual Studio Code and others.
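For the Buffer() deprecation highlighted above, the following added example (not part of the release notes or the Node.js code base) shows what each replacement method is for. The function names and inputs are constructed for illustration.

```javascript
// Added example: migrating off the deprecated Buffer() constructor.
// Function names and sample inputs are constructed for illustration.
//
// Deprecated form: new Buffer(value)
//   value is a string -> the bytes of that string
//   value is a number -> a buffer of that many bytes, which Node.js v6
//                        and earlier did not zero-fill
// Whoever controls the type of `value` (for example via a JSON body)
// chooses which of the two behaviours runs.

// Buffer.from() converts existing data and rejects bare numbers.
function encodeToken(value) {
  if (typeof value !== 'string') {
    throw new TypeError('token must be a string');
  }
  return Buffer.from(value, 'utf8').toString('hex');
}

// Buffer.alloc() returns zero-filled memory of the requested size.
function zeroedRecord(size) {
  if (!Number.isInteger(size) || size < 0 || size > 4096) {
    throw new RangeError('size must be an integer from 0 to 4096');
  }
  return Buffer.alloc(size);
}

// Buffer.allocUnsafe() skips the zero-fill, so every byte has to be
// written before the buffer leaves this function.
function padPayload(payload, size) {
  const src = Buffer.from(payload, 'utf8');
  if (src.length > size) {
    throw new RangeError('payload larger than frame');
  }
  const frame = Buffer.allocUnsafe(size);
  src.copy(frame, 0);
  frame.fill(0, src.length); // overwrite the uninitialized tail
  return frame;
}

// True when Buffer.from() refuses a numeric argument.
function fromRejectsNumber(n) {
  try {
    Buffer.from(n);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}
```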

While there are some breaking API changes appearing in both v5.0.0 and v6.0.0, they are relatively minor and should not have significant impact on most users.

In addition to Node.js changes, we also have a number of V8 upgrades between Node.js v4 LTS and this new v6 LTS release, including these JavaScript language enhancements:

The spread operator for arrays and function calls

Rest parameters

Default function parameters

Destructuring

Proxies

Array#includes()

It's time to start planning your migration from Node.js v4 LTS "Argon" to Node.js v6 LTS "Boron". Argon remains in Active LTS until April 2017 and then moves into Maintenance until April 2018, when support will cease. These details and more can be found in the Node.js LTS plan, located at https://github.com/nodejs/LTS.

If you would like help with Node.js, please open an issue at https://github.com/nodejs/help

If you would like to report a bug with Node.js, please open an issue at https://github.com/nodejs/node

Node.js v6.9.0 LTS "Boron"

Notable changes

crypto: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a configuration file load attempt may allow an attacker to load compromised OpenSSL configuration into a Node.js process if they are able to place a file in a default location. (Fedor Indutny, Rod Vagg)

node: Introduce the process.release.lts property, set to "Boron". This value is "Argon" for v4 LTS releases and undefined for all other releases. (Rod Vagg)

V8: Backport fix for CVE-2016-5172, an arbitrary memory read. The parser in V8 mishandled scopes, potentially allowing an attacker to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. This vulnerability would require an attacker to be able to execute arbitrary JavaScript code in a Node.js process. (Rod Vagg)

v8_inspector: Generate a UUID for each execution of the inspector. This provides additional security to prevent unauthorized clients from connecting to the Node.js process via the v8_inspector port when running with --inspect. Since the debugging protocol allows extensive access to the internals of a running process, and the execution of arbitrary code, it is important to limit connections to authorized tools only. Vulnerability originally reported by Jann Horn. (Eugene Ostroukhov)
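The idea behind the v8_inspector change, as an added example that is not Node.js's own implementation: a random identifier is generated once per run, and a debug client may attach only if it presents that identifier. The function names, and the choice to carry the identifier as the request path, are assumptions of this example.

```javascript
// Added example: a per-run identifier guarding a debug endpoint.
// Names and the request-path layout are assumptions of this example.
const crypto = require('crypto');

// Generate a random (version 4) UUID for this run of the process.
function newSessionId() {
  const b = crypto.randomBytes(16);
  b[6] = (b[6] & 0x0f) | 0x40; // set the version field to 4
  b[8] = (b[8] & 0x3f) | 0x80; // set the RFC 4122 variant bits
  const h = b.toString('hex');
  return [
    h.slice(0, 8),
    h.slice(8, 12),
    h.slice(12, 16),
    h.slice(16, 20),
    h.slice(20)
  ].join('-');
}

// Decide whether a connection request may attach to the debug target.
// The client must present the current run's identifier as the path.
function mayAttach(requestPath, sessionId) {
  const presented = Buffer.from(String(requestPath).replace(/^\//, ''), 'utf8');
  const expected = Buffer.from(sessionId, 'utf8');
  // timingSafeEqual requires equal lengths, so check that first.
  if (presented.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(presented, expected);
}
```

A client that only knows the port cannot attach, because the identifier changes on every run and is never derived from anything guessable.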

Commits

[99e4eee8ef] - build: do not define ZLIB_CONST (Bradley T. Hughes) #9122

[cae9eb35f0] - crypto: fix openssl.cnf FIPS handling & testing (Rod Vagg) nodejs/node-private#82

[c947d448da] - deps: cherry-pick 0e14baf712 from V8 upstream (Rod Vagg) nodejs/node-private#80

[647afe9d9a] - inspector: generate UUID for debug targets (Eugene Ostroukhov) nodejs/node-private#79

[1ea0358a91] - node: --openssl-config cli argument (Fedor Indutny) nodejs/node-private#78

[455272ad33] - (SEMVER-MINOR) src: add process.release.lts property (Rod Vagg) #3212

[9ace073949] - win,build: try multiple timeservers when signing (Rod Vagg) #9155

Windows 32-bit Installer: https://nodejs.org/dist/v6.9.0/node-v6.9.0-x86.msi

Windows 64-bit Installer: https://nodejs.org/dist/v6.9.0/node-v6.9.0-x64.msi

Windows 32-bit Binary: https://nodejs.org/dist/v6.9.0/win-x86/node.exe

Windows 64-bit Binary: https://nodejs.org/dist/v6.9.0/win-x64/node.exe

macOS 64-bit Installer: https://nodejs.org/dist/v6.9.0/node-v6.9.0.pkg

macOS 64-bit Binary: https://nodejs.org/dist/v6.9.0/node-v6.9.0-darwin-x64.tar.gz

Linux 32-bit Binary: https://nodejs.org/dist/v6.9.0/node-v6.9.0-linux-x86.tar.xz

Linux 64-bit Binary: https://nodejs.org/dist/v6.9.0/node-v6.9.0-linux-x64.tar.xz

Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v6.9.0/node-v6.9.0-linux-ppc64le.tar.xz

SunOS 32-bit Binary: https://nodejs.org/dist/v6.9.0/node-v6.9.0-sunos-x86.tar.xz

SunOS 64-bit Binary: https://nodejs.org/dist/v6.9.0/node-v6.9.0-sunos-x64.tar.xz

ARMv6 32-bit Binary: https://nodejs.org/dist/v6.9.0/node-v6.9.0-linux-armv6l.tar.xz

ARMv7 32-bit Binary: https://nodejs.org/dist/v6.9.0/node-v6.9.0-linux-armv7l.tar.xz

ARMv8 64-bit Binary: https://nodejs.org/dist/v6.9.0/node-v6.9.0-linux-arm64.tar.xz

Source Code: https://nodejs.org/dist/v6.9.0/node-v6.9.0.tar.gz

Other release files: https://nodejs.org/dist/v6.9.0/

Documentation: https://nodejs.org/docs/v6.9.0/api/

SHASUMS
