v12.11.1 release proposal

.mailmap

@@ -26,6 +26,7 @@ Andreas Offenhaeuser <[email protected]> anoff <[email protected]>
 Andy Bettisworth <[email protected]>
 Angel Stoyanov <[email protected]> atstojanov <[email protected]>
 Anna Henningsen <[email protected]> <[email protected]>
+Anna Henningsen <[email protected]> <[email protected]>
 Anna Magdalena Kedzierska <[email protected]> AnnaMag <[email protected]>
 Antoine Amara <[email protected]> Antoine AMARA <[email protected]>
 Aria Stewart <[email protected]> <[email protected]>
@@ -44,8 +45,10 @@ Ben Noordhuis <[email protected]> <bnoordhuis@bender.(none)>
 Ben Noordhuis <[email protected]> <[email protected]>
 Ben Taber <[email protected]>
 Benjamin Coe <[email protected]> <[email protected]>
+Benjamin Coe <[email protected]> <[email protected]>
 Benjamin Fleischer <[email protected]> Benjamin Fleischer <[email protected]>
-Benjamin Gruenbaum <[email protected]> <[email protected]>
+Benjamin Gruenbaum <[email protected]> <[email protected]>
+Benjamin Gruenbaum <[email protected]> <[email protected]>
 Benjamin Waters <[email protected]> <[email protected]>
 Bert Belder <[email protected]> <bert@piscisaureus2.(none)>
 Bert Belder <[email protected]> <[email protected]>
@@ -158,6 +161,7 @@ Imran Iqbal <[email protected]> <[email protected]>
 Ionică Bizău <[email protected]> <[email protected]>
 Isaac Z. Schlueter <[email protected]>
 Isaac Z. Schlueter <[email protected]> <[email protected]>
+Isaac Z. Schlueter <[email protected]> isaacs <[email protected]>
 Isuru Siriwardana <[email protected]> isurusiri <[email protected]>
 Italo A. Casas <[email protected]> <[email protected]>
 Jackson Tian <[email protected]> <[email protected]>
@@ -304,6 +308,7 @@ Ricardo Sánchez Gregorio <[email protected]> richnologies <[email protected]>
 Rick Olson <[email protected]>
 Rob Adelmann <[email protected]> <[email protected]>
 Rob Adelmann <[email protected]> adelmann <[email protected]>
+Robert Nagy <[email protected]> Robert Nagy <[email protected]>
 Rod Machen <[email protected]> <[email protected]>
 Roman Klauke <[email protected]> <[email protected]>
 Roman Reiss <[email protected]>
@@ -323,12 +328,14 @@ Sam Mikes <[email protected]>
 Sam P Gallagher-Bishop <[email protected]> <[email protected]>
 Sam Shull <[email protected]> <[email protected]>
 Sam Shull <[email protected]> <[email protected]>
-Sambasiva Suda <[email protected]>
 Sam Roberts <[email protected]> <[email protected]>
+Samantha Sample <[email protected]> = <=>
+Sambasiva Suda <[email protected]>
 San-Tai Hsu <[email protected]>
 Santiago Gimeno <[email protected]> <[email protected]>
 Sarah Meyer <[email protected]> sarahmeyer <[email protected]>
 Sartrey Lee <[email protected]> sartrey <[email protected]>
+Saúl Ibarra Corretgé <[email protected]> <[email protected]>
 Scott Blomquist <[email protected]> <[email protected]>
 Segu Riluvan <[email protected]> <[email protected]>
 Sergey Kryzhanovsky <[email protected]> <[email protected]>
@@ -418,6 +425,7 @@ Yazhong Liu <[email protected]> Yorkie Liu <[email protected]>
 Yingchen Xue <[email protected]>
 Yongsheng Zhang <[email protected]>
 Yongsheng Zhang <[email protected]> <[email protected]>
+Yongsheng Zhang <[email protected]> <[email protected]>
 Yoshihiro KIKUCHI <[email protected]>
 Yosuke Furukawa <[email protected]> <[email protected]>
 Yuichiro MASUI <[email protected]>

AUTHORS

@@ -538,7 +538,7 @@ Anton Khlynovskiy <[email protected]>
 Nicolas Talle <[email protected]>
 Mike Pennisi <[email protected]>
 Maxwell Krohn <[email protected]>
-Saúl Ibarra Corretgé <[email protected]>
+Saúl Ibarra Corretgé <[email protected]>
 Greg Brail <[email protected]>
 Shuhei Kagawa <[email protected]>
 Josh Dague <[email protected]>
@@ -707,7 +707,7 @@ Bruno Jouhier <[email protected]>
 René Kooi <[email protected]>
 Petka Antonov <[email protected]>
 Ryan Scheel <[email protected]>
-Benjamin Gruenbaum <inglor@gmail.com>
+Benjamin Gruenbaum <benjamingr@gmail.com>
 Pavel Medvedev <[email protected]>
 Russell Dempsey <[email protected]>
 Tierney Cyren <[email protected]>
@@ -2683,5 +2683,169 @@ Michael Wei <[email protected]>
 Alexander Sattelmaier <[email protected]>
 Avi ד <[email protected]>
 Thomas <[email protected]>
+Aymen Naghmouchi <[email protected]>
+himself65 <[email protected]>
+Geir Hauge <[email protected]>
+Patrick Gansterer <[email protected]>
+Nicolas Moteau <[email protected]>
+Anthony Tuininga <[email protected]>
+Yann Hamon <[email protected]>
+Ben Swinburne <[email protected]>
+Colin Prince <[email protected]>
+TJKoury <[email protected]>
+dnlup <[email protected]>
+Hang Jiang <[email protected]>
+Vladislav Kaminsky <[email protected]>
+Daiki Ihara <[email protected]>
+toshi1127 <[email protected]>
+nd-02110114 <[email protected]>
+dkundel <[email protected]>
+Evan Plaice <[email protected]>
+simon3000 <[email protected]>
+Marcos Casagrande <[email protected]>
+Ruwan Geeganage <[email protected]>
+Maël Nison <[email protected]>
+Gerson Niño <[email protected]>
+freestraws <[email protected]>
+Daniel Beckert <[email protected]>
+Rivaldo Junior <[email protected]>
+Rongjian Zhang <[email protected]>
+tonyhty <[email protected]>
+jyjunyz <[email protected]>
+tongshouyu <[email protected]>
+lixin.atom <[email protected]>
+luoyu <[email protected]>
+xinyulee <[email protected]>
+hardfist <[email protected]>
+shenchen <[email protected]>
+zhoujiamin <[email protected]>
+Chenxi Yuan <[email protected]>
+nilianzhu <[email protected]>
+wuchenkai <[email protected]>
+xuqinggang <[email protected]>
+XGHeaven <[email protected]>
+sinoon <[email protected]>
+Yaphet Ye <[email protected]>
+OneNail <[email protected]>
+陈健 <[email protected]>
+heben <[email protected]>
+sujunfei <[email protected]>
+imhype <[email protected]>
+ptaylor <[email protected]>
+Boxuan Li <[email protected]>
+Aditya Pratap Singh <[email protected]>
+Eugene Ostroukhov <[email protected]>
+Preveen Padmanabhan <[email protected]>
+Benjamin Ki <[email protected]>
+Daniel Nalborczyk <[email protected]>
+Alba Mendez <[email protected]>
+zero1five <[email protected]>
+Gaelan <[email protected]>
+Jacob <[email protected]>
+himself65 <[email protected]>
+Dan Beglin <[email protected]>
+Anish Asrani <[email protected]>
+teams2ua <[email protected]>
+oksana <[email protected]>
+Grigorii K. Shartsev <[email protected]>
+Kopachyov Vitaliy <[email protected]>
+MurkyMeow <[email protected]>
+Evgenii Shchepotev <[email protected]>
+martyns0n <[email protected]>
+Levin Eugene <[email protected]>
+Alexander Avakov <[email protected]>
+Grigory Gorshkov <[email protected]>
+Keroosha <[email protected]>
+Tariq Ramlall <[email protected]>
+Alex Pry <[email protected]>
+Yuriy Vasiyarov <[email protected]>
+Mikhail Kuklin <[email protected]>
+went.out <[email protected]>
+Kyle Zhang <[email protected]>
+Alex Temny <[email protected]>
+Alex Aubuchon <[email protected]>
+Samuel Attard <[email protected]>
+rexagod <[email protected]>
+Antonio Kukas <[email protected]>
+murgatroid99 <[email protected]>
+Saagar Jha <[email protected]>
+vmarchaud <[email protected]>
+Milad Farazmand <[email protected]>
+mutao <[email protected]>
+Samantha Sample <[email protected]>
+nicolasrestrepo <[email protected]>
+Angie M. Delgado <[email protected]>
+Alex Ramirez <[email protected]>
+Duvan Monsalve <[email protected]>
+Luis Gallon <[email protected]>
+kball <[email protected]>
+MistyBlunch <[email protected]>
+Laura Ciro <[email protected]>
+Yomar <[email protected]>
+raveneyex <[email protected]>
+khriztianmoreno <[email protected]>
+David Sánchez <[email protected]>
+melinamejia95 <[email protected]>
+David Carlier <[email protected]>
+Benoît Zugmeyer <[email protected]>
+Julian Correa <[email protected]>
+Felipe <[email protected]>
+Juan Roa <[email protected]>
+Ivan Villa <[email protected]>
+Caleb ツ Everett <[email protected]>
+Miken <[email protected]>
+Eugene Ostroukhov <[email protected]>
+Gabriela Niño <[email protected]>
+Mike MacCana <[email protected]>
+Tim Baverstock <[email protected]>
+Walle Cyril <[email protected]>
+Xu Meng <[email protected]>
+Samuel Attard <[email protected]>
+Ben L. Titzer <[email protected]>
+Ojasvi Monga <[email protected]>
+Shajan Jacob <[email protected]>
+Austin Wright <[email protected]>
+Vickodev <[email protected]>
+Karen He <[email protected]>
+Harshitha KP <[email protected]>
+Tanner Stirrat <[email protected]>
+h3knix <[email protected]>
+Cotton Hou <[email protected]>
+Edward Vielmetti <[email protected]>
+Micha Hanselmann <[email protected]>
+Luca Lindhorst <[email protected]>
+Manuel Ochoa Loaiza <[email protected]>
+Juan Bedoya <[email protected]>
+Andres Bedoya <[email protected]>
+elyalvarado <[email protected]>
+Felipe Duitama <[email protected]>
+Alejandro Nanez <[email protected]>
+Jeroen Ooms <[email protected]>
+PaulBags <[email protected]>
+EduardoRFS <[email protected]>
+Natalie Fearnley <[email protected]>
+pi1024e <[email protected]>
+Giorgos Ntemiris <[email protected]>
+Rainer Poisel <[email protected]>
+Andrew Hughes <[email protected]>
+Tony Brix <[email protected]>
+Anas Aboureada <[email protected]>
+MattIPv4 <[email protected]>
+David Guttman <[email protected]>
+Xavier Stouder <[email protected]>
+ran <[email protected]>
+Nick Schonning <[email protected]>
+Chetan Karande <[email protected]>
+Bradley Farias <[email protected]>
+Nimit Aggarwal <[email protected]>
+Devendra Satram <[email protected]>
+AtticusYang <[email protected]>
+Kamil Rytarowski <[email protected]>
+Aditya <[email protected]>
+Denis Zavershinskiy <[email protected]>
+Levhita <[email protected]>
+claudiahdz <[email protected]>
+Geoffrey Booth <[email protected]>
+Javier Ledezma <[email protected]>
 
 # Generated by tools/update-authors.js

CHANGELOG.md

@@ -28,7 +28,8 @@ release.
 </tr>
 <tr>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V12.md#12.11.0">12.11.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V12.md#12.11.1">12.11.1</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V12.md#12.11.0">12.11.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.10.0">12.10.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.9.1">12.9.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.9.0">12.9.0</a><br/>

Makefile

@@ -1037,7 +1037,6 @@ $(TARBALL): release-only $(NODE_EXE) doc
 	$(RM) -r $(TARNAME)/deps/uv/samples
 	$(RM) -r $(TARNAME)/deps/uv/test
 	$(RM) -r $(TARNAME)/deps/v8/samples
-	$(RM) -r $(TARNAME)/deps/v8/test
 	$(RM) -r $(TARNAME)/deps/v8/tools/profviz
 	$(RM) -r $(TARNAME)/deps/v8/tools/run-tests.py
 	$(RM) -r $(TARNAME)/deps/zlib/contrib # too big, unused
@@ -1049,6 +1048,8 @@ $(TARBALL): release-only $(NODE_EXE) doc
 	$(RM) -r $(TARNAME)/tools/node_modules
 	$(RM) -r $(TARNAME)/tools/osx-*
 	$(RM) -r $(TARNAME)/tools/osx-pkg.pmdoc
+	find $(TARNAME)/deps/v8/test/* -type d ! -regex '.*/test/torque$$' | xargs $(RM) -r
+	find $(TARNAME)/deps/v8/test -type f ! -regex '.*/test/torque/.*' | xargs $(RM)
 	find $(TARNAME)/ -name ".eslint*" -maxdepth 2 | xargs $(RM)
 	find $(TARNAME)/ -type l | xargs $(RM) # annoying on windows
 	tar -cf $(TARNAME).tar $(TARNAME)

SECURITY.md

@@ -1,37 +1,75 @@
 # Security
 
-If you find a security vulnerability in Node.js, please report it to
-[email protected]. Please withhold public disclosure until after the security
-team has addressed the vulnerability.
+## Reporting a Bug in Node.js
 
-The security team will acknowledge your email within 24 hours. You will receive
-a more detailed response within 48 hours.
+Report security bugs in Node.js via [HackerOne](https://hackerone.com/nodejs).
 
-There are no hard and fast rules to determine if a bug is worth reporting as a
-security issue. Here are some examples of past issues and what the Security
-Response Team thinks of them. When in doubt, please do send us a report
-nonetheless.
+Your report will be acknowledged within 24 hours, and you’ll receive a more
+detailed response to your report within 48 hours indicating the next steps in
+handling your submission.
 
-## Public disclosure preferred
+After the initial reply to your report, the security team will endeavor to keep
+you informed of the progress being made towards a fix and full announcement,
+and may ask for additional information or guidance surrounding the reported
+issue.  These updates will be sent at least every five days; in practice, this
+is more likely to be every 24-48 hours.
 
-* [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain
-  function can be used to cause segfaults_. Requires the ability to execute
-  arbitrary JavaScript code. That is already the highest level of privilege
-  possible.
+### Node.js Bug Bounty Program
 
-## Private disclosure preferred
+The Node.js project engages in an official bug bounty program for security
+researchers and responsible public disclosures.  The program is managed through
+the HackerOne platform. See <https://hackerone.com/nodejs> for further details.
 
-* [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):
-  _Fix invalid wildcard certificate validation check_. This was a high-severity
-  defect. It caused Node.js TLS clients to accept invalid wildcard certificates.
+## Reporting a Bug in a third party module
 
-* [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes
-  the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities
-  in the TLS/SSL protocols also affect Node.js.
+Security bugs in third party modules should be reported to their respective
+maintainers and should also be coordinated through the Node Ecosystem Security
+Team via [HackerOne](https://hackerone.com/nodejs-ecosystem).
 
-* [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):
-  _Fix defects in HTTP header parsing for requests and responses that can allow
-  response splitting_. This was a remotely-exploitable defect in the Node.js
-  HTTP implementation.
+Details regarding this process can be found in the
+[Security Working Group repository](https://github.com/nodejs/security-wg/blob/master/processes/third_party_vuln_process.md).
 
-When in doubt, please do send us a report.
+Thank you for improving the security of Node.js and its ecosystem. Your efforts
+and responsible disclosure are greatly appreciated and will be acknowledged.
+
+## Disclosure Policy
+
+Here is the security disclosure policy for Node.js
+
+* The security report is received and is assigned a primary handler. This
+  person will coordinate the fix and release process. The problem is confirmed
+  and a list of all affected versions is determined. Code is audited to find
+  any potential similar problems. Fixes are prepared for all releases which are
+  still under maintenance. These fixes are not committed to the public
+  repository but rather held locally pending the announcement.
+
+* A suggested embargo date for this vulnerability is chosen and a CVE (Common
+  Vulnerabilities and Exposures (CVE®)) is requested for the vulnerability.
+
+* On the embargo date, the Node.js security mailing list is sent a copy of the
+  announcement. The changes are pushed to the public repository and new builds
+  are deployed to nodejs.org. Within 6 hours of the mailing list being
+  notified, a copy of the advisory will be published on the Node.js blog.
+
+* Typically the embargo date will be set 72 hours from the time the CVE is
+  issued. However, this may vary depending on the severity of the bug or
+  difficulty in applying a fix.
+
+* This process can take some time, especially when coordination is required
+  with maintainers of other projects. Every effort will be made to handle the
+  bug in as timely a manner as possible; however, it’s important that we follow
+  the release process above to ensure that the disclosure is handled in a
+  consistent manner.
+
+## Receiving Security Updates
+
+Security notifications will be distributed via the following methods.
+
+* <https://groups.google.com/group/nodejs-sec>
+* <https://nodejs.org/en/blog/>
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+[pull request](https://github.com/nodejs/nodejs.org) or
+[file an issue](https://github.com/nodejs/security-wg/issues/new) to discuss.