Update http parser 2.9.1 v10.x

[sam-github]

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

[sam-github]

We might not want to do this, there's a reported bug against http-parser 2.9.x: #30515

[BridgeAR]

@sam-github could maybe the crypto or security team give a recommendation if this should be included in v10.x or not? Seems like not including it is not that safe?

[sam-github]

Should not be included until it can be released with a backport of #30567

[sam-github]

#31253 should also be backported onto this, I'll do it once it has been approved.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/28274/

[sam-github]

Pulled in the test from #30473 (comment), but removed the test I just added for the legacy parser.... it only needs the original default test, because v10.x only has the one parser.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/28338/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/28339/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/28341/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/28343/

[sam-github]

Despited what GH shows above, the ci was green, this is ready to land on v10.x-staging:

ci: https://ci.nodejs.org/job/node-test-pull-request/28343/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/28351/

[richardlau]

Despited what GH shows above, the ci was green,

This is a bug in the way our builds post status to GitHub PRs -- in the case of the containered *sharedlibs builds they only post when the build fails (notice they don't show up otherwise as passing/pending) so resumes/rebuilds don't overwrite the failing status. I'll raise an issue over in build later on and see what we can do to fix it.

[richardlau]

@sam-github Would this be considered semver-minor because of potential breakage of apps that previously accepted invalid headers without using the new non-default flag?

[sam-github]

Its semver-major, but since its a security issue, policy allows releasing it in LTS anyway.

It could be called semver-minor, but that delays release, unless we want to push it out early as a sec release?

When the CLI option is used, it becomes semver-patch.

I just searched our docs, and I can't find where the sec release policy is stated, though I'm pretty sure it used to be. Probably I'm just not finding it.

[richardlau]

Just to be clear, I'm not too hung up on the semverness of this, but would just like to make sure it has been considered.

[sam-github]

I'm sure you are not! :-) But we would like to do the right/documented thing, though, this won't be the last time we make a breaking change in LTS for sec purposes.

@nodejs/lts please weigh in on what semver tag this should get, what has been done in the past?

I poked about a bit, for example https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V010.md#2016-09-27-version-01047-maintenance-rvagg made breaking sec changes, but the PRs were private and didn't get semver tags:

• https://github.com/nodejs-private/node-private/pull/48
• https://github.com/nodejs-private/node-private/pull/48

So, that might be the pattern, not assign semverity/leave it at default (semver-patch).

[richardlau]

FWIW the relevant policy is in the Release readme which says this should be semver-minor:

Note that while it is possible that critical security and bug fixes may lead to
semver-major changes landing within an LTS stream, such situations will be
rare and will land as semver-minor bumps in the LTS covered version.

What isn't stated in the policy is whether if this is done for security purposes the release should be labelled as a security release.

[sam-github]

@nodejs/lts opinion on semverity?

[MylesBorins]

I would say semver minor makes sense. The next 10.x release is semver-minor so it seems reasonable

[MylesBorins]

Also from a process perspective I'm -1 on breaking changes landing as patch. We can always do an out of band semver minor if it is time sensitive. Folks shouldn't have things change from under them in a semver-patch release imho. Doing it as a minor makes it a slightly more explicit upgrade pathl.

[BethGriggs]

What isn't stated in the policy is whether if this is done for security purposes the release should be labelled as a security release.

I think it should be labelled as a security release, but as we don't have that specific policy documented (yet) ping @nodejs/lts for opinions.

If it is labelled as a security release (and includes breaking changes) - should we be adding new features in the same release?

[richardlau]

What isn't stated in the policy is whether if this is done for security purposes the release should be labelled as a security release.

I think it should be labelled as a security release, but as we don't have that specific policy documented (yet) ping @nodejs/lts for opinions.

If it is labelled as a security release (and includes breaking changes) - should we be adding new features in the same release?

I'd support anything released under the policy (breaking changes as semver-minor for security reasons) to be labelled as a security release and for security releases to not contain other non-security features/fixes (other than any necessary test/build changes to ensure the builds still work).

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/28618/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/28625/

[sam-github]

this backport also has #31500 pulled in, since it depends on it.

[sam-github]

Landed in a28e5cc a9849c0 d616722 0082f62 49f4220 via security release.