v12.11.1 release proposal

.mailmap

@@ -26,6 +26,7 @@ Andreas Offenhaeuser <offenhaeuser@gmail.com> anoff <offenhaeuser@gmail.com>
 Andy Bettisworth <andy.bettisworth@accreu.com>
 Angel Stoyanov <atstojanov@gmail.com> atstojanov <atstojanov@gmail.com>
 Anna Henningsen <anna@addaleax.net> <sqrt@entless.org>
+Anna Henningsen <anna@addaleax.net> <github@addaleax.net>
 Anna Magdalena Kedzierska <anna.mag.kedzierska@gmail.com> AnnaMag <AnnaMag@users.noreply.github.com>
 Antoine Amara <amara.antoine@gmail.com> Antoine AMARA <amara.antoine@gmail.com>
 Aria Stewart <aredridel@dinhe.net> <aredridel@nbtsc.org>
@@ -44,8 +45,10 @@ Ben Noordhuis <info@bnoordhuis.nl> <bnoordhuis@bender.(none)>
 Ben Noordhuis <info@bnoordhuis.nl> <ben@strongloop.com>
 Ben Taber <ben.taber@gmail.com>
 Benjamin Coe <bencoe@gmail.com> <ben@npmjs.com>
+Benjamin Coe <bencoe@gmail.com> <bencoe@google.com>
 Benjamin Fleischer <github@benjaminfleischer.com> Benjamin Fleischer <benjamin.fleischer@swipesense.com>
-Benjamin Gruenbaum <inglor@gmail.com> <benji@peer5.com>
+Benjamin Gruenbaum <benjamingr@gmail.com> <benji@peer5.com>
+Benjamin Gruenbaum <benjamingr@gmail.com> <inglor@gmail.com>
 Benjamin Waters <benjamin.waters@outlook.com> <ben25890@gmail.com>
 Bert Belder <bertbelder@gmail.com> <bert@piscisaureus2.(none)>
 Bert Belder <bertbelder@gmail.com> <info@2bs.nl>
@@ -158,6 +161,7 @@ Imran Iqbal <imran@imraniqbal.org> <imrani@ca.ibm.com>
 Ionică Bizău <bizauionica@gmail.com> <bizauionica@yahoo.com>
 Isaac Z. Schlueter <i@izs.me>
 Isaac Z. Schlueter <i@izs.me> <i@foohack.com>
+Isaac Z. Schlueter <i@izs.me> isaacs <nope@not.real>
 Isuru Siriwardana <isuruanatomy@gmail.com> isurusiri <isuruanatomy@gmail.com>
 Italo A. Casas <me@italoacasas.com> <italo@italoacasas.com>
 Jackson Tian <shyvo1987@gmail.com> <puling.tyq@alibaba-inc.com>
@@ -304,6 +308,7 @@ Ricardo Sánchez Gregorio <me@richnologies.io> richnologies <me@richnologies.io>
 Rick Olson <technoweenie@gmail.com>
 Rob Adelmann <adelmann@adobe.com> <robadelmann@gmail.com>
 Rob Adelmann <adelmann@adobe.com> adelmann <adelmann@adobe.com>
+Robert Nagy <ronagy@icloud.com> Robert Nagy <robertnagy@Roberts-MacBook-Pro.local>
 Rod Machen <rod.machen@help.com> <mail@rodmachen.com>
 Roman Klauke <romaaan.git@gmail.com> <romankl@users.noreply.github.com>
 Roman Reiss <me@silverwind.io>
@@ -323,12 +328,14 @@ Sam Mikes <smikes@cubane.com>
 Sam P Gallagher-Bishop <samgallagherb@gmail.com> <SPGB@users.noreply.github.com>
 Sam Shull <brickysam26@gmail.com> <brickysam26@samuel-shulls-computer.local>
 Sam Shull <brickysam26@gmail.com> <sshull@squaremouth.com>
-Sambasiva Suda <sambasivarao@gmail.com>
 Sam Roberts <vieuxtech@gmail.com> <sam@strongloop.com>
+Samantha Sample <ssample812@gmail.com> = <=>
+Sambasiva Suda <sambasivarao@gmail.com>
 San-Tai Hsu <v@fatpipi.com>
 Santiago Gimeno <santiago.gimeno@gmail.com> <santiago.gimeno@ionide.es>
 Sarah Meyer <sarahsaltrick@gmail.com> sarahmeyer <sarahsaltrick@gmail.com>
 Sartrey Lee <sartrey@163.com> sartrey <sartrey@163.com>
+Saúl Ibarra Corretgé <s@saghul.net> <saghul@gmail.com>
 Scott Blomquist <github@scott.blomqui.st> <sblom@microsoft.com>
 Segu Riluvan <rilwan22@hotmail.com> <riluvan@gmail.com>
 Sergey Kryzhanovsky <skryzhanovsky@gmail.com> <another@dhcp199-223-red.yandex.net>
@@ -418,6 +425,7 @@ Yazhong Liu <yorkiefixer@gmail.com> Yorkie Liu <yorkiefixer@gmail.com>
 Yingchen Xue <yingchenxue@qq.com>
 Yongsheng Zhang <zyszys98@gmail.com>
 Yongsheng Zhang <zyszys98@gmail.com> <17367077526@163.com>
+Yongsheng Zhang <zyszys98@gmail.com> <zhangyongsheng@youzan.com>
 Yoshihiro KIKUCHI <yknetg@gmail.com>
 Yosuke Furukawa <yosuke.furukawa@gmail.com> <furukawa.yosuke@dena.jp>
 Yuichiro MASUI <masui@masuidrive.jp>

AUTHORS

@@ -538,7 +538,7 @@ Anton Khlynovskiy <subzey@gmail.com>
 Nicolas Talle <dev@nicolab.net>
 Mike Pennisi <mike@mikepennisi.com>
 Maxwell Krohn <themax@gmail.com>
-Saúl Ibarra Corretgé <saghul@gmail.com>
+Saúl Ibarra Corretgé <s@saghul.net>
 Greg Brail <greg@apigee.com>
 Shuhei Kagawa <shuhei.kagawa@gmail.com>
 Josh Dague <daguej@email.uc.edu>
@@ -707,7 +707,7 @@ Bruno Jouhier <bjouhier@gmail.com>
 René Kooi <rene@kooi.me>
 Petka Antonov <petka_antonov@hotmail.com>
 Ryan Scheel <ryan.havvy@gmail.com>
-Benjamin Gruenbaum <inglor@gmail.com>
+Benjamin Gruenbaum <benjamingr@gmail.com>
 Pavel Medvedev <pmedvedev@gmail.com>
 Russell Dempsey <sgtpooki@gmail.com>
 Tierney Cyren <hello@bnb.im>
@@ -2683,5 +2683,169 @@ Michael Wei <mwei@cs.ucsd.edu>
 Alexander Sattelmaier <alexander.sattelmaier@gmail.com>
 Avi ד <avi.the.coder@gmail.com>
 Thomas <hakerh403@gmail.com>
+Aymen Naghmouchi <aymen.aymen@live.it>
+himself65 <himself6565@gmail.com>
+Geir Hauge <geir.hauge@gmail.com>
+Patrick Gansterer <paroga@paroga.com>
+Nicolas Moteau <nicolas.moteau@orange.com>
+Anthony Tuininga <anthony.tuininga@oracle.com>
+Yann Hamon <yann.hamon@contentful.com>
+Ben Swinburne <ben.swinburne@gmail.com>
+Colin Prince <col@colinprince.com>
+TJKoury <TJKoury@gmail.com>
+dnlup <dwon.dnl@gmail.com>
+Hang Jiang <jianghangscu@gmail.com>
+Vladislav Kaminsky <wlodzislav@outlook.com>
+Daiki Ihara <sasurau4@gmail.com>
+toshi1127 <toshi.matsumoto.2n@stu.hosei.ac.jp>
+nd-02110114 <nd.12021218@gmail.com>
+dkundel <dominik.kundel@gmail.com>
+Evan Plaice <evanplaice@gmail.com>
+simon3000 <simon300000@users.noreply.github.com>
+Marcos Casagrande <marcoscvp90@gmail.com>
+Ruwan Geeganage <rpgeeg@gmail.com>
+Maël Nison <mael@fb.com>
+Gerson Niño <meta.author@gersonnino.me>
+freestraws <freestraws1@gmail.com>
+Daniel Beckert <drbeckert@gmail.com>
+Rivaldo Junior <jrcavalcantejr@gmail.com>
+Rongjian Zhang <pd4d10@gmail.com>
+tonyhty <tonyhty@outlook.com>
+jyjunyz <jyjunyz@163.com>
+tongshouyu <tongshouyu@bytedance.com>
+lixin.atom <lixin.atom@bytedance.com>
+luoyu <luoyu@bytedance.com>
+xinyulee <lixinyu1994123@gmail.com>
+hardfist <1562502418@qq.com>
+shenchen <shenchen@bytedance.com>
+zhoujiamin <zhoujiamin@bytedance.com>
+Chenxi Yuan <yuanchenxi95@gmail.com>
+nilianzhu <nilianzhu@bytedance.com>
+wuchenkai <wuchenkai@bytedance.com>
+xuqinggang <xuqinggang@bytedance.com>
+XGHeaven <xgheaven@gmail.com>
+sinoon <sinoon1218@gmail.com>
+Yaphet Ye <tsyeyuanfeng@126.com>
+OneNail <OneNail@yeah.net>
+陈健 <chenjian.bzh@bytedance.com>
+heben <heben@bytedance.com>
+sujunfei <sujunfei@bytedance.com>
+imhype <543717080@qq.com>
+ptaylor <paul.e.taylor@me.com>
+Boxuan Li <liboxuan@connect.hku.hk>
+Aditya Pratap Singh <adisinghrajput@gmail.com>
+Eugene Ostroukhov <eostroukhov@netflix.com>
+Preveen Padmanabhan <dxb1230@gmail.com>
+Benjamin Ki <me@benjaminki.com>
+Daniel Nalborczyk <dnalborczyk@gmail.com>
+Alba Mendez <me@alba.sh>
+zero1five <zerodengyin@gmail.com>
+Gaelan <gbs@canishe.com>
+Jacob <jacobq@gmail.com>
+himself65 <himself65@outlook.com>
+Dan Beglin <dbeglinuk@gmail.com>
+Anish Asrani <anishasrani@gmail.com>
+teams2ua <teams2ua@gmail.com>
+oksana <ok.semonenko@gmail.com>
+Grigorii K. Shartsev <me@shgk.me>
+Kopachyov Vitaliy <kopachyov.vitaliy@yandex.ru>
+MurkyMeow <dinosowermurky@gmail.com>
+Evgenii Shchepotev <evgenii.schepotiev@gmail.com>
+martyns0n <zogacc@gmail.com>
+Levin Eugene <lzhnek@gmail.com>
+Alexander Avakov <yaavakov@gmail.com>
+Grigory Gorshkov <petralmazov100@gmail.com>
+Keroosha <mr.dead.toast@gmail.com>
+Tariq Ramlall <srcmake@gmail.com>
+Alex Pry <opterione@gmail.com>
+Yuriy Vasiyarov <yvasiyarov@ozon.travel>
+Mikhail Kuklin <mihan007@ya.ru>
+went.out <went.out@gmail.com>
+Kyle Zhang <icese7en@gmail.com>
+Alex Temny <dashkamimicry100@gmail.com>
+Alex Aubuchon <alex@aub.dev>
+Samuel Attard <samuel.r.attard@gmail.com>
+rexagod <rexagod@gmail.com>
+Antonio Kukas <tonykukas@gmail.com>
+murgatroid99 <mlumish@google.com>
+Saagar Jha <saagar@saagarjha.com>
+vmarchaud <contact@vmarchaud.fr>
+Milad Farazmand <miladfar@ca.ibm.com>
+mutao <mutao-hf@loongson.cn>
+Samantha Sample <ssample812@gmail.com>
+nicolasrestrepo <nicolasrestrepo34@gmail.com>
+Angie M. Delgado <amelisdl@gmail.com>
+Alex Ramirez <alexander.ramirez@gmail.com>
+Duvan Monsalve <duvanmonsa@gmail.com>
+Luis Gallon <luisgallon@gmail.com>
+kball <kball@zendev.com>
+MistyBlunch <gracenikole@gmail.com>
+Laura Ciro <ltciro@gmail.com>
+Yomar <yomar.guti@gmail.com>
+raveneyex <raveneyex@gmail.com>
+khriztianmoreno <khriztianmoreno@gmail.com>
+David Sánchez <d4vsanchez@gmail.com>
+melinamejia95 <melinamejia95@gmail.com>
+David Carlier <devnexen@gmail.com>
+Benoît Zugmeyer <bzugmeyer@gmail.com>
+Julian Correa <julian.alexis.correa@gmail.com>
+Felipe <afvasquezt@gmail.com>
+Juan Roa <jdroa92@gmail.com>
+Ivan Villa <trezeguet55@gmail.com>
+Caleb ツ Everett <calebev@amazon.com>
+Miken <omarlozano053@gmail.com>
+Eugene Ostroukhov <eostroukhov@gmail.com>
+Gabriela Niño <gabynr@gmail.com>
+Mike MacCana <mike.maccana@gmail.com>
+Tim Baverstock <tim.baverstock@corp.badoo.com>
+Walle Cyril <cyril.walle@protonmail.com>
+Xu Meng <mengxumx@cn.ibm.com>
+Samuel Attard <sattard@slack-corp.com>
+Ben L. Titzer <titzer@google.com>
+Ojasvi Monga <ojasvi@Ojasvis-MacBook-Air.local>
+Shajan Jacob <shajanjp@gmail.com>
+Austin Wright <aaa@bzfx.net>
+Vickodev <harvic3@gmail.com>
+Karen He <32376376+baekrxnn@users.noreply.github.com>
+Harshitha KP <harshi46@in.ibm.com>
+Tanner Stirrat <tstirrat@gmail.com>
+h3knix <h3knix@gmail.com>
+Cotton Hou <himcotton@gmail.com>
+Edward Vielmetti <edward.vielmetti@gmail.com>
+Micha Hanselmann <deermichel@github.com>
+Luca Lindhorst <info@lucalindhorst.de>
+Manuel Ochoa Loaiza <mochoa1127@gmail.com>
+Juan Bedoya <juansb827@gmail.com>
+Andres Bedoya <mortiis.angel@gmail.com>
+elyalvarado <elyalvarado@gmail.com>
+Felipe Duitama <felipedc09@gmail.com>
+Alejandro Nanez <alejonanez@gmail.com>
+Jeroen Ooms <jeroenooms@gmail.com>
+PaulBags <19583196+PaulBags@users.noreply.github.com>
+EduardoRFS <theeduardorfs@gmail.com>
+Natalie Fearnley <nfearnley@gmail.com>
+pi1024e <doremylover123@gmail.com>
+Giorgos Ntemiris <ntemirisgiorgos3@gmail.com>
+Rainer Poisel <rainer.poisel@gmail.com>
+Andrew Hughes <Andrew.Hughes1@ibm.com>
+Tony Brix <tony@brix.ninja>
+Anas Aboureada <anas.ieee@gmail.com>
+MattIPv4 <matthew@cowley.org.uk>
+David Guttman <david@js.la>
+Xavier Stouder <xavier@stouder.io>
+ran <abbshrsoufii@gmail.com>
+Nick Schonning <nschonni@gmail.com>
+Chetan Karande <kchetan.tech@gmail.com>
+Bradley Farias <bfarias@godaddy.com>
+Nimit Aggarwal <nimitagg95@gmail.com>
+Devendra Satram <devendra4sci@gmail.com>
+AtticusYang <yyongtai@163.com>
+Kamil Rytarowski <n54@gmx.com>
+Aditya <adityashnkr5@gmail.com>
+Denis Zavershinskiy <zaverden@gmail.com>
+Levhita <levhita@gmail.com>
+claudiahdz <cghr1990@gmail.com>
+Geoffrey Booth <GeoffreyBooth@users.noreply.github.com>
+Javier Ledezma <juls0593@gmail.com>
 
 # Generated by tools/update-authors.js

CHANGELOG.md

@@ -28,7 +28,8 @@ release.
 </tr>
 <tr>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V12.md#12.11.0">12.11.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V12.md#12.11.1">12.11.1</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V12.md#12.11.0">12.11.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.10.0">12.10.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.9.1">12.9.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V12.md#12.9.0">12.9.0</a><br/>

Makefile

@@ -1037,7 +1037,6 @@ $(TARBALL): release-only $(NODE_EXE) doc
 	$(RM) -r $(TARNAME)/deps/uv/samples
 	$(RM) -r $(TARNAME)/deps/uv/test
 	$(RM) -r $(TARNAME)/deps/v8/samples
-	$(RM) -r $(TARNAME)/deps/v8/test
 	$(RM) -r $(TARNAME)/deps/v8/tools/profviz
 	$(RM) -r $(TARNAME)/deps/v8/tools/run-tests.py
 	$(RM) -r $(TARNAME)/deps/zlib/contrib # too big, unused
@@ -1049,6 +1048,8 @@ $(TARBALL): release-only $(NODE_EXE) doc
 	$(RM) -r $(TARNAME)/tools/node_modules
 	$(RM) -r $(TARNAME)/tools/osx-*
 	$(RM) -r $(TARNAME)/tools/osx-pkg.pmdoc
+	find $(TARNAME)/deps/v8/test/* -type d ! -regex '.*/test/torque$$' | xargs $(RM) -r
+	find $(TARNAME)/deps/v8/test -type f ! -regex '.*/test/torque/.*' | xargs $(RM)
 	find $(TARNAME)/ -name ".eslint*" -maxdepth 2 | xargs $(RM)
 	find $(TARNAME)/ -type l | xargs $(RM) # annoying on windows
 	tar -cf $(TARNAME).tar $(TARNAME)

SECURITY.md

@@ -1,37 +1,75 @@
 # Security
 
-If you find a security vulnerability in Node.js, please report it to
-security@nodejs.org. Please withhold public disclosure until after the security
-team has addressed the vulnerability.
+## Reporting a Bug in Node.js
 
-The security team will acknowledge your email within 24 hours. You will receive
-a more detailed response within 48 hours.
+Report security bugs in Node.js via [HackerOne](https://hackerone.com/nodejs).
 
-There are no hard and fast rules to determine if a bug is worth reporting as a
-security issue. Here are some examples of past issues and what the Security
-Response Team thinks of them. When in doubt, please do send us a report
-nonetheless.
+Your report will be acknowledged within 24 hours, and you’ll receive a more
+detailed response to your report within 48 hours indicating the next steps in
+handling your submission.
 
-## Public disclosure preferred
+After the initial reply to your report, the security team will endeavor to keep
+you informed of the progress being made towards a fix and full announcement,
+and may ask for additional information or guidance surrounding the reported
+issue.  These updates will be sent at least every five days; in practice, this
+is more likely to be every 24-48 hours.
 
-* [#14519](https://github.com/nodejs/node/issues/14519): _Internal domain
-  function can be used to cause segfaults_. Requires the ability to execute
-  arbitrary JavaScript code. That is already the highest level of privilege
-  possible.
+### Node.js Bug Bounty Program
 
-## Private disclosure preferred
+The Node.js project engages in an official bug bounty program for security
+researchers and responsible public disclosures.  The program is managed through
+the HackerOne platform. See <https://hackerone.com/nodejs> for further details.
 
-* [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):
-  _Fix invalid wildcard certificate validation check_. This was a high-severity
-  defect. It caused Node.js TLS clients to accept invalid wildcard certificates.
+## Reporting a Bug in a third party module
 
-* [#5507](https://github.com/nodejs/node/pull/5507): _Fix a defect that makes
-  the CacheBleed Attack possible_. Many, though not all, OpenSSL vulnerabilities
-  in the TLS/SSL protocols also affect Node.js.
+Security bugs in third party modules should be reported to their respective
+maintainers and should also be coordinated through the Node Ecosystem Security
+Team via [HackerOne](https://hackerone.com/nodejs-ecosystem).
 
-* [CVE-2016-2216](https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/):
-  _Fix defects in HTTP header parsing for requests and responses that can allow
-  response splitting_. This was a remotely-exploitable defect in the Node.js
-  HTTP implementation.
+Details regarding this process can be found in the
+[Security Working Group repository](https://github.com/nodejs/security-wg/blob/master/processes/third_party_vuln_process.md).
 
-When in doubt, please do send us a report.
+Thank you for improving the security of Node.js and its ecosystem. Your efforts
+and responsible disclosure are greatly appreciated and will be acknowledged.
+
+## Disclosure Policy
+
+Here is the security disclosure policy for Node.js
+
+* The security report is received and is assigned a primary handler. This
+  person will coordinate the fix and release process. The problem is confirmed
+  and a list of all affected versions is determined. Code is audited to find
+  any potential similar problems. Fixes are prepared for all releases which are
+  still under maintenance. These fixes are not committed to the public
+  repository but rather held locally pending the announcement.
+
+* A suggested embargo date for this vulnerability is chosen and a CVE (Common
+  Vulnerabilities and Exposures (CVE®)) is requested for the vulnerability.
+
+* On the embargo date, the Node.js security mailing list is sent a copy of the
+  announcement. The changes are pushed to the public repository and new builds
+  are deployed to nodejs.org. Within 6 hours of the mailing list being
+  notified, a copy of the advisory will be published on the Node.js blog.
+
+* Typically the embargo date will be set 72 hours from the time the CVE is
+  issued. However, this may vary depending on the severity of the bug or
+  difficulty in applying a fix.
+
+* This process can take some time, especially when coordination is required
+  with maintainers of other projects. Every effort will be made to handle the
+  bug in as timely a manner as possible; however, it’s important that we follow
+  the release process above to ensure that the disclosure is handled in a
+  consistent manner.
+
+## Receiving Security Updates
+
+Security notifications will be distributed via the following methods.
+
+* <https://groups.google.com/group/nodejs-sec>
+* <https://nodejs.org/en/blog/>
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+[pull request](https://github.com/nodejs/nodejs.org) or
+[file an issue](https://github.com/nodejs/security-wg/issues/new) to discuss.