Node.js 是一个基于 Chrome V8 引擎的 JavaScript 运行环境。
Node.js 使用了一个事件驱动、非阻塞式 I/O 模型,使其轻量又高效。
Node.js 的包管理器 npm,是全球最大的开源库生态系统。
Node.js 项目由 Node.js 基金会 提供支持。贡献、策略和发布都是在一个开放的治理模型下进行管理的。
这个项目受到行为准则的约束。
Node.js 贡献者在解决一般支持问题方面的可用性有限。请确保您使用的是目前支持的node.js版本。
在寻找支持的时候,请首先在这些地点搜索你的问题:
- Node.js 网站
- Node.js Help
- Open or closed issues in the Node.js GitHub organization
- StackOverflow 上的 'node.js' 问题标记
如果你没有在上面的某个地点找到答案,你可以:
- 加入这个非官方的 chat.freenode.net 上的 node.js 频道. 查看 http://nodeirc.info/ 获得更多信息。
GitHub的问题是为了追踪增强和bug,而不是一般的支持。
记住,自由!=免费;开放源码许可授予您使用和修改的自由,但他人的时间的不是义务的 。请尊重他人,并相应地设定你的期望。
Node.js 项目维护多种发行类型:
-
Current: 从这个存储库的活动开发分支中发布出来,由 SemVer 进行版本控制,并由发布团队的成员签署。当前版本的代码是由这个存储库中主版本号组织的。例如:v4.x。当前版本的主版本号将每6个月增加一次,以允许对将要引入的更改进行修改。这发生在每年的4月和10月。目前的发行版从每年10月开始,每年最多支持8个月。目前每年4月开始的发行版将在6个月后转换为LTS(见下文),并获得30个月的进一步支持。
-
LTS: 获得长期支持的发行版,主要关注稳定性和安全性。每一秒的当前发行版(主要版本)将成为LTS系列,并接受18个月的 活动LTS 支持和12个月的 维护。LTS的发行版以字母顺序排列的代号,从 v4 氩开始。LTS版本不太频繁,并且会尝试保持一致的主要和次要版本号,只增加补丁版本号。除了在某些特殊情况下,没有任何更改或特性添加。
-
Nightly: 这个存储库中的当前的 Current分支上的的代码版本,每24小时自动构建一次变更。请谨慎使用。
更多信息请参阅LTS README.
二进制文件, 安装程序, 和 源 tarball 可用都是可用的,请访问 https://nodejs.org.
https://nodejs.org/download/release/ 上的Current 和 LTS 版本都是可用的, 在它们的版本字符串中列出。 latest 目录是最新 Current版本的别名。最新的LTS版本 LTS系列最新的LTS版本可以在表单中找到:latest-代号. 例如: https://nodejs.org/download/release/latest-argon.
https://nodejs.org/download/nightly/上的 Nightly 构建是可用的,在发布头部列出包含日期(UTC时间)和提交SHA的版本字符串
每一个发布版本和每夜版本的 docs 目录下的API 文档 都是可用的。https://nodejs.org/api/ 指向最新稳定版本的 API文档。
Current, LTS 和 Nightly 下载目录都包含一个 SHASUMS256.txt 文件,这个文件列出了可供下载的每个文件的SHA校验和。
可以使用 curl 下载 SHASUMS256.txt 文件。
$ curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt
要检查下载的文件是否与校验和匹配,可以通过 sha256sum
运行它,并使用如下命令:
$ grep node-vx.y.z.tar.gz SHASUMS256.txt | sha256sum -c -
("node-vx.y.z.tar.gz"是你下载的文件的名称)
另外,Current和LTS发行版(非每夜)具有 SHASUMS256.txt 的 GPG 分离签名作为 SHASUMS256.txt.sig。您可以使用 gpg
来验证 SHASUMS256.txt 是否被篡改过。
为了验证 SHASUMS256.txt 没有被更改,您首先需要导入个人授权的所有GPG密钥来创建发布。他们被罗列在Release Team下面的README的底部。使用这样的命令来导入密钥:
$ gpg --keyserver pool.sks-keyservers.net --recv-keys DD8F2338BAE7501E3DD5AC78C273792F7D83545D
(请参阅这个README的底部,以获得一个完整的脚本,以导入活动 发布keys)
接下来,下载 SHASUMS256.txt.sig 用于发布:
$ curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig
下载适当的 SHASUMS256.txt 和 SHASUMS256.txt.sig 文件之后,你可以使用gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
来验证该文件已由 Node.js 团队的授权成员签署。
一旦验证了,使用 SHASUMS256.txt 文件来获得上面的二进制验证命令的校验和。
查看 BUILDING.md 获得关于如何从源代码构建 Node.js 的说明。该文档还包含一个官方支持的平台列表。
Node.js 中的所有安全漏洞都被认真对待,应该通过电子邮件 [email protected] 来报告。这将交付给负责处理安全问题的项目团队的一个小团队。在被安全团队处理之前,请不要公开地安全漏洞。
你的电子邮件将在24小时内得到确认,你将在48小时内收到一封更详细的回复邮件,表明下一步将处理你的报告。
没有严格的规则来确定一个bug是否值得作为安全问题报告。一般规则是任何值得报告的问题都必须允许攻击者破坏 Node.js 应用程序或它的系统的机密性、完整性或可用性,然而攻击者还没有能力。
为了说明这一点,下面是一些过去问题的例子,以及安全团队对他们的看法。然而,当有疑问的时候,请给我们发一份报告。
-
#14519: Internal domain function can be used to cause segfaults. Causing program termination using either the public JavaScript APIs or the private bindings layer APIs requires the ability to execute arbitrary JavaScript code, which is already the highest level of privilege possible.
-
#12141: buffer: zero fill Buffer(num) by default. The buffer constructor behaviour was documented, but found to be prone to mis-use. It has since been changed, but despite much debate, was not considered misuse prone enough to justify fixing in older release lines and breaking our API stability contract.
-
CVE-2016-7099: Fix invalid wildcard certificate validation check. This is a high severity defect that would allow a malicious TLS server to serve an invalid wildcard certificate for its hostname and be improperly validated by a Node.js client.
-
#5507: Fix a defect that makes the CacheBleed Attack possible. Many, though not all, OpenSSL vulnerabilities in the TLS/SSL protocols also effect Node.js.
-
CVE-2016-2216: Fix defects in HTTP header parsing for requests and responses that can allow response splitting. While the impact of this vulnerability is application and network dependent, it is remotely exploitable in the HTTP protocol.
When in doubt, please do send us a report.
The Node.js project team comprises a group of core collaborators and a sub-group that forms the Technical Steering Committee (TSC) which governs the project. For more information about the governance of the Node.js project, see GOVERNANCE.md.
- addaleax - Anna Henningsen <[email protected]> (she/her)
- ChALkeR - Сковорода Никита Андреевич <[email protected]> (he/him)
- cjihrig - Colin Ihrig <[email protected]>
- evanlucas - Evan Lucas <[email protected]> (he/him)
- fhinkel - Franziska Hinkelmann <[email protected]> (she/her)
- Fishrock123 - Jeremiah Senkpiel <[email protected]>
- indutny - Fedor Indutny <[email protected]>
- jasnell - James M Snell <[email protected]> (he/him)
- joshgav - Josh Gavant <[email protected]>
- joyeecheung - Joyee Cheung <[email protected]> (she/her)
- mcollina - Matteo Collina <[email protected]> (he/him)
- mhdawson - Michael Dawson <[email protected]> (he/him)
- mscdex - Brian White <[email protected]>
- MylesBorins - Myles Borins <[email protected]> (he/him)
- ofrobots - Ali Ijaz Sheikh <[email protected]>
- rvagg - Rod Vagg <[email protected]>
- targos - Michaël Zasso <[email protected]> (he/him)
- thefourtheye - Sakthipriyan Vairamani <[email protected]> (he/him)
- trevnorris - Trevor Norris <[email protected]>
- Trott - Rich Trott <[email protected]> (he/him)
- bnoordhuis - Ben Noordhuis <[email protected]>
- chrisdickinson - Chris Dickinson <[email protected]>
- isaacs - Isaac Z. Schlueter <[email protected]>
- nebrius - Bryan Hughes <[email protected]>
- orangemocha - Alexis Campailla <[email protected]>
- piscisaureus - Bert Belder <[email protected]>
- shigeki - Shigeki Ohtsu <[email protected]> (he/him)
- abouthiroppy - Yuta Hiroto <[email protected]> (he/him)
- addaleax - Anna Henningsen <[email protected]> (she/her)
- ak239 - Aleksei Koziatinskii <[email protected]>
- andrasq - Andras <[email protected]>
- AndreasMadsen - Andreas Madsen <[email protected]> (he/him)
- AnnaMag - Anna M. Kedzierska <[email protected]>
- apapirovski - Anatoli Papirovski <[email protected]> (he/him)
- aqrln - Alexey Orlenko <[email protected]> (he/him)
- bengl - Bryan English <[email protected]> (he/him)
- benjamingr - Benjamin Gruenbaum <[email protected]>
- bmeck - Bradley Farias <[email protected]>
- bmeurer - Benedikt Meurer <[email protected]>
- bnoordhuis - Ben Noordhuis <[email protected]>
- brendanashworth - Brendan Ashworth <[email protected]>
- BridgeAR - Ruben Bridgewater <[email protected]>
- bzoz - Bartosz Sosnowski <[email protected]>
- calvinmetcalf - Calvin Metcalf <[email protected]>
- ChALkeR - Сковорода Никита Андреевич <[email protected]> (he/him)
- chrisdickinson - Chris Dickinson <[email protected]>
- cjihrig - Colin Ihrig <[email protected]>
- claudiorodriguez - Claudio Rodriguez <[email protected]>
- danbev - Daniel Bevenius <[email protected]>
- DavidCai1993 - David Cai <[email protected]> (he/him)
- edsadr - Adrian Estrada <[email protected]> (he/him)
- eljefedelrodeodeljefe - Robert Jefe Lindstaedt <[email protected]>
- estliberitas - Alexander Makarenko <[email protected]>
- eugeneo - Eugene Ostroukhov <[email protected]>
- evanlucas - Evan Lucas <[email protected]> (he/him)
- fhinkel - Franziska Hinkelmann <[email protected]> (she/her)
- firedfox - Daniel Wang <[email protected]>
- Fishrock123 - Jeremiah Senkpiel <[email protected]>
- gabrielschulhof - Gabriel Schulhof <[email protected]>
- geek - Wyatt Preul <[email protected]>
- gibfahn - Gibson Fahnestock <[email protected]> (he/him)
- gireeshpunathil - Gireesh Punathil <[email protected]> (he/him)
- guybedford - Guy Bedford <[email protected]> (he/him)
- hashseed - Yang Guo <[email protected]> (he/him)
- iarna - Rebecca Turner <[email protected]>
- imran-iq - Imran Iqbal <[email protected]>
- imyller - Ilkka Myller <[email protected]>
- indutny - Fedor Indutny <[email protected]>
- italoacasas - Italo A. Casas <[email protected]> (he/him)
- JacksonTian - Jackson Tian <[email protected]>
- jasnell - James M Snell <[email protected]> (he/him)
- jasongin - Jason Ginchereau <[email protected]>
- jbergstroem - Johan Bergström <[email protected]>
- jhamhader - Yuval Brik <[email protected]>
- jkrems - Jan Krems <[email protected]> (he/him)
- joaocgreis - João Reis <[email protected]>
- joshgav - Josh Gavant <[email protected]>
- joyeecheung - Joyee Cheung <[email protected]> (she/her)
- julianduque - Julian Duque <[email protected]> (he/him)
- JungMinu - Minwoo Jung <[email protected]> (he/him)
- kfarnung - Kyle Farnung <[email protected]> (he/him)
- kunalspathak - Kunal Pathak <[email protected]>
- lance - Lance Ball <[email protected]>
- lpinca - Luigi Pinca <[email protected]> (he/him)
- lucamaraschi - Luca Maraschi <[email protected]> (he/him)
- maclover7 - Jon Moss <[email protected]> (he/him)
- matthewloring - Matthew Loring <[email protected]>
- mcollina - Matteo Collina <[email protected]> (he/him)
- mhdawson - Michael Dawson <[email protected]> (he/him)
- micnic - Nicu Micleușanu <[email protected]> (he/him)
- mikeal - Mikeal Rogers <[email protected]>
- misterdjules - Julien Gilli <[email protected]>
- mscdex - Brian White <[email protected]>
- MylesBorins - Myles Borins <[email protected]> (he/him)
- not-an-aardvark - Teddy Katz <[email protected]>
- ofrobots - Ali Ijaz Sheikh <[email protected]>
- orangemocha - Alexis Campailla <[email protected]>
- othiym23 - Forrest L Norvell <[email protected]> (he/him)
- phillipj - Phillip Johnsen <[email protected]>
- pmq20 - Minqi Pan <[email protected]>
- princejwesley - Prince John Wesley <[email protected]>
- Qard - Stephen Belanger <[email protected]> (he/him)
- refack - Refael Ackermann <[email protected]> (he/him)
- richardlau - Richard Lau <[email protected]>
- rmg - Ryan Graham <[email protected]>
- robertkowalski - Robert Kowalski <[email protected]>
- romankl - Roman Klauke <[email protected]>
- ronkorving - Ron Korving <[email protected]>
- RReverser - Ingvar Stepanyan <[email protected]>
- rvagg - Rod Vagg <[email protected]>
- saghul - Saúl Ibarra Corretgé <[email protected]>
- sam-github - Sam Roberts <[email protected]>
- santigimeno - Santiago Gimeno <[email protected]>
- sebdeckers - Sebastiaan Deckers <[email protected]>
- seishun - Nikolai Vavilov <[email protected]>
- shigeki - Shigeki Ohtsu <[email protected]> (he/him)
- silverwind - Roman Reiss <[email protected]>
- srl295 - Steven R Loomis <[email protected]>
- stefanmb - Stefan Budeanu <[email protected]>
- targos - Michaël Zasso <[email protected]> (he/him)
- thefourtheye - Sakthipriyan Vairamani <[email protected]> (he/him)
- thekemkid - Glen Keane <[email protected]> (he/him)
- thlorenz - Thorsten Lorenz <[email protected]>
- TimothyGu - Timothy Gu <[email protected]> (he/him)
- tniessen - Tobias Nießen <[email protected]>
- trevnorris - Trevor Norris <[email protected]>
- Trott - Rich Trott <[email protected]> (he/him)
- tunniclm - Mike Tunnicliffe <[email protected]>
- vkurchatkin - Vladimir Kurchatkin <[email protected]>
- vsemozhetbyt - Vse Mozhet Byt <[email protected]> (he/him)
- watilde - Daijiro Wachi <[email protected]> (he/him)
- whitlockjc - Jeremy Whitlock <[email protected]>
- XadillaX - Khaidi Chu <[email protected]> (he/him)
- yorkie - Yorkie Liu <[email protected]>
- yosuke-furukawa - Yosuke Furukawa <[email protected]>
- isaacs - Isaac Z. Schlueter <[email protected]>
- lxe - Aleksey Smolenchuk <[email protected]>
- monsanto - Christopher Monsanto <[email protected]>
- Olegas - Oleg Elifantiev <[email protected]>
- petkaantonov - Petka Antonov <[email protected]>
- piscisaureus - Bert Belder <[email protected]>
- rlidwka - Alex Kocharin <[email protected]>
- tellnes - Christian Tellnes <[email protected]>
Collaborators follow the COLLABORATOR_GUIDE.md in maintaining the Node.js project.
Node.js releases are signed with one of the following GPG keys:
- Colin Ihrig <[email protected]>
94AE36675C464D64BAFA68DD7434390BDBE9B9C5
- Evan Lucas <[email protected]>
B9AE9905FFD7803F25714661B63B535A4C206CA9
- Gibson Fahnestock <[email protected]>
77984A986EBC2AA786BC0F66B01FBB92821C587A
- Italo A. Casas <[email protected]>
56730D5401028683275BD23C23EFEFE93C4CFFFE
- James M Snell <[email protected]>
71DCFD284A79C3B38668286BC97EC7A07EDE3FC1
- Jeremiah Senkpiel <[email protected]>
FD3A5288F042B6850C66B31F09FE44734EB7990E
- Myles Borins <[email protected]>
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
- Rod Vagg <[email protected]>
DD8F2338BAE7501E3DD5AC78C273792F7D83545D
The full set of trusted release keys can be imported by running:
gpg --keyserver pool.sks-keyservers.net --recv-keys 94AE36675C464D64BAFA68DD7434390BDBE9B9C5
gpg --keyserver pool.sks-keyservers.net --recv-keys FD3A5288F042B6850C66B31F09FE44734EB7990E
gpg --keyserver pool.sks-keyservers.net --recv-keys 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1
gpg --keyserver pool.sks-keyservers.net --recv-keys DD8F2338BAE7501E3DD5AC78C273792F7D83545D
gpg --keyserver pool.sks-keyservers.net --recv-keys C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
gpg --keyserver pool.sks-keyservers.net --recv-keys B9AE9905FFD7803F25714661B63B535A4C206CA9
gpg --keyserver pool.sks-keyservers.net --recv-keys 56730D5401028683275BD23C23EFEFE93C4CFFFE
gpg --keyserver pool.sks-keyservers.net --recv-keys 77984A986EBC2AA786BC0F66B01FBB92821C587A
See the section above on Verifying Binaries for details on what to do with these keys to verify that a downloaded file is official.
Previous releases may also have been signed with one of the following GPG keys:
- Chris Dickinson <[email protected]>
9554F04D7259F04124DE6B476D5A82AC7E37093B
- Isaac Z. Schlueter <[email protected]>
93C7E9E91B49E432C2F75674B0A78B0A6C481CF6
- Julien Gilli <[email protected]>
114F43EE0176B71C7BC219DD50A3051F888C628D
- Timothy J Fontaine <[email protected]>
7937DFD2AB06298B2293C3187D33FF9D0246406D