I've never played with node.js, but I'd have guessed that saying "we introduced it in this version, and it's still there" would make it relatively easy to track down, shouldn't it? Even with changes along the say, git blame for current lines introduced in 0.12 is going to give you some hefty pointers, no?
Node.js sysadmins, get ready to patch
Sysadmins: within around the next 24 to 48 hours, watch out for an upcoming update to node.js to cover off a couple of vulnerabilities. The most serious, CVE-2015-8027, is a remotely-exploitable denial-of-service (DoS) bug that the node.js Foundation is keeping embargoed until the patch is issued. The DoS bug affects all …