topic Re: Node.JS 16.X now out of maintenance window in Reporting Service & Alerting

Node.JS 16.X now out of maintenance window

dwqlik82 — Wed, 29 Jan 2025 15:57:23 GMT

Hi,

Is there any plan to move Alerting to a supported version of node.js? The requirements of Alerting point to 16.18.0 which was released over a year ago now, even the current latest version of 16.X (16.20.2 at time of writing) is from August (from what i can glean from node's website 16.X as a whole is now out of maintenance so presumably no longer recieving security updates.

Last time our infrastructure guys updated node to a later version it completely broke alerting but could revert to 16.18.1 and that worked, are we ok to move to 16.20.2 or preferably to a supported version? Bit confused as to why a migration didn't happen with the latest July release just before 16.X went out of support (unless I'm reading node's website incorrectly)

Cheers,

Dale

Re: Node.JS 16.X now out of maintenance window

Alan_Slaughter — Wed, 01 Nov 2023 11:35:58 GMT

Hi, July 2023 supports 16.18.1.

Re: Node.JS 16.X now out of maintenance window

dwqlik82 — Wed, 01 Nov 2023 12:01:22 GMT

Hi,

the issue is there have been quite a few CVE's released since 16.18.1 (from Node's archive it looks like 4th Nov 22) and 16.X as a whole is now out of even maintenance support (unless i'm reading node's website incorrectly). The latest version of 16 is 16.20.2 (released 8th August)

Previous Releases | Node.js (nodejs.org)

Am assuming that no fixes will be released for 16 as its out of its maintenance window? I know from previous experience that just going to a newer major version broke the previous version of alerting, does alerting support 16.20.2 at least as that will fix some vulnerabilities at least:

Node v16.20.2 (LTS) | Node.js (nodejs.org)

Dale

Re: Node.JS 16.X now out of maintenance window

Alan_Slaughter — Wed, 01 Nov 2023 12:24:42 GMT

HI Dale, I was told that we support a NodeJS version where the vulnerabilities are fixed, i e 16.18.1.

Re: Node.JS 16.X now out of maintenance window

dwqlik82 — Wed, 01 Nov 2023 12:43:55 GMT

but what about vulnerabilities discovered since 16.18.1 was released in November last year?

from Node's own site there have been 3 security releases since then (February, June and August) that would presumably be covered by 16.20.2 Vulnerabilities | Node.js (nodejs.org). As 16 is no longer supported the vulnerabilities in the October release will presumably never be addressed. Are there any mitigating actions I can share with our security team around this you are aware of (I appreciate you are just acting as go between and am grateful for your response)

Dale

Re: Node.JS 16.X now out of maintenance window

Alan_Slaughter — Wed, 01 Nov 2023 13:58:00 GMT

Hi Dale, The Node JS library used in the 2023 version will be: 18.12.1

Re: Node.JS 16.X now out of maintenance window

dwqlik82 — Wed, 01 Nov 2023 14:18:04 GMT

Thanks for this 🙂 but doesn't the same issue apply? 18.12.1 was released the same date as 16.18.1 so will potentially have same/similar number of vulns? latest version of the LTS version of 18.X is 18.18.2 and released a few weeks ago.

Re: Node.JS 16.X now out of maintenance window

Alan_Slaughter — Wed, 01 Nov 2023 15:36:46 GMT

Qlik is on a different NodeJs library with a little more runway - we continually review our product for required library updates.

Re: Node.JS 16.X now out of maintenance window

Vicky_Z — Fri, 03 Nov 2023 05:39:34 GMT

@dwqlik82 I checked internally and got confirmation that Alerting supports node 18.12.1. You can upgrade node to this version.

Re: Node.JS 16.X now out of maintenance window

dwqlik82 — Fri, 03 Nov 2023 08:29:30 GMT

Hi Vicky,

thanks, i believe Alan said the same above, the main issue is 18.12.1 is now a year behind on security updates (same as 16.18.1 - they were released the same day) by my count using Node's security release documentation just CVE's there are 6 Highs,9 Mediums that affect 16.X an 18.X that have been fixed by going to the latest version (plus any other things like openssl fixes etc). I would presume that the latest version of 18.X (18.18.2) would be ok to use but would be nice to get confirmation

Re: Node.JS 16.X now out of maintenance window

Alan_Slaughter — Fri, 03 Nov 2023 11:19:57 GMT

HI dwqlik82, it is confirmed by the Alert team that you can safely use 18.12.1.