dwqlik82
Creator

Node.JS 16.X now out of maintenance window

Hi,

Is there any plan to move Alerting to a supported version of Node.js? The requirements of Alerting point to 16.18.0, which was released over a year ago now; even the current latest version of 16.X (16.20.2 at time of writing) is from August (from what I can glean from Node's website, 16.X as a whole is now out of maintenance so presumably no longer receiving security updates).

Last time our infrastructure guys updated Node to a later version it completely broke Alerting, but we could revert to 16.18.1 and that worked. Are we OK to move to 16.20.2 or preferably to a supported version? Bit confused as to why a migration didn't happen with the latest July release just before 16.X went out of support (unless I'm reading Node's website incorrectly).

 

Cheers,

Dale

10 Replies
Alan_Slaughter
Support

Hi, July 2023 supports 16.18.1.

dwqlik82
Creator
Author

Hi,

The issue is there have been quite a few CVEs released since 16.18.1 (from Node's archive it looks like 4th Nov 22) and 16.X as a whole is now out of even maintenance support (unless I'm reading Node's website incorrectly). The latest version of 16 is 16.20.2 (released 8th August).

Previous Releases | Node.js (nodejs.org)

 

Am assuming that no fixes will be released for 16 as it's out of its maintenance window? I know from previous experience that just going to a newer major version broke the previous version of Alerting. Does Alerting support 16.20.2 at least, as that will fix some vulnerabilities at least:

Node v16.20.2 (LTS) | Node.js (nodejs.org)

ta

Dale

Alan_Slaughter
Support

Hi Dale, I was told that we support a NodeJS version where the vulnerabilities are fixed, i.e. 16.18.1.

dwqlik82
Creator
Author

But what about vulnerabilities discovered since 16.18.1 was released in November last year?

From Node's own site there have been 3 security releases since then (February, June and August) that would presumably be covered by 16.20.2: Vulnerabilities | Node.js (nodejs.org). As 16 is no longer supported, the vulnerabilities in the October release will presumably never be addressed. Are there any mitigating actions I can share with our security team around this that you are aware of? (I appreciate you are just acting as go-between and am grateful for your response.)

 

ta

Dale

Alan_Slaughter
Support

Hi Dale, the Node JS library used in the 2023 version will be: 18.12.1

dwqlik82
Creator
Author

Thanks for this 🙂 but doesn't the same issue apply? 18.12.1 was released the same date as 16.18.1, so will potentially have the same/similar number of vulns? The latest version of the LTS version of 18.X is 18.18.2 and was released a few weeks ago.

Alan_Slaughter
Support

Qlik is on a different NodeJs library with a little more runway - we continually review our product for required library updates.  

Vicky_Z
Support

@dwqlik82 I checked internally and got confirmation that Alerting supports node 18.12.1. You can upgrade node to this version.

dwqlik82
Creator
Author

Hi Vicky,

Thanks, I believe Alan said the same above. The main issue is 18.12.1 is now a year behind on security updates (same as 16.18.1 - they were released the same day). By my count using Node's security release documentation, just CVEs, there are 6 Highs and 9 Mediums that affect 16.X and 18.X that have been fixed by going to the latest version (plus any other things like OpenSSL fixes etc). I would presume that the latest version of 18.X (18.18.2) would be OK to use, but it would be nice to get confirmation.