dwqlik82
Creator

Node.JS 16.X now out of maintenance window

Hi,

Is there any plan to move Alerting to a supported version of node.js? The requirements of Alerting point to 16.18.0, which was released over a year ago now; even the current latest version of 16.X (16.20.2 at time of writing) is from August (from what I can glean from node's website, 16.X as a whole is now out of maintenance so presumably no longer receiving security updates).

Last time our infrastructure guys updated node to a later version it completely broke alerting but could revert to 16.18.1 and that worked. Are we ok to move to 16.20.2, or preferably to a supported version? Bit confused as to why a migration didn't happen with the latest July release just before 16.X went out of support (unless I'm reading node's website incorrectly).

 

Cheers,

Dale

10 Replies
Alan_Slaughter
Support

Hi, July 2023 supports 16.18.1.

dwqlik82
Creator
Author

Hi,

The issue is there have been quite a few CVEs released since 16.18.1 (from Node's archive it looks like 4th Nov 22) and 16.X as a whole is now out of even maintenance support (unless I'm reading node's website incorrectly). The latest version of 16 is 16.20.2 (released 8th August).

Previous Releases | Node.js (nodejs.org)

 

Am assuming that no fixes will be released for 16 as it's out of its maintenance window? I know from previous experience that just going to a newer major version broke the previous version of alerting. Does alerting support 16.20.2 at least, as that will fix some vulnerabilities at least:

Node v16.20.2 (LTS) | Node.js (nodejs.org)

ta

Dale

Alan_Slaughter
Support

Hi Dale, I was told that we support a NodeJS version where the vulnerabilities are fixed, i.e. 16.18.1.

dwqlik82
Creator
Author

But what about vulnerabilities discovered since 16.18.1 was released in November last year?

From Node's own site there have been 3 security releases since then (February, June and August) that would presumably be covered by 16.20.2: Vulnerabilities | Node.js (nodejs.org). As 16 is no longer supported, the vulnerabilities in the October release will presumably never be addressed. Are there any mitigating actions that I can share with our security team around this that you are aware of? (I appreciate you are just acting as go-between and am grateful for your response.)

 

ta

Dale

Alan_Slaughter
Support

Hi Dale, The Node JS library used in the 2023 version will be: 18.12.1

dwqlik82
Creator
Author

Thanks for this 🙂 but doesn't the same issue apply? 18.12.1 was released the same date as 16.18.1 so will potentially have same/similar number of vulns? Latest version of the LTS version of 18.X is 18.18.2 and released a few weeks ago.

Alan_Slaughter
Support

Qlik is on a different NodeJs library with a little more runway - we continually review our product for required library updates.  

Vicky_Z
Support

@dwqlik82 I checked internally and got confirmation that Alerting supports node 18.12.1. You can upgrade node to this version.

dwqlik82
Creator
Author

Hi Vicky,

Thanks, I believe Alan said the same above. The main issue is 18.12.1 is now a year behind on security updates (same as 16.18.1 - they were released the same day). By my count using Node's security release documentation, just CVEs, there are 6 Highs, 9 Mediums that affect 16.X and 18.X that have been fixed by going to the latest version (plus any other things like openssl fixes etc). I would presume that the latest version of 18.X (18.18.2) would be ok to use but would be nice to get confirmation.
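
One way to put a number on the patch gap discussed in this thread, as an added example that is not part of any post and is not Qlik's or the Node.js project's code: given release records in the shape of the published `https://nodejs.org/dist/index.json` (its `version` and `security` fields), list the security releases a pinned runtime has missed within its own major line. `SAMPLE_INDEX` is constructed and incomplete, and `patchGap` is a hypothetical helper name.

```javascript
// Constructed sample in the shape of https://nodejs.org/dist/index.json,
// reduced to the two fields used here. Entries are illustrative and
// incomplete; an actual audit should load the full published index.
const SAMPLE_INDEX = [
  { version: 'v18.18.2', security: true },
  { version: 'v18.12.1', security: true },
  { version: 'v16.20.2', security: true },
  { version: 'v16.20.1', security: true },
  { version: 'v16.20.0', security: false },
  { version: 'v16.19.1', security: true },
  { version: 'v16.18.1', security: true },
];

// "v16.18.1" or "16.18.1" -> [16, 18, 1]; anything else is rejected.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a release version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so that 16.9.0 sorts before 16.18.1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// patchGap (hypothetical helper): what the pinned version is missing
// within its own major line, so no major-version upgrade is implied.
function patchGap(index, pinned) {
  const major = parseVersion(pinned)[0];
  const line = index
    .filter((r) => parseVersion(r.version)[0] === major)
    .sort((a, b) => compareVersions(a.version, b.version));
  const newer = line.filter((r) => compareVersions(r.version, pinned) > 0);
  return {
    pinned,
    latestInLine: line.length ? line[line.length - 1].version : null,
    missedSecurityReleases: newer.filter((r) => r.security).map((r) => r.version),
  };
}

console.log(patchGap(SAMPLE_INDEX, '16.18.1'));
```

A `latestInLine` of `null` means the index holds no release for that major line, which should be treated as "unknown" rather than "up to date".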