-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a warning on EOL versions #1401
Comments
@RafaelGSS as you mentioned if they pin they won't get a warning. If instead we published as CVE indicating the release was EOL they would get if they are running CVE scans. I suspect this would be a more reliable way of having it be recognized as a risk. |
I think we could do both, issue a single CVE alerting EOL (after a sec release) and create a patch release with a warning? |
I think doing both makes sense to me, provide we have a volunteer to do the patch release (as I think that's more work that doing the CVE). |
Right, how can we move forward with it? Should we open a PR to document it somewhere? |
For the warning, presumably there'd be an env/NODE_OPTIONS way to disable it, so as to not break CI and child process workflows? |
Yes, we can use the same --security-revert CLI |
I'm not entirely convinced a warning is needed, but the idea of a cve is great. Can we start by issuing one for all past releases? |
I think so, I think it needs to go through a H1 report |
Let's do it for v16.x, v19.x, and v21.x. I can take care of it early this week. |
I've been talking with @rginn who suggested announcing on Node.js social before making this move. I asked her to provide some details about openjs health here. |
FYI I'm going to create an "announcement" (https://github.com/orgs/nodejs/discussions/categories/announcements) informing Node.js collaborators that next week we'll be issuing a CVE for Node.js 16, 19 and 21, then I'll ask @nodejs/social to share a post that I can create or the official account can create informing our users. |
@RafaelGSS please write a public blog post instead, and set the date on or after the 7th of January. Doing this right before the holidays is not helping anyone. |
+1 for a blog post holiday. I would not announce on social media without giving adequate information and context via a blog. Jen and I can help with the draft and posting across our channels. |
Ok, that makes sense. I can write a draft and ask for Jan, Robin and TSC input. I will put it on my backlog |
Please see: nodejs/nodejs.org#7328 |
* blog: add Upcoming CVE for EOL Versions post Refs: nodejs/security-wg#1401 * update: mention openjs ecosystem sustainability program * update: mention openjs ecosystem sustainability program * fixup! update: mention openjs ecosystem sustainability program * Update apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md Co-authored-by: Michael Dawson <mdawson@devrus.com> Signed-off-by: Rafael Gonzaga <rafael.nunu@hotmail.com> * fixup! Update apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md --------- Signed-off-by: Rafael Gonzaga <rafael.nunu@hotmail.com> Co-authored-by: Michael Dawson <mdawson@devrus.com>
It would be intersting if the CVE will be picked up by security tools like snyk cc @lirantal |
I would assume it would be automatically picked up, just like other CVEs? |
I'll issue the CVEs in the next security release |
I was talking with @marco-ippolito and we were discussing having ways for people to know when they are using an insecure version of Node.js. Instead of having a flag (#852), what if we release a patch version after one or two months of EOL alerting users they are using an EOL version?
I mean, if they pin the version and don't get the last release, they won't see the warning, but I assume it will affect most users. We could try to do it to non-LTS versions first, and then we expand the coverage to all EOL versions (starting this year, of course).
cc: @nodejs/security-wg @nodejs/tsc
The text was updated successfully, but these errors were encountered: