Description
Back in May, the Node.js Releases team added a new security property to the index (nodejs/nodejs-dist-indexer#9).
The property is a boolean that indicates if the release is a security release, which is useful for a few reasons (many described in nodejs/Release#437 (comment)); the one that I believe justifies adding functionality to resolve-node is this one (emphasis mine):
Theoretically, developers (us included!) could use this in a few ways:
...
- loop over every release in a release line until they encounter true – when they encounter true for the first time, they know that version is the minimum secure version
The proposal is to add support for a security query param on all endpoints that causes the eligible list of versions to be filtered by security === true before applying the maxSatisfying() query.
e.g.:
$ curl https://resolve-node.now.sh/lts/dubnium
v10.17.0
$ curl https://resolve-node.now.sh/lts/dubnium?security=true
v10.16.3
This tells us that, at the time of the query, anyone running Dubnium < 10.16.3 is on a known, potentially insecure version.
What do y'all think? Should I whip together a PR?