@zephraph => [Node] Patch update to v10.19 for critical security fix #5022
Conversation
|
cc @joeyAghion I'm fairly certain that we're going to experience the http timing issue that caused us to rollback node updates last time if we merge this. The catch 22 is that we're also vulnerable. |
|
Followed up with a recommended fix from nodejs/node#27363 I somewhat arbitrarily set the following values:
We can merge and possibly try this on staging. I believe the ELB updates should be rolled out automatically on a deploy to staging (or one can via |
|
Why do this rather than the v12 upgrade that's in an open PR already? (I assume they both would contain the necessary security patch.) Either way, we'll need to monitor for the connection issue in staging. (And maybe even hammer staging a little proactively.) Might be helpful to run just the upgrade in staging first. The risk of adjusting timeouts in anticipation of the behavior is that it can introduce new problems between ELB<->nginx and nginx<->express, and dropped connections around deploys or scale-ups/downs. |
|
@joeyAghion well, this PR might be ready to go (🍏), and gets us a security fix in addition to being a good place to test this connection issue. Nothing stopping us from merging this and still working on the v12 branch. If you look at that in-progress v12 PR, it is ❌ and there are C-level stack traces on Whereas this one is I think. So why not try it out? It's Friday, Force is freshly deployed with nothing in the pipeline, etc. |
|
That works for me assuming someone will monitor in staging and eventually production, or block production releases in the meantime. |
|
Cool, let's try it. We can always revert. |
Seems easy enough (on paper)! Let's see what Circle/Docker thinks of it (seems to be fine locally).