Update node versions #1831

Merged
merged 2 commits into from
Apr 6, 2020

bajtos

@bajtos bajtos commented Apr 3, 2020

  • Add support for Node.js 13.x
  • Drop support for Node 8.x

Checklist

👉 Read and sign the CLA (Contributor License Agreement) 👈

  • npm test passes on your machine
  • New tests added or existing tests modified to cover all changes
  • Code conforms with the style guide
  • Commit messages are following our guidelines

bajtos added 2 commits April 3, 2020 09:37
Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
Node 8.x is no longer maintained by Node.js project.

Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
@bajtos bajtos self-assigned this Apr 3, 2020

@jannyHou jannyHou left a comment


👍 LGTM (please rebase before merge)

@bajtos bajtos merged commit f1f7bf2 into master Apr 6, 2020
@delete-merged-branch delete-merged-branch bot deleted the update-node-versions branch April 6, 2020 06:20

bajtos commented Apr 6, 2020

We will release this change as semver-minor. Cross-posting from loopbackio/loopback-connector#172 (comment):

Ideally, when we remove support for a major Node.js version (e.g. 8.x), then we should publish a major version of our module too.

Unfortunately, this does not work well with our LTS support policy. If we keep supporting EOL versions of Node, and there is a security vulnerability discovered in one of our dependencies, and this vulnerability is fixed in the latest version only, and that latest version no longer supports the EOLed version of Node, then we cannot get the fix. If we are not able to fix security vulnerabilities in our LTS versions, then it's IMO no long-term support at all.

We have discussed this for a bit around Node.js 4.x release (pretty much the first relevant release after 2-3 years of having everybody on Node.js 0.10). I believe we reached the conclusion that when having to choose between security fixes and strict adherence to semver rules, we prefer security over user convenience.

BTW this gets even more complicated for major versions of the framework itself (e.g. loopback and loopback-datasource-juggler module). When LB 3.x is Current and LB 2.x is Active LTS, and Node.js 6.x goes EOL, then how should we drop support for Node.js 6.x from LB 2.x? LB 3.x is already taken at that point...

My recommendation is to use package-lock and npm-shrinkwrap functionality to lock down dependencies in your project to the latest versions that still support the end-of-life Node.js version you are using (e.g. 8.x).
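
One way to verify the lock-down recommended in the comment above, as an added example (not code from this pull request or from LoopBack): it scans a lockfile for pinned packages whose declared `engines.node` range excludes the Node.js version you must stay on. The function names (`auditLock`, `satisfies`) and the sample packages are hypothetical, and the range evaluator handles only plain comparators, reporting anything else (such as `^` or `~`) as unchecked for manual review.

```javascript
// Added example (not LoopBack code); assumes lockfileVersion 2 or 3 ("packages" map).
const parse = (v) => v.replace(/^v/, '').split('.').map(Number).concat(0, 0).slice(0, 3);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// One comparator, e.g. ">=10.13.0". Returns true/false, or null for syntax
// this sketch does not evaluate (^, ~, x-ranges, ambiguous partial versions).
function testComparator(comp, version) {
  if (comp === '' || comp === '*') return true;
  const m = /^(>=|<=|>|<|=)?v?(\d+(?:\.\d+){0,2})$/.exec(comp);
  if (!m) return null;
  const op = m[1] || '=';
  const partial = m[2].split('.').length < 3;
  if (partial && op !== '>=' && op !== '<') return null; // e.g. "8" means 8.x
  const c = cmp(version, parse(m[2]));
  return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
}

// A range is "||"-separated sets; every comparator in a set must hold.
function satisfies(range, version) {
  let unknown = false;
  const sets = range.replace(/(>=|<=|>|<|=)\s+/g, '$1').split('||');
  for (const set of sets) {
    const results = set.trim().split(/\s+/).map((c) => testComparator(c, version));
    if (results.includes(false)) continue;
    if (results.includes(null)) unknown = true;
    else return true;
  }
  return unknown ? null : false;
}

// List locked packages that exclude nodeVersion, and those needing manual review.
function auditLock(lock, nodeVersion) {
  const report = { incompatible: [], unchecked: [] };
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    const range = pkg.engines && pkg.engines.node;
    if (!path || typeof range !== 'string') continue; // skip root and undeclared
    const ok = satisfies(range, parse(nodeVersion));
    if (ok !== true) report[ok === false ? 'incompatible' : 'unchecked'].push(`${path}@${pkg.version}`);
  }
  return report;
}

// Constructed sample lockfile; package names and ranges are made up.
const sampleLock = { lockfileVersion: 2, packages: {
  'node_modules/dep-a': { version: '2.1.0', engines: { node: '>=8.9' } },
  'node_modules/dep-b': { version: '5.0.0', engines: { node: '>=10' } },
  'node_modules/dep-c': { version: '1.4.2', engines: { node: '^8.10.0 || >=10.13.0' } },
  'node_modules/dep-d': { version: '0.3.0', engines: { node: '>= 6 < 13' } },
} };
console.log(auditLock(sampleLock, '8.17.0'));
```

Run it against the parsed contents of your own `package-lock.json` or `npm-shrinkwrap.json`; an entry under `incompatible` is a pinned version that has already dropped your Node.js line and needs to be locked to an earlier release.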
