
Upgrade nodejs to latest npm version 10.9.1 #193

Open

contactsmrajesh opened this issue Dec 2, 2024 · 8 comments
Labels
dont-believe-affects-nodejs dont-fall-in-threat-model When a vulnerability might affect Node.js but do not fall in the Node.js threat model

Comments


contactsmrajesh commented Dec 2, 2024

Node.js Version

22.11.0

NPM Version

10.9.0

Operating System

windows

Subsystem

Other

Description

npm fixed a critical security vulnerability in version 10.9.1. The current LTS of Node.js and the next version, 23.3.0, ship with npm version 10.9.0.

When does Node.js usually update the bundled npm version? Also, in the meantime, until that upgrade is done, is there any solution to handle this issue, such as manually upgrading to the latest npm or upgrading just that library (cross-spawn) in Node.js?

npm/cli#7902
https://nvd.nist.gov/vuln/detail/CVE-2024-21538

Minimal Reproduction

No response

Output

No response


@richardlau richardlau transferred this issue from nodejs/help Dec 2, 2024
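The issue body asks whether, until Node.js ships npm 10.9.1, one should upgrade npm manually or just replace cross-spawn. The script below is an added example, not code from this thread, from Node.js or from npm: it reads the cross-spawn copy inside a bundled npm tree and reports which of the two manual routes applies. Assumptions, not stated on this page: npm 10.9.1 is taken as the fixed npm (as the issue says), cross-spawn 7.0.5 is taken as the fixed library version (check the advisory you rely on), the script name `audit-cross-spawn.sh` and the helper names are mine, and the package.json files used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the issue thread, Node.js or npm): audit the cross-spawn
# copy bundled inside an npm tree and say whether a manual npm upgrade or a
# cross-spawn-only patch is the applicable workaround.
#
# Assumed fixed versions (adjust to the advisory you rely on):
NPM_FIXED="10.9.1"          # stated in the issue as the npm release with the fix
CROSS_SPAWN_FIXED="7.0.5"   # assumption: first cross-spawn release with the fix

# semver_ge A B: succeed when A >= B, comparing major.minor.patch numerically.
# Pre-release suffixes ("10.9.1-rc.1") are stripped; missing components count as 0.
semver_ge() {
    a="${1%%-*}.0.0"; b="${2%%-*}.0.0"
    a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a=${a#*.}; a3=${a%%.*}
    b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b=${b#*.}; b3=${b%%.*}
    if [ "$a1" -gt "$b1" ]; then return 0; fi
    if [ "$a1" -lt "$b1" ]; then return 1; fi
    if [ "$a2" -gt "$b2" ]; then return 0; fi
    if [ "$a2" -lt "$b2" ]; then return 1; fi
    if [ "$a3" -ge "$b3" ]; then return 0; fi
    return 1
}

# package_version FILE: print the top-level "version" field of a package.json
# (first line that starts with "version"), or nothing if the file is missing.
package_version() {
    if [ ! -f "$1" ]; then return 0; fi
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# audit_npm_tree NPM_DIR: NPM_DIR is the npm package directory Node.js bundles
# ("$(npm root -g)/npm" on Linux/macOS; node_modules\npm next to node.exe on
# Windows). Prints exactly one word:
#   ok                 bundled cross-spawn is already at or above the fixed version
#   upgrade-npm        bundled npm is older than the fixed npm; the whole-npm route
#                      is "npm install -g npm@10.9.1" (or newer)
#   patch-cross-spawn  npm is at the fixed version but still carries an old
#                      cross-spawn; replace node_modules/cross-spawn in the tree
#   unknown            one of the two package.json files could not be read
audit_npm_tree() {
    npm_v=$(package_version "$1/package.json")
    cs_v=$(package_version "$1/node_modules/cross-spawn/package.json")
    if [ -z "$npm_v" ] || [ -z "$cs_v" ]; then echo unknown; return 0; fi
    if semver_ge "$cs_v" "$CROSS_SPAWN_FIXED"; then echo ok; return 0; fi
    if semver_ge "$npm_v" "$NPM_FIXED"; then
        echo patch-cross-spawn
    else
        echo upgrade-npm
    fi
    return 0
}

# make_tree DIR NPM_VERSION CROSS_SPAWN_VERSION: write a constructed (fake) npm tree
# containing only the two package.json files the audit reads. Demo input only.
make_tree() {
    mkdir -p "$1/node_modules/cross-spawn"
    printf '{\n  "name": "npm",\n  "version": "%s"\n}\n' "$2" > "$1/package.json"
    printf '{\n  "name": "cross-spawn",\n  "version": "%s"\n}\n' "$3" \
        > "$1/node_modules/cross-spawn/package.json"
}

# Usage: sh audit-cross-spawn.sh "$(npm root -g)/npm"   (hypothetical script name)
# With no argument, run the audit on constructed trees instead of a real install.
if [ -n "${1:-}" ]; then
    audit_npm_tree "$1"
else
    tmp=$(mktemp -d)
    make_tree "$tmp/old" 10.9.0 7.0.3
    make_tree "$tmp/new" 10.9.1 7.0.5
    echo "old tree: $(audit_npm_tree "$tmp/old")"   # upgrade-npm
    echo "new tree: $(audit_npm_tree "$tmp/new")"   # ok
    rm -rf "$tmp"
fi
```

The check reads package.json files rather than calling `npm --version`, so it can be pointed at the npm tree inside a container image or an extracted Node.js archive without executing anything from it; it does not follow cross-spawn copies that npm may keep elsewhere in its tree, which is why an unreadable path reports `unknown` rather than `ok`.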

kl4072 commented Dec 3, 2024

When do we anticipate this change being implemented in the latest images? This causes issues with the cross-spawn 7.0.3 vulnerability.

@RafaelGSS
Member

This should solve nodejs/node#56135.

Member

RafaelGSS commented Dec 5, 2024

Does it affect 10.8.x too, @nodejs/npm? In that case, Node.js 18.x.

How does it affect Node.js? Should we issue a release for Node.js 20 and 18?

Member

mhdawson commented Dec 5, 2024

10.9.1 was pulled in nodejs/node#55951

It should be in the next 23.x
nodejs/node#56119

after which it would be backported to 22.x

@richardlau
Member

10.9.1 was pulled in nodejs/node#55951

It should be in the next 23.x nodejs/node#56119

after which it would be backported to 22.x

But currently blocked on 20 and 18: nodejs/node#55951 (comment)

@lukekarrys
Member

@aduh95 Do you have more info or some links about Python 3.8 support blocking npm backports (ref nodejs/node#55951 (comment))?

node-gyp and gyp-next are both tested on 3.8 so any breaking change there should be unintentional and I can try and fix in node-gyp.

@richardlau
Member

IIRC it's not that support for Python 3.8 was broken, it's that Python 3.8 is now the minimum (see nodejs/node#54358 for the breaking syntax) whereas earlier node-gyp (e.g. in npm@10.8.2) allowed earlier Python 3 (e.g. Python 3.7 which is what is on the current CI macOS 10.15 VMs).

There are two points:

  1. The CI. Either update Python in the macOS 10.15 VMs (not sure how feasible that is -- I know @UlisesGascon / @ryanaslett have had difficulty keeping the 10.15 VMs going as e.g. homebrew have already dropped support for it), or drop them for later versions of macOS. (But something will need to happen so we can get passing CI. Note we don't test on macOS 10.15 for Node.js 22+, which is why we haven't had issues there.)
  2. Whether dropping support for Python < 3.8 to compile addons within a release line is a breaking change for users. On one hand Python 3.8 and earlier are all End-of-Life now, but on the other the default python3 on many OSes may be older Python 3 (e.g. IIRC the default Python 3 on RHEL 8 is 3.6 (later Python 3 is available but not installed by default)).

@mcollina
Member

How does it affect Node.js? Should we issue a release for Node.js 20 and 18?

The vuln is a false positive and all this work is to appease security scanners and overly rigid processes.
There is no way to attack this given the Node.js threat model.

Given that npm does not really maintain previous lines, I think we would need to patch cross-spawn in our tree in our maintenance lines.

@RafaelGSS RafaelGSS added dont-believe-affects-nodejs dont-fall-in-threat-model When a vulnerability might affect Node.js but do not fall in the Node.js threat model labels Dec 19, 2024