generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #274 from ossf/oct-updates
doc: add nodejs oct 23 update
- Loading branch information
Showing
1 changed file
with
89 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| # Update 2023-10 | ||
|
|
||
| This is a summary of the work accomplished in the Alpha-Omega project October 2023 | ||
| in the Node.js scope. | ||
|
|
||
| ## Summary | ||
|
|
||
| October was a monthly quite busy due to the latest security release affecting Node.js 18 and Node.js 20. | ||
| A day after the security release, we've released a new major version of Node.js, 21. | ||
|
|
||
| ### Security Release | ||
|
|
||
| In response to the latest security concerns, Node.js promptly addressed 4 CVEs within Node.js itself and 2 in its dependencies, | ||
| namely `undici` and `nghttp2`. The vulnerabilities were categorized as follows: | ||
|
|
||
| - 2 High severity issues | ||
| - 1 Medium severity issue | ||
| - 1 Low severity issue in Node.js | ||
| - Security updates for `undici` and `nghttp2` | ||
|
|
||
| The 20.x release line of Node.js was vulnerable to 2 high severity issues, 1 medium severity issue, and 1 low severity issue. | ||
| The 18.x release line of Node.js was vulnerable to 1 medium severity issue, and 1 low severity issue. | ||
|
|
||
| For detailed information, refer to the security release blog post: [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases). | ||
| Users can check their version's vulnerability status by running: | ||
|
|
||
| ```console | ||
| $ npx is-my-node-vulnerable | ||
| ``` | ||
|
|
||
| In addition to the security release, some tiny adjusts were made to the next-security-release template: | ||
|
|
||
| * https://github.com/nodejs/node-core-utils/pull/744 | ||
| * https://github.com/nodejs/node-core-utils/pull/739 | ||
|
|
||
| As a fact of curiosity, this security release was very quickly in time due to the upcoming major release. | ||
| It took just 3 days of work! Usually, we lock the CI for at least 5 days. This was only possible due to the recent | ||
| changes to the CITGM and the automation of the security release proposal. | ||
|
|
||
| ### Node.js 21 | ||
|
|
||
| October was the month we released a new major version of Node.js. Major releases take a significant amount of work | ||
| to collect and condense all the information to the community. | ||
|
|
||
| Node.js 21 comes with interesting updates to ESM, stable version of `fetch` and `WebStreams` and many more. | ||
| See our [release post](https://nodejs.org/en/blog/announcements/v21-release-announce). | ||
| Also note this means a transition from Node.js 20 to LTS and Node.js 21 as our 'Current' release. | ||
|
|
||
| Pull requests created to the Node.js 21 release: | ||
|
|
||
| * [Node.js 21 Release plan](https://github.com/nodejs/Release/issues/932) | ||
| * [doc: add command to keep major branch sync](https://github.com/nodejs/node/pull/50102) | ||
| * [doc: add command to get patch, minors, and majors](https://github.com/nodejs/node/pull/50067) | ||
| * [add expected assets for Node.js 21](https://github.com/nodejs/build/pull/3510) | ||
| * [Node.js 21 proposal](https://github.com/nodejs/node/pull/49870) | ||
|
|
||
| ### Security initiatives and assessments | ||
|
|
||
| Recently, OpenSSL disclosed 3 security releases which were assessed by the Node.js team | ||
| as a non-critical patch, therefore, they were handled in regular releases. | ||
|
|
||
| The assessment was published at: https://nodejs.org/en/blog/vulnerability/openssl-fixes-in-regular-releases-oct2023. | ||
|
|
||
| Apart from that, two pull requests were created to update the Permission Model stability (moving it to 1.1 - Active development) | ||
| and to document some files that can be read before the V8 initializaton - affecting direct the Permission Model | ||
|
|
||
| 1. https://github.com/nodejs/node/pull/50068 | ||
| 2. https://github.com/nodejs/node/pull/50072 | ||
|
|
||
| With the intention of improving the scorecard of different repositories under Node.js organization, we've | ||
| created 5 pull requests to pin github actions by commit-hash: | ||
|
|
||
| 1. https://github.com/nodejs/diagnostics/pull/621 | ||
| 2. https://github.com/nodejs/build/pull/3516 | ||
| 3. https://github.com/nodejs/citgm/pull/1010 | ||
| 4. https://github.com/nodejs/llhttp/pull/255 | ||
| 5. https://github.com/nodejs/undici/pull/2325 | ||
|
|
||
| We are evaluating how effective this approach is for non-libraries since it can cause some maintenance burden | ||
| to the maintainers. Consider that you can pin github actions by tag without having to manually (or through dependabot) | ||
| update semver-minor and semver-patch releases -- `actions/checkout@v2` will always fetch the latest release of v2. | ||
|
|
||
| In October, we've added support Ada and `simdtuf` to our [dependency-vulnerability-scanner](https://github.com/nodejs/nodejs-dependency-vuln-assessments) | ||
| through the [#158 PR](https://github.com/nodejs/nodejs-dependency-vuln-assessments/pull/158) and Node.js 21 was added to the | ||
| cycle. | ||
|
|
||
| As a final update, we've identified that a previous security release might have broken the usage of `esm` npm package, however, | ||
| considering this package is now _archieved_ and the usage of monkey patching isn't guaranteed by Node.js, it's unlikely to have a patch for that. | ||
| Reference: https://github.com/nodejs/node/pull/50109. |