-
Notifications
You must be signed in to change notification settings - Fork 29.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Print a warning if the current major version is out of LTS #50746
Comments
I can't remember where but I think there was a previous discussion along these lines which ultimately led to https://github.com/RafaelGSS/is-my-node-vulnerable. |
I think part of the discussion happened in #44942 |
The previous discussion was to include a runtime check and a call to an endpoint on one of our servers. This is not a version checker as it 100% relies on builtin information. |
|
Yes |
A significant difference to previous discussions is that this check would provide marginal security guarantees at best. My understanding is that there would be no warning issued to users of Node.js 20.0.0 until 2026-04-30, even though that version should likely be considered insecure long before then. |
We are not in agreement. Node.js 14 was downloaded almost 19 million times in last month (October 2023), while Node.js v12 was still downloaded 3 million times, and Node.js 10 wad downloaded 2 millions times in the same period. Seems the users are not updating because they don't know that they need to update. |
Well, or they know and don’t care. Add it to the backlog. I think the proper comparison isn’t against what might theoretically be possible, but rather against the status quo. Surely printing a warning that a version has reached EOL is better than not printing such a warning. Especially if the warning is somewhat stern:
|
I'm not convinced that the majority of users are not updating because they don't know they need to. I suspect it's also made up of a mass of:
Also, the first time users will see this warning is in April 2025 if we backport to Node.js 18, or April 2026 for Node.js 20. So, I don't think this will impact the immediate concern of people using already EOL versions. (edit: April 2024 for Node 21.) I do wonder if this would be better to be added to version managers rather than |
And April 2024 for Node 21. |
LTS dates aren't even strictly adhered to; they change for all sorts of reasons. It doesn't make sense to hardcode a timebomb into node, especially one that won't even necessarily be accurate. |
Sure, but also, why not both? |
How would we know that a version is out of LTS without making a remote call? A few approaches that come quickly to my mind are to have this information built-in and trust in the environment to correctly check the date and correlate with LTS times, but that's quite flaky IMO. |
Yes, that's how we would do it. The EOL dates are set years in advance. If someone's system has the wrong date set in their clock, so be it. It's just a warning. The warning itself can include the EOL date; see my example above. |
Despite being set years in advance, node 16’s EOL date was moved up (for example). Releasers may have conflicts that delay the date as well. If dates are hardcoded, there will inevitably be a time when they’re wrong (setting aside that system clocks are often incorrect and timezones are complex and often change according to government whim) |
I'm open to suggestions on how to encourage folks to upgrade. |
If security warnings from automated tooling, performance improvements, lack of platform support, and new features aren’t incentive enough for a user, what are the reasons node needs to be concerned with what version they’re using? |
This is not a timebomb - it's a warning message. I'm also not convinced that inaccuracy is a problem here. If EOL is moved one week back, users will be incentivized to upgrade one week earlier than they otherwise would be - nothing else happens. How is this a problem? Especially since they should really be upgrading before EOL anyway, since any security issue even one day after EOL would not be fixed. |
Spurious console output can definitely break things, like log parsing, child process output parsing, etc. |
Are you saying that it is ok that 50% of our users have not yet updated to a maintained version? This is an interesting take. |
I'd suspect we'd get more benefit from:
I really do suspect that this warning in most cases would either go unseen in abandoned/legacy projects or just irritate people who know they're stuck on old versions. Also, surely a lot of people stuck on old versions of Node.js are also stuck on old npm versions of modules that still support those versions? I can imagine many are already getting a number of npm audit warnings in their output. (Not -1, but generally think our efforts are better placed elsewhere to encourage people to upgrade.) |
I cannot see anywhere in this thread where anyone has that position. And, this issue was abruptly closed when I proposed genuine suggestions to encourage upgrades 😕 |
I haven't seen your message when I closed this @BethGriggs. Reopening. |
To be clear, it’s not that it’s OK, it’s that i suspect it’s likely beyond the power of node to control, and that the warnings will likely cause more problems for users who want and know to upgrade, than it will help inform and motivate unaware users to do so. |
Opt-in or opt-out?I think it would be very valuable going forward if there was a way to tell people when they are running an out of date and unsupported version of Node.js. I do not know the best way to do that, but I do think we should have something available. Assuming that there is agreement that it would be good to have something rather than nothing, than the first thing to figure out is probably whether it should be opt-in or opt-out. If it's opt-in with no plans to switch to opt-out with a future version, then there are several possibilities that otherwise aren't available. Some possibilities are:
The downside is that most people probably won't run it. But it could be useful for CI and other situations. If it's opt-in but where we want to keep the option of making it opt-out in the future, then that reduces the possibilities and still has the small-audience downside, but allows us to ship something as a proof-of-concept without it being something that will cause a lot of unexpected disruption. Shipping something that is opt-out will notify the most people, of course, but risks the kind of warning-fatigue that we see with |
I agree with that analysis - shipping an opt-in mechanism for a sizable period of time at least would provide a way to surface some of the potential issues mentioned. |
I think nothing is better than something that’s opt-in. We discussed that in #44942 and decided it wasn’t a good idea. Users already have plenty of ways to make a call to see if their current version of Node is the latest one, or in EOL. And anyone with the awareness to run an opt-in check doesn’t need us to notify them of anything. Opt-out, however, I think is worth pursuing. |
@GeoffreyBooth What makes you say there was a decision that it wasn't a good idea? That's not my impression, reviewing the conversation. People involved in that conversation who seemed to conclude that opt-in was a viable option include:
The only people I see in that conversation that seem opposed to opt-in seem to be:
I suppose you could also add the people who concluded that any type of version checker isn't going to be useful, but I don't see too many of those. (Maybe @RaisinTen?) Perhaps I'm not reading closely enough and doing too much searching-for-the-term-"opt-in", but I'm not seeing any widely-endorsed conclusion that it's not a good idea. |
I was basing it on the fact that that issue was closed and nothing got implemented. Sure that's not a decision, I should more accurately have described it as an outcome. |
A long time ago, @Fishrock123 used to put together those types of guides and then found it to be an impossible amount of work at some point. However, the challenge would be greatly reduced if coupled with another suggestion from @BethGriggs:
|
There has been no activity on this feature request for 5 months. To help maintain relevant open issues, please add the
never-stale
|
There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment. For more information on how the project manages feature requests, please consult the feature request management document. |
As I was exploring the data of the download numbers in nodedownloads.nodeland.dev, I saw that our users do not update their installed Node.js version.
Given that we know when a LTS version will become unmaintained, we could print a message to standard output telling the user to update. This will be annoying, so maybe we should also add a way to turn it off.
cc @nodejs/lts @nodejs/tsc
The text was updated successfully, but these errors were encountered: