Bug 2253524

Summary: Upgrade to last supported NodeJS 16 version
Product: [Fedora] Fedora EPEL Reporter: Nicholas Clark <nicholas.clark>
Component: nodejsAssignee: NodeJS Packaging SIG <nodejs-sig>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: epel7CC: mrunge, nodejs-sig, sgallagh, thrcka, zsvetlik
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-16.20.2-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-12-17 01:03:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nicholas Clark 2023-12-07 21:22:45 UTC 
Description of problem:
Missing a supported version of nodejs for EPEL 7 and known vulnerabilities in nodejs 16.18.1.

Version of nodejs in epel 7 is at 16.18.1, the last release of 16 is 16.20.2 which includes remediation for multiple vulnerabilities since 16.18.1.

Version-Release number of selected component (if applicable):
nodejs-16.18.1-3.el7.x86_64


Additional info:
NodeJS 16 is EOL from upstream as of September 11, 2023, https://nodejs.org/en/blog/announcements/nodejs16-eol
However, Red Hat still provides support for 16 on RHEL 8.5 and later. RHEL 7 is still supported until June 2024, but Red Hat does not list any supported version of nodejs for RHEL 7: https://access.redhat.com/articles/3376841

I have relied on EPEL 7 for supporting nodejs 16. What is the state of support for nodejs for EPEL 7? Could we get an update to at least 16.20.2 so that the known vulnerabilities could be remediated in EPEL 7's distribution of nodejs 16? https://nodejs.org/en/blog/release/v16.20.2
Comment 1 Nicholas Clark 2023-12-07 21:32:31 UTC 
Related CVE Bug IDs:
https://bugzilla.redhat.com/show_bug.cgi?id=2233375 (CVE-2023-32002)
https://bugzilla.redhat.com/show_bug.cgi?id=2233388 (CVE-2023-32006)
https://bugzilla.redhat.com/show_bug.cgi?id=2233397 (CVE-2023-32559)
Comment 2 Stephen Gallagher 2023-12-08 13:59:21 UTC 
To be entirely honest, I didn't realize they had made any further updates past 16.18.1. I'll see if I can get it to build on EPEL 7 still.

That being said, the likelihood of vulnerabilities remaining is high, since it's not receiving new security fixes. I'll backport whatever patches RHEL 9's version of Node.js 16 incorporates as I can, but I don't guarantee anything.

Given that RHEL 7 is going EOL in about six months, I don't think it makes sense to go through the effort of upgrading to Node.js 18+ here either.
Comment 3 Fedora Update System 2023-12-08 16:04:11 UTC 
FEDORA-EPEL-2023-8ea1dafefe has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-8ea1dafefe
Comment 4 Nicholas Clark 2023-12-08 17:14:23 UTC 
Thanks for the quick update on the status. This works for me.
Comment 5 Fedora Update System 2023-12-09 02:54:04 UTC 
FEDORA-EPEL-2023-8ea1dafefe has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-8ea1dafefe

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Fedora Update System 2023-12-17 01:03:57 UTC 
FEDORA-EPEL-2023-8ea1dafefe has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.