2253524 – Upgrade to last supported NodeJS 16 version

Bug 2253524 - Upgrade to last supported NodeJS 16 version

Summary: Upgrade to last supported NodeJS 16 version

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	nodejs
Sub Component:
Version:	epel7
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	NodeJS Packaging SIG
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-12-07 21:22 UTC by Nicholas Clark
Modified:	2023-12-17 01:03 UTC (History)
CC List:	5 users (show)
Fixed In Version:	nodejs-16.20.2-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-12-17 01:03:57 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description Nicholas Clark 2023-12-07 21:22:45 UTC

Description of problem:
Missing a supported version of nodejs for EPEL 7 and known vulnerabilities in nodejs 16.18.1.

Version of nodejs in epel 7 is at 16.18.1, the last release of 16 is 16.20.2 which includes remediation for multiple vulnerabilities since 16.18.1.

Version-Release number of selected component (if applicable):
nodejs-16.18.1-3.el7.x86_64


Additional info:
NodeJS 16 is EOL from upstream as of September 11, 2023, https://nodejs.org/en/blog/announcements/nodejs16-eol
However, Red Hat still provides support for 16 on RHEL 8.5 and later. RHEL 7 is still supported until June 2024, but Red Hat does not list any supported version of nodejs for RHEL 7: https://access.redhat.com/articles/3376841

I have relied on EPEL 7 for supporting nodejs 16. What is the state of support for nodejs for EPEL 7? Could we get an update to at least 16.20.2 so that the known vulnerabilities could be remediated in EPEL 7's distribution of nodejs 16? https://nodejs.org/en/blog/release/v16.20.2

Comment 1 Nicholas Clark 2023-12-07 21:32:31 UTC

Related CVE Bug IDs:
https://bugzilla.redhat.com/show_bug.cgi?id=2233375 (CVE-2023-32002)
https://bugzilla.redhat.com/show_bug.cgi?id=2233388 (CVE-2023-32006)
https://bugzilla.redhat.com/show_bug.cgi?id=2233397 (CVE-2023-32559)

Comment 2 Stephen Gallagher 2023-12-08 13:59:21 UTC

To be entirely honest, I didn't realize they had made any further updates past 16.18.1. I'll see if I can get it to build on EPEL 7 still.

That being said, the likelihood of vulnerabilities remaining is high, since it's not receiving new security fixes. I'll backport whatever patches RHEL 9's version of Node.js 16 incorporates as I can, but I don't guarantee anything.

Given that RHEL 7 is going EOL in about six months, I don't think it makes sense to go through the effort of upgrading to Node.js 18+ here either.

Comment 3 Fedora Update System 2023-12-08 16:04:11 UTC

FEDORA-EPEL-2023-8ea1dafefe has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-8ea1dafefe

Comment 4 Nicholas Clark 2023-12-08 17:14:23 UTC

Thanks for the quick update on the status. This works for me.

Comment 5 Fedora Update System 2023-12-09 02:54:04 UTC

FEDORA-EPEL-2023-8ea1dafefe has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-8ea1dafefe

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-12-17 01:03:57 UTC

FEDORA-EPEL-2023-8ea1dafefe has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.