Update node_js to latest 0.10.x release
Closed, Declined · Public

Description

Steps to reproduce

based on https://gerrit.wikimedia.org/r/#/c/227659/

Actual results

  • It comes up with errors:

18:17:35 npm WARN engine hawk@3.1.2: wanted: {"node":">=0.10.32"} (current: {"node":"0.10.25","npm":"2.7.6"})

18:17:39 npm WARN engine hoek@2.16.3: wanted: {"node":">=0.10.40"} (current: {"node":"0.10.25","npm":"2.7.6"})
18:17:39 npm WARN engine cryptiles@2.0.5: wanted: {"node":">=0.10.40"} (current: {"node":"0.10.25","npm":"2.7.6"})
18:17:39 npm WARN engine boom@2.10.1: wanted: {"node":">=0.10.40"} (current: {"node":"0.10.25","npm":"2.7.6"})

Expected results

  • There should be no errors, so we should update node_js to the latest 0.10.x release, which is 0.10.40.

https://nodejs.org/download/release/v0.10.40/

Paladox created this task. Nov 20 2015, 6:34 PM
Paladox updated the task description.
Paladox raised the priority of this task to Needs Triage.
Paladox added a subscriber: Paladox.
Restricted Application added subscribers: StudiesWorld, Aklapper. Nov 20 2015, 6:34 PM
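As an added example (not code from this task or from Wikimedia CI), a small Node script that parses the `npm WARN engine` lines quoted above, lists the packages whose engine requirement the installed node fails to meet, and reports the lowest node release that would satisfy all of them, so a CI job can fail hard on an outdated runtime instead of only warning. It handles only the `>=X.Y.Z` range form seen in these warnings; any other range syntax is flagged as unparsed rather than guessed at.

```javascript
// Added example: turn "npm WARN engine" output into a hard CI check.
// Only the ">=X.Y.Z" range form seen in the task's warnings is handled;
// other range syntax is reported as unparsed.

// Constructed sample input: the four warnings quoted in the task description.
const SAMPLE_LOG = `
18:17:35 npm WARN engine hawk@3.1.2: wanted: {"node":">=0.10.32"} (current: {"node":"0.10.25","npm":"2.7.6"})
18:17:39 npm WARN engine hoek@2.16.3: wanted: {"node":">=0.10.40"} (current: {"node":"0.10.25","npm":"2.7.6"})
18:17:39 npm WARN engine cryptiles@2.0.5: wanted: {"node":">=0.10.40"} (current: {"node":"0.10.25","npm":"2.7.6"})
18:17:39 npm WARN engine boom@2.10.1: wanted: {"node":">=0.10.40"} (current: {"node":"0.10.25","npm":"2.7.6"})
`;

const WARN_RE = /npm WARN engine (\S+): wanted: (\{.*?\}) \(current: (\{.*?\})\)/;

// Numeric major.minor.patch comparison; returns <0, 0 or >0 like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns the node version npm saw, the packages it does not satisfy, and the
// lowest node release that would satisfy every ">=" requirement in the log.
function parseEngineWarnings(log) {
  const result = { current: null, required: null, unsatisfied: [] };
  for (const line of log.split('\n')) {
    const m = WARN_RE.exec(line);
    if (!m) continue;                                // not an engine warning
    const wanted = JSON.parse(m[2]).node || '';
    result.current = JSON.parse(m[3]).node;
    const ge = /^>=\s*(\d+\.\d+\.\d+)$/.exec(wanted);
    if (!ge) {                                       // unsupported range syntax
      result.unsatisfied.push({ pkg: m[1], wanted, unparsed: true });
      continue;
    }
    if (compareVersions(result.current, ge[1]) < 0) {
      result.unsatisfied.push({ pkg: m[1], wanted });
      if (result.required === null || compareVersions(ge[1], result.required) > 0) {
        result.required = ge[1];
      }
    }
  }
  return result;
}

// CI gate: non-zero exit status when any engine requirement is unmet.
function engineExitCode(log) {
  return parseEngineWarnings(log).unsatisfied.length === 0 ? 0 : 1;
}
```

Feeding the sample log to `parseEngineWarnings` yields `current` 0.10.25, `required` 0.10.40 and four unmet packages, which is exactly the gap the task describes.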
hashar added a subscriber: hashar. Nov 20 2015, 7:08 PM

We run CI based on the same versions that are used on the Wikimedia cluster. The breakdown being:

  Precise   0.8.2-1chl1~precise1
  Trusty    0.10.25~dfsg2-2ubuntu1
  Jessie    0.10.29~dfsg-2

The npm Jenkins job runs on Trusty. We will migrate it to Jessie on Nodepool instances eventually.

So either:

  • the dependencies need to have an upper bound that matches node
  • upstream libs are setting random values
  • we don't use code paths in upstream libs that might require a newer nodejs
hashar set Security to None.
hashar added a project: Services.

+ Services since they have a bunch of nodejs daemons.

GWicke added a subscriber: GWicke. Nov 20 2015, 7:17 PM

For RB, we are looking into the current LTS 4.2 instead: T107762

I just bumped the priority on that one, and hope that we can start the gradual migration soon. It will likely be a Jessie-only migration, so services that aren't using Jessie yet & need a newer node version will need to switch.

cscott added a subscriber: cscott. Nov 20 2015, 7:27 PM

There have been a bunch of security patches for the node 0.10.x series, for example 0.10.37 was a security release: http://dailyjs.com/2015/03/18/1399-node-roundup/

For that reason I'm a bit surprised that the maintained ubuntu releases aren't following releases on node's stable branch. I *hope* they are cherry-picking security fixes at least.

fgiunchedi triaged this task as Normal priority. Dec 1 2015, 1:32 PM
fgiunchedi added a subscriber: fgiunchedi.

@cscott wrote:
For that reason I'm a bit surprised that the maintained ubuntu releases aren't following releases on node's stable branch. I *hope* they are cherry-picking security fixes at least.

That's a common misconception about Ubuntu's security support: nodejs is from Ubuntu's universe archive section. Such packages are in theory "community maintained" [1], but in practice that usually means that packages from universe are not covered by security support...

[1] https://wiki.ubuntu.com/SecurityTeam/FAQ

hashar closed this task as Declined. Feb 4 2016, 1:25 PM
hashar claimed this task.

We are moving to Jessie and a backport of Nodejs 4.2.4. Example: T124989: Move all Node.JS services to Jessie and Node 4

The child task for CI is T119143: Migrate javascript npm CI jobs to Nodepool