
Update node_js to latest 0.10.x release
Closed, DeclinedPublic

Description

Steps to reproduce

based on https://gerrit.wikimedia.org/r/#/c/227659/

Actual results

  • It comes up with errors:

18:17:35 npm WARN engine hawk@3.1.2: wanted: {"node":">=0.10.32"} (current: {"node":"0.10.25","npm":"2.7.6"})

18:17:39 npm WARN engine hoek@2.16.3: wanted: {"node":">=0.10.40"} (current: {"node":"0.10.25","npm":"2.7.6"})
18:17:39 npm WARN engine cryptiles@2.0.5: wanted: {"node":">=0.10.40"} (current: {"node":"0.10.25","npm":"2.7.6"})
18:17:39 npm WARN engine boom@2.10.1: wanted: {"node":">=0.10.40"} (current: {"node":"0.10.25","npm":"2.7.6"})

Expected results

  • There should be no errors. So we should update node_js to the latest 0.10.x release, which is 0.10.40.

https://nodejs.org/download/release/v0.10.40/
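The four `npm WARN engine` lines above are npm comparing each dependency's `engines.node` range from its package.json against the version of the running Node binary. The script below is an added example, not code from this task, from npm or from any of the packages named in it: it reproduces that check offline with a minimal semver range matcher (comparators `>=`, `<=`, `>`, `<`, `=`, joined by spaces for AND and `||` for OR, which is enough for the ranges quoted here; wildcard forms such as `0.10.x` are deliberately not supported). The package list is constructed from the warnings in the description, plus one package without an `engines` field to show the default.

```javascript
'use strict';

// Added example, not npm's own implementation: reproduce the "npm WARN engine"
// check. A dependency's engines.node range is compared against a Node version
// and mismatches are returned in the shape npm prints them.

// Parse "0.10.25" (optionally "v0.10.25") into [0, 10, 25].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error('not a semver version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator such as ">=0.10.32" or "<0.11.0" against a parsed version.
function matchesComparator(comparator, version) {
  const m = /^(>=|<=|>|<|=)?\s*v?(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error('unsupported comparator: ' + comparator);
  const op = m[1] || '=';
  const c = compare(version, parseVersion(m[2]));
  switch (op) {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '<':  return c < 0;
    default:   return c === 0;
  }
}

// A range is "||"-separated alternatives; each alternative is a space-separated
// AND of comparators. An empty range or "*" matches everything.
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r === '' || r === '*') return true;
  return r.split('||').some(alt => {
    const parts = alt.trim().split(/\s+/).filter(Boolean);
    return parts.length > 0 && parts.every(p => matchesComparator(p, v));
  });
}

// Return the packages whose engines.node range excludes nodeVersion.
// Packages without an engines.node field are accepted, as npm does.
function engineMismatches(packages, nodeVersion) {
  return packages
    .filter(p => p.engines && p.engines.node && !satisfies(nodeVersion, p.engines.node))
    .map(p => ({ name: p.name, version: p.version, wanted: p.engines.node }));
}

// Constructed package metadata matching the warnings quoted in the task
// description; the last entry is made up to show the no-engines case.
const SAMPLE_PACKAGES = [
  { name: 'hawk', version: '3.1.2', engines: { node: '>=0.10.32' } },
  { name: 'hoek', version: '2.16.3', engines: { node: '>=0.10.40' } },
  { name: 'cryptiles', version: '2.0.5', engines: { node: '>=0.10.40' } },
  { name: 'boom', version: '2.10.1', engines: { node: '>=0.10.40' } },
  { name: 'no-engine-field', version: '1.0.0' },
];

// Print the mismatches in npm's warning format.
function report(nodeVersion) {
  for (const m of engineMismatches(SAMPLE_PACKAGES, nodeVersion)) {
    console.log('npm WARN engine ' + m.name + '@' + m.version +
      ': wanted: {"node":"' + m.wanted + '"} (current: {"node":"' + nodeVersion + '"})');
  }
}

// Usage: node engines-check.js 0.10.25   (Trusty's version: four warnings)
//        node engines-check.js 0.10.40   (no warnings)
if (typeof module !== 'undefined' && require.main === module) {
  report(process.argv[2] || '0.10.25');
}

if (typeof module !== 'undefined') {
  module.exports = { parseVersion, satisfies, engineMismatches, SAMPLE_PACKAGES };
}
```

Running it with `0.10.25` reproduces the four warnings from the description; with `0.10.32` only the three `>=0.10.40` packages remain, which is why bumping to the last 0.10.x release rather than any newer 0.10.x is what clears them all.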

Event Timeline

Paladox raised the priority of this task from to Needs Triage.
Paladox updated the task description. (Show Details)
Paladox subscribed.

We run CI based on the same versions that are used on the Wikimedia cluster. The breakdown is:

Distribution   nodejs package version
Precise        0.8.2-1chl1~precise1
Trusty         0.10.25~dfsg2-2ubuntu1
Jessie         0.10.29~dfsg-2

The npm Jenkins job runs on Trusty. We will migrate it to Jessie on Nodepool instances eventually.

So either:

  • the dependencies need to have an upper bound that matches node
  • upstream libs are setting random values
  • we don't use code paths in upstream libs that might require a newer nodejs
hashar set Security to None.
hashar added a project: Services.

+ Services since they have a bunch of nodejs daemons.

For RB, we are looking into the current LTS 4.2 instead: T107762

I just bumped the priority on that one, and hope that we can start the gradual migration soon. It will likely be a Jessie-only migration, so services that aren't using Jessie yet & need a newer node version will need to switch.

There have been a bunch of security patches for the node 0.10.x series, for example 0.10.37 was a security release: http://dailyjs.com/2015/03/18/1399-node-roundup/

For that reason I'm a bit surprised that the maintained Ubuntu releases aren't following releases on node's stable branch. I *hope* they are cherry-picking security fixes at least.

fgiunchedi triaged this task as Medium priority.Dec 1 2015, 1:32 PM
fgiunchedi subscribed.

@cscott wrote:
For that reason I'm a bit surprised that the maintained Ubuntu releases aren't following releases on node's stable branch. I *hope* they are cherry-picking security fixes at least.

That's a common misconception about Ubuntu's security support: nodejs is from Ubuntu's universe archive section. Such packages are in theory "community maintained" [1], but in practice that usually means that packages from universe are not covered by security support...

[1] https://wiki.ubuntu.com/SecurityTeam/FAQ

hashar claimed this task.

We are moving to Jessie and a backport of Nodejs 4.2.4. Example: T124989: Move all Node.JS services to Jessie and Node 4

The child task for CI is T119143: Migrate javascript npm CI jobs to Nodepool