Skip to content
This repository has been archived by the owner on Mar 13, 2024. It is now read-only.

Why was node 8 dropped? #104

Closed
vweevers opened this issue Jul 28, 2019 · 3 comments · May be fixed by Omrisnyk/npm-lockfiles#147 or Omrisnyk/npm-lockfiles#170
Closed

Why was node 8 dropped? #104

vweevers opened this issue Jul 28, 2019 · 3 comments · May be fixed by Omrisnyk/npm-lockfiles#147 or Omrisnyk/npm-lockfiles#170

Comments

@vweevers
Copy link
Contributor

It'll be at least 5 months before many dependents of dependency-check drop node 8, so until then they're stuck on dependency-check@3. Unless we can update this check, to silently pass?

if (process.version.match(/^v(\d+)\./)[1] < 6) {
console.error('dependency-check: Node 6 or greater is required. `dependency-check` did not run.')
process.exit(0)
}

@voxpelli
Copy link
Collaborator

I had forgotten about that check, thanks for pointing it out, it has now been updated to always check against the engine version defined in the package.json of this module.

On the topic of why dropping Node 8:

I want to minimize the number of major releases to make it easier to with minimal effort stay up to date with this module in ones projects.

As it's so close to Node 8 being dropped I felt that it was better to drop it now than to maybe be "forced" to drop it in some months time due to a dependency requiring it.

I also do want to point out that both older majors 2.x and 3.x are still maintained: https://github.com/dependency-check-team/dependency-check/blob/master/SECURITY.md

@vweevers
Copy link
Contributor Author

Thanks @voxpelli!

than to maybe be "forced" to drop it in some months time due to a dependency requiring it.

That's precisely why I prefer waiting to drop support, because now dependency-check itself forces dependents to drop 8 - if it weren't for that check. And doing a major release later just to drop a node version is perfectly fine IMO. It may even be easier to keep up with 10 small releases than to keep up with 5 big releases. But I'm splitting hairs. Thanks for the quick solution :)

I also do want to point out that both older majors 2.x and 3.x are still maintained: https://github.com/dependency-check-team/dependency-check/blob/master/SECURITY.md

💯

@voxpelli
Copy link
Collaborator

Historically forced to in this module has been more been about dependencies not considering it to be a breaking change to drop support for expired LTS versions and thus does so in minor or patch versions, causing us to not fulfill our support promise without jumping through some trouble 😊

So I want to explicitly show early that we will move cutting-edge development to Node 10, to give an early heads up.

Also: I have weekly crons set up for both 2.x and 3.x branches to check that they stay in working condition with fresh installs + checks that no security problems arise with them: https://github.com/dependency-check-team/dependency-check/blob/3.x/.travis.yml (As GitHub's security check is only for the master branch)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
2 participants