From 418c1b2b1074862acedc070e5c4942b4f4f8a893 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 12 Dec 2024 11:16:32 -0300 Subject: [PATCH 1/6] blog: add Upcoming CVE for EOL Versions post Refs: https://github.com/nodejs/security-wg/issues/1401 --- .../upcoming-cve-for-eol-versions.md | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md diff --git a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md new file mode 100644 index 0000000000000..86649dc10bbbe --- /dev/null +++ b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md 
@@ -0,0 +1,79 @@ +--- +date: '2025-01-14T16:00:00.000Z' +category: vulnerability +title: Upcoming CVE for End-of-Life Node.js Versions +layout: blog-post +author: The Node.js Project +--- + +The Node.js Project is committed to ensuring the security and reliability of +applications built on Node.js. As part of this commitment, we regularly review +measures to help our users stay informed about security risks. + +## Announcement + +We will soon issue a Common Vulnerabilities and Exposures (CVE) identifier for +**End-of-Life (EOL)** versions of Node.js. This CVE will serve as an official +notification to inform users that these versions are no longer maintained and +may pose significant security risks. + +The CVE will cite **Unsupported When Assigned** under +[CWE-1104](https://cwe.mitre.org/data/definitions/1104.html): *Use of Unmaintained Third Party Components*. +For more details on this decision, you can refer to the discussion in +[this GitHub issue](https://github.com/nodejs/security-wg/issues/1401). + +## Why Issue a CVE? + +Many organizations rely on CVE notifications to track security issues across +their software stacks. By issuing a CVE for EOL versions of Node.js, we aim to: + +* **Raise Awareness:** Inform users that running EOL versions exposes their +applications to potential vulnerabilities. +* **Encourage Upgrades:** Prompt organizations and developers to update to +actively supported Node.js versions. +* **Improve Security:** Reduce the number of applications running outdated and +unsupported versions of Node.js. + +## What Does This Mean for You? + +If you are using an EOL version of Node.js, we strongly encourage you to upgrade +to a supported version immediately. You can find the list of actively supported +versions and their maintenance schedules in the [Node.js Release Schedule](https://github.com/nodejs/release#release-schedule). 
+ +To check which version of Node.js your application is running, execute the +following command in your terminal: + +```bash +node -v +``` + +If your version is no longer supported, please refer to our +[Migration Guide](https://nodejs.org/en/docs/guides/upgrading/) for assistance +in upgrading. + +You can also run [`is-my-node-vulnerable`](https://github.com/RafaelGSS/is-my-node-vulnerable) +to check if you are using an EOL version or any version with an CVE issued to it. + +```bash +npx is-my-node-vulnerable +``` + +## Supported Versions + +As of the date of this announcement, the following versions are actively supported: + +* Node.js 23 (Current) +* Node.js 22 (LTS) +* Node.js 20 (Maintenance LTS) +* Node.js 18 (Maintenance LTS) + +All other versions are no longer supported and should be considered deprecated. + +## Questions and Feedback + +We understand that upgrading may require effort, and we’re here to help. If you have +any questions or need assistance, please reach out to us via: + +* [Node.js Help Repository](https://github.com/nodejs/help) + +Thank you for your attention to this important matter. From f1cef3f2da754aa82f0d3252fbb9a80106b58fb4 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 12 Dec 2024 11:36:31 -0300 Subject: [PATCH 2/6] update: mention openjs ecosystem sustainability program --- .../en/blog/vulnerability/upcoming-cve-for-eol-versions.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md index 86649dc10bbbe..a6fa620f96101 100644 --- a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md +++ b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md 
@@ -76,4 +76,8 @@ any questions or need assistance, please reach out to us via: * [Node.js Help Repository](https://github.com/nodejs/help) +For organizations or developers who require continued use of EOL Node.js versions, +the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support) +provides commercial support options. + Thank you for your attention to this important matter. From aa83f1731c27b34c44ec0d79810cb6357746da0f Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 12 Dec 2024 11:36:31 -0300 Subject: [PATCH 3/6] update: mention openjs ecosystem sustainability program --- .../en/blog/vulnerability/upcoming-cve-for-eol-versions.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md index a6fa620f96101..b489402496c78 100644 --- a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md +++ b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md @@ -25,7 +25,10 @@ For more details on this decision, you can refer to the discussion in ## Why Issue a CVE? Many organizations rely on CVE notifications to track security issues across -their software stacks. By issuing a CVE for EOL versions of Node.js, we aim to: +their software stacks. The Node.js project guarantee a timely resolution and disclosure +for all reported vulnerabilities for the _maintained_ release lines. +However, we do not issue CVEs for EOL release lines. +By issuing a CVE for EOL versions of Node.js, we aim to: * **Raise Awareness:** Inform users that running EOL versions exposes their applications to potential vulnerabilities. 
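Review bot: the subject line "update: mention openjs ecosystem sustainability program" is reused verbatim for PATCH 3/6, whose content (the CVE policy sentences and the v16 download figure) is unrelated to the sustainability program link added here; retitle 3/6 or squash the two so the history describes what each commit changes.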
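Review bot: "The Node.js project guarantee a timely resolution and disclosure" has a subject-verb agreement error ("guarantees") and overpromises; "aims for a timely resolution" (as later adopted in PATCH 5/6) is the accurate wording. Also, "However, we do not issue CVEs for EOL release lines." followed directly by "By issuing a CVE for EOL versions of Node.js, we aim to:" reads as a contradiction; make the distinction explicit, e.g. "we do not issue CVEs for individual vulnerabilities in EOL release lines; this single CVE instead flags the EOL status itself."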
@@ -34,6 +37,8 @@ actively supported Node.js versions. * **Improve Security:** Reduce the number of applications running outdated and unsupported versions of Node.js. +> Node.js v16, despite being EOL for over a year, has still 11 million downloads per month. + ## What Does This Mean for You? If you are using an EOL version of Node.js, we strongly encourage you to upgrade From 2042f365906aebd973b62028ba5fdd526a769bbd Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Sun, 22 Dec 2024 22:52:17 -0300 Subject: [PATCH 4/6] fixup! update: mention openjs ecosystem sustainability program --- .../en/blog/vulnerability/upcoming-cve-for-eol-versions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md index b489402496c78..377f64810a1da 100644 --- a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md +++ b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md @@ -56,7 +56,7 @@ If your version is no longer supported, please refer to our [Migration Guide](https://nodejs.org/en/docs/guides/upgrading/) for assistance in upgrading. -You can also run [`is-my-node-vulnerable`](https://github.com/RafaelGSS/is-my-node-vulnerable) +You can also run [`is-my-node-vulnerable`](https://github.com/nodejs/is-my-node-vulnerable) to check if you are using an EOL version or any version with an CVE issued to it. ```bash From 8e5ef67e05ab7afd98d2448ff935065385e3800b Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Mon, 23 Dec 2024 21:43:46 -0300 Subject: [PATCH 5/6] Update apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md Co-authored-by: Michael Dawson Signed-off-by: Rafael Gonzaga --- .../upcoming-cve-for-eol-versions.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) 
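Review bot: the blockquote "Node.js v16, despite being EOL for over a year, has still 11 million downloads per month." gives a figure with no source; link the download statistics it comes from so readers can verify it, and reorder to "still has 11 million downloads per month."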
diff --git a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md index 377f64810a1da..77edc94d02efc 100644 --- a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md +++ b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md @@ -1,5 +1,5 @@ --- -date: '2025-01-14T16:00:00.000Z' +date: '2025-01-06:00:00.000Z' category: vulnerability title: Upcoming CVE for End-of-Life Node.js Versions layout: blog-post 
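Review bot: `date: '2025-01-06:00:00.000Z'` is not a valid ISO 8601 timestamp; the `T` separator and the hour field are missing. If the intent is to move publication to 6 January, it should read `'2025-01-06T00:00:00.000Z'`; as written, the site's front-matter date parsing may fail or sort this post incorrectly.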
@@ -18,24 +18,24 @@ notification to inform users that these versions are no longer maintained and may pose significant security risks. The CVE will cite **Unsupported When Assigned** under -[CWE-1104](https://cwe.mitre.org/data/definitions/1104.html): *Use of Unmaintained Third Party Components*. +[CWE-1104](https://cwe.mitre.org/data/definitions/1104.html): _Use of Unmaintained Third Party Components_. For more details on this decision, you can refer to the discussion in [this GitHub issue](https://github.com/nodejs/security-wg/issues/1401). ## Why Issue a CVE? Many organizations rely on CVE notifications to track security issues across -their software stacks. The Node.js project guarantee a timely resolution and disclosure +their software stacks. The Node.js project aims for a timely resolution and disclosure for all reported vulnerabilities for the _maintained_ release lines. However, we do not issue CVEs for EOL release lines. By issuing a CVE for EOL versions of Node.js, we aim to: -* **Raise Awareness:** Inform users that running EOL versions exposes their -applications to potential vulnerabilities. -* **Encourage Upgrades:** Prompt organizations and developers to update to -actively supported Node.js versions. -* **Improve Security:** Reduce the number of applications running outdated and -unsupported versions of Node.js. +- **Raise Awareness:** Inform users that running EOL versions exposes their + applications to potential vulnerabilities. +- **Encourage Upgrades:** Prompt organizations and developers to update to + actively supported Node.js versions. +- **Improve Security:** Reduce the number of applications running outdated and + unsupported versions of Node.js. > Node.js v16, despite being EOL for over a year, has still 11 million downloads per month. 
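Review bot: the `*` to `-` bullet changes and `*…*` to `_…_` emphasis changes look like formatter output and are fine, but bundling them with the substantive wording fix ("guarantee a timely resolution" to "aims for a timely resolution") makes that fix easy to miss in review; consider keeping formatting-only changes in their own commit.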
@@ -67,10 +67,10 @@ npx is-my-node-vulnerable As of the date of this announcement, the following versions are actively supported: -* Node.js 23 (Current) -* Node.js 22 (LTS) -* Node.js 20 (Maintenance LTS) -* Node.js 18 (Maintenance LTS) +- Node.js 23 (Current) +- Node.js 22 (LTS) +- Node.js 20 (Maintenance LTS) +- Node.js 18 (Maintenance LTS) All other versions are no longer supported and should be considered deprecated. @@ -79,7 +79,7 @@ All other versions are no longer supported and should be considered deprecated. We understand that upgrading may require effort, and we’re here to help. If you have any questions or need assistance, please reach out to us via: -* [Node.js Help Repository](https://github.com/nodejs/help) +- [Node.js Help Repository](https://github.com/nodejs/help) For organizations or developers who require continued use of EOL Node.js versions, the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support) From 832117be014901b434e150ed5ab361cfce951f05 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 6 Jan 2025 11:16:15 -0300 Subject: [PATCH 6/6] fixup! Update apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md --- .../en/blog/vulnerability/upcoming-cve-for-eol-versions.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md index 77edc94d02efc..f8276463cf55f 100644 --- a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md +++ b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md 
@@ -52,10 +52,6 @@ following command in your terminal: node -v ``` -If your version is no longer supported, please refer to our -[Migration Guide](https://nodejs.org/en/docs/guides/upgrading/) for assistance -in upgrading. - You can also run [`is-my-node-vulnerable`](https://github.com/nodejs/is-my-node-vulnerable) to check if you are using an EOL version or any version with an CVE issued to it.
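Review bot: `node -v` and `npx is-my-node-vulnerable` report the Node.js binary found in the current shell's PATH, which is often a developer's local install rather than the runtime used in a container or CI image; state that the check must be run in the deployment environment (or against the image's base tag) to be meaningful. Since the post asks readers to execute a package via `npx`, referencing the repository under the `nodejs` organization (as done in PATCH 4/6) is the right call, and pinning a package version in the command would further reduce supply-chain exposure. The Migration Guide URL should also be verified to resolve; its removal in PATCH 6/6 suggests it may not.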
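Review bot: the context line "or any version with an CVE issued to it" still carries the article error ("a CVE") that has survived every revision of this file; fix it while touching this region. Removing the Migration Guide paragraph also leaves the post with no upgrade guidance after the version check, so consider pointing readers to the Release Schedule link already cited earlier in the post.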