Heads up of Node.js security releases 8 August 2023 #1945

Closed
RafaelGSS opened this issue Jul 31, 2023 · 15 comments · Fixed by #1950

Comments

@RafaelGSS
Member

As per the Node.js security release process, this is the FYI that there is going to be a security release on 8 August 2023.

https://nodejs.org/en/blog/vulnerability/august-2023-security-releases

@RafaelGSS
Member Author

The release is ready for integration.

@SimenB
Member

SimenB commented Aug 10, 2023

The autoupdater fails to verify the shasum for some reason: https://github.com/nodejs/docker-node/actions/runs/5818818729/job/15775983962.

And the update script doesn't work on mac 😅 #1848

@SimenB
Member

SimenB commented Aug 10, 2023

Ok, the issue is that https://nodejs.org/dist is gone, leading the curl to 404.

baseuri https://nodejs.org/dist

fullVersion="$(curl -sSL --compressed "${baseuri}" | grep '<a href="v'"${version}." | sed -E 's!.*<a href="v([^"/]+)/?".*!\1!' | cut -d'.' -f2,3 | sort -V | tail -1)"

/cc @nodejs/docker @nodejs/build (sorry, I don't know who to tag for the website)

@UlisesGascon
Member

cc: @ovflowd

@UlisesGascon
Member

I got a 404 on https://nodejs.org/dist but https://nodejs.org/dist/ is working as expected. Maybe the issue is related to the /?

@SimenB
Member

SimenB commented Aug 10, 2023

Haha, wow 😅 great catch 👍 it's definitely a bug (and regression), but adding the trailing slash should at least unblock the update

@UlisesGascon
Member

I will create an issue for the webteam regarding the trailing slash. Maybe a redirection from https://nodejs.org/dist to https://nodejs.org/dist/ will fix the regression.

@UlisesGascon
Member

I created a PR that I hope fixes this, @SimenB: nodejs/nodejs.org#5623

@SimenB
Member

SimenB commented Aug 10, 2023

Ah sweet, thanks! Then I'll not change anything here. The cron runs every 15 minutes, so it'll Just Work ™️ once the URL works (as long as cURL follows redirects)

@targos
Member

targos commented Aug 10, 2023

I just fixed it in the Cloudflare rule.

@SimenB
Member

SimenB commented Aug 10, 2023

cURL doesn't follow redirects, so I'll have to tweak the script

@ovflowd
Member

ovflowd commented Aug 10, 2023

@SimenB no tweak needed, we're not going to take the redirect approach. (We just updated the Cloudflare rule, so it should be OK now.)

@SimenB
Member

SimenB commented Aug 10, 2023

We actually provide -L to curl already, so it'll follow it.

@targos
Member

targos commented Aug 10, 2023

It was already a redirect before.

@SimenB
Member

SimenB commented Aug 10, 2023

Worked: #1950 🎉

@SimenB SimenB linked a pull request Aug 10, 2023 that will close this issue
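
Added example, not part of the thread or of the docker-node scripts: the quoted pipeline calls curl without `--fail`, so an HTTP 404 body is parsed like a directory listing and produces an empty version string instead of an error. The sketch below keeps the same grep/sed/cut parsing but rejects HTTP errors and empty results; the function names `parse_latest` and `resolve_latest` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not docker-node code). Function names and sample
# inputs are constructed for illustration.

# Read a directory listing on stdin and print the highest "minor.patch"
# for the given major version, using the same steps as the quoted line.
parse_latest() {
  major="$1"
  # "|| true": a listing with no match yields empty output, not a pipeline error
  { grep "<a href=\"v${major}\." || true; } \
    | sed -E 's!.*<a href="v([^"/]+)/?".*!\1!' \
    | cut -d'.' -f2,3 \
    | sort -t. -k1,1n -k2,2n \
    | tail -1
}

# Fetch the listing and resolve the full version, failing loudly.
resolve_latest() {
  baseuri="${1%/}/"   # make sure the directory URL ends with a slash
  major="$2"
  # --fail: exit non-zero on HTTP >= 400 instead of printing the error page
  listing="$(curl -fsSL --compressed "$baseuri")" || {
    echo "fetch failed: $baseuri" >&2; return 1; }
  latest="$(printf '%s\n' "$listing" | parse_latest "$major")"
  [ -n "$latest" ] || { echo "no v${major}.x entry at $baseuri" >&2; return 1; }
  printf '%s.%s\n' "$major" "$latest"
}

# Constructed sample listing, so the parser can be exercised offline.
SAMPLE_LISTING='<a href="v18.17.0/">v18.17.0/</a>
<a href="v18.17.1/">v18.17.1/</a>
<a href="v18.9.0/">v18.9.0/</a>
<a href="v20.5.1/">v20.5.1/</a>'

# Constructed stand-in for an error page returned with HTTP 404.
SAMPLE_404='<html><body><h1>404 Not Found</h1></body></html>'

printf '%s\n' "$SAMPLE_LISTING" | parse_latest 18   # prints 17.1
```

Treating an empty result as a hard failure stops the update before a checksum is looked up for a version that was never resolved.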