Add a warning on EOL versions

[RafaelGSS]

I was talking with @marco-ippolito and we were discussing having ways for people to know when they are using an insecure version of Node.js. Instead of having a flag (#852), what if we release a patch version after one or two months of EOL alerting users they are using an EOL version?

I mean, if they pin the version and don't get the last release, they won't see the warning, but I assume it will affect most users. We could try to do it to non-LTS versions first, and then we expand the coverage to all EOL versions (starting this year, of course).

cc: @nodejs/security-wg @nodejs/tsc

[mhdawson]

@RafaelGSS as you mentioned if they pin they won't get a warning.

If instead we published as CVE indicating the release was EOL they would get if they are running CVE scans. I suspect this would be a more reliable way of having it be recognized as a risk.

[marco-ippolito]

The CVE could be for weakness CWE-1104 or CWE-1329
which would make sense

[RafaelGSS]

I think we could do both, issue a single CVE alerting EOL (after a sec release) and create a patch release with a warning?

[mhdawson]

I think doing both makes sense to me, provide we have a volunteer to do the patch release (as I think that's more work that doing the CVE).

[mhdawson]

In terms of the CVE's I think I prefer CWE-1104 as it is possible to update Node.js, you just need to move to a later Major so CWE-1329 does not seem like as good a fit to me.

[RafaelGSS]

Right, how can we move forward with it? Should we open a PR to document it somewhere?

[ljharb]

For the warning, presumably there'd be an env/NODE_OPTIONS way to disable it, so as to not break CI and child process workflows?

[RafaelGSS]

Yes, we can use the same --security-revert CLI

[mcollina]

I'm not entirely convinced a warning is needed, but the idea of a cve is great.

Can we start by issuing one for all past releases?

[marco-ippolito]

I'm not entirely convinced a warning is needed, but the idea of a cve is great.

Can we start by issuing one for all past releases?

I think so, I think it needs to go through a H1 report

[RafaelGSS]

Let's do it for v16.x, v19.x, and v21.x. I can take care of it early this week.

[RafaelGSS]

I've been talking with @rginn who suggested announcing on Node.js social before making this move. I asked her to provide some details about openjs health here.

[RafaelGSS]

FYI I'm going to create an "announcement" (https://github.com/orgs/nodejs/discussions/categories/announcements) informing Node.js collaborators that next week we'll be issuing a CVE for Node.js 16, 19 and 21, then I'll ask @nodejs/social to share a post that I can create or the official account can create informing our users.

[mcollina]

@RafaelGSS please write a public blog post instead, and set the date on or after the 7th of January. Doing this right before the holidays is not helping anyone.

[rginn]

+1 for a blog post holiday. I would not announce on social media without giving adequate information and context via a blog. Jen and I can help with the draft and posting across our channels.

[RafaelGSS]

@RafaelGSS please write a public blog post instead, and set the date on or after the 7th of January. Doing this right before the holidays is not helping anyone.

Ok, that makes sense. I can write a draft and ask for Jan, Robin and TSC input. I will put it on my backlog

[RafaelGSS]

Please see: nodejs/nodejs.org#7328