Re: RFC: Change Node.js default version from v0.12 to v4


Jack Cai
 

+1

Jack

On Tue, Mar 1, 2016 at 6:54 AM, Mike Dalessio <mdalessio(a)pivotal.io> wrote:

Potentially relevant to the Node community's decision to consent to this
change is the fact that Node 4.x and later vendors openssl 1.0.2.

This means that, with Node 4.x and later, when there's a security
vulnerability in openssl (like the one [about to be patched](https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-corruption-via-bio_printf/)),
a rootfs upgrade is **not sufficient** to address the vulnerability.

This was discussed in detail in the [original RFC for Node 4.x support](https://github.com/cloudfoundry/nodejs-buildpack/issues/32).

With that in mind, I'd really like to hear "yay" votes from the CF Node
developer community.


On Mon, Feb 29, 2016 at 5:07 PM, Danny Rosen <drosen(a)pivotal.io> wrote:

Hi There,

Currently, the Node.js buildpack will assume that a user who has not
explicitly defined a version of node.js in their package.json will want to
use v0.12. As of April 2016 [1] the Node.js long term support release
schedule will only support 0.12 in a maintenance capacity.

In order to provide users with a longer active LTS schedule we are
proposing to change the default version from v0.12 to v4.

Our preference is to move forward with the change to the buildpack by
3/15/2016. If you have any concerns or feedback please comment on this
issue [2].

[1] - https://raw.githubusercontent.com/nodejs/LTS/master/schedule.png

[2] - https://github.com/cloudfoundry/nodejs-buildpack/issues/50
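The point above about Node 4.x vendoring openssl can be checked from inside a running app. The following is an added example, not code from this thread or from the buildpack: it reports whether the runtime uses its own bundled OpenSSL and whether that copy is at least a given patched release. The function names and the threshold `1.0.2g` are assumptions for illustration; take the real minimum version from the relevant OpenSSL advisory.

```javascript
// Parse OpenSSL 1.0.x-style versions such as "1.0.2f" or "1.0.1s-fips".
function parseOpenSSL(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(v);
  if (!m) throw new Error('unrecognised OpenSSL version: ' + v);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], patch: m[4] };
}

// Returns <0, 0 or >0. Letter suffixes order as "" < "a" < ... < "z" < "za".
function compareOpenSSL(a, b) {
  const x = parseOpenSSL(a), y = parseOpenSSL(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.patch.length !== y.patch.length) return x.patch.length - y.patch.length;
  return x.patch < y.patch ? -1 : x.patch > y.patch ? 1 : 0;
}

// minPatched: lowest OpenSSL release containing the fix (caller-supplied).
// runtime: optional override for testing; defaults to the live process.
function assessRuntime(minPatched, runtime) {
  const rt = runtime || {
    openssl: process.versions.openssl,
    // Build-time flag: true only when node links against the system libssl.
    shared: process.config.variables.node_shared_openssl,
  };
  // Some builds record the flag as the string "false", so normalise it.
  const vendored = String(rt.shared) !== 'true';
  const patched = compareOpenSSL(rt.openssl, minPatched) >= 0;
  return {
    openssl: rt.openssl,
    vendored,
    patched,
    // A vendored, unpatched copy is only replaced by shipping a new node
    // binary; upgrading the rootfs libssl does not touch it.
    fixedBy: patched ? 'nothing-to-do' : vendored ? 'node-upgrade' : 'rootfs-upgrade',
  };
}

// Constructed threshold for illustration only.
console.log(assessRuntime('1.0.2g'));
```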
