Heads up of Node.js security releases 4th November 2022

[juanarbol]

Heads up of Node.js security releases 4th November 2022
As per the Node.js security release process this is the FYI that there is going to be a security release 4 November 2022

[juanarbol]

The Release is ready for integration. ❤️

[SimenB]

@nodejs/build the musl build for 14.21.1 hasn't appeared: https://unofficial-builds.nodejs.org/download/release/v14.21.1/

[targos]

What about v16.18.1?

[brutuscat]

And v18.12.1

[SimenB]

@nodejs/docker ^ since we don't want the bot to make partial auto PRs, somebody has to do a manual one.

[emzeidan]

I believe that PR #1803 should address this – I used ./update.sh to bump these versions, and all the checks are passing.

[nschonni]

Thanks!
Upstream PR for 16, 18, and 19 is open now docker-library/official-images#13488
Blocked on the 14 due to nodejs/unofficial-builds#65

[emzeidan]

@nschonni I think 14 may also be good; the Actions on my PR picked up the patched version (14.21.1).

[nschonni]

The musl build isn't available yet because of the failed build in the linked issue

[emzeidan]

Ahh! Got it, thank you!

[nschonni]

@nodejs/docker I think we need to git reset --hard 6186eff9cea628d90d4f83657d56d0502b515ced to go back before the PR, as it is messing up the stackbrew having the mixed versions of 14 included.
Right now the force push is blocked, so I'd need to toggle off the setting to do this. If I don't hear any objections by tomorrow (or the 14 musl builds show up and maybe fix that), I'll go ahead and do that

[emzeidan]

@nschonni If we need to, I can also do a PR without v14 tomorrow after the git reset.
Update: #1806 is the v16,18,19 only (after git reset --hard). Feel free to close it if it isn't needed. 😄

[nschonni]

The 14 musl build has been requeued, so I pushed back the main branch. When that build finishes, we should get a clean auto-pr

[nschonni]

Upstream PR has landed for 14, 16, 18, and 19, so they builds should start showing up on the docker hub in the next few hours