
Commit 5a69946

RafaelGSS and mhdawson authored
blog: add Upcoming CVE for EOL Versions post (#7328)
* blog: add Upcoming CVE for EOL Versions post

Refs: nodejs/security-wg#1401

* update: mention openjs ecosystem sustainability program

* update: mention openjs ecosystem sustainability program

* fixup! update: mention openjs ecosystem sustainability program

* Update apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md

Co-authored-by: Michael Dawson <[email protected]>
Signed-off-by: Rafael Gonzaga <[email protected]>

* fixup! Update apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md

---------

Signed-off-by: Rafael Gonzaga <[email protected]>
Co-authored-by: Michael Dawson <[email protected]>
1 parent 20e35b7 commit 5a69946

File tree

1 file changed

+84
-0
lines changed

Lines changed: 84 additions & 0 deletions
@@ -0,0 +1,84 @@
1+
---
2+
date: '2025-01-06:00:00.000Z'
3+
category: vulnerability
4+
title: Upcoming CVE for End-of-Life Node.js Versions
5+
layout: blog-post
6+
author: The Node.js Project
7+
---
8+
9+
The Node.js Project is committed to ensuring the security and reliability of
10+
applications built on Node.js. As part of this commitment, we regularly review
11+
measures to help our users stay informed about security risks.
12+
13+
## Announcement
14+
15+
We will soon issue a Common Vulnerabilities and Exposures (CVE) identifier for
16+
**End-of-Life (EOL)** versions of Node.js. This CVE will serve as an official
17+
notification to inform users that these versions are no longer maintained and
18+
may pose significant security risks.
19+
20+
The CVE will cite **Unsupported When Assigned** under
21+
[CWE-1104](https://cwe.mitre.org/data/definitions/1104.html): _Use of Unmaintained Third Party Components_.
22+
For more details on this decision, you can refer to the discussion in
23+
[this GitHub issue](https://github.com/nodejs/security-wg/issues/1401).
24+
25+
## Why Issue a CVE?
26+
27+
Many organizations rely on CVE notifications to track security issues across
28+
their software stacks. The Node.js project aims for a timely resolution and disclosure
29+
for all reported vulnerabilities for the _maintained_ release lines.
30+
However, we do not issue CVEs for EOL release lines.
31+
By issuing a CVE for EOL versions of Node.js, we aim to:
32+
33+
- **Raise Awareness:** Inform users that running EOL versions exposes their
34+
applications to potential vulnerabilities.
35+
- **Encourage Upgrades:** Prompt organizations and developers to update to
36+
actively supported Node.js versions.
37+
- **Improve Security:** Reduce the number of applications running outdated and
38+
unsupported versions of Node.js.
39+
40+
> Node.js v16, despite being EOL for over a year, has still 11 million downloads per month.
41+
42+
## What Does This Mean for You?
43+
44+
If you are using an EOL version of Node.js, we strongly encourage you to upgrade
45+
to a supported version immediately. You can find the list of actively supported
46+
versions and their maintenance schedules in the [Node.js Release Schedule](https://github.com/nodejs/release#release-schedule).
47+
48+
To check which version of Node.js your application is running, execute the
49+
following command in your terminal:
50+
51+
```bash
52+
node -v
53+
```
54+
55+
You can also run [`is-my-node-vulnerable`](https://github.com/nodejs/is-my-node-vulnerable)
56+
to check if you are using an EOL version or any version with an CVE issued to it.
57+
58+
```bash
59+
npx is-my-node-vulnerable
60+
```
61+
62+
## Supported Versions
63+
64+
As of the date of this announcement, the following versions are actively supported:
65+
66+
- Node.js 23 (Current)
67+
- Node.js 22 (LTS)
68+
- Node.js 20 (Maintenance LTS)
69+
- Node.js 18 (Maintenance LTS)
70+
71+
All other versions are no longer supported and should be considered deprecated.
72+
73+
## Questions and Feedback
74+
75+
We understand that upgrading may require effort, and we’re here to help. If you have
76+
any questions or need assistance, please reach out to us via:
77+
78+
- [Node.js Help Repository](https://github.com/nodejs/help)
79+
80+
For organizations or developers who require continued use of EOL Node.js versions,
81+
the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support)
82+
provides commercial support options.
83+
84+
Thank you for your attention to this important matter.
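Review bot: the front matter `date: '2025-01-06:00:00.000Z'` (line 2 of the hunk) is not a valid ISO 8601 timestamp, because the time part lacks the `T` separator; it should read `date: '2025-01-06T00:00:00.000Z'`, otherwise the site's date parsing may fail or silently fall back to a different date for the post. Two smaller wording points in the same hunk: in the `is-my-node-vulnerable` paragraph, "any version with an CVE issued to it" should be "a CVE", and the quoted line "has still 11 million downloads per month" reads more naturally as "still has 11 million downloads per month".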
