From 5a69946286150d85fe8f713c8da0eed82a6ffd40 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Mon, 6 Jan 2025 16:04:23 -0300 Subject: [PATCH] blog: add Upcoming CVE for EOL Versions post (#7328) * blog: add Upcoming CVE for EOL Versions post Refs: https://github.com/nodejs/security-wg/issues/1401 * update: mention openjs ecosystem sustainability program * update: mention openjs ecosystem sustainability program * fixup! update: mention openjs ecosystem sustainability program * Update apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md Co-authored-by: Michael Dawson Signed-off-by: Rafael Gonzaga * fixup! Update apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md --------- Signed-off-by: Rafael Gonzaga Co-authored-by: Michael Dawson --- .../upcoming-cve-for-eol-versions.md | 84 +++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md diff --git a/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md new file mode 100644 index 0000000000000..f8276463cf55f --- /dev/null +++ b/apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md 
@@ -0,0 +1,84 @@ +--- +date: '2025-01-06:00:00.000Z' +category: vulnerability +title: Upcoming CVE for End-of-Life Node.js Versions +layout: blog-post +author: The Node.js Project +--- + +The Node.js Project is committed to ensuring the security and reliability of +applications built on Node.js. As part of this commitment, we regularly review +measures to help our users stay informed about security risks. + +## Announcement + +We will soon issue a Common Vulnerabilities and Exposures (CVE) identifier for +**End-of-Life (EOL)** versions of Node.js. This CVE will serve as an official +notification to inform users that these versions are no longer maintained and +may pose significant security risks. + +The CVE will cite **Unsupported When Assigned** under +[CWE-1104](https://cwe.mitre.org/data/definitions/1104.html): _Use of Unmaintained Third Party Components_. +For more details on this decision, you can refer to the discussion in +[this GitHub issue](https://github.com/nodejs/security-wg/issues/1401). + +## Why Issue a CVE? + +Many organizations rely on CVE notifications to track security issues across +their software stacks. The Node.js project aims for a timely resolution and disclosure +for all reported vulnerabilities for the _maintained_ release lines. +However, we do not issue CVEs for EOL release lines. +By issuing a CVE for EOL versions of Node.js, we aim to: + +- **Raise Awareness:** Inform users that running EOL versions exposes their + applications to potential vulnerabilities. +- **Encourage Upgrades:** Prompt organizations and developers to update to + actively supported Node.js versions. +- **Improve Security:** Reduce the number of applications running outdated and + unsupported versions of Node.js. + +> Node.js v16, despite being EOL for over a year, has still 11 million downloads per month. + +## What Does This Mean for You? + +If you are using an EOL version of Node.js, we strongly encourage you to upgrade +to a supported version immediately. 
You can find the list of actively supported +versions and their maintenance schedules in the [Node.js Release Schedule](https://github.com/nodejs/release#release-schedule). + +To check which version of Node.js your application is running, execute the +following command in your terminal: + +```bash +node -v +``` + +You can also run [`is-my-node-vulnerable`](https://github.com/nodejs/is-my-node-vulnerable) +to check if you are using an EOL version or any version with an CVE issued to it. + +```bash +npx is-my-node-vulnerable +``` + +## Supported Versions + +As of the date of this announcement, the following versions are actively supported: + +- Node.js 23 (Current) +- Node.js 22 (LTS) +- Node.js 20 (Maintenance LTS) +- Node.js 18 (Maintenance LTS) + +All other versions are no longer supported and should be considered deprecated. + +## Questions and Feedback + +We understand that upgrading may require effort, and we’re here to help. If you have +any questions or need assistance, please reach out to us via: + +- [Node.js Help Repository](https://github.com/nodejs/help) + +For organizations or developers who require continued use of EOL Node.js versions, +the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support) +provides commercial support options. + +Thank you for your attention to this important matter.
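Review bot: The `date` front-matter value in this hunk is not a valid ISO 8601 timestamp: `date: '2025-01-06:00:00.000Z'` is missing the `T` separator between the date and the time, so a strict date parser in the site build may reject it or silently mis-date the post. Suggest `date: '2025-01-06T00:00:00.000Z'`, matching the other posts in `apps/site/pages/en/blog/vulnerability/`. Two small wording fixes in the same hunk: "any version with an CVE issued to it" should read "with a CVE issued to it", and "despite being EOL for over a year, has still 11 million downloads per month" reads better as "still has 11 million downloads per month". The "Supported Versions" list also states it is accurate "as of the date of this announcement", which is fine as long as the front-matter date above parses correctly, since readers will rely on that date to judge whether Node.js 18 (Maintenance LTS) is still in support when they read the post.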