I think there is a strong likelihood that Node 10 will be EOL before we release 9.0, so I think we need to upgrade to Node 12 in both 7.x and 8.0. It would need to block 8.0 unless we were OK with rolling out a major node upgrade in a 7.x patch, which I don't think we should be.
Node.js 12 thoughts from a security perspective:
Node.js 12 updates OpenSSL to v1.1.1b (nodejs/node#26327).
Node.js 12 adds support for TLSv1.3 (nodejs/node#26209).
The old http_parser was a bit of a mess and wasn't spec-compliant and had historically contained a few security bugs. And since nobody wanted to touch it, there was a higher-than-normal risk of security-related issues hiding inside it.
You can tell Node.js 12 to keep using the old parser using the command line flag
I think there is a strong likelihood that Node.js 12 will no longer be Active LTS once we release 8.0. So we should consider jumping directly to Node.js 14 if this is targeted for the v8.0 release.
Node.js 14 initial release: 2020-04-21