Update version of ws to handle node security advisory #931
Comments
Indeed, the breaking of node.js 0.10 is precisely why we've not been able to update already.
https://github.com/nodejs/LTS is stating that node 0.10.x is going to be end of life in two months. Keeping security vulnerabilities for everyone because there are old devices that can't support newer patched and secure software is a practice that needs to be improved. How about all of the following as the solution to resolve this issue:
We are well aware of all this and are trying to come up with the plan to handle it. The main problem is the Raspberry pi. Based on Debian Stable, it isn't going to move away from 0.10 in its official repos for many months - way past 0.10's eol. We are investigating options to help the Pi team move up quicker than Debian Stable is... but there are no quick/easy solutions. But clearly this needs resolving.
I don't use Raspberry pi; would something like the following, as one of the steps in the node-red documents for moving to the new breaking major version of node-red, help?
The problem is not how you manually install node 4 on a pi. We provide those instructions and it is easy enough to do. The problem is what is preinstalled on the Raspbian image, which must be packaged as a Debian deb and takes from the Debian Stable release. The version of node the official repos offer is 0.10 and there's no escaping that. As I said, we are actively working through a number of options.
In the latest version for Pi, we also include a script
I just verified that the current version of node is still 0.10.29 on raspbian (stable). I understand that breaking raspberry pi "out of the box" support would be unacceptable. What is the recommended way to mitigate the following advisories with the latest node-red version?
Our next release, 0.16, will drop support for node 0.10 and enable us to update these modules (and others) that have already dropped support for node 0.10.
@hardillb I understand how to upgrade node.js either manually or using the script but does the script address the
Done in 0.16 (which will be released in the next few days)
The current packages.json loads a version of ws that is reported to have a denial of service condition noted here: https://nodesecurity.io/advisories/120 ("DoS due to excessively large websocket message", June 24th, 2016), and the upstream issue (now resolved) is nodejs/node#7388, with the recommendation to update ws (at this writing the latest is 1.1.1). Note that this would be a breaking change for anyone still running on 0.10.x of node.js, as the release notes say: "Discontinued support for all node versions except for 0.12, 4.0 and 5.0."
https://github.com/websockets/ws/releases
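A check written for this thread (an added example, not node-red or ws code) that encodes the two constraints the issue states: ws must be at or above 1.1.1 to clear the advisory, and ws 1.1.1 needs Node 0.12 or newer, so a Node 0.10.x host like the Raspbian one described above cannot simply take the update. The sample manifest and the small version-parsing helper are assumptions of the example, not values from the project.

```javascript
'use strict';
// Added example, not code from the node-red project or the ws library. It turns
// the issue's two facts into a check: the advisory is fixed in ws >= 1.1.1, and
// ws 1.1.1 dropped Node 0.10 (its release notes list 0.12, 4.0 and 5.0).

const WS_FIXED = [1, 1, 1];    // first ws release the advisory considers patched
const NODE_FLOOR = [0, 12, 0]; // oldest Node line ws 1.1.1 still supports

// Parse "1.1.1", "^0.8.0", "~1.0.1" or "v0.10.29" into [major, minor, patch].
// Only a range's lower bound is kept; null for specs that are not a version
// (git URLs, "*", "latest"), which callers treat as unproven.
function parseVersion(spec) {
  const m = /^(?:v|\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the ws entry in a package.json object is pinned at or above 1.1.1.
// A range such as "^1.0.0" is reported as unpatched because its lower bound is
// vulnerable; check the lockfile or node_modules/ws/package.json for certainty.
function wsIsPatched(pkg) {
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  if (!('ws' in deps)) return true; // ws not used at all
  const v = parseVersion(deps.ws);
  return v !== null && compareVersions(v, WS_FIXED) >= 0;
}

// True when the Node.js runtime (process.version style, e.g. "v4.4.7") is one
// that ws 1.1.1 supports; any Node 0.10.x returns false.
function nodeCanRunFixedWs(nodeVersion) {
  const v = parseVersion(nodeVersion);
  return v !== null && compareVersions(v, NODE_FLOOR) >= 0;
}

// Combine both: "patched", "update-ws" (safe to bump), or "blocked-by-node"
// (the Raspbian 0.10.29 situation from the thread: ws cannot be bumped first).
function assess(pkg, nodeVersion) {
  if (wsIsPatched(pkg)) return 'patched';
  return nodeCanRunFixedWs(nodeVersion) ? 'update-ws' : 'blocked-by-node';
}

// Constructed sample manifest (not node-red's real package.json).
const samplePkg = { name: 'sample-app', dependencies: { ws: '^0.8.0' } };
console.log(assess(samplePkg, process.version));
```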