fix(security): upgrade Node.js to 22.22.0 for security vulnerability fix #10157
davidfirst merged 5 commits into master from
Addresses Node.js security release CVE-2025-xxx affecting RSC and APM tools.
Pull request overview
This pull request aims to upgrade Node.js from version 22.14.0 to 22.22.0 across the entire codebase to address a stated critical security vulnerability. However, there is a significant concern: Node.js version 22.22.0 appears to be invalid or non-existent based on the Node.js versioning scheme and release history.
Changes:
- Updated `nodeVersion` and `bvm.node` configuration in workspace.jsonc
- Updated all Node.js version references throughout CircleCI configuration including Docker images, Windows setup, and build parameters
- Updated commented-out version references for consistency
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| workspace.jsonc | Updates Node.js version in dependency resolver configuration (nodeVersion) and package.json BVM configuration (bvm.node) from 22.14.0 to 22.22.0 |
| .circleci/config.yml | Comprehensive update of all Node.js version references including CircleCI Docker images, Windows nvm installation commands, Docker base images for various build jobs, and commented code examples |
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.
Pull request overview
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
| return this.runCmd( | ||
| `bit install ${packages} ${parsedOpts}`, | ||
| cwd, | ||
| 'pipe', | ||
| undefined, | ||
| false, | ||
| runCmdOpts?.envVariables | ||
| ); |
This formatting change appears to be unrelated to the Node.js version upgrade or tsx integration. The multi-line formatting is less readable than the original single-line call. Consider reverting this formatting change to keep the diff focused on the actual functional changes.
| return this.runCmd( | |
| `bit install ${packages} ${parsedOpts}`, | |
| cwd, | |
| 'pipe', | |
| undefined, | |
| false, | |
| runCmdOpts?.envVariables | |
| ); | |
| return this.runCmd(`bit install ${packages} ${parsedOpts}`, cwd, 'pipe', undefined, false, runCmdOpts?.envVariables); |
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 6 comments.
package.json
| "mocha-circleci": "cross-env NODE_OPTIONS='--no-warnings --max-old-space-size=5000 --import tsx' registry-mock prepare && mocha --reporter mocha-multi-reporters --reporter-options configFile=mocha-multi-reporters-config.json --colors", | ||
| "e2e-test": "registry-mock prepare && cross-env NODE_OPTIONS='--no-warnings --import tsx' mocha './e2e/**/*.e2e*.ts'", |
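Review bot: in the `mocha-circleci` script the `--import tsx` preload is scoped by `cross-env` to `registry-mock prepare` alone; the shell evaluates `&&` before `cross-env` runs, so the `mocha` invocation after it starts without this NODE_OPTIONS value. Unless tsx is registered some other way for that run, order it the way `e2e-test` does (`registry-mock prepare && cross-env NODE_OPTIONS='...' mocha ...`) or use `cross-env-shell` so the assignment covers the whole command line.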
The NODE_OPTIONS value should be quoted consistently. The single quotes around the entire NODE_OPTIONS value are correct for the cross-env command, but ensure this works correctly on all platforms (Windows, macOS, Linux) as expected.
package.json
| "mocha-circleci": "cross-env NODE_OPTIONS='--no-warnings --max-old-space-size=5000 --import tsx' registry-mock prepare && mocha --reporter mocha-multi-reporters --reporter-options configFile=mocha-multi-reporters-config.json --colors", | ||
| "e2e-test": "registry-mock prepare && cross-env NODE_OPTIONS='--no-warnings --import tsx' mocha './e2e/**/*.e2e*.ts'", | ||
| "e2e-test:debug": "npm run e2e-test --debug", | ||
| "e2e-test-circle": "cross-env NODE_OPTIONS='--no-warnings --max-old-space-size=5000' mocha --require ./babel-register --reporter mocha-multi-reporters --reporter-options configFile=mocha-multi-reporters-config.json --colors './e2e/**/*.e2e*.ts'", | ||
| "performance-test": "mocha --require ./babel-register ./e2e/performance/*.performance*.ts", | ||
| "e2e-test-circle": "cross-env NODE_OPTIONS='--no-warnings --max-old-space-size=5000 --import tsx' mocha --reporter mocha-multi-reporters --reporter-options configFile=mocha-multi-reporters-config.json --colors './e2e/**/*.e2e*.ts'", | ||
| "performance-test": "cross-env NODE_OPTIONS='--import tsx' mocha ./e2e/performance/*.performance*.ts", | ||
| "performance-test:debug": "npm run performance-test --debug", | ||
| "performance-test-circle": "mocha --require ./babel-register --reporter mocha-multi-reporters --reporter-options configFile=mocha-multi-reporters-config.json --colors ./e2e/performance/*.performance*.ts", | ||
| "bit-hub-test-circle": "mocha --require ./babel-register --reporter mocha-multi-reporters --reporter-options configFile=mocha-multi-reporters-config.json --colors ./e2e/bit-hub/*.ts", | ||
| "performance-test-circle": "cross-env NODE_OPTIONS='--import tsx' mocha --reporter mocha-multi-reporters --reporter-options configFile=mocha-multi-reporters-config.json --colors ./e2e/performance/*.performance*.ts", | ||
| "bit-hub-test-circle": "cross-env NODE_OPTIONS='--import tsx' mocha --reporter mocha-multi-reporters --reporter-options configFile=mocha-multi-reporters-config.json --colors ./e2e/bit-hub/*.ts", |
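Review bot: with `--require ./babel-register` removed from every script in this hunk, the `./babel-register` file and the Babel devDependencies it pulls in look unused; drop them in the same change (or state why they stay) so the repository does not carry two TypeScript execution paths. The `--import tsx` flag is now duplicated across six scripts; a single entry in mocha's config file would be easier to keep consistent than per-script NODE_OPTIONS.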
The PR description states this is only for upgrading Node.js for security vulnerability fixes, but it also includes a significant migration from babel-register to tsx for TypeScript execution. This change should be explicitly mentioned in the PR description as it's a substantial modification to the build and test infrastructure.
| # # - run: choco install nodejs --version 22.22.0 | ||
| # # - run: node -v | ||
| # - run: cinst nodejs --version 22.14.0 | ||
| # - run: cinst nodejs --version 22.22.0 |
These commented-out references to Node.js version 22.22.0 should be updated to match the correct Node.js version once it's determined. While these are comments, maintaining consistency helps avoid future confusion.
| const env = envVariables ? { ...process.env, ...envVariables } : undefined; | ||
| // Clear NODE_OPTIONS that include --import tsx to prevent child processes from failing | ||
| // when tsx is not installed in the temporary workspace | ||
| const cleanedNodeOptions = process.env.NODE_OPTIONS?.replace(/--import\s+tsx/g, '').trim() || ''; |
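Review bot: `cleanedNodeOptions` is computed but the visible lines never apply it: `env` on the first line is built from the unmodified `process.env`, and when `envVariables` is falsy `env` is `undefined`, so the child inherits the parent's NODE_OPTIONS with the tsx preload still in it. Set the cleaned value on the env object actually handed to the child in both branches, and delete the key when the result is empty. The regex also matches as a prefix (`--import tsx` inside `--import tsxfoo`) and misses the `--import=tsx` form; filtering on whitespace-split tokens avoids both problems.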
The regex pattern used to clean NODE_OPTIONS may leave extra whitespace if there are multiple flags. Consider using a more robust approach that handles multiple whitespace patterns, such as replacing with a space and then collapsing multiple spaces, or splitting and filtering the flags properly.
| const cleanedNodeOptions = process.env.NODE_OPTIONS?.replace(/--import\s+tsx/g, '').trim() || ''; | |
| const originalNodeOptions = process.env.NODE_OPTIONS ?? ''; | |
| const nodeOptionsTokens = originalNodeOptions.split(/\s+/).filter(Boolean); | |
| const cleanedNodeOptionsTokens: string[] = []; | |
| for (let i = 0; i < nodeOptionsTokens.length; i += 1) { | |
| const token = nodeOptionsTokens[i]; | |
| // Skip occurrences of "--import tsx" and "--import=tsx" | |
| if (token === '--import' && nodeOptionsTokens[i + 1] === 'tsx') { | |
| i += 1; // skip the "tsx" token as well | |
| continue; | |
| } | |
| if (token === '--import=tsx') continue; | |
| cleanedNodeOptionsTokens.push(token); | |
| } | |
| const cleanedNodeOptions = cleanedNodeOptionsTokens.join(' '); |
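The token-based filtering suggested above, carried through to the point the hunk leaves open: applying the cleaned value to the env the child actually receives. This is an added example, not the project's code; `stripTsxImport` and `buildChildEnv` are hypothetical helper names, and the inputs in the comments are constructed.

```typescript
// Added example (not the project's code): remove the tsx preload from
// NODE_OPTIONS, handling both "--import tsx" and "--import=tsx", and build
// the child-process env so the cleaned value is what the child inherits.

function stripTsxImport(nodeOptions: string | undefined): string {
  // Split on any whitespace run so multiple spaces never survive.
  const tokens = (nodeOptions ?? '').split(/\s+/).filter(Boolean);
  const kept: string[] = [];
  for (let i = 0; i < tokens.length; i += 1) {
    const token = tokens[i];
    // "--import tsx": drop the flag and its separate value token.
    if (token === '--import' && tokens[i + 1] === 'tsx') {
      i += 1;
      continue;
    }
    // "--import=tsx": single-token form.
    if (token === '--import=tsx') continue;
    kept.push(token);
  }
  return kept.join(' ');
}

type Env = Record<string, string | undefined>;

// Returns the env to pass to the child. Unlike the hunk, the cleaned
// NODE_OPTIONS is applied whether or not extra variables were supplied;
// an empty result removes the key instead of leaving NODE_OPTIONS="".
function buildChildEnv(parentEnv: Env, extra?: Record<string, string>): Env {
  const env: Env = { ...parentEnv, ...(extra ?? {}) };
  const cleaned = stripTsxImport(env.NODE_OPTIONS);
  if (cleaned) {
    env.NODE_OPTIONS = cleaned;
  } else {
    delete env.NODE_OPTIONS;
  }
  return env;
}

// Constructed sample parent env, e.g. what a mocha run under
// NODE_OPTIONS='--no-warnings --import tsx' would hand to a spawned "bit" command.
const sampleParentEnv: Env = { NODE_OPTIONS: '--no-warnings --import tsx', PATH: '/usr/bin' };
const childEnv = buildChildEnv(sampleParentEnv, { BIT_LOG: 'error' });
console.log(childEnv.NODE_OPTIONS); // --no-warnings
```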
components/legacy/constants/esm.mjs
| @@ -0,0 +1,208 @@ | |||
| // ESM wrapper for Node.js v22.22.0+ compatibility | |||
| // eslint-disable-next-line import/no-unresolved | |||
| import cjsModule from './constants.js'; | |||
The ESM wrapper imports './constants.js' which assumes the TypeScript file compiles to the same directory. Ensure that the build configuration outputs the compiled constants.js file to the same directory as this esm.mjs file, otherwise this import will fail at runtime.
components/legacy/constants/esm.mjs
| @@ -0,0 +1,208 @@ | |||
| // ESM wrapper for Node.js v22.22.0+ compatibility | |||
The comment indicates this is an "ESM wrapper for Node.js v22.22.0+ compatibility" but Node.js v22.22.0 does not exist. This comment should be updated to reflect the actual Node.js version being targeted once the correct version is determined.
| // ESM wrapper for Node.js v22.22.0+ compatibility | |
| // ESM wrapper for Node.js ESM compatibility |
979e214 to 6138260
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.
…fix (#10157) Upgrades Node.js from 22.14.0 to 22.22.0 to address a security vulnerability affecting Node.js apps.
Changes:
- `nodeVersion` and `bvm.node` in workspace.jsonc