Upgrade nodejs to latest npm version 10.9.1

[contactsmrajesh]

Node.js Version

22.11.0

NPM Version

10.9.0

Operating System

windows

Subsystem

Other

Description

npm fixed a critical security vulnerability in version 10.9.1. The current LTS of nodejs and the next version 23.3.0 are in npm version 10.9.0.

Usually when nodejs will update the npm version. Also in the meantime the upgrade is done, is there any solution to handle this issue, like we need to manually upgrade to latest npm or upgrade just that library(cross-spawn) in nodejs.

npm/cli#7902
https://nvd.nist.gov/vuln/detail/CVE-2024-21538

Minimal Reproduction

No response

Output

No response

Before You Submit

• I have looked for issues that already exist before submitting this
• My issue follows the guidelines in the README file, and follows the 'How to ask a good question' guide at https://stackoverflow.com/help/how-to-ask #194

[kl4072]

When do we anticipate this change implemented in the latest images? this causes issues with cross-spawn 7.0.3 vulnerability

[RafaelGSS]

This should solve nodejs/node#56135.

[RafaelGSS]

Does it affect 10.8.x too @nodejs/npm ? In case, Node.js 18.x.

How it affects Node.js? Should we issue a release for Node.js 20 and 18?

[mhdawson]

10.9.1 was pulled in nodejs/node#55951

It should be in the next 23.x
nodejs/node#56119

after which it would be backported to 22.x

[richardlau]

10.9.1 was pulled in nodejs/node#55951

It should be in the next 23.x nodejs/node#56119

after which it would be backported to 22.x

But currently blocked on 20 and 18: nodejs/node#55951 (comment)

[lukekarrys]

@aduh95 Do you have more info or some links about Python 3.8 support blocking npm backports (ref nodejs/node#55951 (comment))?

node-gyp and gyp-next are both tested on 3.8 so any breaking change there should be unintentional and I can try and fix in node-gyp.

[richardlau]

IIRC it's not that support for Python 3.8 was broken, it's that Python 3.8 is now the minimum (see nodejs/node#54358 for the breaking syntax) whereas earlier node-gyp (e.g. in npm@10.8.2) allowed earlier Python 3 (e.g. Python 3.7 which is what is on the current CI macOS 10.15 VMs).

There's two points:

1. The CI. Either update Python in the macOS 10.15 VMs (not sure how feasible that is -- I know @UlisesGascon / @ryanaslett have had difficulty keeping the 10.15 VMs going as e.g. homebrew have already dropped support for it). Or dropping them for later versions of macOS. (But something will need to happen so we can get passing CI. Note we don't test on macOS 10.15 for Node.js 22+ which is why we haven't had issues there.)
2. Whether dropping support for Python < 3.8 to compile addons within a release line is a breaking change for users. On one hand Python 3.8 and earlier are all End-of-Life now, but on the other the default python3 on many OSes may be older Python 3 (e.g. IIRC the default Python 3 on RHEL 8 is 3.6 (later Python 3 is available but not installed by default)).

[mcollina]

How it affects Node.js? Should we issue a release for Node.js 20 and 18?

The vuln is a false positive and all this work is to appease security scanners and overly rigid processes.
There is no way to attack this given node.js threat model.

Given that npm does not really maintain previous lines, I think we would need to patch cross-spawn in our tree in our maintenance lines.

[mjramer]

I'm currently blocked by the cross-spawn vuln in node:20/node:18 image distros. Any update on patching cross-spawn in node 18 and 20 to appease the vuln scans?