This report summarizes the accomplishments made during October and November 2024 within the Node.js project, spanning security initiatives, automation, community engagements, and release processes.
The last two months were highly productive, with notable progress in release automation, community engagement, and release policy. This period also included the release of Node.js 23.0.0.
We processed 10 security reports in total: 1 spam, 4 non-applicable, 2 informative, 2 new issues, and 1 triaged. Improvements to our security release workflow were also achieved.
The `git node release --pre-announcement` command now updates the website banner and sets the location of the blog post. Additionally, CVE-ID commit metadata is now automatically included in changelogs, which speeds up the generation of security release proposals.
To achieve this, three PRs were created:
- One to update our documentation: nodejs/node#55830
- One to update `changelog-maker`, the tool Node.js uses to generate release changelogs: nodejs/changelog-maker#167
- One to update `commit-stream`, one of the `changelog-maker` dependencies: nodejs/commit-stream#15
Alpha-Omega sponsored the releases of Node.js 23.0.0 (semver-major) and 22.3.0. Additionally, a FAQ section has been added to the releases.md file to help releasers during a release promotion.
An important change has landed in the Node.js major release policy. From Node.js 24 onwards, one month of preparation and testing will be required, meaning no commit will land in a major release without a baking time of one month. This gives maintainers time to test canary releases and helps ensure Node.js ships a stable major version. For more context, see nodejs/Release#1054.
The last two months were rich in improvements to our release automation. An important milestone has been reached: Node.js can now create a release proposal in a fully automated way. This is a significant step towards an automated release process.
To achieve this, several PRs had to land over the last two months:
- Two new flags were added to `git node release`:
  - `git node release --releaseDate`: nodejs/node-core-utils#863
  - `git node release --yes`: nodejs/node-core-utils#862
- A new workflow (create-release-proposal) has been created:
  - @nodejs/releasers has been added as CODEOWNERS to guarantee that all changes go through the team's approval
  - Remove defaults targeting `gh workflow run` users: nodejs/node#56042
- Roadmap issue: nodejs/Release#1061
Further work is in progress in nodejs/node-core-utils#875.
We made significant contributions to the Node.js community. The is-my-node-vulnerable tool was announced a few months ago and has received positive feedback from the community. The tool now supports Node.js versions as early as 0.12 and has been simplified by removing unnecessary dependencies. Integrating the tool into Node.js core is being discussed in nodejs/security-wg#852; in the meantime, other actions are being considered, such as:
- Issuing a CVE for EOL release lines
- Adding a warning to EOL versions of Node.js
We also participated in CityJS Medellin and contributed to the annual Node.js blog post for Alpha-Omega.
Several other notable updates were made:
- SlowBuffer was runtime deprecated
- Improvements were made to the Permission Model, both in terms of test coverage and user experience when granting access to specific modules. Reference: nodejs/node#55797
- A new flag, `--report-exclude-env`, was introduced to exclude environment variables from diagnostic reports. Environment variables frequently hold credentials and tokens, so this lets a report be shared for debugging without leaking them. Reference: nodejs/node#55697
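As an added example (not code from the Node.js project or the report above), the following script shows what `--report-exclude-env` protects against: a default diagnostic report carries the whole process environment, including a constructed secret placed there for the demonstration, and the `environmentVariables` section can be dropped at runtime through the documented `process.report` API. The fallback branch for runtimes that predate `process.report.excludeEnv` is an assumption, not something the page states.

```javascript
// Added example (not code from the Node.js project): producing a diagnostic
// report that does not leak environment variables, the same effect as
// starting node with --report-exclude-env. Uses only the documented
// process.report API; the fallback branch is an assumption for runtimes
// that predate process.report.excludeEnv.

// Constructed secret, standing in for a real credential an app might hold.
process.env.DEMO_API_TOKEN = 'constructed-secret-value';

// Does the default report carry the process environment? Returns true on a
// stock run, which is why sharing raw reports is risky.
function defaultReportIncludesEnv() {
  const report = process.report.getReport();
  const env = report.environmentVariables || {};
  return env.DEMO_API_TOKEN === process.env.DEMO_API_TOKEN;
}

// Build a report with the environmentVariables section removed.
function getSanitizedReport() {
  let report;
  if ('excludeEnv' in process.report) {
    // Node.js with --report-exclude-env support: toggle the runtime switch
    // for this call only and restore the previous setting afterwards.
    const previous = process.report.excludeEnv;
    process.report.excludeEnv = true;
    try {
      report = process.report.getReport();
    } finally {
      process.report.excludeEnv = previous;
    }
  } else {
    // Older runtime (assumption: no excludeEnv switch): take the full report.
    report = process.report.getReport();
  }
  // Belt and braces: drop the section regardless of which path produced it,
  // so a report written to disk never contains the environment.
  delete report.environmentVariables;
  return report;
}

// Sections that remain useful for debugging after sanitizing
// (header, javascriptStack, nativeStack, libuv, ...).
function sanitizedReportSections() {
  return Object.keys(getSanitizedReport());
}

if (defaultReportIncludesEnv()) {
  console.log('default report exposes DEMO_API_TOKEN');
}
console.log('sanitized report sections:', sanitizedReportSections().join(', '));
```

Running the same script with `node --report-exclude-env` makes the first message disappear, because the flag sets the exclusion for the whole process; the runtime switch in `getSanitizedReport()` is useful when only reports generated on a specific code path should be stripped.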