Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: bump node 18.16.1 (26-x-y) #39066

Merged
merged 1 commit into from
Jul 20, 2023
Merged

chore: bump node 18.16.1 (26-x-y) #39066

merged 1 commit into from
Jul 20, 2023

Conversation

baparham
Copy link

@baparham baparham commented Jul 12, 2023
edited by codebytere
Loading

Description of Change

Updating Node.js to v18.16.1.

See all changes in v18.16.0..v18.16.1

This would be great to backport into electron 26, since that stream is still in beta and node released many security updates in this version (src: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases)

Please consider including this in the 26 stream 🙏

Cherry picked from main 327af3b

Backport of #38869

cc @ckerr @codebytere @jkleinsc

Checklist

  • PR description included and stakeholders cc'd

Release Notes

Notes: Updated Node.js to v18.16.1 to address security fixes.

@electron-roller @patchup
@codebytere @ckerr @baparham
chore: bump node to v18.16.1 (main) (electron#38869)
a6e9fc8 
* chore: bump node in DEPS to v18.16.1

* chore: update patches

* deps: update c-ares to 1.19.1

nodejs/node#48115

* chore: fix -Wunreachable-code,-Werror FTBFS in c-ares

* chore: disable x509 bssl test

new test added in bf3e2c892

* fixup! chore: fix -Wunreachable-code,-Werror FTBFS in c-ares

also fix related -Werror,-Wunused-function FTBFS

* fixup! chore: fix -Wunreachable-code,-Werror FTBFS in c-ares

also fix another related -Werror,-Wunused-function FTBFS

* fixup! chore: disable x509 bssl test

fix yet another -Werror,-Wunused-function FTBFS

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
Co-authored-by: Charles Kerr <charles@charleskerr.com>
@baparham baparham requested review from a team as code owners July 12, 2023 10:06
@welcome
Copy link

welcome bot commented Jul 12, 2023

💖 Thanks for opening this pull request! 💖

We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix.

Examples of commit messages with semantic prefixes:

  • fix: don't overwrite prevent_default if default wasn't prevented
  • feat: add app.isPackaged() method
  • docs: app.isDefaultProtocolClient is now available on Linux

Things that will help get your PR across the finish line:

  • Follow the JavaScript, C++, and Python coding style.
  • Run npm run lint locally to catch formatting errors earlier.
  • Document any user-facing changes you've made following the documentation styleguide.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

@electron-cation electron-cation bot added the new-pr 🌱 PR opened in the last 24 hours label Jul 12, 2023
@baparham baparham mentioned this pull request Jul 12, 2023
Merged
@trop trop bot added 26-x-y backport This is a backport PR semver/patch backwards-compatible bug fixes labels Jul 12, 2023
@electron-cation electron-cation bot added new-pr 🌱 PR opened in the last 24 hours and removed new-pr 🌱 PR opened in the last 24 hours labels Jul 12, 2023
@baparham
Copy link
Author

The build failures seem to be failing with src cache was not restored for some reason, idk what happened here... when checking to see if src/third_party/blink is in the checkout. I'm not sure exactly what I can do with that, since it does not appear I have the ability to rerun the failure to see if it was transient (or if that's simply not a normal thing to do in cases like these). Please let me know if there's something I can do or missed in the PR.

codebytere
codebytere requested changes Jul 12, 2023
View reviewed changes
Copy link
Member

@codebytere codebytere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@baparham as a rule, we don't update Node.js versions in existing stable releases. Are there specific security fixes you're interested in?

@baparham
Copy link
Author

baparham commented Jul 12, 2023
edited
Loading

Thanks for the reply and explanation, I appreciate the time you are taking to provide guidance.

@baparham as a rule, we don't update Node.js versions in existing stable releases.

Are the beta releases considered a stable channel? I wouldn't expect us to jump to node 20 for example, or perhaps even a new minor version of node after being promoted to Beta, but a patch version update to node with the benefit of non-trivial security fixes seems like a reasonable risk/reward ratio as a user.

Are there specific security fixes you're interested in?

The c-ares fixes are mostly what I'm interested in.

I believe the openssl fixes with the update to 3.0.9 are irrelevant, since we use boringssl, so the CVEs worth including are in c-ares and node.js directly:

This version of node.js updated c-ares to 1.19.1 which included these CVE fixes:
GHSA-9g78-jv2r-p7vc
GHSA-8r8p-23f3-64c2
GHSA-54xr-f67r-4pc4
GHSA-x6mf-cxr9-8q6v

There are also 3 high and 7 medium node.js specific security fixes that were outlined in the release blog I posted in the description too. I do not know if any have been patched in to Electron, but I assume none or very few would have been patched in as standalone fixes based on the changes in 327af3b not hinting that any patches were no longer required by Electron

@codebytere
Copy link
Member

hey @baparham - as an update, this isn't off the table. We're discussing policy for this right now and seeing if we can adjust to allow for patch updates during the beta phase.

@VerteDinde
Copy link
Member

✅ Approved on behalf of Releases WG.

As @codebytere mentioned above, the Releases WG has decided that as a policy, we'll approve patch bumps for Node by default if the alpha/beta is more than 2 weeks out from stable release, and will vote on minor bumps on a case-by-case basis. This PR is approved for beta - it now just needs a code review, and we can merge. Thanks for submitting this PR!

@baparham
Copy link
Author

Who should review this? @codebytere requested changes, but presumably they were related to the policy, which has been resolved.

What's left that I can help with? (also, thank you to whoever reran the failure in CI 🙏)

codebytere
codebytere approved these changes Jul 20, 2023
View reviewed changes
Copy link
Member

@codebytere codebytere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM post-policy change

@codebytere codebytere merged commit 54cd8e4 into electron:26-x-y Jul 20, 2023
@welcome
Copy link

welcome bot commented Jul 20, 2023

Congrats on merging your first pull request! 🎉🎉🎉

@release-clerk
Copy link

release-clerk bot commented Jul 20, 2023

Release Notes Persisted

Updated Node.js to v18.16.1 to address security fixes.

@baparham baparham deleted the bump-node-18.16.1 branch July 20, 2023 11:26
@mlaurencin
Copy link
Member

For future reference, I am linking the policy changes here: electron/governance#546, #39163

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@codebytere codebytere codebytere approved these changes

Assignees
No one assigned
Labels
26-x-y backport This is a backport PR semver/patch backwards-compatible bug fixes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@baparham @codebytere @VerteDinde @mlaurencin