
Update to Node.js v14.17.6 when using Node Version Manager #1076

Merged (1 commit, Sep 9, 2021)

Conversation

@lfdebrux lfdebrux (Member) commented Sep 9, 2021

We want to make sure our users are using a secure version of npm. This commit bumps the default Node.js version specified by `.nvmrc` to the latest Node 14 version. This includes the latest version of npm, which is patched to close an arbitrary code execution vulnerability. This follows a recommendation by the GitHub security blog [1].

@lfdebrux lfdebrux changed the title from "Bump default Node.js to 14.17.6" to "Update Node.js to 14.17.6 when using Node Version Manager" (Sep 9, 2021)
@lfdebrux lfdebrux changed the title from "Update Node.js to 14.17.6 when using Node Version Manager" to "Update to Node.js v14.17.6 when using Node Version Manager" (Sep 9, 2021)
[1]: https://github.blog/2021-09-08-github-security-update-vulnerabilities-tar-npmcli-arborist/
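A pinned `.nvmrc` only helps if the version it names is actually the patched one, so a CI-side check is worth having. The following is an added example, not code from this PR or from the prototype kit project: a POSIX sh check that the version pinned in `.nvmrc` is at least a required minimum (here the 14.17.6 this PR pins). It assumes `.nvmrc` holds a plain `MAJOR.MINOR.PATCH` string, optionally `v`-prefixed, and not an nvm alias such as `lts/*`.

```shell
#!/bin/sh
# Added example (not from the govuk-prototype-kit repository): verify that the
# Node.js version pinned in .nvmrc meets a minimum before `nvm use` runs.
# Assumption: .nvmrc contains "MAJOR.MINOR.PATCH" (optionally "v"-prefixed).

# version_ge A B -> exit 0 if A >= B, comparing each numeric component in turn
version_ge() {
  a=$(printf '%s' "$1" | sed 's/^v//')
  b=$(printf '%s' "$2" | sed 's/^v//')
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}          # treat a missing component as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0                        # all three components equal
}

# check_nvmrc FILE MIN -> exit 0 if the pinned version is >= MIN, 1 otherwise
check_nvmrc() {
  pinned=$(sed -n '1s/[[:space:]]//g;1p' "$1")   # first line, whitespace stripped
  version_ge "$pinned" "$2"
}

# Constructed sample .nvmrc holding the version this PR pins.
tmp=$(mktemp)
printf 'v14.17.6\n' > "$tmp"
if check_nvmrc "$tmp" 14.17.6; then
  echo ".nvmrc pins Node.js >= 14.17.6"
else
  echo ".nvmrc pins an older Node.js than 14.17.6" >&2
fi
rm -f "$tmp"
```

Run it against the repository's real `.nvmrc` in CI with the minimum you require; a non-zero exit from `check_nvmrc` fails the job.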
@lfdebrux lfdebrux merged commit 75a97c3 into main Sep 9, 2021
@lfdebrux lfdebrux deleted the ldeb-bump-node branch September 9, 2021 10:13
@joelanman joelanman (Contributor) left a comment

It's a good change; we just need to think carefully about how we tell the community, given this was never a documented feature and it's an advanced technique.

@lfdebrux lfdebrux (Member, Author) commented Sep 9, 2021

@joelanman, agree. I'm thinking about that; I've opened a separate issue where we can discuss this further: #1077
