[Pkg-javascript-devel] Bug#989266: Version has known security issues, and soon to be unmaintained by upstream

Jérémy Lal kapouer at melix.org
Fri Jul 2 10:13:23 BST 2021


Package: nodejs
Followup-For: Bug #989266

Hi,

> This version has security issues, which have been fixed with 12.21.1 -
> see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.22.1

Well, actually, the 12.21.1 security issues don't apply to nodejs 12.21.0~dfsg-4.
This fact has been checked by the security team and by the nodejs maintainer.

> Also, the upstream maintenance support for Version 12 will end in
> April 2022, meaning, the Debian Security Team and/or maintainer will
> have the sole responsibility to keep this package secure from then on,
> with no support from upstream, if it will be delivered like this with
> bullseye.

True. However, it is simply not possible to move to node 14 without
updating all of the modules currently in Debian, potentially breaking
applications using them, etc. This has to be an orchestrated work,
involving many Debian maintainers - most of them on their free time.
Nodejs 14 will be for bullseye+1, and it's at least one year too late
to change that.

On the other hand, many nodejs critical security issues come from
the libraries it depends on - which are covered by the security team.
Typically, the 12.21.1 version is only fixing openssl/npm issues,
which means the fixes are made in the corresponding debian packages.

Also, LTS maintenance sometimes continues further than initially
advertised - and even if not, several outsiders are maintaining
security backports to recently dead nodejs branches - Debian is not alone
on that side of the time.

Jérémy

