GNU bug report logs - #34526
Updating node from version 10

Previous Next

Full log

Message #32 received at 34526 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Christopher Lemmer Webber <cwebber <at> dustycloud.org>, 34526 <at> debbugs.gnu.org
Cc: jlicht <at> fsfe.org
Subject: Re: bug#34526: Updating node.js
Date: Sun, 17 Nov 2019 19:25:33 +0100

[Message part 1 (text/plain, inline)]

Christopher Lemmer Webber <cwebber <at> dustycloud.org> writes:

> Daniel Gerber writes:
>
>> Hi,
>>
>> 2019-02-20, Jelle Licht:
>>> Daniel Gerber <dg <at> atufi.org> writes:
>>>
>>>>   [snip]
>>>> What about statically linking llhttp's C "sources" included in
>>>> node?   Building v11.10.0 succeeds with this:
>>>
>>> You could do this, of course, but afaics this is not acceptable for
>>> inclusion in Guix proper.
>>>
>>> I don't really see any way forward between convincing the fine node
>>> folks to see the 'error of their ways', or to implement a
>>> ABI-compatible
>>> replacement for llhttp that we can actually bootstrap.
>>
>> Although I would prefer the convincing-the-fine-node-folks solution,
>> here are two more ways to avoid dropping node with the EOL of 8.x(LTS)
>> at the end of 2019.
>>
>> - Remove llhttp and keep only the "legacy" http-parser, or
>>
>> - Accept to bootstrap it -- I mean use intermediary self-compiling
>> steps, like ccl, golang, java, or haskell do.
>> The build-time dependencies are: node <at> 11.x -> llhttp -> ts-node ->
>> typescript -> self (typescript), plus quite a few npm packages.
>> It seems that node <at> 8.x or 9.x should be a native-input to later
>> versions, but I do not know enough of Guile / Guix packaging to do it
>> myself anytime soon.
>
> Hello,
>
> Went through the process of trying to update node myself, not having
> remembered this bug.  Ran into the same issue.
>
> The bug was closed; I doubt we are going to convince the Node folks.
>
> Quite a few high-importance projects rely on Node at this point, and we
> are running an out of date Node which I suspect probably has quite a few
> insecurities.
>
> Our version of Node:   v10.16.0
> LTS Node:              v12.13.0
> Latest Node:           v13.1.0
>
> One way or another, we will probably need to update.  Both Chromium and
> Icecat depend on Node at this point.  I'm not sure if either of them use
> Node in any active way that an insecruity could manifest or if it's
> "just for packaging" but I think there's good reason to be nervous about
> being so out of date.

Node 10.x is maintained until April 2021 though:

https://nodejs.org/en/about/releases/

...so we still have some time to figure out how to bootstrap Node 12.x
and later.

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.