

2/3 of Node.Js Users Run an Outdated Version. So OpenJS Announces Program Offering Upgrade Providers (openjsf.org)

(Sunday March 08, 2026 @06:39PM (EditorDavid) from the whaddya-Node dept.)


How many Node.js users are running unsupported or outdated versions? Roughly two thirds, according to data from Node's nonprofit steward, OpenJS.

So they've [1]announced "the Node.js LTS Upgrade and Modernization program" to help enterprises move safely off legacy/end-of-life Node.js. "This program gives enterprises a clear, trusted path to modernize," said the executive director of the OpenJS Foundation, "while staying aligned with the Node.js project and community."

> The Node.js LTS Upgrade and Modernization program connects organizations with experienced Node.js service providers who handle the work of upgrading safely.

>

> Approved partners assess current versions and dependencies, manage phased upgrades to supported LTS releases, and offer temporary security support when immediate upgrades are not possible... Partners are surfaced exactly where users go when upgrades become unavoidable, including the Node.js website, documentation, and end of life guidance.

>

> The program follows the existing OpenJS Ecosystem Sustainability Program revenue model, with partners retaining 85% of revenue and 15% supporting OpenJS and Node.js through Open Collective and foundation operations. OpenJS provides the guardrails, alignment, and oversight to keep the program credible and connected to the project. We're pleased to welcome NodeSource as the inaugural partner in the Node.js LTS Upgrade and Modernization program.

"The goal is simple: reduce risk without breaking production or trust with the upstream project."



[1] https://openjsf.org/blog/nodejs-lts-upgrade-program



Sounds nice, but... (Score:2)

by zkiwi34 ( 974563 )

Businesses will have to spend people, time and money on a moving target.

Re: (Score:3)

by ZipNada ( 10152669 )

Just like any other evolving software infrastructure.

Re: (Score:2)

by zkiwi34 ( 974563 )

It's amazing how much software is happily working on apparently obsolete platforms. That and node... should folk bounce to next?

Re: (Score:3)

by haruchai ( 17472 )

"Businesses will have to spend people, time and money on a moving target"

tell us without telling us you've never heard of Patch Tuesday

Re: (Score:2)

by znrt ( 2424692 )

businesses should be doing that anyway, openjs is just providing a new service to assist in migration. to me it sounds more like trying to appear relevant. businesses that do sensible maintenance will not need such a service, businesses that don't probably won't bother with this either. i'd say a less glamorous but more productive effort would be funding audits and backports of security patches to older versions.

updating is a risk in itself and aged software isn't necessarily more risky as long as it is rea

Re: Sounds nice, but... (Score:4, Informative)

by sodul ( 833177 )

As someone who used to manage development stacks at several companies, NodeJS is particularly a PITA to keep up to date with. The other languages that have better tools such as Go and Python do have issues but not as much as NodeJS.

My experience is that unless the NodeJS dev team really craves a new feature of NodeJS, they would rather not upgrade at all since there are less things to learn but also less conflicts to resolve in order to upgrade. There are many libraries in active use that have now become abandonware and these need to either be forked as a new project or fixed.

Unfortunately I have seen devs just copy the abandoned project source code into the private Git repository so that 3rd party tools will no longer flag CVEs. This is bad for the obvious security issue, but also is often a violation of the license. Of course many Devs do not give a crap, and it never becomes an issue until M&A Discovery finds out about it, if it ever does.

This probably ignores most installation... (Score:2)

by mseeger ( 40923 )

My personal observation is rather 99%. There are a lot of node.js installations hidden in some software that was last updated when the city of Rome was founded.

Paperwork (Score:2)

by darkain ( 749283 )

The issue isn't technical, it's business. Let's just say, in my career, other than when I was the lead architect, I've been stuck dealing with shit-tier quality ass old aged software, because of the amount of paperwork involved for "risk mitigation" due to the fears of poking an otherwise "working" system (security exploits be damned).

reason why (Score:2)

by snowshovelboy ( 242280 )

The reason why is node accepts pedantic breaking changes nobody cares about. This adds work to maintainers of downstream libraries and let's be honest, those guys aren't paid enough to deal with this crap. This leads to a situation where we end up having absolutely insane stuff like node version managers because production services at the end of all of this need to take a dependency upgrade that is on a new version of node for an actual reason important to their business, but also can't take a node upgra
