Warn against using vulnerable Node.js versions

[ehmicky]

Background

Custom Node.js version

Sites can specify a custom Node.js version by using a .nvmrc file, .node_version file or NODE_VERSION environment variable.

Node.js versioning

Node.js maintains a list of supported major releases. Unsupported major releases do not receive security fixes anymore.

Node.js also alternates between odd and even numbered releases. Odd-numbered releases are only supported when they are the latest major release number. Even-numbered releases are supported for 3 years.

At the time of writing this, this is the list of:

• Supported releases: 12 (but only until end of April 2022), 14, 16 and 17.
• Unsupported releases: <12, 13, 15

According to the following list of the Node.js versions used in the last 7 days, per build:

• 18% are <12
• 0.2% are 13
• 0.8% are 15

Problem

Some sites might specify a custom Node.js version that is not supported anymore. This is a bad pattern since it prevents them from receiving security fixes.

Additionally, some sites might not use a custom Node.js version, but have last linked their repository several years ago. Since the default Node.js version is assigned at link-time, and we have updated the default Node.js version roughly every year, those sites might get assigned a default Node.js version that is old and unsupported.

Solution

We should print a log message in the build logs when this happens. The log message should warn but not have colors.

We should detect this by checking the resolved Node.js version, after both the default and custom Node.js versions have been assigned.