Node.js 16 生命周期 结束日期提前

将 Node.js 16 的生命周期终止日期更改为 2023 年 9 月 11 日

  • 概括
  • Summary
  • 为什么?
  • Why?
    • 我们评估了以下选项
  • We have evaluated the following options:

概括

Node.js 16 的生命周期终止日期提前了7个月,以与2023年9月11日结束对 OpenSSL 1.1.1 的支持相吻合

Summary

We are moving the End-of-Life date of Node.js 16 by seven months to coincide with the end of support of OpenSSL 1.1.1 on September 11th, 2023.

为什么?

当我们将 Node.js 16 放在一起时,希望我们能够包含 OpenSSL 3。不幸的是,发布的时间不允许这样做,我们发布了带有 OpenSSL 1.1.1 的 Node.js 16。 OpenSSL 1.1.1 计划支持到 2023 年 9 月 11 日 ,比 Node.js 16 计划的生命周期结束日期(2024 年 4 月)提前七个月。

Why?

When we put together Node.js 16 the hope was that we would be able to include OpenSSL 3. Unfortunately, the timing of the releases did not allow that to be possible, and we released Node.js 16 with OpenSSL 1.1.1. OpenSSL 1.1.1 is scheduled to be supported up until September 11th, 2023, which is seven months before the planned End-of-Life date of Node.js 16 (April 2024).

我们评估了以下选项

  • 没做什么。 Node.js 16 在其生命周期的最后七个月内将面临 OpenSSL 1.1.1 中的任何漏洞的风险。
  • 2023 年 9 月上旬结束对 Node.js 16 的支持,以配合 OpenSSL 1.1.1 的 EOL。 当我们 提前四个月结束对 Node.js 8 的支持以配合 OpenSSL 1.0.2 的 EOL 时,我们有这样做的先例。
  • 尝试切换到 OpenSSL 3。根据针对 Node.js 17 和 18(在 OpenSSL 3 上)报告的问题以及需要对我们的测试套件进行的调整,这被认为是有风险的,并且可能会导致某些应用程序出现兼容性问题.
  • 尝试将 OpenSSL 1.1.1 替换 为 CentOS Stream 8 中的 OpenSSL 1.1.1 版本。 CentOS Stream 8 是 Red Hat Enterprise Linux 8 (RHEL 8) 的上游,它的 openssl 软件包将在 RHEL 8 期间( 直到 2024 年 5 月 31 日 )受支持。 不幸的是,对 CentOS Stream 8 的 OpenSSL 所做的更改导致了差异(例如, 删除了几种算法 ),这将导致某些应用程序出现兼容性问题。

经过考虑,我们决定风险最小的选择是避免发布中的 OpenSSL 开关的潜在重大更改,并将 Node.js 16 的终止日期提前到与结束日期相同的日期。支持 OpenSSL 1.1.1,2023 年 9 月 11 日。

We have evaluated the following options:

  • Do nothing. Node.js 16 will be at risk for any vulnerabilities in OpenSSL 1.1.1 for the last seven months of its lifetime.
  • End support for Node.js 16 early in September 2023 to coincide with EOL of OpenSSL 1.1.1. We have precedent for doing this when we ended support for Node.js 8 four months early to coincide with the EOL of OpenSSL 1.0.2.
  • Attempt a switch to OpenSSL 3. Based on issues reported against Node.js 17 and 18 (which are on OpenSSL 3) and adjustments that needed to be made to our test suite, this is considered risky and will likely cause compatibility issues for some applications.
  • Attempt to replace OpenSSL 1.1.1 with the version of OpenSSL 1.1.1 from CentOS Stream 8. CentOS Stream 8 is upstream Red Hat Enterprise Linux 8 (RHEL 8) and its openssl package would be supported for the duration of RHEL 8 (until May 31st, 2024). Unfortunately, the changes made to OpenSSL for CentOS Stream 8 result in differences (e.g., removal of several algorithms) which would cause compatibility issues for some applications.

After consideration, we have decided that the least risky option is to avoid the potential breaking change of an in-release OpenSSL switch and bring forward the End-of-Life date of Node.js 16 to be on the same day as the end of support of OpenSSL 1.1.1, September 11th, 2023.

你可能感兴趣的:(前端,node.js,linux,运维)