GoogleCloudPlatform / ruby-docker

Ruby runtime for Google Cloud Platform
Apache License 2.0
134 stars 56 forks

Allow Specified Node Version #217

Closed eric-hemasystems closed 2 years ago

eric-hemasystems commented 2 years ago

There was previously an issue where the version of Node bundled with these containers was so old it was incompatible with Rails. Even though that has been resolved, the current version bundled, 14.16.1, is also fairly old (over a year).

Although the 14 series is still supported, there have been numerous CVEs on the 14 series and I think we need to be on the latest of that series to address all of them. The impact of these security issues may be considered minor since Node is primarily used to build the JS bundle in Rails, but with JS being so pervasive some apps may be using NodeJS for other purposes. For example, our app uses puppeteer to do some HTML-to-PDF conversions.

Also it limits the libraries we can use. For example the latest version of eslint does work on the 14 series but does need at least 14.17.x.

Obviously we could build our own custom container but that greatly increases the level of effort. It would be ideal if we could just specify the version like we do with Ruby. I know you guys use rbenv to install the specified Ruby version (using a pre-built if available). Perhaps you could do a similar thing with nodenv which is based on rbenv. Or if you want a single tool perhaps switch both to asdf.

dazuma commented 2 years ago

We updated Node to 16.15.0; that should be live for new deployments starting today. It's not likely we'll be able to support specifying arbitrary Node versions; the infrastructure to support arbitrary Ruby versions is already complicated enough. But we'll try to keep Node updated more frequently.

eric-hemasystems commented 2 years ago

Thanks for the update.

Just FYI, from using both nodenv and asdf (which internally uses nodenv) installing a new version of Node isn't nearly as big of a deal as a new version of Ruby. Nodejs maintains precompiled binaries vs the custom compile that rbenv uses so it installs in seconds.

This means supporting nodenv might not be as complicated as on the Ruby side since you guys wouldn't need to maintain the precompiled binaries like you do for Ruby. There might be other reasons that allowing the nodejs version to be specified is too much of a hassle on your side but just wanted to let you know the precompiled binaries at least are a non-issue.