cube-js / cube

📊 Cube — The Semantic Layer for Building Data Applications
https://cube.dev

Upgrade Cube to NodeJS 20 #8087

Open spljs opened 5 months ago

spljs commented 5 months ago

Problem

Hello, is it possible to upgrade to Node.js 20?

Additional context

I've tried to run Cube using Node.js 20 and it runs well. But there might be some tests I've missed; I would like to know your opinion about that.

igorlukanin commented 5 months ago

Hi @spljs 👋

Could you please provide more context on why you'd like this upgrade? Since you're running Cube in Docker (are you?), does the Node version make much difference?

spljs commented 5 months ago

Yes, I'm running Cube in Docker. The reason behind this is that Node.js v20.3/v20.4 included the libuv updates that supported cgroups v2. And so we need to have cgroups v2 support for security reasons.

igorlukanin commented 5 months ago

@spljs Oh, this is very interesting! Could you please provide a little bit more context on how you apply cgroups?

As for a potential upgrade to v20, let me add @ovr to the conversation.

spljs commented 5 months ago

Initially, cgroup is a Linux kernel process, focused on system resource allocation. And cgroupsv2 is an evolution offering a simplified API, an improved resource management system (unified hierarchy, more granular control) and enhanced security, including for containers.

And so, cgroupsv2 has been progressively deployed since mid-2023 on cloud providers' environments, including Kubernetes, that we use for our PaaS environments. Thus we want to upgrade in order to prevent outages with any languages, frameworks & libraries that are not compatible.
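
Added example, not part of the original thread or of the Cube code base: a Node.js check for the concern raised above, namely whether the runtime inside a container actually sees the cgroup v2 memory limit. The function names are illustrative, and the live probe assumes cgroup v2 is mounted at `/sys/fs/cgroup` inside the container.

```javascript
// Added example (not from the Cube repository). Pure parsers plus a live probe.

// /proc/self/cgroup: cgroup v2 has a single "0::<path>" entry; v1 has one
// "<id>:<controllers>:<path>" entry per hierarchy; both together means hybrid.
function cgroupVersion(procSelfCgroup) {
  const lines = procSelfCgroup.split('\n').map((l) => l.trim()).filter(Boolean);
  const unified = lines.some((l) => l.startsWith('0::'));
  const legacy = lines.some((l) => /^[1-9]\d*:[^:]*:/.test(l));
  if (unified && legacy) return 'hybrid';
  if (unified) return 'v2';
  return legacy ? 'v1' : null;
}

// cgroup v2 memory.max holds a byte count or the literal "max" (no limit).
function parseMemoryMax(text) {
  const value = text.trim();
  if (value === 'max') return null;
  if (!/^\d+$/.test(value)) throw new Error(`unexpected memory.max: ${value}`);
  return Number(value);
}

// True when the runtime reports a constraint no larger than the cgroup limit.
// process.constrainedMemory() yields 0 or undefined when it sees no limit.
function runtimeSeesLimit(limitBytes, constrainedBytes) {
  if (limitBytes === null) return true; // nothing for the runtime to miss
  return Number.isFinite(constrainedBytes) && constrainedBytes > 0 &&
    constrainedBytes <= limitBytes;
}

// Live probe; the paths are assumptions about a cgroup v2 container layout.
async function probe() {
  const fs = await import('node:fs');
  const read = (p) => { try { return fs.readFileSync(p, 'utf8'); } catch { return null; } };
  const membership = read('/proc/self/cgroup');
  const max = read('/sys/fs/cgroup/memory.max');
  const limit = max === null ? null : parseMemoryMax(max);
  const constrained = typeof process.constrainedMemory === 'function'
    ? process.constrainedMemory() : undefined;
  return {
    node: process.version,
    cgroup: membership === null ? null : cgroupVersion(membership),
    limit, constrained,
    ok: runtimeSeesLimit(limit, constrained),
  };
}

probe().then((r) => console.log(JSON.stringify(r))).catch((e) => console.error(e.message));
```

Run inside the container with a memory limit set; `ok: false` means the limit exists in the cgroup but the Node.js runtime does not report it.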

jineshshah36 commented 5 months ago

@igorlukanin We have a similar ask. Here's some context for you:

As part of our security and compliance requirements, we do not use versions of nodejs that have reached EOL. Node 16 went EOL in Oct 2023 & node 18 is already in maintenance mode. We have a number of CI systems & processes that check for and enforce our minimum node versions (currently 18, but about to be 20). Having cube lag behind on 16 is a problem, because it makes integrating cube into our engineering processes more challenging. In addition, even though cube is running in a container, node 16 may have active vulnerabilities that have been patched in newer versions, and the nodejs ecosystem generally does not provide support for security fixes, etc. after EOL. I would also add that it is near impossible for anyone to guarantee that they are not affected by vulnerabilities. Docker containers can be vulnerable as well.

We are SOC2 compliant, and I can see that cube is as well. Using unsupported versions of runtimes is generally considered a gap, and should be treated as not being actively compliant, in my opinion.

I, of course, understand that there are many moving pieces and it's not easy to be 100% compliant in all cases, but node 16 is becoming very outdated given that node 22 is targeted to become active this month.

https://nodejs.org/en/about/previous-releases

SunnyR commented 3 weeks ago

Hey @igorlukanin, any updates on the node upgrade? Node 18 will go end of life in April (https://endoflife.date/nodejs), and we too are now starting to investigate upgrading our architecture to be node 20 and/or 22 compliant for security.

igorlukanin commented 3 weeks ago

We might do that soon, however, I don't have any ETA to share as of now.

ovr commented 1 week ago

Upgrade to Node.js 20 is coming with a 0.36 release. PR: https://github.com/cube-js/cube/pull/8673