Migration from Node 6 to Node 10 | warning messages

[ghost]

Question, Bug, or Feature?
Type: Question

Enter Task Name: Universal Packages

Environment

• Agent - Hosted

Issue Description

We are starting to see this warning message for some tasks:

Task : Universal packages Description : Download or publish Universal Packages Version : 0.190.0 Author : Microsoft Corporation Help : https://docs.microsoft.com/azure/devops/pipelines/tasks

[warning]This task uses Node 6 execution handler, which will be deprecated soon. If you are the developer of the task - please consider the migration guideline to Node 10 handler - https://aka.ms/migrateTaskNode10. If you are the user - feel free to reach out to the owners of this task to proceed on migration.

May I ask when the migration will be done for such kind of tasks from Node6 to Node10? Getting tons of warning messages because of this.

[anatolybolshakov]

Hi @attila-szabo1-epam the target date for Node 6->Node 10 migration is March 31st 2022 at the moment.

[badsyntax]

@anatolybolshakov Just curious, I've got 2 questions:

1. What's the reason for delaying the upgrade? Node 6 is end-of-life (i believe since 2019).
2. What's the reason for using really old end-of-life versions? Seems like it could be a security issue to use really old unmaintained versions. Why won't you upgrade to current (active) LTS? Why is Node 10 the next version to upgrade to? I can't seem to make sense of this.

[ghost]

MS explains this here: https://docs.microsoft.com/en-us/azure/devops/release-notes/2020/pipelines/sprint-177-update

"Update from what was originally published: Due to an incompatibility with Red Hat Enterprise Linux 6 and Node 14, we've suspended work on Node 14 and will first focus on getting to Node 10."

[jackson15j]

Hi @attila-szabo1-epam the target date for Node 6->Node 10 migration is March 31st 2022 at the moment.

Doesn't this conflict with the move to remove Node 10 off all Azure DevOps Agents on: 15th November 2021: https://github.com/actions/virtual-environments/issues/4356 ?

[badsyntax]

@attila-szabo1-epam Thanks for the link. That blog post is over a year old now. IMO i would see that issue as critical as it's not acceptable to use unmaintained non-lts versions.

[anatolybolshakov]

@attila-szabo1-epam @jackson15j @badsyntax unfortunately it takes some to migrate whole infrastructure to Node 6 - since there is a lot of in-the-box tasks depending on Node 6. There is also a lot of custom tasks depending on Node 6, and it could take some time for maintainers to complete migration. Node version used for tasks execution is shipped separately with agent - so it does not depend on version installed on a hosted image.

[badsyntax]

@anatolybolshakov i understand, but it seems like this wasn't planned correctly. (but i'm just a casual observer and not aware of all the details.) thanks for the info.

[RJB3007]

I'm also getting this warning...

[warning]This task uses Node 6 execution handler, which will be deprecated soon. If you are the developer of the task - please consider the migration guideline to Node 10 handler - https://aka.ms/migrateTaskNode10. If you are the user - feel free to reach out to the owners of this task to proceed on migration.

What do i do to fix this?

[ghost]

Ignore it until they upgrade the task , then the warning msg will be gone.

[RJB3007]

My NuGet task only consists of this in my YAML CI build... steps:

• task: NuGetCommand@2 inputs: command: 'restore' feedsToUse: select vstsFeed: 'b161411d-e976-445e-a736-8ef0a0397756/be77ebae-d25b-4745-b142-3a1259d4ea93' includeNuGetOrg: true restoreSolution: '*/.sln'

[ghost]

This task has old dependency as well, part of the upgrade is azure lib: https://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/NuGetCommandV2/package.json

"dependencies": { "azure-pipelines-task-lib": "2.8.0",

If you read this : https://aka.ms/migrateTaskNode10

• Upgrade azure-pipelines-task-lib to ^3.1.7 in package.json dependencies.

[hbuckle]

This does mean all our pipelines are being spammed with warnings we can't do anything about, making it hard to see genuine warnings - it would be great to get these tasks updated sooner rather than later.

[seangwright]

I had this warning for NuGetToolInstaller@0, which I've updated to NuGetToolInstaller@1, but I also have this warning for NuGetCommand@2, which doesn't appear to have a newer version.

I use the .NET CLI for all my modern .NET pipelines, but I still have .NET 4.x build pipelines that are in active use.

Hopefully NuGetCommand@2 gets upgraded soon.

[asears]

Getting this warning on the CopyFiles activity.

==============================================================================
Task         : Copy files
Description  : Copy files from a source folder to a target folder using patterns matching file paths (not folder paths)
Version      : 2.190.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/copy-files
==============================================================================
##[warning]This task uses Node 6 execution handler, which will be deprecated soon. If you are the developer of the task - please consider the migration guideline to Node 10 handler - https://aka.ms/migrateTaskNode10. If you are the user - feel free to reach out to the owners of this task to proceed on migration.

[pinkfloydx33]

There's got to be something that can be done -- or perhaps Azure DevOps can stop spamming the warnings. I realize the deprecation is a big deal but with so many built in tasks using the old handler, all my pipelines are just riddled with warnings. I understand what it's about, but others viewing the results think there's legitimately something wrong with our stuff. Plus the spam just makes it difficult to see anything. Maybe ADO can only warn about non-built in tasks and/or ones that aren't using the latest version. Would sure cut down a ton of mostly meaningless spam.

[CZEMacLeod]

@seangwright I seem to be getting this warning with NuGetToolInstaller@1 as well as NuGetCommand@2

[silvanaweb]

Agree, it is pretty annoying:

[robhalevt]

Is there a way to filter out warnings that start with "This task uses Node 6..."?

[doormalena]

Because of this change, we suddenly have 80+ pipelines with some of them over 20 of these warnings. It's affecting our quality process to fix real warnings. This is just noise.

Can this be reported on a higher level (aggregated) instead with the causing task and it's vendor?

[jshall]

@seangwright I seem to be getting this warning with NuGetToolInstaller@1 as well as NuGetCommand@2

I am also getting this warning for VSTest@2.

It is very confusing to get this message from the use of Microsoft delivered tasks that have no apparent connection to Node in a project with no connection to Node.

[seangwright]

@CZEMacLeod @jshall Yah, I am too - at first I thought the remaining warnings in my pipelines were from other tasks, but there's so much noise now that I missed VSTest@2 is still presenting warnings 🤦‍♂️🤦‍♂️🤦‍♂️.

Thankfully our .NET CLI tasks aren't producing warnings, but we can't just switch to that from the VS tasks for classic ASP.NET applications that we produce builds of on a daily basis 😑.

[sebappale]

@seangwright I seem to be getting this warning with NuGetToolInstaller@1 as well as NuGetCommand@2

I am also getting this warning for VSTest@2.

It is very confusing to get this message from the use of Microsoft delivered tasks that have no apparent connection to Node in a project with no connection to Node.

Yes. It feels very strange that Microsoft tasks wasn't fixed before the warning was going to go live, when ppl at Microsoft absolutely should know this change is coming.

Hi @attila-szabo1-epam the target date for Node 6->Node 10 migration is March 31st 2022 at the moment.

Why cant you just state this in the warning message instead of the generic "deprecated soon", we started panicking and searching for alternate TASKS just to have a backup plan when/if our pipelines start breaking... Now we at least know we have 4 months to tackle this.

Also as someone else said, now all our pipelines are cluttered with these warnings, we need a way to disable them!

[srikant-sahoo-maersk]

Can someone tell me how to fix this?

I am using React app in azure-pipelines and getting these warnings on copyfiles and npmAuthenticate and I could not find from where this issue is coming from. Should I change some things in the .yml file? Or do I need to change something in package.json🙄?

Or if this issue is something else which will resolve automatically after march 2022 then please tell.

[doormalena]

Can someone tell me how to fix this?

I am using React app in azure-pipelines and getting these warnings on copyfiles and npmAuthenticate and I could not find from where this issue is coming from. Should I change some things in the .yml file? Or do I need to change something in package.json🙄?

Or if this issue is something else which will resolve automatically after march 2022 then please tell.

You need to upgrade the tasks used in your (yaml) pipeline to a newer version. However, for almost all tasks (as of which most we use are Microsoft standard tasks) there isn't a newer version available that fixes the issue at this point.

[xantari]

Just ran into this warning message as well and was wondering what I was supposed to do. Looks like nothing, we need to wait for MS to upgrade the tasks.

[ML-Emyode]

For those looking for a way to remove the warnings, there is a section about that on the migrateNode10 page: https://github.com/microsoft/azure-pipelines-tasks/blob/master/docs/migrateNode10.md#how-to-disable-warnings-for-node-6-deprecation

To avoid noise in pipeline logs - you can disable Node 6 deprecation warnings by setting up DISABLE_NODE6_DEPRECATION_WARNING agent knob in one of 2 ways:

Set up DISABLE_NODE6_DEPRECATION_WARNING pipeline variable as true
For self-hosted agents - set up environment variable DISABLE_NODE6_DEPRECATION_WARNING as true

[DHowett]

"Waiting for response" by whom exactly?

[ByteDev]

For those looking for a way to remove the warnings, there is a section about that on the migrateNode10 page: https://github.com/microsoft/azure-pipelines-tasks/blob/master/docs/migrateNode10.md#how-to-disable-warnings-for-node-6-deprecation

To avoid noise in pipeline logs - you can disable Node 6 deprecation warnings by setting up DISABLE_NODE6_DEPRECATION_WARNING agent knob in one of 2 ways:

Set up DISABLE_NODE6_DEPRECATION_WARNING pipeline variable as true
For self-hosted agents - set up environment variable DISABLE_NODE6_DEPRECATION_WARNING as true

Maybe I'm doing the wrong thing but I added the following to my azure-pipelines.yml:

variables:
  DISABLE_NODE6_DEPRECATION_WARNING: 'true'

and I'm still getting the warnings...

Does this not work or am I supposed to put this flag somewhere else? Thanks

[CZEMacLeod]

@ML-Emyode @ByteDev I added the environment variable DISABLE_NODE6_DEPRECATION_WARNING to my build server with the value of true and still get the warnings. (I use a docker version of the vs buildtools and agent running on a windows container) It shows up in the Agent Capabilities screen in Azure DevOps so I would assume that it is detected and working as it should.

[ghost]

Added like the 2nd way to test in my pipeline too , to see it works or not.

In yaml I would add it like this:
variables:

• name: DISABLE_NODE6_DEPRECATION_WARNING value: 'true'

or to here:

[ddran-averydennison]

@attila-szabo1-epam Is it works?

[pinkfloydx33]

It looks like the knob was only added into the agent code yesterday: https://github.com/microsoft/azure-pipelines-agent/commit/f384b2b194b333c99dcd51a7d7ec73115a703675

There's not been a new version of the agent released yet (last release 16 days ago). So it looks like we just need to wait for a new version.

Any idea when that will be?

[ghost]

Nope, warnings still appeared, seems changes does not merged yet to ignore these warnings.

[anatolybolshakov]

Hi everyone, we've merged a fix with an agent knob in PR - to be able to disable warnings - this will be available with the next agent release.

[lvanvugt]

this will be available with the next agent release.

What is the normal time frame for this?

[StingyJack]

@anatolybolshakov - A knob to disable the warnings is not the right solution here. Its an unreasonable burden to ask us to add it to all of our pipelines (my current org has well over 1aK pipelines) just to cut down on a thing we should not be seeing anyway.

We are all complaining about them showing up for MSFT created tasks. Eventually we expect you to do the needful and update your tasks, but since you are well aware that they need to be updated, and there is nothing that we the users can do but complain about this warning and deal with its noise, it would make more sense for you to not warn us by default for every MSFT created task.

[DHowett]

Yes, the core issue is that the currently documented major version and the recommended task for many workloads (such as NuGetCommand@2) is using a deprecated Node runtime.

If customers suppress the warning, what's going to happen is that:

1. They will not notice when the deprecation is complete
2. Their pipelines will spontaneously start failing for tasks Microsoft documented and assured that they could use
3. They will likely move to another CI technology, because if they have to rewrite their pipelines to not use deprecated commands, they might as well choose one that is better-documented and where changes to it are better-communicated.

[CZEMacLeod]

@attila-szabo1-epam I'm really not sure that closing this issue is the right thing here. Both @StingyJack and @DHowett 's comments are very valid. The issue really should be open until all the Microsoft supplied tasks no longer generate a warning. The use of the suppression setting is a burden to consumers, and will result in them (us) not being aware of third-party or internally built tasks which might also have the issue and not knowing to do something about it.

[ghost]

This issue was raised with a question which was answered. Issue closed, if you need a place to cry have your own.

[asears]

Can this issue be reopened or a follow on issue linked? The last comment was unprofessional, hateful and trolling, and agree with @CZEMacLeod and others here.

Comments on the variable fix

The proposed fix is a debugging workaround for the underlying issue that every pipeline in the world using Microsoft-authored tasks, eg. "CopyFiles", "npmAuthenticate" or "Nugetcommand" is getting this warning with no means to fix the underlying issue.

Everyone who wants to ignore it to get a green status pipeline will have to implement the variable workaround, then watch for new versions of extensions to appear, then fix the versions, then remove the variable workaround. Running a pipeline to test the workaround might not be an option in some cases. Everyone monitoring their failing/warning tasks is getting this error and alerts around it.

The warning message was great in terms of visibility to surface the underlying fact that NodeJS extensions are deprecated. That message is now out there. Changes required to implement this change across pipelines and documentation are so much greater than the value of this message running in every single pipeline run on every single affected task.

This variable fix is a temporary feature flag which should be removed when the upgrade is complete. So this work would need to be done twice, for every pipeline?

Proposed interim patch

The warning spamming the logs should be turned off immediately with minimal or no user intervention, as we can see from above sentiment. Don't warn on each run for something that can't be fixed. At least for MS-hosted agent pipelines and extensions.

If the warning can't be turned off, give teams an automated way of opting out.

Provide interim workarounds for each Microsoft-managed extension if there are concerns about older versions of NodeJS in extensions.

Microsoft Docs and sample code need to be updated with the upgraded versions when they are available.

Let users migrate to upgraded versions.

Proposed mitigation ideas

• One option for a fix should be that the Azure Devops interface exposes some message and provides ability to quiet the warning across pipelines for the complete project or organization for a certain timeframe. There is no need to show a warning on each pipeline run for something that cannot be fixed by the end-user and no value to ask the end user to follow up with pipeline extension authors. The authors of extensions should receive a warning in their respective git repos, perhaps with some regular report about how many consumers are affected. Devops Administrators and/or Build Administrators should receive the warning and a list of affected pipelines and tasks in the portal.

• How about actions to upgrade these tasks in the background? The end-user shouldn't have to intervene for a Microsoft-managed Devops extension task upgrade. If there's a problem with the upgrade, there should be some option to pin a different version. I would expect a warning if there's a problem. Going forward with security updates should be automatic?

• Another option to fix could be a dependabot-style PR option to upgrade the task when it's fixed. But again that involves a lot of change tickets and noise. Why not do this security upgrade with minimal intervention?

Call to Action

A warning pipeline is not a green pipeline, and teams should have control of their pipelines to make them green. A Security Advisor & Alerting tool might be a better method to address security issues like this. Different teams could be working on the pipelines and security initiatives, making the ability to implement these debugging variables problematic.

Communicate security messages with urgency, clarity, and with possibilities for actionable mitigation plans.

[asears]

See https://github.com/microsoft/azure-pipelines-tasks/issues/15508 for an open task with WIP info on CopyFiles@2 and PipAuthenticate, and AppCenterDistribute to continue this discussion, as the question above was answered.

It looks pretty straightforward to comment out the warning in the PR which started this, or to automatically enable the debug variable by default. How about doing that instead of holiday log spam, and then letting us know when it's fixed with a pleasant emoji warning in our pipelines to greet us in the new year? It's ok to admit when you are wrong for the right reasons... security vs. convenience and all that.

For those that want to opt into canary warnings about internal Microsoft tasks, that might be a good use of the debug feature flag variable.

[anatolybolshakov]

Hi everyone, just as a quick update - due to issues with increased amount of warnings we are working on disabling of Node 6 warning message for in-the-box tasks and leave warnings only for a custom tasks. We are planning to roll out relevant agent update in the next two days - will keep you posted in the issue.

For Node 6 - we are not going to deprecate previous execution handler until all the relevant supported in-the-box tasks will be migrated to the new Node execution handler, please don't worry about it. The main goal of this warning message is to notify custom extensions owners about upcoming agent update - I agreed that this is a fair point not to display them for the pipeline owners.

[bryceitoc9]

Hi,

Just making sure, do you know how users who are exclusively on legacy Node6 agents will be affected if we upgrade our extension to Node10 exclusively and the user updates the extension from the marketplace? Our team's extension has a few users who fit into this category; I've got a few questions:

• What would happen to users in this scenario: would the jobs break entirely?
  • If it breaks entirely, would the only path forward for them be to uninstall the VSIX and manually install a new VSIX with autoupdates disabled?
• Would Microsoft be able to prevent these customers from updating in the first place?

[github-actions[bot]]

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days

[StingyJack]

Will someone please turn off this stupid bot? It and ones like it are a community cancer.

[github-actions[bot]]

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days

[DHowett]

Stalebot, cut it out. This is not a way to run an opensource community.

[github-actions[bot]]

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days

[CZEMacLeod]

@anatolybolshakov Have the internal tasks been migrated to Node10 yet and is there a date for disabling the old handlers?

[github-actions[bot]]

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days