microsoft / botbuilder-js

Welcome to the Bot Framework SDK for JavaScript repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using JavaScript.
https://github.com/Microsoft/botframework
MIT License
680 stars 276 forks

Need support for Node.js 20 #4550

Closed XiaofuHuang closed 1 month ago

XiaofuHuang commented 12 months ago

Node.js 20 will be designated as the active LTS version as of October 24, 2023. The SDK has a dependency on @azure/msal-node, which appears to be outdated. Running the npm install command results in warnings due to its incompatibility with Node.js 20.

frbayart commented 12 months ago

@ramfattah Any news to support the current nodejs LTS?

oFlo193o commented 11 months ago

Also waiting for Node.js 20 Support...

seanhsmith commented 11 months ago

+1 We were hoping to update our project to node 20 but were limited to node 18 due to this dependency.

oFlo193o commented 10 months ago

Any news on this one @microsoftopensource / or maybe @ceciliaavila?

elovin commented 10 months ago

Apparently there are no breaking changes between @azure/msal-node v1 and v2 aside from the dropped nodejs < 16 support in v2.

So until the dependency is being updated you could just overwrite the dependency globally in package.json

[...]

    "overrides": {
        "@azure/msal-node": "2.6.0"
    },
    "dependencies": {
        "@azure/msal-node": "2.6.0",

[...]

alexnault commented 9 months ago

Are there plans to upgrade to @azure/msal-node v2 and as a result support Node 20?

tracyboehrer commented 9 months ago

@alexnault Yes. But there is a complication. While it's out of support, we still have a healthy number of customers on Node 16. Not good manners to just drop it without a heads up. For the next few releases, the release notes will include a notice about updating to Node 18+. Does elovin's suggestion work for you?

alexnault commented 9 months ago

@tracyboehrer Great to hear that Node 20 support is on the horizon!

I understand that dropping support for Node 16 is a breaking change. To me, this should warrant a major version upgrade (botbuilder@5.0.0) over a notice, like @azure/msal-node did.

Meanwhile, we added overrides to our package.json as @elovin suggested and it does work:

    "overrides": {
        "@azure/msal-node": "^2.6.1"
    }

Cheers!
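
One way to confirm that the overrides workaround took effect, as an added example (not code from this thread or from botbuilder-js): audit the `engines.node` ranges recorded in a lockfile against the Node.js version you plan to run. The function names, the simplified range matcher, the sample lockfile fragments and the `>=16` range for v2 are assumptions for illustration; the `10 || 12 || 14 || 16 || 18` range is the one quoted in the install error further down this thread.

```javascript
// Added example. Simplified engines.node matcher, not the full node-semver grammar:
// supports "||" alternatives of "*", bare "18" / "18.2", ">=X", "<X" and "^X".
const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function comparatorAllows(comp, v) {
  if (comp === '*' || comp === '') return true;
  const m = /^(>=|<|\^)?v?(\d+(?:\.\d+){0,2})$/.exec(comp);
  if (!m) return null; // unsupported syntax: caller reports it for manual review
  const parts = m[2].split('.').map(Number);
  const want = [parts[0], parts[1] || 0, parts[2] || 0];
  const cmp = compare(v, want);
  if (m[1] === '>=') return cmp >= 0;
  if (m[1] === '<') return cmp < 0;
  if (m[1] === '^') return v[0] === want[0] && cmp >= 0; // majors >= 1 only
  return parts.every((n, i) => v[i] === n); // bare "18" means any 18.x.x
}

// true = allowed, false = excluded, null = range uses syntax this sketch skips
function rangeAllows(range, nodeVersion) {
  const v = nodeVersion.replace(/^v/, '').split('.').map(Number);
  let unknown = false;
  for (const alt of range.split('||')) {
    const results = alt.trim().split(/\s+/).map((c) => comparatorAllows(c, v));
    if (results.includes(null)) unknown = true;
    else if (results.every(Boolean)) return true;
  }
  return unknown ? null : false;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
function auditLockfile(lock, nodeVersion) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    const range = pkg.engines && pkg.engines.node;
    if (typeof range !== 'string') continue;
    const allowed = rangeAllows(range, nodeVersion);
    if (allowed !== true) {
      findings.push({ path, version: pkg.version, range,
        status: allowed === null ? 'unparsed' : 'incompatible' });
    }
  }
  return findings;
}

// Constructed lockfile fragments: before and after the override.
const msal = (version, node) => ({ lockfileVersion: 3, packages: {
  'node_modules/@azure/msal-node': { version, engines: { node } } } });
const before = msal('1.18.4', '10 || 12 || 14 || 16 || 18');
const after = msal('2.6.0', '>=16'); // assumed range, per "dropped nodejs < 16"
console.log(auditLockfile(before, '20.9.0'), auditLockfile(after, '20.9.0'));
```

To audit a real project, pass the parsed contents of its package-lock.json to `auditLockfile`; entries reported as `unparsed` use range syntax the simplified matcher does not cover and need a manual look.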

mogadanez commented 8 months ago

Does @azure/msal-node@1.18.4 really not support node 20? Maybe just remove this constraint and allow node 20 in @azure/msal-node@1.18.5?

The engine "node" is incompatible with this module. Expected version "10 || 12 || 14 || 16 || 18".

eitanlevinzon-astrix commented 8 months ago

Hey, what's the status of this? Waiting for this to be implemented for https://github.com/OfficeDev/TeamsFx/issues/10849

davepoon commented 6 months ago

Could you please give us an update on this matter?

Bomret commented 5 months ago

We received an email today that Azure Functions will drop node <18 next year and projects need to update to keep receiving security updates and customer service. Just a heads up for you 😉

Excerpt from the Microsoft email:

Support for Node.js 18 ends on 30 April 2025—upgrade your apps to Node.js 20 

You’re receiving this email because you have one or more Node.js 18 app(s) on Azure Functions.

On 30 April 2025, Node.js 18 will end. Your apps that are hosted on Azure Functions will continue to run, but security updates will no longer be available, and we’ll no longer provide customer service for Node.js 18. Learn more about Azure Functions stack version support.

tracyboehrer commented 5 months ago

Thanks all. This is high priority for us, but we are blocked by another dependency. Working it.

dominykas commented 4 months ago

Outdated dependencies in botbuilder are starting to rack up vulnerabilities, e.g. https://security.snyk.io/vuln/SNYK-JS-AZUREIDENTITY-7246760, https://security.snyk.io/vuln/SNYK-JS-AZUREMSALNODE-7246761 - @azure/identity is two major versions behind, and then there's axios@0.x.

Given that some of these are inside Microsoft, perhaps there could be a way to backport some of the fixes to the older versions, to keep things maintained?

As much as the breaking changes are not necessarily viable for certain customers who are on old versions of Node.js (which is unmaintained for 9 months, mind you), increasing the vulnerability footprint is a problem for other customers, and I'm not sure which one is more important (and dangerous).

dominykas commented 4 months ago

One more vulnerable outdated dependency under botframework-streaming: https://security.snyk.io/vuln/SNYK-JS-WS-7266574