nodejs / security-wg

Node.js Ecosystem Security Working Group
MIT License

Add a warning on EOL versions #1401

Open RafaelGSS opened 3 days ago

RafaelGSS commented 3 days ago

I was talking with @marco-ippolito and we were discussing having ways for people to know when they are using an insecure version of Node.js. Instead of having a flag (https://github.com/nodejs/security-wg/issues/852), what if we release a patch version after one or two months of EOL alerting users they are using an EOL version?

I mean, if they pin the version and don't get the last release, they won't see the warning, but I assume it will affect most users. We could try to do it for non-LTS versions first, and then we expand the coverage to all EOL versions (starting this year, of course).

cc: @nodejs/security-wg @nodejs/tsc
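One way the startup warning described in this proposal could look, as an added example written for this page (it is not code from the thread or from Node.js itself; the EOL schedule, the 60-day grace period and the warning code `NODE_EOL_WARNING` are assumptions):

```javascript
// Constructed sample schedule (major -> end-of-life date); illustrative only,
// the authoritative dates are in the official Node.js release schedule.
const SAMPLE_EOL_SCHEDULE = {
  16: '2023-09-11',
  17: '2022-06-01',
  18: '2025-04-30',
  19: '2023-06-01',
  20: '2026-04-30',
};

// Extract the major version from strings such as "v20.11.1" or "18.0.0".
function parseMajor(version) {
  const m = /^v?(\d+)\./.exec(version);
  if (!m) throw new TypeError(`unrecognised version string: ${version}`);
  return Number(m[1]);
}

// Decide whether `version` has been EOL for more than `graceDays` days.
// Returns a plain object so the decision can be inspected and tested.
function eolStatus(version, schedule, now, graceDays) {
  const major = parseMajor(version);
  const eolDate = schedule[major] ? new Date(`${schedule[major]}T00:00:00Z`) : null;
  if (!eolDate) return { major, eol: null, pastEol: false, daysPastEol: 0 };
  const daysPastEol = Math.floor((now.getTime() - eolDate.getTime()) / 86_400_000);
  return { major, eol: eolDate, pastEol: daysPastEol > graceDays, daysPastEol };
}

// Emit a process warning when the running release line is past EOL plus grace.
// 'NODE_EOL_WARNING' is an assumed warning code, not one Node.js defines.
function warnIfEol(version = process.version, schedule = SAMPLE_EOL_SCHEDULE,
                   now = new Date(), graceDays = 60) {
  const status = eolStatus(version, schedule, now, graceDays);
  if (status.pastEol) {
    const eolDay = status.eol.toISOString().slice(0, 10);
    process.emitWarning(
      `Node.js ${status.major}.x reached end-of-life on ${eolDay} and no longer ` +
      'receives security fixes; upgrade to a supported release line.',
      { type: 'SecurityWarning', code: 'NODE_EOL_WARNING' },
    );
  }
  return status;
}

// Demonstration on a constructed input: a v16 process observed in January 2024
// prints the warning to stderr; a supported version is silent.
warnIfEol('v16.20.2', SAMPLE_EOL_SCHEDULE, new Date('2024-01-15T00:00:00Z'));
warnIfEol('v20.11.1', SAMPLE_EOL_SCHEDULE, new Date('2024-01-15T00:00:00Z'));
```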

mhdawson commented 2 days ago

@RafaelGSS as you mentioned if they pin they won't get a warning.

If instead we published a CVE indicating the release was EOL, they would get it if they are running CVE scans. I suspect this would be a more reliable way of having it be recognized as a risk.

marco-ippolito commented 2 days ago

The CVE could be for weakness CWE-1104 or CWE-1329, which would make sense.

RafaelGSS commented 2 days ago

I think we could do both, issue a single CVE alerting EOL (after a sec release) and create a patch release with a warning?

mhdawson commented 2 days ago

I think doing both makes sense to me, provided we have a volunteer to do the patch release (as I think that's more work than doing the CVE).

mhdawson commented 2 days ago

In terms of the CVEs, I think I prefer CWE-1104 as it is possible to update Node.js, you just need to move to a later major, so CWE-1329 does not seem like as good a fit to me.