
Update Node to 18.20.4 in windows-2022 image

Open xinyi-joffre opened this issue 1 year ago • 2 comments

Tool name

Node

Tool license

N/A

Add or update?

  • [ ] Add
  • [X] Update

Desired version

18.20.4

Approximate size

No response

Brief description of tool

Is there an ETA for when node will be upgraded to 18.20.4 in the windows-2022 image?

We are getting alerts of vulnerabilities in 18.20.3 that were patched back on July 8 by Node: https://github.com/nodejs/node/releases/tag/v18.20.4. Thank you!

URL for tool's homepage

No response

Provide a basic test case to validate the tool's functionality.

No response

Platforms where you need the tool

  • [X] Azure DevOps
  • [ ] GitHub Actions

Runner images where you need the tool

  • [ ] Ubuntu 20.04
  • [ ] Ubuntu 22.04
  • [ ] Ubuntu 24.04
  • [ ] macOS 12
  • [ ] macOS 13
  • [ ] macOS 13 Arm64
  • [ ] macOS 14
  • [ ] macOS 14 Arm64
  • [ ] Windows Server 2019
  • [X] Windows Server 2022

Can this tool be installed during the build?

No response

Tool installation time in runtime

No response

Are you willing to submit a PR?

No response

xinyi-joffre, Sep 11 '24 18:09

@xinyi-joffre Thank you for bringing this issue to us. We are looking into this issue and will update you on this issue after investigating.

RaviAkshintala, Sep 11 '24 20:09

Hi @xinyi-joffre

  1. The Choco packages do not have a version 18.20.4; the latest version in that series is 18.20.3, which is followed directly by 19.0.0. Kindly refer to the link.
  2. In the README file, 18.20.3 is listed for Windows images because the 18 series is the default, indicating that 18.20.3 is the most recent version within that series.

RaviAkshintala, Sep 24 '24 11:09

Hi, there is version 18.20.5 now available via Chocolatey, released on November 14. Also, I would say if Chocolatey doesn't serve the latest version of the software, that doesn't mean the software doesn't exist. We should not be putting our tools down. Other installation methods should be explored, otherwise we risk vulnerabilities being present in the image, e.g. in this case CVE-2024-36138.

angaaruriakhil, Nov 18 '24 16:11

Hello @xinyi-joffre, I believe this issue is no longer relevant as the image has an updated version. We have rewritten the installation script and are no longer dependent on Chocolatey.

If you have any other questions, feel free to reach out to us.

Alexey-Ayupov, Dec 04 '24 14:12