
Upgrade Cube to NodeJS 20

Open spljs opened this issue 3 months ago • 5 comments

Problem

Hello, is it possible to upgrade to Node.js 20?

Additional context

I've tried to run Cube using Node.js 20 and it runs well. But there might be some tests I've missed; I would like to know your opinion about that.

spljs avatar Apr 08 '24 08:04 spljs

Hi @spljs 👋

Could you please provide more context on why you'd like this upgrade? Since you're running Cube in Docker (are you?), does the Node version make much difference?

igorlukanin avatar Apr 08 '24 10:04 igorlukanin

Yes, I'm running Cube in Docker. The reason behind this is that Node.js v20.3/v20.4 included the libuv updates that supported cgroups v2. And so we need to have cgroups v2 support for security reasons.

spljs avatar Apr 08 '24 11:04 spljs

@spljs Oh, this is very interesting! Could you please provide a little bit more context on how you apply cgroups?

As for a potential upgrade to v20, let me add @ovr to the conversation.

igorlukanin avatar Apr 08 '24 11:04 igorlukanin

Initially cgroup is a Linux kernel process, focused on system resource allocation. And cgroupsv2 is an evolution offering a simplified API, an improved resource management system (unified hierarchy, more granular control) and enhanced security, incl. for containers.

And so, cgroupsv2 has been progressively deployed since mid 2023 on cloud providers' environments, including Kubernetes, which we use for our PaaS environments. Thus we want to upgrade in order to prevent outages with any languages, frameworks & libraries that are not compatible.

spljs avatar Apr 08 '24 11:04 spljs

@igorlukanin We have a similar ask. Here's some context for you:

As part of our security and compliance requirements, we do not use versions of nodejs that have reached EOL. Node 16 went EOL in Oct 2023 & node 18 is already in maintenance mode. We have a number of CI systems & processes that check for and enforce our minimum node versions (currently 18, but about to be 20). Having cube lag behind on 16 is a problem, because it makes integrating cube into our engineering processes more challenging. In addition, even though cube is running in a container, node 16 may have active vulnerabilities that have been patched in newer versions, and the nodejs ecosystem generally does not provide support for security fixes, etc. after EOL. I would also add that it is near impossible for anyone to guarantee that they are not affected by vulnerabilities. Docker containers can be vulnerable as well.

We are SOC2 compliant, and I can see that cube is as well. Using unsupported versions of runtimes is generally considered a gap, and should be treated as not being actively compliant, in my opinion.

I, of course, understand that there are many moving pieces and it's not easy to be 100% compliant in all cases, but node 16 is becoming very outdated given that node 22 is targeted to become active this month.

https://nodejs.org/en/about/previous-releases

jineshshah36 avatar Apr 11 '24 18:04 jineshshah36