build-image
Warn against specifying minor/patch version numbers in custom Node.js versions.
Background
Sites can specify a custom Node.js version by using a .nvmrc file, .node_version file or NODE_VERSION environment variable.
Problem
Specifying the minor/patch version number for Node.js is a bad pattern since:
- It prevents sites from receiving security fixes
- Node.js respects semantic versioning faithfully, i.e. never introduces breaking changes in minor/patch releases
According to the following list of the Node.js versions used in the last 7 days, per build, this would impact 18% of builds.
Solution
We should print a log message in the build logs when this happens. The log message should warn but have no colors.
We should only do so when the site uses a custom Node.js version, as opposed to using the default Node.js version. The default Node.js is currently 12.18.0 but could differ depending on when the repository was linked, so we should not use the Node.js version value to determine whether the Node.js version has been customized.
First part at https://github.com/netlify/build-image/pull/757
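
One way to implement the warning described above, as an added example that is not part of the original issue or of the build-image code. The function names are hypothetical, and it checks every source named in the Background section rather than assuming which one takes precedence.

```shell
# Added example. Detects customization by looking at where the version
# comes from, never by comparing the value against the default version.

# Returns 0 when the value pins MAJOR.MINOR or MAJOR.MINOR.PATCH.
is_pinned_version() {
  v=${1#v}                            # nvm accepts a leading "v"
  case $v in
    ''|*[!0-9.]*) return 1 ;;         # empty, or an alias such as lts/* or node
    *.*.*.*|.*|*.|*..*) return 1 ;;   # malformed, not a version number
    *.*) return 0 ;;                  # minor (and possibly patch) is pinned
    *) return 1 ;;                    # major only: still receives fixes
  esac
}

# Plain-text warning: no ANSI color codes, as the issue requests.
print_pin_warning() {
  major=${2#v}
  major=${major%%.*}
  printf 'Warning: %s pins Node.js %s. ' "$1" "$2"
  printf 'Pinning the minor/patch version prevents the site from receiving '
  printf 'security fixes; consider "%s" instead.\n' "$major"
}

# Usage: warn_pinned_node_version [repository directory]
warn_pinned_node_version() {
  repo_dir=${1:-.}
  if [ -n "${NODE_VERSION:-}" ] && is_pinned_version "$NODE_VERSION"; then
    print_pin_warning "NODE_VERSION environment variable" "$NODE_VERSION"
  fi
  for file in .nvmrc .node_version; do
    [ -f "$repo_dir/$file" ] || continue
    # Only the first line matters; drop spaces, tabs and carriage returns.
    version=$(head -n 1 "$repo_dir/$file" | tr -d ' \t\r')
    if is_pinned_version "$version"; then
      print_pin_warning "$file" "$version"
    fi
  done
  return 0
}
```

A site that sets no custom version produces no output, whatever the default Node.js version is at the time.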