
[NEXT-SECURITY-RELEASE] Heads up on upcoming Node.js security release 2025/12/15

Open marco-ippolito opened this issue 4 weeks ago • 4 comments

As per security release workflow, creating issue to give the build team a heads up.

marco-ippolito avatar Dec 08 '25 17:12 marco-ippolito

@marco-ippolito From when do you need the CI locked down from?

richardlau avatar Dec 08 '25 19:12 richardlau

~I think Wednesday, since we are releasing on Monday and it's 4 lines~

Given we might have to delay due to a pending fix, I'd say Thursday 11th

marco-ippolito avatar Dec 08 '25 19:12 marco-ippolito

Okay, I'll lock down the CI from tomorrow.

richardlau avatar Dec 10 '25 12:12 richardlau

CI is now locked down.

richardlau avatar Dec 11 '25 13:12 richardlau

The security release has been delayed until 7 January 2026.

There has been an ask if we can partially relax the controls on the public Jenkins CI in the meantime to allow CI on non-security related PRs.

Specifically, the ask/proposal was:

  • Allow TSC members to start CI runs.
  • Allow the github-bot to start CI runs.

To recap, we lock down the CI primarily to avoid any potential leakage of the security patches based on the CI runs.

For the first point, TSC members currently do not have permission to start CI during a CI lockdown to avoid tying up the CI and give priority to the people preparing the security release. TSC members already have full access to the HackerOne reports and the private repo hosting the proposed patches, so there is no additional leakage risk here.

For the github-bot, usually it is considered a collaborator (it is a member). Access to the bot account is @nodejs/build-infra, who should already have full access to Jenkins. So I think it should be okay to give the bot permission to start CI runs.

If the above is done, then for the next few weeks CI can be run:

  • by the request-ci label in GitHub
  • by a TSC member

Since general read access would still be restricted, it would be up to TSC members to relay any information from the CI runs (i.e. failures).

@nodejs/build If I don't hear any objections/concerns with the plan I'll go ahead either Thursday or Friday.

richardlau avatar Dec 17 '25 18:12 richardlau

Just an observer's perspective, but might it be better to keep the request-ci workflow disabled, and have manual runs only?

I'm just thinking that releasing a couple of dozen PRs into the CI pipeline simultaneously (almost all of which are inevitably going to need resuming for flakes at least once) is going to put a lot of burden on TSC members, particularly given the time of year. If kept manual-only, then any members who wish to volunteer themselves to "take ownership" of a particular PR's CI run can do so, without wasting runner time on jobs that no-one ends up following up and need to be fully re-run at a later date.

Renegade334 avatar Dec 19 '25 03:12 Renegade334