Version of your agent? 2.171.1
OS of the machine running the agent? Linux (Ubuntu 18.04)
dev.azure.com (formerly visualstudio.com) or on-premises TFS/Azure DevOps Server? dev.azure.com
If dev.azure.com, what is your organization name? https://dev.azure.com/castlightfinancial
The Pipelines Agent setup process installs a version of NodeJS that's no longer in support (6.17.1), is it possible to use the later version (~10) also installed and remove the EOL version?
I'm referring to the node binaries in <agent_install_directory>/externals/node/bin/node.
EDIT: Updated question/request to include @tboehme's suggestion in their comment.
Even more, would it be possible to remove the NodeJS version 6.x (or replace with a newer version), as this is now flagged as a potential vulnerability due to use of no longer maintained software by our enterprise vulnerability scan service.
Looks like duplicate of #2967
@MatkovIvan In a way yes, however #2967 is pushing specifically for a new version without any reference to removal of NodeJS 6.X, whereas this issue here is specifically about removing NodeJS 6.x. I hope that clarifies the differences between the issues.
This would be really helpful for on-premise enterprise installations. Our installation has been flagged by the IT security team citing security issues today. Is it okay to remove the node 6.*?
quick workaround
The agent stops working if node 6.x is removed, but it can be replaced by node 10.x
My workaround
rm -rf /opt/azureAgent/externals/node
ln -s /opt/azureAgent/externals/node10 /opt/azureAgent/externals/node
still under testing but working so far
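A read-only check to run before and after the symlink workaround above, added here as an example (it is not part of the thread or of the agent project): it lists each `externals/node*` directory under an agent root, resolves symlinks, and flags runtimes below a minimum major version. The function name and the minimum-major argument are assumptions; the directory layout is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not the agent's own tooling.
# Usage: audit_agent_node AGENT_ROOT MIN_MAJOR
#   AGENT_ROOT  e.g. /opt/azureAgent (path quoted in the thread)
#   MIN_MAJOR   lowest Node major version you accept (assumption, caller's policy)
# Prints one line per runtime: "<dir> -> <resolved path> <version> <verdict>"
# Returns 1 if any runtime is below MIN_MAJOR or cannot report a version.
audit_agent_node() {
    root=$1
    min_major=$2
    bad=0
    for dir in "$root"/externals/node*; do
        [ -e "$dir" ] || continue
        # Resolve symlinks so a relinked "node" shows its real target.
        real=$(cd "$dir" 2>/dev/null && pwd -P) || real="unresolved"
        bin="$dir/bin/node"
        ver=""
        if [ -x "$bin" ]; then
            ver=$("$bin" --version 2>/dev/null) || ver=""
        fi
        # Version strings look like v6.17.1: drop the "v", keep the major part.
        major=${ver#v}
        major=${major%%.*}
        case $major in
            ''|*[!0-9]*)
                verdict=UNKNOWN; bad=1 ;;
            *)
                if [ "$major" -lt "$min_major" ]; then
                    verdict=EOL; bad=1
                else
                    verdict=OK
                fi ;;
        esac
        printf '%s -> %s %s %s\n' "${dir##*/}" "$real" "${ver:-none}" "$verdict"
    done
    return $bad
}

# Run directly with arguments, e.g.: sh audit.sh /opt/azureAgent 10
if [ "$#" -ge 2 ]; then
    audit_agent_node "$1" "$2"
fi
```

After the workaround, the `node` line should show a resolved path ending in `node10`; a task that still needs Node 6 will then be running on Node 10, so watch pipeline logs for task failures.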
It seems like an easy fix, but it should be done by Microsoft (instead of us operators tinkering about to solve it). So, please Microsoft, could you solve this? Because our security department is breathing down our necks.
@sebaminguez I'm glad it's working for you. We considered something similar but have not yet given it a try.
@edwin-hendriks we've been in touch with the product team via MS support, who are working on the problem but they've advised that it is far from an easy task. We may well be looking at more than a few months for the issue to be finally resolved.
Hi everyone, we are working on this migration currently, but it could take some time to verify that it's working fine since there's a large impact - we will let you know once it's completed. Thank you for your patience!
@anatolybolshakov Any updates? With the whole SolarWinds thing I think security in CI/CD is more important than ever now.
@tero-dev currently most of the pipeline in-the-box tasks are migrated to Node 10, but there are several tasks which still use node 6.
@anatolybolshakov Thanks for the update. Node 10 will be EOL on 2021-4-30. Do you have a process ready for migrating before that date to a newer version?