The security release process covers the steps required to plan/implement a security release. This document is copied into the description of the Next Security Release and used to track progress on the release. It contains TEXT LIKE THIS which will be replaced during the release process with the information described.
For each security release, a security steward will take ownership for coordinating the steps outlined in this process. Security stewards are nominated through an issue in the TSC repository and approved through the regular TSC consensus process. Once approved, they are given access to all of the resources needed to carry out the steps listed in the process as outlined in security steward on/off boarding.
The current security stewards are documented in the main Node.js README.md.
| Company    | Person   | Release Date |
| ---------- | -------- | ------------ |
| NearForm   | Matteo   | 2021-Oct-12  |
| Datadog    | Bryan    | 2022-Jan-10  |
| RH and IBM | Joe      |              |
| NearForm   | Matteo   |              |
| Datadog    | Vladimir |              |
| RH and IBM | Michael  |              |
* [ ] Open an issue titled `Next Security Release`, and put this checklist in the description.
* [ ] Get agreement on the list of vulnerabilities to be addressed:
* [ ] PR release announcements in private:
  * Credit the reporter with the text "Thank you to <name> for reporting this vulnerability."
* [ ] Get agreement on the planned date for the release: RELEASE DATE
* [ ] Get release team volunteers for all affected lines:
* [ ] Verify that GitHub Actions are working as normal: <https://www.githubstatus.com/>.
* [ ] Check that all vulnerabilities are ready for release integration:
  * The fixes pass `make test`.
* [ ] Pre-release announcement to nodejs.org blog: LINK TO BLOG (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to nodejs/nodejs.org)
  If the security release will only contain an OpenSSL update, consider adding the following to the pre-release announcement:

  ```text
  Since this security release will only include updates for OpenSSL, if you're using a Node.js version which is part of a distribution which uses a system installed OpenSSL, this Node.js security update might not concern you. You may instead need to update your system OpenSSL libraries; please check the security announcements for the distribution.
  ```
* [ ] Pre-release announcement email: LINK TO EMAIL

  ```text
  Node.js security updates for all active release lines, Month Year

  The Node.js project will release new versions of all supported release lines on or shortly after Day of week, Month Day of Month, Year
  For more information see: https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
  ```

  (Get access from an existing manager: Matteo Collina, Rod Vagg, Michael Dawson, Bryan English, Vladimir de Turckheim)
* [ ] CC oss-security@lists.openwall.com on the pre-release announcement.
  The Google Groups UI does not support adding a CC; until we figure out a better way, forward the email you receive to oss-security@lists.openwall.com as a CC.
* [ ] Create a new issue in nodejs/tweet

  ```text
  Security release pre-alert:

  We will release new versions of <add versions> release lines on or shortly after Day Month Date, Year in order to address:

  - # high severity issues
  - # moderate severity issues

  https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
  ```
* [ ] Request releaser(s) to start integrating the PRs to be released.
* [ ] Notify docker-node of the upcoming security release date: LINK

  ```text
  Heads up of Node.js security releases Day Month Year

  As per the Node.js security release process this is the FYI that there is going to be a security release Day Month Year
  ```

* [ ] Notify build-wg of the upcoming security release date by opening an issue in nodejs/build to request that WG members are available to fix any CI issues.

  ```text
  Heads up of Node.js security releases Day Month Year

  As per the security release process this is a heads up that there will be security releases Day Month Year and we'll need people from build to lock/unlock CI and to support any build issues we see.
  ```
* [ ] Lock CI
* [ ] The releaser(s) run the release process to completion.
* [ ] Unlock CI
* [ ] Post-release announcement to nodejs.org blog: LINK TO BLOG POST
* [ ] Post-release announcement in reply email: LINK TO EMAIL
  * CC: oss-security@lists.openwall.com
  * Subject: Node.js security updates for all active release lines, Month Year
  * Body:

  ```text
  The Node.js project has now released new versions of all supported release lines.
  For more information see: https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
  ```
* [ ] Create a new issue in nodejs/tweet

  ```text
  Security release: New security releases are now available for versions <add versions> of Node.js.

  https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
  ```
* [ ] Comment in the docker-node issue that the release is ready for integration. The docker-node team will build and release docker image updates.
* [ ] For every H1 report resolved:
* [ ] PR machine-readable JSON descriptions of the vulnerabilities to the core vulnerability DB. LINK TO PR
  * To add a `#.json` file, copy an existing json file, increment the latest created file number and use that as the name of the new file to be added. For example, `79.json`.
* [ ] Close this issue
* [ ] Make sure the PRs for the vulnerabilities are closed.
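For the step above that adds a numbered `#.json` entry, the following shell helper is an added example (not part of this process document or the security-wg's own tooling): it finds the highest-numbered entry in the directory you pass (assumed here to be `vuln/core`, with entries named only by number) and copies that entry as `<N+1>.json` so it can be edited for the new vulnerability.

```shell
#!/bin/sh
# Added helper for the "add a #.json file" step. Not part of the security-wg
# repository; assumes entries in the given directory (e.g. vuln/core) are
# named <number>.json as the process describes.
set -eu

# Print the highest number used by an <N>.json entry in DIR, or 0 if none.
latest_vuln_id() {
  dir=$1
  max=0
  for f in "$dir"/*.json; do
    [ -e "$f" ] || continue            # unmatched glob: no .json files at all
    name=$(basename "$f" .json)
    case "$name" in
      0|[1-9]|[1-9][0-9]*) ;;          # plain decimal number, no leading zeros
      *) continue ;;                   # ignore e.g. index.json or schema.json
    esac
    if [ "$name" -gt "$max" ]; then
      max=$name
    fi
  done
  printf '%s\n' "$max"
}

# Copy the latest entry to <latest+1>.json as the template for the new
# vulnerability and print the new file's path. Fails when DIR holds no entry
# to copy from, since the process relies on copying an existing json file.
add_vuln_entry() {
  dir=$1
  latest=$(latest_vuln_id "$dir")
  if [ "$latest" -eq 0 ]; then
    echo "no existing <N>.json entry to copy in $dir" >&2
    return 1
  fi
  next=$((latest + 1))
  cp "$dir/$latest.json" "$dir/$next.json"
  printf '%s\n' "$dir/$next.json"
}
```

Run it as `add_vuln_entry vuln/core` from a security-wg checkout; the printed file still has the previous entry's contents and must be edited before the PR is opened.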