Bug 263590 - www/node: update www/node (vulnerabilities)
Summary: www/node: update www/node (vulnerabilities)
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Bradley T. Hughes
Depends on:
Reported: 2022-04-26 15:54 UTC by John Hein
Modified: 2022-05-23 10:27 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (bhughes)


Note You need to log in before you can comment on or make changes to this bug.
Description John Hein 2022-04-26 15:54:28 UTC
node17 has documented (vuxml) vulnerabilities < 17.3.1.  The current version in www/node is 17.0.1.  I don't know what this should be updated to.  I think I would try 17.3.1 first, but I don't have a particularly good reason for that.  But the "latest" is 18.0.0 (after progressive releases in the last few months that look like they were marching toward 18.0.0 - 17.4.0, 17.5.0, ..., 17.9,0).
Comment 1 John Hein 2022-05-13 23:39:32 UTC
p.s. If you are here because www/node was installed in order to build firefox, try installing www/node16 instead.  That's the "stable" version of node at this time, and it seems to build www/firefox-esr just fine.
Comment 2 Prisma 2022-05-15 11:18:42 UTC
It seems the maintainer is not active anymore on the Node ports. Till Oct 2021 he regularly updated every node tree. But then no more.
I tried to compile newer versions on my own, but that always fails. I'm not skilled enough for that deeper technical internals.
What will be the future of FreeBSD and Node.JS? Is there a procedure to get a new maintainer care about Node.JS if the current one remains being inactive?