by Sam Roberts Published March 5, 2019
Node.js 11.x has been updated to OpenSSL 1.1.1a from 1.1.0, and an update in Node.js 10.x is expected soon. Why did we move forward with this change? It was important to pull in OpenSSL 1.1.1 because, without an update of OpenSSL in Node.js 10.x, it would be difficult to stick to the standard long-term support (LTS) lifecycle with 30 months of support.
This blog post discusses the unusual situation we are in with respect to conflicting OpenSSL and Node.js LTS policies, and how we plan to resolve it.
Node.js depends on some major projects, such as V8 and OpenSSL. These projects have their own maintenance and release schedules, particularly with respect to LTS support. The Node.js project can’t take on support for all its dependencies. This means we need to depend on the support provided by the communities building those dependencies. In turn, this sets some limits on what we can do.
The OpenSSL policy states that:
OpenSSL 1.0.2 is supported longer than OpenSSL 1.1.0 because it was designated an LTS release, and got 5 years of support.
The Node.js policy states that:
The versions of OpenSSL in the LTS branches are currently:
You can see that the end-of-life date for Node.js 8.x is unusual. It would normally have been end-of-life on 2020-04-31, but we had to cut that short because OpenSSL 1.0.2 will not be supported that long. We only cut it short by four months, so we hope it has a limited impact on the community.
You can also see that Node.js 10.x is supposed to be end-of-life on 2021-04-31, but it uses OpenSSL 1.1.0, which is end-of-life on 2019-09-11. This is a year and a half earlier than we want, and much more serious than the situation with Node.js 8.x.
Don’t worry; we have a plan.
While it isn’t listed above, OpenSSL 1.1.1 is expected to be designated an LTS release before the end of 2019, which will mean it will get 5 years of support. It is also both API and ABI compatible with OpenSSL 1.1.0. Our plan is to upgrade Node.js 10.x from OpenSSL 1.1.0 to 1.1.1. The expected release date for this is the 2019-04 semver-minor update to Node.js 10.x.
We wouldn’t normally make such a major update to an important dependency like OpenSSL during an LTS period, but we don’t have much choice in this case. It’s the best option for both our consumers and the Node.js project itself.
Node.js was updated to OpenSSL 1.1.1 in 11.9.0, well into the 11.x lifetime, and we have so far had no reports of issues. This makes us confident that the update in 10.x will also go mostly unnoticed.
The LTS policy isn’t the only reason that OpenSSL 1.1.1 is strategically important. There are a number of other reasons, including:
Getting OpenSSL 1.1.1 landed was a lot of work, but it was quite interesting and was a good way to ramp up on the integration of OpenSSL in Node.js. I’m looking forward to helping out more on the OpenSSL front in the Node.js project going forward.