Hi,
to answer your question: no, we're not backporting, the 0.x releases has
been unsupported by upstream for months.
Dropping packages was the plan, but there are/were still some packages that
depend on node, so we let it just sit there.
Unfortunately we're not able to update to a newer version either (and el7
is now stuck on v6 too).
My advice is to use software collections[0] which now provide v6 for el6.
Regards
Zuzka
[0]
https://wiki.centos.org/AdditionalResources/Repositories/SCL
On Mon, Jul 31, 2017 at 11:38 PM, Jeff Hickson <jeff(a)vmfarms.com> wrote:
Hello all,
First, I hope I'm posting this in the right place. I did a good deal of
looking, and here seemed like the best place.
I've done some significant looking through various sources of information,
including asking on IRC, though I wasn't able to find any real direct
answers to my question.
The best I could find was a link to
https://fedoramagazine.org/
node-js-6-x-lts-coming-epel-7/ which stated that for EL7, nodejs-0.10 was
being just changed to 6.x. This doesn't explicitly say anything about EL6
though, which brings me to the actual question.
Since CVE-2017-11499 covers pretty much every version of NodeJS ( source:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/ ) I
was wondering if the fix was going to be backported, or if the
NodeJS-0.10 (and 0.12) line was going to be completely dropped, with
removal of the packages from the repo, or something else entirely?
I'm more just hoping to find a more official word on the plans for this. I
can look through Koji and see that it's been untouched since October last
year, and I can look through mailing list posts for the last 12 months, but
I can't really find anything stating the plans for the package.
Cheers,
_______________________________________________
nodejs mailing list -- nodejs(a)lists.fedoraproject.org
To unsubscribe send an email to nodejs-leave(a)lists.fedoraproject.org