Skip to content

Limit Node.js version resolved when a wide range is used #1498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Limit Node.js version resolved when a wide range is used #1498

wants to merge 11 commits into from
+404 −32

Conversation

@colincasey
Copy link
Contributor

@colincasey colincasey commented Oct 29, 2025
edited
Loading

Updates the Node.js version resolver with the following features:

  • detect when a wide version range is in use
  • limit the resolved version to the latest LTS unless a higher version is explicitly requested
  • output the resolved data as JSON so that it's easier to understand

This allows the buildpack to output:

  • a warning if a wide version range is used
  • a warning if the LTS version limit had to be enforced

W-20075501

@colincasey
Limit Node.js version range on resolve
930011c 
Updates the Node.js version resolver with the following features:
- detect when a wide version range is in use
- limit the resolved version to the latest LTS unless a higher version is explicitly requested
- output the resolved data as JSON so that it's easier to understand
@colincasey
Run tests whenever the resolve binary is built
c86da14 
This is a sanity check since rebuilding the binary after making changes is a manual process. This will ensure that the binary can't be updated if there are failing tests.
@colincasey
Update Node.js version resolver binary
624b225
@colincasey
Update install process to emit warnings about resolve status
6700d62 
The install process is updated to:
- read the new JSON output from the Node.js version resolver binary
- emit a warning if a wide version range is used
- emit a warning if the LTS version limit had to be enforced
@colincasey
Update CHANGELOG.md
7e0ae1c
@colincasey colincasey self-assigned this Oct 29, 2025
@colincasey colincasey requested a review from a team as a code owner October 29, 2025 19:36
schneems
schneems approved these changes Nov 20, 2025
View reviewed changes
Copy link
Contributor

@schneems schneems left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made some suggestions, see comments.

lib/binaries.sh
if [[ "$uses_wide_range" == "true" ]]; then
echo "! The requested Node.js version is using a wide range ($requested_version) that can resolve to a major version"
echo " you may not expect. Limiting the requested range to a major range like \`24.x\` is recommended."
echo " https://devcenter.heroku.com/articles/nodejs-support#specifying-a-node-js-version"
Copy link
Contributor

@schneems schneems Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devcenter suggestion: The link says what to do:

Because Node does regular security releases on all supported major versions, we recommend specifying a major range to get security updates automatically, for example, 22.x.

But it never says what not to do. I reccomend we add a counter recommendation something like "We recommend against using wide version ranges such as >= 22 and instead recommend sticking to a version that cannot resolve to a higher major version such as 22.x

resolve-version/src/main.rs

#[test]
fn resolve_version_when_wide_range_is_used_and_explicitly_requesting_range_beyond_lts() {
let wide_requirement = Requirement::from_str(">=25.x").unwrap();
Copy link
Contributor

@schneems schneems Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optional suggestion: When you change the constant to make the LTS version 24, all of these will start failing.

My suggestion would be:

  • Inject the maximum version into the function instead of using a constant, possibly using a bon builder to make it the default. Then the tests can stay static even if the default changes or
  • Generate the number "25" based on the constant (or hardcode a new constant) and use format! in these tests.

lib/binaries.sh

if [[ "$uses_wide_range" == "true" ]]; then
echo "! The requested Node.js version is using a wide range ($requested_version) that can resolve to a major version"
echo " you may not expect. Limiting the requested range to a major range like \`24.x\` is recommended."
Copy link
Contributor

@schneems schneems Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optional suggestion: Instead of hard-coding 24.x you can return that value from rust so when you update the value in your main.rs it's updated here as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@schneems schneems schneems approved these changes

Assignees

@colincasey colincasey

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@colincasey @schneems