At the end of October 2016, the Node project stopped official support of version 0.10. At the end of 2016, the project will also stop supporting v0.12. The primary trigger was that the OpenSSL project no longer supports the OpenSSL versions included in Node v0.10 and 0.12. As a result, there will be no more security fixes for OpenSSL in these release lines.
How is LoopBack dealing with these changes?
The situation changed in October, when many LoopBack dependencies started to drop support for old Node versions (versions 0.10 and 0.12). This presented two options:
- Drop support for old Node versions, so that we can keep using the latest version of our dependencies. This is important in order to receive bug and security fixes.
- Keep support for old Node versions and lock down dependency versions to the latest version that still supports these Node versions. Because most npm modules don’t maintain older versions, we would then stop receiving security fixes.
When formulated this way, it’s clear that we have to follow the ecosystem and drop support for old Node versions.
What’s the plan?
First of all, we believe that dropping support for a Node version is a breaking (backwards-incompatible) change that should be released as a semver-major version.
However, because LoopBack 3.0 (the new major version) was still a pre-release version, we decided to make an exception and include the change of supported Node version. This affects the following npm packages:
For all other LoopBack-related packages that IBM/StrongLoop maintain (for example connectors or loopback-boot), we are going to release a new major version, usually 3.0.0 (unless 3.0.0 is already taken; then it will be the next available major version.)
As always, we continue to support Node v0.10 and v0.12 in existing versions (most notably firstname.lastname@example.org) on a best effort basis. Actively, we’ll avoid adding code that does not work on these versions; typically back-porting ES6 constructs from newer LoopBack versions. Having said that, we are not going to lock dependencies. If you are planning to use a Node version that is not covered by the LTS plan, use “npm shrinkwrap” to lock down the dependency versions in your project.
- Run npm outdated –depth 0 in your project to find outdated dependencies and update them to the latest version.
- Read more about Node’s LTS plans in https://github.com/nodejs/LTS
- Learn about the new features coming to LoopBack 3.0 in our Release Candidate announcement.
More than anything, use the LoopBack 3.0 release candidate on npmjs.org and report any issues. LoopBack 3.0 is almost ready for prime-time!