Bug: arm(hf/64) docker-slave containers are using old nodejs versions via a deprecated install script #24516

@nate-nexthop

Is it platform specific

generic

Importance or Severity

Critical

Description of the bug

In the Dockerfiles for the sonic-slave containers (stretch - bookworm, removed in trixie), nodejs is installed (or attempted to be installed, for Bookworm) via a third-party APT repo, configured by a curl | bash script. This is only used for non-AMD64 builds, but I don't know why.

{% if CONFIGURED_ARCH != "amd64" -%}
# Install node.js for azure pipeline
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install -y nodejs

# Tell azure pipeline to use node.js in the docker
LABEL "com.azure.dev.pipelines.agent.handler.node.path"="/usr/bin/node"
{% endif -%}

Originally added here:
0b0da87

For bookworm, the script version was updated to NodeJS 14; however, even that is deprecated. Bookworm also has NodeJS 18 already in its repos, so we don't need to try to install an older version.
RUN curl -sL https://deb.nodesource.com/setup_14.x | bash -

This script has been deprecated by its maintainer, which results in showing these warnings and delaying the container build by 20 + 60 seconds:

================================================================================

                              DEPRECATION WARNING

  Node.js 14.x is no longer actively supported!

  You will not receive security or critical stability updates for this version.

  You should migrate to a supported version of Node.js as soon as possible.
  Use the installation script that corresponds to the version of Node.js you
  wish to install. e.g.

   * https://deb.nodesource.com/setup_16.x — Node.js 16 "Gallium"
   * https://deb.nodesource.com/setup_18.x — Node.js 18 LTS "Hydrogen" (recommended)
   * https://deb.nodesource.com/setup_19.x — Node.js 19 "Nineteen"
   * https://deb.nodesource.com/setup_20.x — Node.js 20 "Iron" (current)

  Please see https://github.com/nodejs/Release for details about which
  version may be appropriate for you.

  The NodeSource Node.js distributions repository contains
  information both about supported versions of Node.js and supported Linux
  distributions. To learn more about usage, see the repository:
    https://github.com/nodesource/distributions

================================================================================
================================================================================

Continuing in 20 seconds ...


================================================================================
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
================================================================================

                           SCRIPT DEPRECATION WARNING


  This script, located at https://deb.nodesource.com/setup_X, used to
  install Node.js is deprecated now and will eventually be made inactive.

  Please visit the NodeSource distributions Github and follow the
  instructions to migrate your repo.
  https://github.com/nodesource/distributions

  The NodeSource Node.js Linux distributions GitHub repository contains
  information about which versions of Node.js and which Linux distributions
  are supported and how to install it.
  https://github.com/nodesource/distributions


                          SCRIPT DEPRECATION WARNING

================================================================================
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
================================================================================
TO AVOID THIS WAIT MIGRATE THE SCRIPT
Continuing in 60 seconds (press Ctrl-C to abort) ...

Note that even after we use this script on Bookworm, it only provides older package versions than the Debian repos, so we end up with the same version we would have had without this script.

Steps to Reproduce

make configure PLATFORM= PLATFORM_ARCH=arm64

Actual Behavior and Expected Behavior

We shouldn't be attempting to use node 14; it's been EOL for 5 years, since April 2020.

We probably also shouldn't be using a random third-party script to curl | bash install third-party repos for node; there's a software supply chain issue, plus the fact that this build step completely breaks reproducible builds.

We should just install node from the Debian sources available for modern releases, or remove this installation completely.

Relevant log output

Output of show version, show techsupport

Attach files (if any)

No response
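
One way to catch the pattern this issue describes during review, as an added example that is not part of the original issue or the project's code: a small Python check that flags Dockerfile `RUN` steps piping a download straight into a shell, including Jinja-templated Dockerfiles and backslash-continued lines. The function names and the `example.invalid` lines in the sample are constructed for illustration; only the first five sample lines come from the issue.

```python
import re

# A download tool whose output is piped into a shell (optionally through sudo).
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|;&]*\|\s*(?:sudo\s+(?:-\S+\s+)*)?(?:/\S*/)?(bash|sh|zsh|dash)\b")
URL = re.compile(r"https?://[^\s\"'|]+")

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations folded together."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)

def find_pipe_to_shell(text):
    """Return (line, tool, shell, url) for each RUN step that pipes a download to a shell."""
    findings = []
    for no, line in logical_lines(text):
        step = line.strip()
        # Skip comments, Jinja control lines and every instruction other than RUN.
        if not re.match(r"(?i)run\b", step):
            continue
        hit = PIPE_TO_SHELL.search(step)
        if hit:
            url = URL.search(step)
            findings.append((no, hit.group(1), hit.group(2), url.group(0) if url else None))
    return findings

# Lines 1-5 are from the issue; lines 6-8 are constructed test input.
SAMPLE = """\
{% if CONFIGURED_ARCH != "amd64" -%}
# Install node.js for azure pipeline
RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
RUN apt-get install -y nodejs
{% endif -%}
RUN apt-get update && curl -fsSL https://example.invalid/install.sh \\
    | sh
RUN curl -fsSL https://example.invalid/key.asc | gpg --dearmor -o /tmp/key.gpg
"""

if __name__ == "__main__":
    for finding in find_pipe_to_shell(SAMPLE):
        print("line %d: %s piped to %s from %s" % finding)
```

The check reports the step at line 3 and the continued step starting at line 6, and leaves the pipe into `gpg` alone because the download is not executed.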
