@shadowspawn
Collaborator

Problem

In particular:

  • mixing security policy and releases policy
  • no explicit EOL date for old versions

See #2455 for detailed background.

Solution

Create a new Release Policy document with detail about release versioning, cadence, version status, and EOL dates.

ChangeLog

  • add new Release Policy documentation

@shadowspawn
Collaborator Author

shadowspawn commented Dec 6, 2025

I had another look at the package-support.json schema. It does allow versions with expiry dates, but I don't see a way to specify doing security-only updates for a version.

https://github.com/nodejs/package-maintenance/blob/main/docs/PACKAGE-SUPPORT.md

The package-support.json file does not appear to have been adopted much, although it is not the only way of specifying the support info. This search gets 32 hits, two of which are for embedded versions of Commander!

https://github.com/search?q=path%3Apackage-support.json&type=code

I am tempted to delete the file! The new document covers similar material in a human-readable way, so it is more accessible (since there is not widespread tooling supporting package-support.json).

shadowspawn marked this pull request as ready for review December 6, 2025 22:57
@shadowspawn
Collaborator Author

This PR proposes bumping up the support for old releases from 6 months to 12 months to give users who want to stay on a supported version more time to upgrade. The commitment means more versions to backport for a CVE.

Comparing current situation with our past policies, as of today.

Proposed, 1 year. Two old versions. Oldest Node.js is 18 for 12.x (and 13.x).

| Version | First Release | Release Note | Status | End of life |
| --- | --- | --- | --- | --- |
| 14.x | 2025-05-18 | 14.0.0 | current | |
| 13.x | 2024-12-30 | 13.0.0 | maintenance | 2026-05-18 |
| 12.x | 2024-02-03 | 12.0.0 | maintenance | 2025-12-30 |

Current version and previous (#2150, #1004). One old version. Oldest Node.js is 18.

| Version | First Release | Release Note | Status | End of life |
| --- | --- | --- | --- | --- |
| 14.x | 2025-05-18 | 14.0.0 | current | |
| 13.x | 2024-12-30 | 13.0.0 | maintenance | ? |

Six month support (#1114). Zero old versions.

| Version | First Release | Release Note | Status | End of life |
| --- | --- | --- | --- | --- |
| 14.x | 2025-05-18 | 14.0.0 | current | |
| 13.x | 2024-12-30 | 13.0.0 | maintenance | 2025-11-18 passed |
