According to https://nodejs.org/en/about/previous-releases, v20.x is supported until next year. How about we stabilize 20.19.1 and adjust the glsa? Thanks
Unfortunately this is not possible since all nodejs versions have the same slot, and the GLSA system does not support subslots or compound version identifiers (e.g. ( =nodejs-20* >nodejs-20.1 )) to make this work better. :-( Perhaps sam or ajak know about a workaround for this but I don't think we can do better with the current system.
We can try to do as we did before in https://security.gentoo.org/glsa/202405-29 but I don't think that will really help glsa-check. It may help some external consumers of tools..
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3b60128583dc9a401386f97b6f98c90fc96838e6

commit 3b60128583dc9a401386f97b6f98c90fc96838e6
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2025-05-17 09:18:17 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-05-17 09:18:17 +0000

    Add version information for older slots

    This is a cosmetic change only.

    Bug: https://bugs.gentoo.org/955981
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202505-11.xml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(In reply to Sam James from comment #2)
> We can try to do as we did before in https://security.gentoo.org/glsa/202405-29
> but I don't think that will really help glsa-check. It may help some
> external consumers of tools..

I've added the information for the older slots, but this really is a cosmetic change only. Any tool that falls for this in reporting vulnerable versions should be fixed :-/

I've reopened the bug as well, in case people are interested in tackling this more structurally.

One thing I've noticed is that our GLSA XML format is not versioned. Not sure what a best practice is for XML but this might be a good first step if we want to change how versions are represented.
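
The limitation discussed in this thread, as an added illustration that is not part of any comment and is not Gentoo's glsa-check code: a single package-wide threshold reports a patched 20.x install as vulnerable, while a per-release-line rule does not. Every threshold except 20.19.1 is constructed, 20.19.1 is assumed to carry the fix, and all function names are hypothetical.

```python
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse(v: str) -> Version:
    """Parse a plain dotted version such as '20.19.1' (no revisions or suffixes)."""
    return tuple(int(p) for p in v.split("."))


# Flat model: one "unaffected >= X" threshold for the whole package, which is
# all a single-slot package can express according to the thread.
FLAT_UNAFFECTED_GE = parse("22.1.0")  # constructed value, not from the GLSA

# Compound model: one fixed version per release line, in the spirit of the
# "( =nodejs-20* >nodejs-20.1 )" identifier the thread says is unsupported.
FIXED_PER_LINE: Dict[int, Version] = {
    20: parse("20.19.1"),  # named in the thread; assumed here to carry the fix
    22: parse("22.1.0"),   # constructed value, not from the GLSA
}


def flat_is_vulnerable(installed: str) -> bool:
    """Verdict when only the package-wide threshold is available."""
    return parse(installed) < FLAT_UNAFFECTED_GE


def compound_is_vulnerable(installed: str) -> bool:
    """Verdict when each release line has its own fixed version."""
    v = parse(installed)
    fixed = FIXED_PER_LINE.get(v[0])
    if fixed is None:
        # Release line with no listed fix: fall back to the flat threshold,
        # so older unlisted lines stay flagged.
        return v < FLAT_UNAFFECTED_GE
    return v < fixed


def compare(installed: str) -> Dict[str, bool]:
    """Both verdicts side by side for one installed version."""
    return {"flat": flat_is_vulnerable(installed),
            "compound": compound_is_vulnerable(installed)}


if __name__ == "__main__":
    for version in ("20.18.0", "20.19.1", "22.0.5", "22.1.0", "18.20.0"):
        print(version, compare(version))
```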