Thanks - but problem is that our mandated security policy is to apply the Node upgrade as soon as it goes Stable/LTS… (actually 3 days after).
We leave the Ghost instances running - using dead inodes - but clearly the lag is not good.
If there are any urgent security updates or a power cycle this may cause issues for all Ghost instances - in the worst case, all blogs offline until the pull request is merged and packaged for release.
I’ve noted this internally as a Ghost gotcha - expect Ghost instability for two weeks every October. I’ve asked - but the gods of security insist that Node upgrades take precedence over Ghost stability.
Yeah :) - We’re a bit paranoid about keeping Node and associated up-to-date given the dependency explosion. Node 18 has been in active use since April, we use it for a number of in-house apps, and this is also partly about making sure that unmaintained modules are identified soonest.
Once, many years ago (>20), forensics showed that we were about 15 minutes late in applying a patch on a late Monday morning. An active exploit defaced one of our non-critical static sites.
Never forget, never delay is now one of our maxims.
I have no qualms with this It’s just that generally new LTS versions of node won’t be any more secure than older LTS versions - so it’s more critical to be on the latest minor/patch than major (unless I’m missing something ).