Ghost-cli fails to upgrade under Node 18 (stable)?

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'ghost-cli@1.23.1',
npm WARN EBADENGINE   required: { node: '^12.22.1 || ^14.17.0 || ^16.13.0' },
npm WARN EBADENGINE   current: { node: 'v18.12.0', npm: '8.19.2' }
npm WARN EBADENGINE }

Any news on when ghost-cli will support latest Node stable release?

FYI - v18, was released in April, and Node stable was switched to v18 on 25th Oct.

looks like it’s in the pipeline…

See here for supported versions.

There’s no guarantee, but it usually takes 1-2 weeks for the latest LTS version to be supported.

1 Like

Thanks - but problem is that our mandated security policy is to apply the Node upgrade as soon as it goes Stable/LTS… (actually 3 days after).

We leave the Ghost instances running - using dead inodes - but clearly the lag is not good.

If there are any urgent security updates or a power cycle this may cause issues for all Ghost instances - in the worst case, all blogs offline until the pull request is merged and packaged for release.

I’ve noted this internally as a Ghost gotcha - expect Ghost instability for two weeks every October. I’ve asked - but the gods of security insist that Node upgrades take precedence over Ghost stability. :cry:

That’s an… interesting security posture :upside_down_face:

2 Likes

Yeah :) - We’re a bit paranoid about keeping Node and associated up-to-date given the dependency explosion. Node 18 has been in active use since April, we use it for a number of in-house apps, and this is also partly about making sure that unmaintained modules are identified soonest.

Once, many years ago (>20), forensics showed that we were about 15 minutes late in applying a patch on a late Monday morning. An active exploit defaced one of our non-critical static sites.

Never forget, never delay is now one of our maxims.

I have no qualms with this :smile: It’s just that generally new LTS versions of node won’t be any more secure than older LTS versions - so it’s more critical to be on the latest minor/patch than major (unless I’m missing something :stuck_out_tongue:).

Been 3 weeks now. In the past Ghost added the LTS versions inside a week at max from the looks of it.

Yay - I see that Ghost added support for Node 18 sometime in early January.

Timely given this mornings CVE notice on Node security releases going out now.