Skip to content

Limit Node.js version resolved when a wide range is used #1498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
colincasey merged 18 commits into from
Dec 9, 2025
Merged

Limit Node.js version resolved when a wide range is used #1498

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
930011c
Limit Node.js version range on resolve
colincasey Oct 29, 2025
c86da14
Run tests whenever the resolve binary is built
colincasey Oct 29, 2025
624b225
Update Node.js version resolver binary
colincasey Oct 29, 2025
6700d62
Update install process to emit warnings about resolve status
colincasey Oct 29, 2025
7e0ae1c
Update CHANGELOG.md
colincasey Oct 29, 2025
12daa00
Update CHANGELOG.md
colincasey Oct 29, 2025
1700647
Fix tests
colincasey Oct 29, 2025
ad42f19
Merge branch 'main' into limit_node_version_range
colincasey Oct 30, 2025
c1b6179
Fix clippy error
colincasey Nov 24, 2025
d332178
Rename `requested_artifact` to `resolved_artifact`
colincasey Nov 24, 2025
761d7ce
Improve output when multiple warnings are issued.
colincasey Nov 24, 2025
c2fe90d
Pass in current LTS major version from bash into Rust resolver
colincasey Nov 25, 2025
8d970e5
Merge branch 'main' into limit_node_version_range
colincasey Nov 25, 2025
0a6a6be
Specify environment override for LTS version limiting
colincasey Nov 25, 2025
a27194f
Fix tests failing due to error handler routine
colincasey Nov 25, 2025
51d602b
Reformat error message
colincasey Nov 25, 2025
680dd5d
Merge branch 'main' into limit_node_version_range
colincasey Dec 9, 2025
d7da213
Ensure the resolver has been rebuilt with latest code + dependencies
colincasey Dec 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

## [Unreleased]

- Update Node.js version resolver binary to emit warnings about wide version ranges and enforce the LTS upper bound. ([#1498](https://github.com/heroku/heroku-buildpack-nodejs/pull/1498))
- Added Node.js 25.1.0 (linux-amd64)
- Added Node.js 24.11.0 (linux-amd64)
- Added Node.js 22.21.1 (linux-amd64)
Expand Down
50 changes: 33 additions & 17 deletions lib/binaries.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,51 +47,67 @@ install_yarn() {
}

install_nodejs() {
local version="${1:-}"
local requested_version="${1:-}"
local dir="${2:?}"
local code resolve_result

if [[ -z "$version" ]]; then
version="22.x"
if [[ -z "$requested_version" ]]; then
requested_version="22.x"
fi

if [[ -n "$NODE_BINARY_URL" ]]; then
url="$NODE_BINARY_URL"
echo "Downloading and installing node from $url"
download_url="$NODE_BINARY_URL"
echo "Downloading and installing node from $download_url"
else
echo "Resolving node version $version..."
resolve_result=$(resolve node "$version" || echo "failed")

read -r number url checksum_name digest < <(echo "$resolve_result")
echo "Resolving node version $requested_version..."
resolve_result=$(resolve node "$requested_version" || echo "failed")

if [[ "$resolve_result" == "failed" ]]; then
fail_bin_install node "$version"
fail_bin_install node "$requested_version"
fi

version=$(echo "$resolve_result" | jq -r .version)
download_url=$(echo "$resolve_result" | jq -r .url)
checksum_type=$(echo "$resolve_result" | jq -r .checksum_type)
checksum_value=$(echo "$resolve_result" | jq -r .checksum_value)
uses_wide_range=$(echo "$resolve_result" | jq .uses_wide_range)
lts_upper_bound_enforced=$(echo "$resolve_result" | jq .lts_upper_bound_enforced)

if [[ "$uses_wide_range" == "true" ]]; then
echo "! The requested Node.js version is using a wide range ($requested_version) that can resolve to a major version"
echo " you may not expect. Limiting the requested range to a major range like \`24.x\` is recommended."
echo " https://devcenter.heroku.com/articles/nodejs-support#specifying-a-node-js-version"
fi

if [[ "$lts_upper_bound_enforced" == "true" ]]; then
echo "! The resolved Node.js version has been limited to the Active LTS of the requested range ($requested_version)."
echo " https://devcenter.heroku.com/articles/nodejs-support#supported-node-js-versions"
fi

echo "Downloading and installing node $number..."
echo "Downloading and installing node $version..."

if [[ "$number" == "22.5.0" ]]; then
if [[ "$version" == "22.5.0" ]]; then
warn_about_node_version_22_5_0
fi
fi

output_file="/tmp/node.tar.gz"
code=$(curl "$url" -L --silent --fail --retry 5 --retry-max-time 15 --retry-connrefused --connect-timeout 5 -o "$output_file" --write-out "%{http_code}")
code=$(curl "$download_url" -L --silent --fail --retry 5 --retry-max-time 15 --retry-connrefused --connect-timeout 5 -o "$output_file" --write-out "%{http_code}")

if [ "$code" != "200" ]; then
echo "Unable to download node: $code" && false
fi

if [[ -z "$NODE_BINARY_URL" ]]; then
case "$checksum_name" in
case "$checksum_type" in
"sha256")
echo "Validating checksum"
if ! echo "$digest $output_file" | sha256sum --check --status; then
echo "Checksum validation failed for Node.js $number - $checksum_name:$digest" && false
if ! echo "$checksum_value $output_file" | sha256sum --check --status; then
echo "Checksum validation failed for Node.js $version - $checksum_type:$checksum_value" && false
fi
;;
*)
echo "Unsupported checksum for Node.js $number - $checksum_name:$digest" && false
echo "Unsupported checksum for Node.js $version - $checksum_type:$checksum_value" && false
;;
esac
fi
Expand Down
Binary file modified lib/vendor/resolve-version-linux
View file
Open in desktop
Binary file not shown.
1 change: 1 addition & 0 deletions makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ build-resolvers: build-resolver-linux
mkdir -p .build

build-resolver-linux: .build
@cargo test --manifest-path ./resolve-version/Cargo.toml
CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER="$(shell which x86_64-unknown-linux-musl-gcc)" \
CC_X86_64_UNKNOWN_LINUX_MUSL="$(shell which x86_64-unknown-linux-musl-gcc)" \
cargo build --manifest-path ./resolve-version/Cargo.toml --target x86_64-unknown-linux-musl --profile release
Expand Down
26 changes: 26 additions & 0 deletions resolve-version/Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions resolve-version/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,5 +11,6 @@ libherokubuildpack = { version = "=0.29.1", default-features = false, features =
"inventory-sha2",
] }
node-semver = "2"
serde_json = "1"
sha2 = "0.10.9"
toml = "0.9"
Loading