Issue
This document covers additional questions about the Node.js Constant Hashable Seeds vulnerability announced on July 11, 2017.
Resolution
How do I determine which apps are vulnerable?
You should have received an email that contains a list of applications that are vulnerable according to our records. Please search your email for "[ACTION REQUIRED] Follow-up: Node.js security update on Heroku".
Most Node.js apps are vulnerable. To check which apps are Node.js apps, you can check your Heroku Dashboard. You will need to separately view any teams or organizations of which you are a member.
To check the version in use for a particular app, run:
$ heroku run node -v -a APPNAME
What versions do not contain the vulnerability?
The following versions of Node.js have been patched and are available on Heroku.
4.8.4
6.11.1
7.10.1
8.1.4
Are 0.10.x, 0.12.x and 5.x versions vulnerable?
Any version other than those listed above is vulnerable.
0.10.x and 0.12.x are vulnerable; however, no patch exists for these versions. The Node.js press release notes this as follows:
The 0.10.x and 0.12.x release lines are also vulnerable to the Constant Hashtable Seeds vulnerability. We recommend that users of these release lines upgrade to one of the supported LTS release lines.
5.x is an unsupported development version that does not fall into an LTS release line, and thus is not covered by the CVE. However, we believe this version is also vulnerable, so it is best to upgrade to an LTS release.
How do I patch my app?
- Review your package.json file. You need to ensure your engines section specifies a version that is not vulnerable: 4.8.4, 6.11.1, 7.10.1, or 8.1.4. If you do not specify a version, 6.11.1 will be used automatically. Please see Specifying a Node.js version for details.
- Push a new commit to your app, which will cause a deploy.
$ heroku git:clone -a APPNAME
$ cd APPNAME
# review your package.json and edit if necessary (see above)
$ git add package.json
$ git commit --allow-empty -m "Upgrade Node.js version"
$ git push heroku master
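The two checks above (reading the version that `heroku run node -v` prints, and reviewing the engines field in package.json) are easy to get wrong by eye across many apps. The following script is an added example, not part of the Heroku article: it classifies a version string against the patched releases listed above, treats a missing engines entry as the 6.11.1 default the article describes, and flags lines with no patched release (0.10.x, 0.12.x, 5.x). It assumes the engines field holds an exact version rather than a semver range, and the sample version strings at the bottom are constructed.

```javascript
// Added example (not from the Heroku article): decide whether a Node.js version
// string, as printed by `heroku run node -v -a APPNAME`, is one of the patched
// releases listed in the article, a vulnerable release of a patched line, or a
// line for which no patch is listed.

// Patched releases per major line, exactly as listed in the article.
const PATCHED = { 4: [4, 8, 4], 6: [6, 11, 1], 7: [7, 10, 1], 8: [8, 1, 4] };

// Parse "v6.11.1" or "6.11.1" into [major, minor, patch]; null if malformed.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(s).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two [major, minor, patch] tuples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify a version string:
//   "patched"    - at or above the patched release of its major line
//   "vulnerable" - a patched line, but below the patched release
//   "not-listed" - no patched release listed for this line (covers 0.10.x,
//                  0.12.x and 5.x, which the article says have no patch)
//   "invalid"    - the string could not be parsed as a version
function classify(versionString) {
  const v = parseVersion(versionString);
  if (!v) return "invalid";
  const fixed = PATCHED[v[0]];
  if (!fixed) return "not-listed";
  return compare(v, fixed) >= 0 ? "patched" : "vulnerable";
}

// Apply the same check to a parsed package.json object. A missing engines.node
// entry means Heroku will use 6.11.1 (per the article). Assumption: only exact
// versions are handled here, not semver ranges such as "6.x" or ">=6".
function classifyPackageJson(pkg) {
  const spec = pkg && pkg.engines && pkg.engines.node;
  if (spec === undefined) return classify("6.11.1");
  return classify(spec);
}

// Produce one "version: status" line per input, for pasting into a report.
function report(versionStrings) {
  return versionStrings.map((line) => `${line}: ${classify(line)}`);
}

// Constructed sample output, as if collected from several apps.
const SAMPLE_OUTPUT = ["v6.11.0", "v8.1.4", "v0.10.48", "v5.12.0", "v4.8.4"];

console.log(report(SAMPLE_OUTPUT).join("\n"));
```

Run it with `node check-node-version.js` after pasting the `node -v` output of each app into SAMPLE_OUTPUT, or require it and call classifyPackageJson on the parsed package.json of each repository. A version above the listed patched release (for example a later 6.11.x) is reported as patched, since later releases on a patched line include the fix.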
What is the vulnerability?
The Node.js team announced a high severity remote Denial of Service (DoS) vulnerability in Node.js.
Are apps in other languages that use node during the build process affected?
Only applications that use node for their main runtime can be vulnerable to a Denial of Service attack. To be safe, we have updated all buildpacks to use the new version going forward.
Apps that directly use the node buildpack will need to update their version of Node.js via the package.json file.
Upgrading fails due to some dependencies. How can I upgrade?
If you do not use a lockfile, Node.js dependencies do not pin to specific versions, and so the version of dependencies your app uses may have changed since your last deploy. Alternatively, the versions you have pinned may not be compatible with the newer version of Node.js you are using.
Unfortunately, there is no easy solution to this problem. You will need to update your application and its dependencies as needed.
Are third-party buildpacks affected?
Any buildpack that uses a Node.js binary is affected. For this reason, we recommend using our official buildpacks whenever possible. Please contact the maintainer of the third-party buildpacks to request that they are updated to use new versions of Node.js (or fork the buildpack and send a pull request!).
What about Meteor.js?
The Meteor team recently updated Meteor to address the security issues.
They recommend following these instructions to update Meteor to 1.5.1.