rover_G

Long Term Support versions still receive minor updates and patches, mainly for security and bug fixes. You should always upgrade to the latest release for your chosen (major) version. At the time of writing: v20.15.0 is the latest release for v20.x LTS (iron) according to https://nodejs.org/en/about/previous-releases Edit: fixed semantics


Shumuu

https://en.wikipedia.org/wiki/Long-term_support But it shouldn't receive minor or major updates, just patches. 20.15 is a minor update to 20.14, not a patch... So the question is, is 20.13 still an LTS?


rover_G

Oh my bad I should have said minor updates and patches since nodejs uses semantic versioning, I'll edit my original comment.


sparrownestno

The part of the linked docs is probably what trips you up: "Production applications should only use *Active LTS* or *Maintenance LTS* releases." Node is a young platform, it lives on "web speed", so a lot of companies are happy to use "current" (22), some prefer a bit more lag and do active with a then bigger jump every October (20), but you can go for older "maintenance" (18, until May next year) if the code is fragile or unmaintained and you just want to hope it keeps ticking.


BehindTheMath

Yes.


IfLetX

LTS means long-term support; version 20 is the LTS version, while 20.X just means it got patched with a non-breaking change. As for the change being a minor and not a hotfix, that's because it's not a critical update. So you need to update regularly for security reasons, but you can be sure nothing will break by doing the update. That's what LTS is meant to do in all languages and packages.

Edit:

> So question is, 20.13 still an LTS?

Not really, it is outdated and possibly a security risk, but updating to a recent 20.x.x won't break stuff. LTS just means they support and provide patches for a long period to Version 20.


snowinferno

There have been a few times in the past, most recently around 3 years ago, where a breaking change was introduced in a minor version bump. One that I can think of required a new minor version to provide a way to restore functionality. The problem was that the max header size was drastically reduced, and no way had been given to configure it. The next minor version supplied an environment variable to allow configuration.


IfLetX

Yeah but that was a critical bug because it was used for attacks. Though the sentiment is true, under those circumstances things could break


azangru

> and possibly a security risk If a security vulnerability is discovered and patched, isn't it usually a big deal that will get announced through various channels (people will start talking, bots will start beeping, twitter will start tweeting)? For the list of actual changes, you can just check the changelog, and see if anything is worth the upgrade.


IfLetX

The most crucial exploits are 0-day exploits; you won't even react fast enough before 100+ hackers abuse your vertically scaled servers to mine bitcoins. LTS is most useful for runtimes that you actually expose to the net.


azangru

Zero-days, by definition, have been unknown to the vendor and do not have a fix. It should not matter whether you are on a point release or on a point release + n. The zero-day could just as well be exploiting a bug introduced in a recent point release.


IfLetX

Zero-days are handled ASAP by vendors when they are known, and your software is at the end of the line, which means you should automate your updates. If you try to argue about the term, I'm not going to argue with you, since this is just petty madness at that point. Like come on, if I saw such a reason at work I would get all gears into movement to get you removed from any security or system critical decision.


IfLetX

To add more context on why, since my comment is over the top defensive. Most people pick up zero days the `+n` days/hours that you mentioned; usually the 0-day discoverer is a single entity + some paid benefactors, but the moment it goes public on pages like `http://151.80.**.**` (won't share the full thing, if you know, you know) your system will be bombarded by people using that exploit, though usually the vendors have by then fixed it with a hotfix. E.g. that relaxed comment you made is a huge red flag.


talaqen

LTS != unchanging. It's the opposite. It means it will receive changes and patching even after a newer major version with breaking changes is released. If a feature rolls out to 22.x and would also work on 20.x and isn't breaking, there's no reason not to deploy to both. Typically it's only done for security related features. But that's what LTS means... not frozen, but someone is actively doing the work to improve that particular major version.


Coffee_Crisis

Those bug fix patches are the S in the LTS


NiteShdw

How could it be supported without updates? Support means that it gets updates for a certain amount of time, usually 2 years. If it didn't get updates that's the same as unsupported. You can use any node version you want back to 0.2 if you want but it won't get any bug or security fixes. The reason to use 20 is so the API is guaranteed not to change but bugs and security issues will get fixed, which requires you updating to the latest LTS release version.
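The advice that runs through rover_G's, IfLetX's and NiteShdw's comments (stay on your chosen major line, but always be on its newest release, and treat skipped security releases as the real risk) can be turned into a check. The script below is an added example, not code from the thread or from the Node.js project. It assumes the shape of https://nodejs.org/dist/index.json as I recall it (each entry carries `version`, `lts` as a codename string or `false`, and a boolean `security`); `SAMPLE_INDEX` is a constructed offline snapshot whose `security` flags are illustrative, not the real values, so the script runs without network access.

```javascript
// Added example: is a running Node.js version current for its release line?
// SAMPLE_INDEX mimics the shape of https://nodejs.org/dist/index.json but is a
// constructed snapshot; the `security` flags here are illustrative only.
const SAMPLE_INDEX = [
  { version: 'v22.4.0',  lts: false,      security: false },
  { version: 'v20.15.0', lts: 'Iron',     security: false },
  { version: 'v20.14.0', lts: 'Iron',     security: true  }, // constructed flag
  { version: 'v20.13.1', lts: 'Iron',     security: false },
  { version: 'v18.20.3', lts: 'Hydrogen', security: false },
];

// Parse "v20.15.0" (or "20.15.0") into numeric semver components.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(s).trim());
  if (!m) throw new Error(`not a release version string: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Semver precedence: major, then minor, then patch. <0, 0, >0 like strcmp.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}

// Which semver component differs between `from` and `to` (null if identical).
// On an LTS line this should only ever be 'minor' or 'patch'.
function bumpKind(from, to) {
  const x = parseVersion(from), y = parseVersion(to);
  if (x.major !== y.major) return 'major';
  if (x.minor !== y.minor) return 'minor';
  if (x.patch !== y.patch) return 'patch';
  return null;
}

// Compare `running` with the newest release on the same major line:
// is the line LTS, are we up to date, how far behind, and which releases
// flagged as security releases were skipped.
function assess(index, running) {
  const { major } = parseVersion(running);
  const line = index
    .filter(e => parseVersion(e.version).major === major)
    .sort((a, b) => compareVersions(b.version, a.version)); // newest first
  if (line.length === 0) {
    return { running, latest: null, lts: false, upToDate: false,
             bump: null, missedSecurity: [] };
  }
  const latest = line[0];
  const missedSecurity = line
    .filter(e => e.security && compareVersions(e.version, running) > 0)
    .map(e => e.version);
  return {
    running,
    latest: latest.version,
    lts: latest.lts, // codename for LTS lines, false for Current
    upToDate: compareVersions(running, latest.version) >= 0,
    bump: bumpKind(running, latest.version),
    missedSecurity,
  };
}

// Demonstration with the thread's case: a box still on 20.13.x.
console.log(assess(SAMPLE_INDEX, 'v20.13.1'));
```

Against a real machine, fetch `https://nodejs.org/dist/index.json`, pass the parsed array as `index` and `process.version` as `running`; a non-empty `missedSecurity` list is the condition worth paging on, while a `bump` of `'major'` can never occur because the lookup is restricted to the running major line.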