Can Kibana 7.x work with a higher version of node.js due to security fix in Node.js

Hi,
I am using Kibana 7.2.1, which is bundled with Node.js 10.15.2. But recently, Node.js has been found to have certain security violations (e.g. CVE-2019-9511): https://nodejs.org/en/blog/release/v10.16.3/

I would like to know if it is ok to use the node.js that has the security issue fixed (10.16.3) with Kibana 7.2.1. I can change the package.json to use the higher version and it seems to run ok. Any idea if this is ok or not?
Thanks,
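For the situation described in the question (a scanner flagging the Node.js bundled with a Kibana install, and the need to confirm which version is actually shipped before or after swapping it), here is an added shell script that is not part of the original thread or of Kibana itself. It assumes the tarball/zip layout in which the bundled runtime lives at `<kibana-home>/node/bin/node`; the minimum version `10.16.3` is taken from the release linked above, and the `check_bundled_node` / `version_at_least` function names are this example's own.

```shell
#!/bin/sh
# Added example: report the Node.js runtime bundled with a Kibana install
# against a minimum patched version. Not Kibana's own tooling.

# Compare two dotted versions component by component (a leading "v" is
# ignored, missing components count as 0). Returns 0 when $1 >= $2, else 1.
version_at_least() {
    a=$(printf '%s' "$1" | sed 's/^v//').0.0
    b=$(printf '%s' "$2" | sed 's/^v//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Check the bundled node binary under the Kibana home directory ($1)
# against the minimum version ($2). Exit status: 0 = at or above minimum,
# 1 = below minimum, 2 = no bundled node found (assumed path node/bin/node).
check_bundled_node() {
    kibana_home=$1
    minimum=$2
    node_bin="$kibana_home/node/bin/node"
    if [ ! -x "$node_bin" ]; then
        echo "no bundled node at $node_bin"
        return 2
    fi
    found=$("$node_bin" --version)
    if version_at_least "$found" "$minimum"; then
        echo "OK: bundled Node.js $found >= $minimum"
        return 0
    fi
    echo "OUTDATED: bundled Node.js $found < $minimum"
    return 1
}

# Usage: sh check_node.sh /path/to/kibana [minimum-version]
if [ "$#" -ge 1 ]; then
    check_bundled_node "$1" "${2:-10.16.3}"
fi
```

Running it against a 7.2.1 install before and after the runtime swap shows whether the binary the scanner sees is really the patched one; the exit status makes it easy to wire into a CI or inventory job.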

Hello,

It can be a little hard to know. It's frequently just fine, but occasionally there are breaking changes. I double-checked our last Pull Request that updated node from one minor version to another. Here's a link to the files changed just so you're aware of what should probably be updated. The command updates will be different and there may or may not be updates necessary for these in your case.

Regards,
Aaron

That CVE does not affect the Kibana server since we are not leveraging HTTP/2 at this time.

The issue is not whether it affects Kibana Server or not. Since it is bundled with Kibana, a vulnerability scanner will flag it. As Kibana is running on top of node, the question is whether that base node.js itself is vulnerable or not.

To answer your original question; the patch bump shouldn't adversely affect Kibana if they are strictly adhering to SEMVER. However, we cannot guarantee it without bumping it within Kibana itself.

In regards to the CVE, I am going to have to direct you to contact security@elastic.co per https://www.elastic.co/community/security

ok, thanks.
