[BUG]: EOL/Obsolete Software: Node.js 16.x Detected #5214

Open
@gidad

What happened?

Related Issue

#4324

Description

Our security scanners have detected an obsolete Node.js version (16.20.2) in the Azure Pipelines agent installation.

Current Installation Path:

/opt/azagent_services/externals/node16/bin/node 16.20.2

Security Concern:
Node.js 16.x reached end-of-life on September 11, 2023, and is no longer receiving security updates or patches. This poses a potential security risk in our CI/CD infrastructure.

Investigation:
I've noticed that Node.js 16 is still present in the latest stable versions of the agent:

Questions

  1. Is there a planned timeline for removing Node.js 16 from the agent?
  2. Are there any recommended workarounds or patches that can be implemented to remove this obsolete version, particularly in automated deployments (via Terraform)?

Any guidance on mitigating this security concern would be greatly appreciated.

Versions

Azure DevOps version 3.243.1 / Debian 12

Environment type (Please select at least one environment where you face this issue)

  • Self-Hosted
  • Microsoft Hosted
  • VMSS Pool
  • Container

Azure DevOps Server type

Azure DevOps Server (Please specify exact version in the textbox below)

Azure DevOps Server Version (if applicable)

Azure DevOps Server 2022.1

Operating system

Debian 12

Version control system

No response

Relevant log output
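
Added example, not part of the issue report and not code from the Azure Pipelines agent project: a shell check that inventories the Node.js runtimes bundled under an agent's externals directory and flags the end-of-life ones, as a scanner finding like the one above can be reproduced and tracked per host. The function names are hypothetical, the `externals/*/bin/node` layout is generalised from the single path quoted in the issue, and the end-of-life dates other than Node.js 16 are taken from the public Node.js release schedule rather than from this page.

```shell
#!/bin/sh
# Added example: flag end-of-life Node.js runtimes bundled with a pipeline agent.
# Assumption: runtimes live at <agent_root>/externals/*/bin/node, generalised
# from the single path quoted in the issue.

# EOL date per major version. 16 is the date cited in the issue; 10, 18 and 20
# come from the public Node.js release schedule, not from this page.
eol_date() {
  case "$1" in
    10) echo 2021-04-30 ;;
    16) echo 2023-09-11 ;;
    18) echo 2025-04-30 ;;
    20) echo 2026-04-30 ;;
    *)  echo unknown ;;
  esac
}

# node_status <version> <today YYYY-MM-DD>  ->  EOL | SUPPORTED | UNKNOWN
node_status() (
  ver="${1#v}"
  eol="$(eol_date "${ver%%.*}")"
  if [ "$eol" = unknown ]; then
    echo UNKNOWN          # unlisted major: report it rather than guess
  elif [ "$(printf %s "$2" | tr -d '-')" -ge "$(printf %s "$eol" | tr -d '-')" ]; then
    echo EOL
  else
    echo SUPPORTED
  fi
)

# scan_agent <agent_root> [today]  ->  "path<TAB>version<TAB>status" per runtime
scan_agent() (
  today="${2:-$(date +%Y-%m-%d)}"
  for bin in "$1"/externals/*/bin/node; do
    [ -x "$bin" ] || continue           # unmatched glob or non-executable
    ver="$("$bin" --version 2>/dev/null)" || ver=""
    if [ -z "$ver" ]; then
      printf '%s\t%s\t%s\n' "$bin" "-" UNREADABLE
    else
      printf '%s\t%s\t%s\n' "$bin" "$ver" "$(node_status "$ver" "$today")"
    fi
  done
)

# Scan only when an agent root is given, e.g.: sh scan.sh /opt/azagent_services
if [ $# -gt 0 ]; then scan_agent "$@"; fi
```

The optional second argument to `scan_agent` pins the comparison date, which keeps results reproducible when the check runs in a scheduled job.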