Security: `lts/*` installs old LTS versions up to 1 month+ after release

Update: Delays are undefined, possibly up to 1 month or even longer, due to slow updates in actions/runner-images 😨

Description:

Using the lts/* alias with actions/setup-node installed Node.js v22.13.0 as of 25 Jan 2025, an old version. Node.js v22.13.1 has been out since 21 Jan 2025.

⚠️ Security: Node.js v22.13.1 contains security updates, and as such this can be considered a security problem.

      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          check-latest: true

Workflow logs:

Run actions/setup-node@v4
  with:
    node-version: lts/*
    always-auth: false
    check-latest: false
    token: ***
  ...
Attempt to resolve LTS alias from manifest...
Found in cache @ /opt/hostedtoolcache/node/22.13.0/x64
Environment details
  node: v22.13.0
  npm: 10.9.2
  yarn: 1.22.22

Longer update delays of over 5 days can be seen in #940.

Action version:

actions/setup-node@v4

Platform:

  • Ubuntu
  • macOS
  • Windows

Runner type:

  • Hosted
  • Self-hosted

Tools version:

Node.js lts/*

  node: v22.13.0
  npm: 10.9.2
  yarn: 1.22.22

Repro steps:

Use the configuration above and observe the output above

Expected behavior:

Node.js latest LTS (20.11.0) is installed

Actual behavior:

Node.js older LTS (20.10.0) is installed

History:

Originally reported in #940, but closed without resolution, with @aparnajyothi-y saying that it should be handled on the runner side:

@aparnajyothi-y in comment 2247503445: cache eviction should not be handled on the runner side

In speaking with the runner images team, @hemanthmanga mentioned it should not be handled on the runner side:

@hemanthmanga in comment 2263151956: As the runner images team, we believe cache eviction should be handled through tasks, not the runner itself
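
One way to detect this lag from inside a workflow, as an added example that is not part of the original issue or of actions/setup-node: compare the installed version against the Node.js release index and report any security releases missed on the same major line. The function names and the sample index entries are constructed for illustration; the `lts` and `security` fields follow the format of https://nodejs.org/dist/index.json.

```javascript
// Added example, not code from actions/setup-node.
// SAMPLE_INDEX is constructed, in the shape of https://nodejs.org/dist/index.json
// (lts = codename string or false, security = boolean).
const SAMPLE_INDEX = [
  { version: 'v23.6.1', lts: false, security: true },
  { version: 'v22.13.1', lts: 'Jod', security: true },
  { version: 'v22.13.0', lts: 'Jod', security: false },
  { version: 'v20.18.2', lts: 'Iron', security: true },
];

// 'v22.13.0' -> [22, 13, 0]; rejects anything that is not a plain x.y.z version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Node.js version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so that 22.9.0 sorts below 22.13.0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// The release lts/* is expected to resolve to: highest version with an LTS codename.
function latestLts(index) {
  const lts = index.filter((r) => r.lts)
    .sort((a, b) => compareVersions(b.version, a.version));
  if (lts.length === 0) throw new Error('no LTS release in index');
  return lts[0].version;
}

// Compare the installed version with the latest LTS and list the security
// releases on the same major line that the installed version is missing.
function checkLtsFreshness(installed, index) {
  const latest = latestLts(index);
  const major = parseVersion(installed)[0];
  const missedSecurity = index
    .filter((r) => r.security && parseVersion(r.version)[0] === major
      && compareVersions(r.version, installed) > 0)
    .map((r) => r.version);
  return { installed, latest, stale: compareVersions(installed, latest) < 0, missedSecurity };
}

// The versions from this report: installed v22.13.0 while v22.13.1 is available.
const report = checkLtsFreshness('v22.13.0', SAMPLE_INDEX);
console.log(report);
```

In a workflow step, pass `process.version` and the parsed contents of the real index instead of the sample, and exit non-zero when `stale` is true or `missedSecurity` is non-empty.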