Skip to content

Separate out a more detailed release policy document#2462

Merged
shadowspawn merged 3 commits intotj:developfrom
shadowspawn:policy-refresh
Jan 3, 2026
Merged

Separate out a more detailed release policy document#2462
shadowspawn merged 3 commits intotj:developfrom
shadowspawn:policy-refresh

Conversation

@shadowspawn
Copy link
Copy Markdown
Collaborator

@shadowspawn shadowspawn commented Dec 5, 2025

Problem

In particular:

  • mixing security policy and releases policy
  • no explicit EOL date for old versions

See #2455 for detailed background.

Solution

Create a new Release Policy document with detail about release versioning, cadence, version status, and EOL dates.

ChangeLog

  • add new Release Policy documentation

@shadowspawn
Copy link
Copy Markdown
Collaborator Author

shadowspawn commented Dec 6, 2025
edited
Loading

I had another look at the package-support.json schema. It does allow versions with expiry dates, but I don't see a way to specify that doing security-only updates for a version.

https://github.com/nodejs/package-maintenance/blob/main/docs/PACKAGE-SUPPORT.md

The package-support.json file does not appear to have been adopted much, although it is not the only way of specifying the support info. Lots of the hits are for Commander!

https://github.com/search?q=path%3Apackage-support.json&type=code

I am tempted to delete the file! The new document covers similar material in a human readable way, so more accessible (since not widespread tooling supporting package-support.json).

@shadowspawn shadowspawn marked this pull request as ready for review December 6, 2025 22:57
@shadowspawn
Copy link
Copy Markdown
Collaborator Author

shadowspawn commented Dec 7, 2025
edited
Loading

This PR proposes bumping up the support for old releases from 6 months to 12 months to give users who want to stay on a supported version more time to upgrade. The commitment may mean more versions to backport for a CVE.

Comparing current situation with our past policies, as of today.

Proposed, 1 year. Two old versions. Oldest Node.js is 18 for 12.x (and 13.x).

Version First Release Release Note Status End of life
14.x 2025-05-18 14.0.0 current
13.x 2024-12-30 13.0.0 maintenance 2026-05-18
12.x 2024-02-03 12.0.0 maintenance 2025-12-30

Current version and previous (#2150, #1004). One old version. Oldest Node.js is 18.

Version First Release Release Note Status End of life
14.x 2025-05-18 14.0.0 current
13.x 2024-12-30 13.0.0 maintenance ?

Six month support (#1114). Zero old versions.

Version First Release Release Note Status End of life
14.x 2025-05-18 14.0.0 current
13.x 2024-12-30 13.0.0 maintenance 2025-11-18 passed

@shadowspawn
Copy link
Copy Markdown
Collaborator Author

shadowspawn commented Jan 1, 2026

Release polices of some popular packages:

abetomo
abetomo approved these changes Jan 2, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@abetomo abetomo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you so much!

@shadowspawn shadowspawn merged commit 7357dda into tj:develop Jan 3, 2026
11 checks passed
@shadowspawn shadowspawn deleted the policy-refresh branch January 3, 2026 20:46
@shadowspawn shadowspawn added the pending release Merged into a branch for a future release, but not released yet label Jan 3, 2026
@shadowspawn shadowspawn removed the pending release Merged into a branch for a future release, but not released yet label Jan 31, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abetomo abetomo abetomo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shadowspawn @abetomo