Propose a higher minimum Node.js version for all the packages (CI related) #236

Open
carpasse opened this issue May 6, 2024 · 5 comments
Labels
top priority Issues which the TC deem our current highest priorities for the project

Comments


carpasse commented May 6, 2024

Hi everyone,

As part of the OSSF scorecard initiative of the security working group, we've been actively working on fixing our CI pipelines and migrating them from Travis to GitHub Actions where necessary. However, last week, we encountered a technical obstacle while trying to run tests for range-parser on Node.js version 0.6.

Here are the key challenges we faced:

  1. Lack of Ubuntu 18 Support: GitHub no longer provides runners for Ubuntu versions lower than 20. This became evident in the failing action.

  2. Missing Public Key for Repository Signing: Ubuntu 20 no longer includes the public key needed to sign the repositories containing necessary libraries. This issue was highlighted in the failing action.

  3. Dependency on Python 2: Even after manually including the public keys and installing required libraries, the tests couldn't run due to the need for Python 2, which is no longer provided as an official apt-get dependency. Installing Python 2 was deemed too cumbersome for the minimal gains, as illustrated in the failed action.

Given these technical constraints and after discussion, we decided to drop support for Node.js 0.6 from our CI pipeline.

Objectives of this Issue:

  1. Communicate Challenges and Decision: The primary aim is to inform about the challenges I faced when attempting to run tests on such an outdated version of Node.js. Provide transparency regarding the decision taken and give supporters the opportunity to raise concerns or offer support.

  2. Discuss Dropping Support for 0.x Versions: I would also like to discuss the feasibility of dropping support for all 0.x versions in our CI pipeline. Considering the issues encountered with 0.6, it's likely similar challenges will arise with other old versions in the coming months. Dropping 0.6 in our CI pipeline essentially means dropping support for it, raising the need to make the next release a major.

  3. Discuss Dropping Support for All Pre-4.x Versions: If we are doing a major release, should we consider the possibility of dropping all pre-4.x versions and starting support at Node.js 4.x?

Your feedback on these points would be greatly appreciated.

Thank you!

@UlisesGascon UlisesGascon added the top priority Issues which the TC deem our current highest priorities for the project label May 6, 2024
@UlisesGascon
Member

I am +1 to Dropping Support for 0.x for technical reasons 👍

Also, I am okay with supporting Dropping Support for all pre-4.x versions if we reach a good agreement.

(cc: @expressjs/express-tc )

Member

inigomarquinez commented May 6, 2024

After fixing the CI of several packages in the organization, I also agree with @carpasse as he perfectly explains the problems of having to support those legacy versions.

@wesleytodd
Member

I think this aligns with the general idea for the main express package as well. But to be clear, this requires a major version bump for ALL of these packages. We cannot drop CI for more than a short period of time for one-off reasons without major revving. We need to major a lot of them anyway, so I don't think this is a blocker.

Additionally, I tried to start this convo here #210 so not sure if we want to consolidate the discussion there and close this? Then we can circle back in the individual repos with the plan?

@UlisesGascon UlisesGascon transferred this issue from expressjs/express May 13, 2024
@carpasse
Author

Not sure when they will enforce the change, but there is a blog post from GitHub advising to migrate to node 20 on GitHub Actions.
https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/

We've already seen the warnings on the CI pipelines of the repos.

Contributor

ljharb commented May 14, 2024

Note that that doesn't preclude testing of any node version; I use ljharb/actions/node/install with nvm to test down to node 0.8 on 500+ projects. It just means you can't use an action that runs in node < 20 anymore, but you can still install (even with setup-node) an older version.
