Gist: isaacs/47ced4e0fa13469b847dbfa19bd376a4
From 9a03c3e2d958202a0d1b9477a25406b5bd904a30 Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Mon, 8 Jul 2024 10:44:26 -0700
Subject: [PATCH] Add note about using EOL release versions
As much as we can recommend against this, people are still going to do it
sometimes. We may as well help users reduce the risk and also give package
authors something to point to when the predictable breakage occurs.
---
apps/site/pages/en/about/previous-releases.mdx | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/apps/site/pages/en/about/previous-releases.mdx b/apps/site/pages/en/about/previous-releases.mdx
index 3e0014c6..7e621696 100644
--- a/apps/site/pages/en/about/previous-releases.mdx
+++ b/apps/site/pages/en/about/previous-releases.mdx
@@ -10,6 +10,15 @@ After six months, odd-numbered releases (9, 11, etc.) become unsupported, and ev
_LTS_ release status is "long-term support", which typically guarantees that critical bugs will be fixed for a total of 30 months.
Production applications should only use _Active LTS_ or _Maintenance LTS_ releases.
+## Costs and Caveats of Using Unsupported Releases
+
+In some cases, it may not be possible to upgrade a legacy application to use a supported Node.js version. While this is not recommended due to the lack of security updates, at a bare minimum the following precautions must be taken when using an <abbr title="End of Life">EOL</abbr> release:
+
+- Pin or vendor all external dependencies. That is, instead of depending on `"some-package": "^1.2.3"`, depend on `"some-package": "1.2.3"`, without the `~` or `^` character. Or, copy the dependency locally into your project, or check the `node_modules` folder into source control.
+- Carefully evaluate any dependency updates, as they may not be compatible with EOL platform versions, even within `patch` version updates, as the community gradually drops the EOL version from their CI testing environments.
+- Do not rely on being able to run the latest version of a script using `npx`, `pnpmx`, or similar.
+- Take extra care to ensure that your application is not exposed to untrusted user input, as this can expose you to known security exploits which _will not be fixed_ on EOL versions.
+
## Release Schedule
![Releases](https://raw.githubusercontent.com/nodejs/Release/main/schedule.svg?sanitize=true)
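Review bot: the first bullet's advice to pin `"some-package": "1.2.3"` in `package.json` only freezes direct dependencies; transitive dependencies still resolve to whatever the registry serves at install time, so a fresh install can still pull in a release that has dropped the EOL runtime. The bullet should tell readers to commit the lockfile (`package-lock.json`, `npm-shrinkwrap.json`, or the yarn/pnpm equivalent) and install with `npm ci` rather than `npm install` where the bundled npm supports it, since that is what actually reproduces the full tree the application was tested on; exact pins in `package.json` are a supplement, not a substitute. Also, in the `npx` bullet, `pnpmx` is not a pnpm command: the pnpm form is `pnpm dlx` (formerly `pnpx`), and yarn's is `yarn dlx`.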
--
2.39.3 (Apple Git-146)