Node-RED Install Script - for v5

May I ask a possible dumb question (and no personal offence) :slight_smile:

From a user standpoint, what is the point of updating a perfectly running NR even when some background libs have "dropped support" in the near future? Are security concerns the only reason? Will I be excluded from potential very useful new features if NR V5 or 6.. if it can no longer run on, say... 5 year old hardware?

NR is this fine piece of software which is perfect for an old Pi3 (or similar) laying around in my shop. Instead of trashing an old Android tablet, it can be perfect as a NR Dashboard monitor.
For security: I assume most users deploy their smart home system as LAN only. So security mostly depends on my local LAN setup. If I really need external access any reasonable VPN tunnel will do..

As said, no offence, I just want to understand better the rationale behind this "urge" to update all the time. I know I always have the option just to stick with my setup forever.

The main reasons are security and bug fixes.

In regards to security, even where a Node-RED web isn't being shared externally, there are plenty of other potential ways a device could be compromised - assuming that the device does have some connection to the Internet (as nearly all devices will).

There are currently 100's of millions of compromised IoT and other devices unwittingly taking part in various attacks.

Bug fixes are another aspect as these typically only arrive with new versions.

And the final aspect is ease of maintenance. If you leave upgrades for a long time, when you finally have to do one, a big jump is typically much harder than a series of smaller upgrades. Much more likely to break things.

The counter argument…. Which while indeed potentially more risky as Julian points out… is if it ain’t broke and you accept the risk, then yes leave well enough alone… ( but always have a backup…)

The other downside of not upgrading is that newer versions may include some nice new feature that gets popular on the forum, and you won’t be able to “join in” as much, but again a lot of that is down to your wants and needs, or the amount of support your system may require - as 9 out of 10 times the first question you’ll be asked in reply to a question you pose will be “what version are you running?” :slight_smile:

Indeed I have multiple systems (various hardware) running at home of various ages. One is running code from 5 years ago, just because…. I have got to the point where I just want to see when/if it ever fails rather than anything else, some are 1-2 versions back and some are using latest unreleased dev versions,

Sure! But my point was this is mostly an issue for my personal firewall, router etc. If there is a security issue with node.js an attacker first must be able to reach my installation?

I got the latest(!) NR version running with a 4 year old Dashboard version in order to drive my 8 year old iPad Display :wink: Now it's obsolete but I like the approach here that you can combine different SW packages to suit your specific needs.

And of course I would never blame a developer for a flaw when using 5 year old versions :wink:

And that is how a lot of people get attacked. :frowning: Anything that is connected to something and eventually to the Internet may have flaws. There are a LOT of routers with unresolved flaws in their firmware for example.

Listen, I'm not saying that it is likely that you would be compromised, simply pointing out that the more outdated your software - and don't forget, if you aren't updating node.js and node-red, you probably aren't updating your OS either - the bigger your risk.

While it may not be likely for you as an individual to get a compromised device, as I say, there are 100's of millions of infected devices. These are force multipliers for both criminals and nation states who have been in a cyber war with anyone they don't like for years now. The more infected devices, the bigger the world-wide risk. The more outdated software around, the bigger the world-wide risk.

The bottom line being that there are many routes to having devices compromised and outside of specialist security professionals, these can be very hard to pin down.


Leaving security aside for a moment, I'm confident in saying that in all the years of using Node-RED (I've been a user since the early days), I've only ever once had an issue from upgrading either node.js or Node-RED on my "live" home automation servers.

I have, of course, had to make a few changes when it comes to major upgrades of some contributed nodes or other node.js libraries I use. Mostly due to changes in 3rd-party API's though to be honest, which would have stopped working anyway.

Small regular upgrades are, in my personal experience, both of node.js/node-red and a wealth of professional experience with computers and systems of all kinds, much easier to deal with than big jumps.

The initial information printed by the script could be enhanced.
Instead of

This script checks the version of node.js installed is 16 or greater. It will try to
install node 22 if none is found. It can optionally install node 18, 20 or 24 LTS for you.
 
If necessary it will then remove the old core of Node-RED, before then installing the latest
version. You can also optionally specify the version required.

How about something like this, immediately before Are you really sure you want to do this [y/N] ?, taking into account any command line parameters given?

For a new installation:

This will update node.js from <current version> to <new version>
And install Node-red <new version> 

For a reinstall:

This will update node.js from <current version> to <new version>
And Node-red from <current version> to <new version> 
Your settings.js file is non-standard and will not be overwritten.
Your settings.js file is missing some recent keys. Do you want to replace it with the default?
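
A sketch of how the version lines proposed in the post above could be built, as an added example that is not part of the thread or of the Node-RED install script. The function names, the argument order and the sample versions are assumptions; the minimum of 16 is the one stated in the script's current banner, and the settings.js checks are left out.

```shell
#!/bin/sh
# Hypothetical helper, not taken from the Node-RED install script.
# Versions are passed as arguments so the example runs offline; a real
# caller would have to discover them itself (assumption).

MIN_NODE_MAJOR=16   # minimum named in the script's current banner

# Print the major number of "v18.19.0" or "4.0.9"; fail if it cannot be parsed.
major_of() {
    v=${1#v}
    m=${v%%.*}
    case "$m" in
        ''|*[!0-9]*) return 1 ;;
        *) printf '%s\n' "$m" ;;
    esac
}

# plan_summary CUR_NODE NEW_NODE CUR_NR NEW_NR
# An empty CUR_* argument means "not installed".
plan_summary() {
    cur_node=$1 new_node=$2 cur_nr=$3 new_nr=$4
    if [ -z "$cur_node" ]; then
        echo "This will install node.js $new_node"
    elif [ "${cur_node#v}" = "${new_node#v}" ]; then
        echo "node.js $cur_node is already installed and will be kept"
    else
        echo "This will update node.js from $cur_node to $new_node"
        cur_major=$(major_of "$cur_node") || cur_major=0
        # Call out a runtime that is older than the supported minimum.
        if [ "$cur_major" -lt "$MIN_NODE_MAJOR" ]; then
            echo "(node.js $cur_node is below the minimum of $MIN_NODE_MAJOR)"
        fi
    fi
    if [ -z "$cur_nr" ]; then
        echo "And install Node-RED $new_nr"
    else
        echo "And Node-RED from $cur_nr to $new_nr"
    fi
}

# Constructed sample versions, for illustration only.
plan_summary "v14.21.3" "v22.12.0" "3.1.0" "4.0.9"
```
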