Hello community,

The analysis environment for Sonar products requires a compatible version of Node.js.
We recommend using the latest LTS version, which is currently Node.js v20.

This announcement concerns you if you use older versions of the runtime in your analysis environment.

TLDR: Please upgrade your analysis environment to the latest Node.js LTS as your analysis might stop working otherwise.

Node.js v14: no longer supported

Node.js v14 has been out of support by the OpenJS Foundation since April 2022.
We had a deprecation warning since September 2022, over a year ago.

Originally, we planned to remove support by April 2023. However, we postponed it due to some users still depending on it.

Now that the usage has dropped, JavaScript, TypeScript, and CSS analysis will stop working with Node.js v14. This will be effective as early as this week in SonarCloud and in the next versions of SonarQube and SonarLint.

Node.js v16: support will stop early next year

Node.js v16 is no longer supported by the OpenJS Foundation since September 2023.
It has been deprecated in our products since August 2023 and we will stop supporting it no earlier than mid-January 2024.

SonarQube 10.4 will be the last version to support Node.js v16.

Explicit analysis failure

In the past, the analysis would not fail in the case of Node.js being misconfigured or being an unsupported version. Only a warning log would be emitted.

We have changed this, the analysis will now fail when not configured correctly.

We realize in the short term this will be an inconvenience for some users. However, in the long term, this will ensure that partially failed analysis and analysis misconfigurations don’t go unnoticed for a long time.

@gab I think this decision on Node.js v16 needs to be reversed. It appears Node 16 support was removed sometime around April 2.

Node.js v18 does not appear to be supported on Amazon Linux 2. See Node.js 18 on Amazon Linux 2 | AWS re:Post
My jenkins servers are currently running on Amazon Linux 2. Amazon Linux 2 is supported through June 2025 right now.
Removing support for node 16 prevents my jobs from being able to run the Sonar scan.

Hi @skipwalker,

I’m sorry to hear that.

I think AWS announced in November 2023 that Node.js 20.x is available in Amazon Linux 2023.

Would this be an option for you?

NOTE: Node.js v16 has not been supported by the OpenJS Foundation since September 2023. This means it is not receiving security patches and using it in production puts you at risk. Keep in mind the version of OpenSSL used by that version of Node.js is also no longer supported, which should be worrisome for any application in production.

@gab We are on Amazon Linux 2 not Amazon Linux 2023. They are not the same. It is non-trivial to switch out the operating system of our Jenkins servers.

Like many others I imagine, we don’t use NodeJS for server runtime, so the OpenSSL issue is not relevant. Our use of NodeJS is entirely browser side, or as part of the SonarCloud scan on our local workstations and jenkins servers.

This has made SonarCloud unusable for us. We will have to cancel our subscription if we can’t use the service.

I don’t understand the decision to remove support from NodeJS 16. We need to be able to evaluate whether the EOL of NodeJS 16 represents an actual risk to us. I don’t need SonarCloud to make that decision for us. You all have taken that possibility out of our hands, and actual made us more unsafe because we can’t run code scans as part of our build and review processes.

hi @skipwalker,

if you can’t move out of Amazon Linux 2, perhaps you could use docker and install any Node needed there?

Sorry for the inconvenience, however in order to provide best possible analysis, we have to update the runtime from time-to-time. We are trying our best to not be disruptive, however we can’t entirely avoid it. Also, we’ve been printing deprecation warning well in advance to allow anyone to prepare.

currently we are seeing (silent) warnings for node-14/sonar
will this eventually cease to run and break pipeline builds?
or continue to warn silently, without producing sonar coverage, until we upgrade node to 16 or 18 ?

hi @getemerson-ri and welcome to the community,

I guess you are using an older SQ version? Node.JS 14 and 16 are no longer supported on the latest versions. On older SQ versions, analysis will continue to work until you decide to upgrade your SQ instance.