Security Upgradable Packages Kept Back

Hello,

In the UI I am seeing libnode-dev and libnode108 listed under Security Upgradable Packages, but when I run `apt update && apt upgrade`, they are kept back.

Is this normal, or something I need to worry about?

Thanks!


Same here! Any solution?

This is due to a Sangoma policy to hold all node packages on a FreePBX 17 installation.

In my view, this is a wrong policy, and I’ve disabled it on my customized FreePBX installation script.

After a standard FreePBX 17 installation, if you execute `apt-mark showhold`, you should see a big list of packages that includes one named `nodejs` and several named `node-*`.

To allow security updates on these packages, you should execute, as root, `apt-mark unhold` on those packages. The following two commands should do this for you:

sudo apt-mark unhold nodejs
apt-mark showhold | grep '^node-' | xargs -r sudo apt-mark unhold

Please be aware that the `freepbx17` & `sangoma-pbx17` packages should not be touched in this process, as these packages are, by design, not upgradable.

Thank you for the info!

Have you encountered any issues in your testing with the latest node packages?

I have not encountered any issues. I apply all the security updates on node packages in my production system, which has been running FreePBX 17 & Asterisk 20 since November 2024.

Debian's strict policy on updates made to a stable release is a guarantee that nothing will break if you apply them. I have used Debian for more than 20 years and have never had an issue with a faulty security update.

Debian can guarantee the OS level. They cannot guarantee any 3rd party application that breaks because you updated a node package to a version they didn’t support.

Debian NEVER makes package updates in its stable repo in a way that breaks the API of some package.

The only way I can see breakage occurring is for a 3rd party application to use some non-standard or undocumented feature of an API.

@penguinpbx @mwhite @kgupta

Can you officially remove the hold from the nodejs package? I have more than fifty PBXes, and it would be nice to have more confidence that I won't have to do longer staged testing and prepare to restore from backups if something goes wrong.

Probably soon, yes. Looking over this forum topic along with other related issues in GitHub, there does not seem to be any objection at this time. Also if you run the shell installer today you’d get the updates, so this looks like more of an artifact/holdover from some earlier development when the underlying libraries may have been more of a moving target.

Related, checking the output of:

apt-cache policy node-* | grep Packages | sort -u

…lists standard repos:

        500 http://deb.debian.org/debian bookworm/main amd64 Packages
        500 http://ftp.debian.org/debian bookworm/main amd64 Packages
        500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages

So, if others can test on their own using the following commands, then it would help guide the decision to modify this line in the shell installer:

sudo apt-mark unhold nodejs
sudo apt-mark unhold 'node-*' ; # quoted so the shell does not expand the pattern; apt matches it
sudo apt-mark showhold ; # should now list only freepbx17 and sangoma-pbx17
sudo apt update
sudo apt upgrade

…then perform your normal QA on your test system(s) before attempting in production. 🙂

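As an added example covering both the two-command unhold posted earlier in the thread and the test sequence in the post above (this is not code from the thread, from Sangoma or from the FreePBX project): a small bash script that computes which held packages to unhold from `apt-mark showhold` output, keeping `freepbx17` and `sangoma-pbx17` held as the thread requires, shows which repositories the candidate versions come from, and simulates the upgrade before anything is changed. It assumes a Debian-based FreePBX 17 host with `apt-mark`, `apt-cache` and `apt-get` available; the protected package names are the ones named in the thread, and the sample hold listing is constructed so the selection logic can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Sangoma/FreePBX.
# Selects the node packages (nodejs, node-*) to unhold on a FreePBX 17 box
# while never touching freepbx17 / sangoma-pbx17. The selection is pure text
# processing over `apt-mark showhold` output, so it can be tested offline on a
# constructed listing; the live path only runs when --dry-run or --apply is passed.
set -euo pipefail

KEEP_HELD='^(freepbx17|sangoma-pbx17)$'   # must stay held (per the thread)
NODE_PKGS='^(nodejs$|node-)'              # safe to unhold (per the thread)

# select_unhold: read one package name per line on stdin, print the node
# packages minus the protected ones, sorted. Returns 0 even when nothing matches.
select_unhold() {
    LC_ALL=C grep -E "$NODE_PKGS" | grep -Ev "$KEEP_HELD" | LC_ALL=C sort -u || true
}

# Constructed sample standing in for `apt-mark showhold` output. libnode108 is
# included deliberately: it is not itself held in the OP's scenario, it is only
# "kept back" because the held nodejs depends on a matching libnode108 version,
# so it is not selected here and simply follows nodejs once that is unheld.
SAMPLE_HELD='sangoma-pbx17
node-acorn
nodejs
node-abbrev
freepbx17
libnode108'

# sample_selection: run the selection over the constructed listing.
sample_selection() {
    printf '%s\n' "$SAMPLE_HELD" | select_unhold
}

# live: ./unhold-node.sh --dry-run  -> show what would be unheld and from where
#       ./unhold-node.sh --apply    -> unhold, then simulate the upgrade
live() {
    local pkgs
    pkgs=$(apt-mark showhold | select_unhold)
    if [ -z "$pkgs" ]; then
        echo "no held node packages found"
        return 0
    fi
    echo "would unhold:"
    printf '  %s\n' $pkgs                  # intentional word splitting
    # Check where the candidate versions come from before trusting the upgrade:
    # on a stock install these should be the Debian bookworm and
    # bookworm-security repositories, as shown in the thread.
    apt-cache policy $pkgs | grep Packages | sort -u || true
    if [ "${1:-}" = "--apply" ]; then
        sudo apt-mark unhold $pkgs
        echo "still held (expect only freepbx17 and sangoma-pbx17):"
        apt-mark showhold
        sudo apt update
        sudo apt-get -s upgrade            # simulate; drop -s once the plan looks right
    fi
}

case "${1:-}" in
    --dry-run|--apply) live "$1" ;;
esac
```

Run it with `--dry-run` on a test system first; the simulated `apt-get -s upgrade` in `--apply` mode prints exactly which packages would change (nodejs plus the libnode packages that were being kept back) without modifying anything, which is the point at which to do the QA the post above asks for.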

We’ve done twelve now with no ill effects.