Long-term support (LTS) for Node.js 12 and 16 ended in 2023, which means the Node.js development team no longer back-ports critical security fixes to these versions. Running with Node 12 or 16 runtimes could expose your extensibility code to security vulnerabilities. Node 18 extensibility runtime is generally available (GA) across our entire suite of extensibility offerings. This includes Actions, Rules, Hooks, Database Scripts, and Custom Social Connections. We strongly encourage everyone to update to Node 18 as soon as possible to adhere to best code security practices.

General considerations

Migrate Rules and Hooks to Actions

If you are using a discontinued extensibility runtime, we recommend taking the review of your Rules and Hooks implementation as an opportunity for migrating them to (Node 18) Actions. Determine which Rules and Hooks you can migrate to Actions by visiting Actions Limitations. To learn more about migrating your Rules and Hooks to Actions, see Migrate to Actions.

Marketplace integrations

Social Connections Integrations

Use the Management API to identify a complete list of social connections that a Node runtime version change may impact. In particular, all potentially impacted social connections, either explicitly created as a custom social connection or initially added through the Marketplace, have the strategy attribute with a value of either oauth1 or oauth2. You can then paginate through all the existing custom social connections in a given tenant using the GET connections endpoint. For example, the following query options returns the names and identifiers of up to 100 custom social connections: 
/api/v2/connections?strategy=oauth1&strategy=oauth2&include_totals=true&fields=name&per_page=100
The does not allow updating the scripts for custom social connections added through the Marketplace. If a script change is required to be compatible with Node 18, you must use the Management API.

Migration tasks

Create new custom Actions

To create a new custom Action with Node 18 through the Auth0 Dashboard:
  1. Navigate to Auth0 Dashboard > Actions > Library.
  2. Select Create Action > Build from scratch.
  3. In the Runtime* field, select Node 18 (Recommended).
  4. Write your custom Actions in Node 18, test, and deploy when ready.

Upgrade existing custom Actions

You can individually upgrade existing custom Actions built on Node 12 or 16 to Node 18 and revert to the previous version using the older runtime. Upgrade Actions to Node 18 by creating and deploying a new version of the existing implementation with any required changes and set to use Node 18 as the runtime.

Choose Node 18 for other extensibility products

The runtime used for the remaining (non-Actions) extensibility offerings is defined globally at the tenant’s advanced settings level. Changing this setting impacts the following functionality at the same time:
  • rules
  • hooks
  • custom database scripts
  • custom social connection scripts
To change the tenant extensibility runtime setting in the Auth0 Dashboard:
  1. Navigate to Dashboard > Settings > Advanced.
  2. Scroll to the Extensibility section.
  3. For Runtime, select Node 18.
Given that this is a global setting that impacts multiple extensibility features simultaneously, we recommend that you perform this step in your development tenant first, complete testing of all applicable extensibility features, and proceed to your production tenant only when you see no issues in development. Specifically for Custom DB scripts you can follow the steps as explained on this page to individually verify a script against a specific runtime version before proceeding to change the global runtime version.

Known breaking changes

Magic npm modules

The Node 12 extensibility runtime supports using specific npm modules without explicitly requiring them in the extensibility code. Starting with Node 16 runtime, we removed support for this type of usage for the following modules:
  • _
  • async
  • Auth0
  • azure_storage
  • bcrypt
  • crypto
  • couchbase
  • cql
  • ip
  • Knex
  • mongo
  • mysql
  • mysql_pool
  • ObjectID
  • pbkdf2
  • pg
  • postgres
  • Pubnub
  • q
  • querystring
  • sqlserver
  • uuid
  • xml2js
  • xmldom
  • xpath
  • xtend
If you still have extensibility running on Node 12, consider the above when updating the code directly to Node 18. Before using a module, you must ensure that it is explicitly required. In the context of Rules, Custom Database Connections, and Custom Social Connections, you must explicitly require a version of the module that is listed as available for Node 18. In Hooks and Actions, you must add the intended target version as an explicit dependency before requiring the module.

Can I Require module versions removed

We removed support for the specified versions of the modules listed below for the Node 18 runtime from Can I Require. This change impacts the extensibility code associated with Rules, Custom Database Connection Scripts, and Custom Social Connection Scripts.
The fetch user profile script for the following custom social connections (Indeed, monday.com, Snapchat, and Tumblr), available through the Marketplace, used version 0.22.0 of the axios module, which is not available in Node 18. If you at use one of these connections, review and update their scripts as necessary through the Management API.
ModuleVersions
@analytics/google-analytics0.4.0
@auth0/hapi13.5.1, 13.6.0
@auth0/rule-utilities0.1.0
@gitbeaker/node17.0.1
@incognia/api1.0.0
@octokit/rest15.8.2
@sentry/node5.6.2, 5.15.5, 6.2.0
acorn1.2.2
airbrake1.0.2
airgram3.1.1
ajv6.10.1
amazon-dax-client1.2.2
amazon-mws-node1.0.3
analytics0.5.1
analytics-node2.0.1, 3.5.0
applicationinsights0.15.8, 0.18.0, 1.5.0, 1.8.8
async1.0.0, 0.9.0, 2.1.2, 2.6.1
auth02.4.0, 2.1.0, 2.0.0, 0.8.2, 2.6.0, 2.7.0, 2.8.0, 2.9.1, 2.13.0, 2.17.0, 2.17.1, 2.19.0, 2.23.0, 2.27.0, 2.27.1, 2.30.0, 2.31.0, 2.32.0, 2.34.2, 2.35.0, 2.36.1, 2.36.2, 2.39.0, 3.0.1
auth0-authz-rules-api4.0.0
auth0-ext-template-renderers0.4.2
auth0-extension-express-tools1.0.2, 1.1.5, 1.1.6, 2.0.0
auth0-extension-hapi-tools1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0
auth0-extension-tools1.0.0, 1.2.1, 1.3.1, 1.3.2, 1.4.0
auth0-magic3.1.0
auth0-oauth2-express0.0.1, 0.0.3, 1.1.5
auth0-source-control-extension-tools3.0.10, 3.0.9, 3.1.4, 3.4.0, 3.5.1, 4.0.3, 4.0.5, 4.0.6, 4.0.7, 4.1.1, 4.1.2, 4.1.3, 4.1.5, 4.1.7, 4.1.9
aws-sdk2.2.30, 2.1.31, 2.1.13, 2.4.13, 2.5.3, 2.197.0, 2.291.0, 2.458.0, 2.593.0
axios0.15.2, 0.18.0, 0.19.2, 0.21.1, 0.21.3, 0.22.0, 0.27.2
azure0.10.6
azure-storage0.4.4, 0.4.1, 0.9.0
babel5.4.7, 5.1.9
bcrypt4.0.0
bluebird2.9.26, 3.4.6
body-parser1.12.4
boom2.7.2
botbuilder0.9.0
bson0.3.2, 4.4.0
cookie-parser1.3.5
datadog-metrics0.8.2, 0.9.0, 0.9.2, 0.9.3
disposable-email-domains1.0.14, 1.0.15, 1.0.56
dockerode2.1.4, 2.0.3
dotenv0.4.0, 2.0.0
easy-pbkdf20.0.2
ejs2.3.1
engine.io-client1.5.1
express4.12.4, 4.14.0, 4.16.3
express-jwt3.1.0, 5.1.0
faunadb2.11.1, 4.1.1
filter-object2.1.0
firebase7.12.0
firebase-admin4.0.4, 5.0.0, 6.0.0, 8.0.0, 8.12.1
form-data0.2.0
getstream3.4.1
gitlab1.7.0
google-auth-library1.0.0
google-libphonenumber2.0.7, 3.2.8, 3.2.10
googleapis2.1.6, 34.0.0
got3.2.0, 9.2.1, 10.7.0, 11.3.0, 11.5.2
hapi13.5.0
hapi-auth-jwt27.0.1
hapi-swagger7.4.0
hoek2.14.0
http-proxy1.11.1
ibm_db2.6.4
ip0.3.2, 0.0.1
ipaddr.js1.0.1
joi6.10.1
jose3.19.0
jsforce1.6.0
jsonwebtoken5.7.0, 5.0.1, 5.0.0, 7.1.9, 8.5.0
jwks-rsa1.0.0, 1.1.1, 1.6.0
ldapjs1.0.0
lodash3.10.1, 3.9.3, 2.4.1, 4.8.2, 4.17.10, 4.17.19
lru-cache2.6.4
mixpanel0.4.0
mkdirp0.5.1
moment2.10.3, 2.11.2
mongodb2.0.48, 2.0.33, 2.0.27, 2.2.11, 3.1.4, 4.1.0, 3.6.10, 3.5.11
mongoose4.1.6
morgan1.5.3
mysql2.7.0, 2.6.2, 2.0.0-alpha8, 2.15.0
mysql21.5.3
nano6.2.0
neo4j-driver1.7.1
node-fetch2.6.0
node-jose0.9.2
node-rdkafka2.10.1
nodemailer2.5.0
nsp2.4.0
oauth0.9.12
passport-wsfed-saml22.11.4
pg4.5.7, 4.3.0, 4.1.1, 6.1.2, 7.17.1
postmark1.3.1
q1.0.1
qs3.1.0
ramda0.18.0, 0.23.0
range_check0.0.1
raw-body2.1.0
react15.3.2
redis0.12.1
request2.56.0, 2.55.0, 2.27.0, 2.67.0, 2.73.0, 2.75.0, 2.81.0, 2.83.0, 2.88.0
rethinkdb2.1.1, 2.0.0-1, 2.0.0
rollbar0.6.2, 2.12.2
semver4.3.4
sendgrid1.8.0, 3.0.7
sequelize3.1.1
soap0.23.0
socket.io1.3.5
socket.io-client1.3.5
splunk-bunyan-logger0.9.1
ssh20.4.13
stamplay1.0.6, 1.0.5, 1.0.3
stripe3.3.4, 4.14.0, 4.24.0, 7.1.0, 7.4.0, 8.52.0
sumo-logger1.5.5
superagent1.2.0, 3.8.3, 4.1.0
tedious6.6.2, 1.11.0, 0.1.4, 8.3.1, 9.2.1
tough-cookie1.2.0
twilio2.2.1, 3.6.0, 3.57.0
twit1.1.20
uuid2.0.3, 2.0.1, 3.1.0, 3.3.2, 7.0.3, 8.0.0
vso-node-api3.1.1
watson-developer-cloud2.0.1
winston1.0.0, 0.8.1, 3.1.0
xml2js0.4.8, 0.2.8
xmlbuilder2.6.4
xmldom0.1.19, 0.1.13
xpath0.0.5
xtend1.0.3

Secure renegotiation required by default for TLS connections

Node.js 18 requires secure renegotiation (RFC 5746) for TLS connections by default, a consequence of the requirement being introduced in the underlying OpenSSL dependency. If your extensibility code performs external network calls, the target servers must support secure renegotiation, or otherwise, the requests will fail, and you will receive an error similar to: 
Error: write EPROTO C0BAF076:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922:
Given this security-related change, we recommend that you ensure that all target servers are updated to support secure renegotiation. If the servers in question are third-party servers that are not under your control, you can evaluate the possibility of opting into the previous behavior. For example, for the axios library, the following code snippet illustrates how to opt-in to the legacy behavior: 
const axios = require('axios');
const https = require('https');
const crypto = require('crypto');

axios.get(
  'https://[LEGACY_SERVER]', 
  {
    httpsAgent: new https.Agent(
      {
        secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT
      }
    )
  })