DPC: Vulnerability scanner reports Node.js and MongoDB version out of support
Summary: A vulnerability scanner reports that the DPC server is running Node.js or MongoDB versions that are out of support.
Symptoms
The scanner shows that Node.js, installed on DPC, is out of support.
The scanner shows that MongoDB, installed on DPC, is out of support.
Cause
This is the result of a vulnerability scanner being run on the DPC server.
Resolution
Product Management and engineering have provided the following information about this issue.
MongoDB:
"MongoDB 4.2.x will remain at its current version within our architecture. While MongoDB is out of vendor compatibility/compliance, our multilayered security architecture prevents external attacks: MongoDB is not directly accessible from external networks, protected by firewall rules, and only accessible internally through authenticated application layers. This isolation eliminates direct attack vectors, making the system secure despite EOL status. We continue to provide break/fix support and security patching where applicable and possible."
Node.js:
"We acknowledge Node.js 16.x (v16.20.2) reached End-of-Life. However, our deployment architecture eliminates attack surfaces: Node.js is bundled within the application (not system-wide), production serves only prebuilt static files, Node.js runtime is never exposed to network requests, and the npm package manager is absent in production. This means attackers cannot directly target or exploit Node.js vulnerabilities, making the deployment secure despite EOL status."
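One way to check the isolation described in the statements above on the server itself, as an added example that is not part of the original article or the product: it reads `ss -H -ltnp` output and classifies every listening socket owned by `mongod` or `node` as loopback or non-loopback. The process names `mongod` and `node` and the sample `ss` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listening sockets owned by mongod or node.
# Input on stdin: output of `ss -H -ltnp` (run ss as root so the process
# column is populated; lines without process info are skipped).
# Assumption: the database and runtime processes are named mongod and node.

classify_listeners() {
    awk '
    $1 == "LISTEN" && match($NF, /"[^"]+"/) {
        # First quoted string in the users:((...)) column is the process name
        name = substr($NF, RSTART + 1, RLENGTH - 2)
        if (name != "mongod" && name != "node") next
        addr = $4
        sub(/:[0-9]+$/, "", addr)   # drop the :port suffix
        scope = "non-loopback"
        if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
        if (scope == "non-loopback") bad = 1
        printf "%s %s %s\n", name, $4, scope
    }
    END { exit bad + 0 }            # non-zero if any non-loopback listener
    '
}

# Constructed sample input, not captured from a real DPC server.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 127.0.0.1:27017 0.0.0.0:* users:(("mongod",pid=1234,fd=11))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=900,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=700,fd=4))
EOF
}

# Demo on the constructed sample. On a live host, run instead:
#   ss -H -ltnp | classify_listeners
sample_ss_output | classify_listeners
```

A `non-loopback` result does not by itself contradict the statements, since they also rely on firewall rules; it identifies the listeners whose firewall rules need to be reviewed.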