# .nvmrc Specifies Outdated Node.js Version

- ID: nodejs-outdated-nvmrc-version
- Severity: MEDIUM
- CWE: CWE-1104
- Languages: JavaScript
- Frameworks: nodejs

## Description

Detects .nvmrc files specifying outdated or end-of-life (EOL) Node.js versions.

The .nvmrc file is used by Node Version Manager (nvm) to automatically switch to the correct Node.js version for a project. When this file specifies an outdated version, developers may be running insecure or incompatible Node.js versions in their development environments.

Node.js version lifecycle (as of 2025):

- Node 14.x: EOL April 2023
- Node 16.x: EOL September 2023
- Node 18.x: EOL April 2025
- Node 20.x: Maintenance LTS (until April 2026)
- Node 22.x: Active LTS (until April 2027)
- Node 23.x: Current (non-LTS)

This causes:

- Security vulnerabilities from missing patches
- Inconsistent behavior between development and production
- Compatibility issues with modern npm packages

NOTE: This rule uses static version patterns. Review and update when new even-numbered LTS versions are released (typically October each year). Next update needed: October 2025 for Node.js 24 LTS.

## Detection Message

.nvmrc specifies {issue_type}

## Remediation

Update .nvmrc to a supported Node.js LTS version (20.x or 22.x).

## Related Rules

- **Docker Base Image Security** [MEDIUM]
- **Use npm ci for Reproducible Builds** [LOW]
- **Dockerfile Uses Outdated Node.js Version** [MEDIUM]
- **Node.js Version Mismatch Between Configuration Files** [MEDIUM]
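
The check described under Description, written out as an added example (it is not this rule's own implementation): it classifies the contents of a .nvmrc against the lifecycle list on this page. The function name, the status labels, the `lts/<codename>` map and the `#` comment handling are assumptions of this example, and it goes beyond the listed versions by treating unlisted older majors as EOL.

```javascript
// Lifecycle table copied from the list on this page (as of 2025).
// Like the rule, it is static and has to be updated when new releases ship.
const LIFECYCLE = new Map([
  [14, 'eol'], [16, 'eol'], [18, 'eol'],
  [20, 'maintenance-lts'], [22, 'active-lts'], [23, 'current'],
]);
const NEWEST_LISTED = 23;

// LTS codenames that nvm accepts as lts/<name>, mapped to their major version.
const LTS_CODENAMES = new Map([
  ['fermium', 14], ['gallium', 16], ['hydrogen', 18], ['iron', 20], ['jod', 22],
]);

// Aliases that do not pin a major version at all.
const FLOATING = ['lts/*', 'node', 'stable'];

function classifyNvmrc(content) {
  // First non-empty line wins; text after '#' is dropped (assumed comment syntax).
  const spec = content.split(/\r?\n/)
    .map((line) => line.replace(/#.*$/, '').trim().toLowerCase())
    .find((line) => line.length > 0);
  if (!spec) return { spec: null, major: null, status: 'empty' };
  if (FLOATING.includes(spec)) return { spec, major: null, status: 'floating' };

  // Accepts 18, 18.17, 18.17.0 and the same with a leading "v".
  const numeric = /^v?(\d+)(?:\.\d+){0,2}$/.exec(spec);
  const alias = /^lts\/([a-z]+)$/.exec(spec);
  let major = null;
  if (numeric) major = Number(numeric[1]);
  else if (alias && LTS_CODENAMES.has(alias[1])) major = LTS_CODENAMES.get(alias[1]);
  if (major === null) return { spec, major, status: 'unknown' };

  if (LIFECYCLE.has(major)) return { spec, major, status: LIFECYCLE.get(major) };
  // Not in the table: older lines (pre-14 and odd-numbered 15-21) are already
  // past end-of-life; newer ones are unknown until the table is updated.
  return { spec, major, status: major < NEWEST_LISTED ? 'eol' : 'unknown' };
}

// Constructed sample inputs, not taken from any real project.
const samples = ['v16.20.2\n', 'lts/hydrogen', '20', '# pinned\n22.11.0 # ci', 'lts/*'];
for (const sample of samples) {
  const result = classifyNvmrc(sample);
  const flag = result.status === 'eol' ? 'FLAG' : 'ok  ';
  console.log(`${flag} ${JSON.stringify(sample)} -> ${result.status}`);
}
```

A `floating` result is not flagged here, but it means the Node.js version depends on what each developer has installed, which is worth reviewing alongside an `eol` finding.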