openssl non-critical updates have been announced as coming May 28th

[sam-github]

See: https://mta.openssl.org/pipermail/openssl-users/2019-May/010518.html

No CVEs are addressed. These are not security updates, so don't need to be handled as a security release.

• 6.x: EOL, doesn't need updating
• 11.x: EOL 4 days after expected release date, doesn't need updating
• 8.x: will need update to 1.0.2s
• 10.x, 12.x, and master: will need update to 1.1.1c

@nodejs/security @nodejs/security-release

[mhdawson]

Do we think we can just roll them into the next planned release for each of the lines?

[richardlau]

May 28th is the current revised date for 10.16.0. As it's non-critical I'd suggest releasing in the next planned 10.x release in mid-June.

[mhdawson]

Do we think we can just roll them into the next planned release for each of the lines?

[sam-github]

@mhdawson Yes, I think we can.

I opened this as a heads up, I'll have to open PRs directly onto the staging branches, since openssl updates don't merge backwards well.

Also, if someone wants an 11.x update, this would be the place to make the case for it.

[sam-github]

nodejs/node#29445 is coming, this doesn't have to stay open.