PSA: using node.script in Max 8.5 and Live 11 should be avoided, especially for networked applications

Jeff Griffiths

As discussed in another post, Max 8.5 (the version embedded into Ableton Live 11) bundles nodejs 16.6, which has been unsupported and has not had any security updates since September 2023. If you intend to build applications in m4l that use node.script, you should be aware of two key issues that affect your ability to support Ableton Live 11 going forward:

1/ node ships with openssl, and version 1.1.1 of openssl, which ships with node 16.6, has been unsupported since Sept 2023. At the time I assume Max 8.6 development was the focus of the team, so they decided not to update the embedded version of node in Max 8.5. If you use node inside Ableton for networked applications, your applications have known security vulnerabilities.

2/ When nodejs 16.6 was deprecated in Sept 2023, the npm ecosystem moved quickly to drop support for this version, quickly rendering many useful packages incompatible with Live 11. You will quite often get errors like this:

npm ERR! code EBADENGINE
npm ERR! engine Unsupported engine
npm ERR! engine Not compatible with your version of node/npm: @sveltejs/kit@2.5.17
npm ERR! notsup Not compatible with your version of node/npm: @sveltejs/kit@2.5.17
npm ERR! notsup Required: {"node":">=18.13"}
npm ERR! notsup Actual:   {"npm":"7.20.3","node":"v16.6.2"}

I contacted Cycling '74 support directly and they clarified that they have no plans to update the node version in Max 8.5. They suggested I upgrade to Live 12 to benefit from Max 8.6 and node 20, which I will probably do, because my project is focused on directly embedding web servers and apps inside Max for Live. If you are working on similar projects, you should probably only support Max 8.6 going forward. This also means dropping support for Ableton Live 11 users, which I had hoped to avoid.

I am concerned that c74 didn't move to update Max 8.5 in Sept 2023 though - at the time Max 8.5 and Live 11 did not have newer versions available and they continued to ship and sell Max and Live with a deprecated version of node with known security issues. They were notified immediately of the issue but waited instead for the release of Live 12 and Max 8.6. Nodejs 20 will continue to be supported until 2026, fyi.

Some links:
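
Added example, not part of the original post and not Cycling '74 code: a startup guard that a node.script entry file could run before opening any listener, so a device loaded in Live 11 (node 16.6, OpenSSL 1.1.1) declines to serve instead of exposing the unsupported runtime. The function names and the two floor values are assumptions; the node floor is copied from the `>=18.13` requirement in the npm error above.

```javascript
// Added example: runtime guard for a node.script entry file (hypothetical names).
// Floors are assumptions taken from the post: the npm error requires
// node >=18.13, and OpenSSL 1.1.1 is the branch the post calls unsupported.
const MIN_NODE = '18.13';
const UNSUPPORTED_OPENSSL = ['1.1.1'];

// "v16.6.2" -> [16, 6, 2]; missing parts count as 0.
function parseVersion(v) {
  const parts = String(v).replace(/^v/, '').split('.');
  return [0, 1, 2].map((i) => parseInt(parts[i], 10) || 0);
}

// True when version a >= version b, compared numerically part by part
// (so 18.9 is correctly treated as older than 18.13).
function atLeast(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] > y[i];
  }
  return true;
}

// `versions` has the shape of process.versions ({ node, openssl, ... }).
function auditRuntime(versions) {
  const problems = [];
  if (!atLeast(versions.node, MIN_NODE)) {
    problems.push(`node ${versions.node} is below ${MIN_NODE}`);
  }
  const ssl = versions.openssl || '';
  if (UNSUPPORTED_OPENSSL.some((branch) => ssl.startsWith(branch))) {
    problems.push(`openssl ${ssl} is on an unsupported branch`);
  }
  return { ok: problems.length === 0, problems };
}

// Runs startServer only on a supported runtime; otherwise logs why and returns false.
function startIfSupported(startServer, versions = process.versions) {
  const report = auditRuntime(versions);
  if (!report.ok) {
    console.error('Refusing to start network services:', report.problems.join('; '));
    return false;
  }
  startServer();
  return true;
}
```
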