[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16389781#comment-16389781 ]

Philip Frank commented on THRIFT-4509:
--------------------------------------

I had a look at the listed problems:

The old (4.2.6) version of nodejs in the Ubuntu repos is usually mitigated by installing from third-party package sources: [https://nodejs.org/en/download/package-manager/]
This already happens in the Ubuntu Docker builds; my suggestion is to change the Travis builds to do the same.

One can identify what causes a certain npm package to be installed by running "npm ls package-name".

*For dependencies of the nodejs package (in package.json):*

The outdated "minimatch" and "node-uuid" packages are dependencies of "run-browser"; from what I can tell it is only used in a [disabled|https://github.com/apache/thrift/blob/b4f22ff30119ea5cadf9b16e97afdcabefe06696/lib/nodejs/test/testAll.sh#L100] test for the nodejs library.

"tough-cookie" is a dependency of "phantomjs-prebuilt", which is up to date in version 2.1.16. Reading the security advisory, I don't think there is a vulnerability for Thrift users or developers in our case.

*For dependencies of the js lib test runner (in lib/js/package.json):*

"grunt-external-daemon" (and "grunt-shell") could probably be replaced with "grunt-shell-spawn", which is also a bit dated but claims to work with recent versions of grunt.

Outdated "grunt" again depends on an outdated "minimatch".

I will see which of those can be resolved quickly and create pull requests.

> js and nodejs libraries need to be refreshed with current libraries
> -------------------------------------------------------------------
>
>                 Key: THRIFT-4509
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4509
>             Project: Thrift
>          Issue Type: Improvement
>          Components: JavaScript - Library, Node.js - Library
>    Affects Versions: 0.11.0
>            Reporter: James E. King, III
>            Priority: Critical
>              Labels: security
>
> The npm libraries that our js and nodejs depend on are starting to go end of life.
> As it stands the build is just barely holding together, and as of 5 hours ago the "ws" package dropped support for node < 4.5.0; Ubuntu Xenial 16.04 LTS uses node v4.2.6.
> There are other issues:
> {noformat}
> Running "shell:InstallThriftNodeJSDep" (shell) task
> WARN engine hawk@6.0.2: wanted: {"node":">=4.5.0"} (current: {"node":"4.2.6","npm":"3.5.2"})
> npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@0.4.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
> npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
> {noformat}
> Some of these are security issues.
> In addition the js module depends on https://www.npmjs.com/package/grunt-external-daemon which requires grunt 0.4.0, which is really old and may contribute to requiring older versions of things that are posting deprecations.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
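As an added example (not code from the Thrift project or from the commenter), the script below does offline what "npm ls package-name" does against a live install: it walks an `npm ls --json`-style tree and reports every chain of dependents that pulls in a given package, optionally only copies below a minimum version such as the minimatch 3.0.2 floor named in the deprecation warnings. The tree is constructed by hand from the package names in this issue; the run-browser, glob and request versions are assumed, not taken from the page.

```javascript
// Hand-constructed tree in the shape of `npm ls --json`; the run-browser,
// glob and request versions are assumed, the others are from THRIFT-4509.
const constructedTree = {
  name: "thrift",
  version: "0.11.0",
  dependencies: {
    "run-browser": {
      version: "2.0.2",
      dependencies: {
        glob: { version: "3.2.11", dependencies: { minimatch: { version: "0.3.0" } } },
        "node-uuid": { version: "1.4.8" },
      },
    },
    "phantomjs-prebuilt": {
      version: "2.1.16",
      dependencies: {
        request: { version: "2.81.0", dependencies: { "tough-cookie": { version: "2.2.2" } } },
      },
    },
    minimatch: { version: "3.0.4" },
  },
};

// Compare dotted numeric versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return one "root > dependent > ... > target@version" string per copy of `target`
// whose version is below `minVersion` (every copy when no minimum is given).
function findDependents(tree, target, minVersion) {
  const hits = [];
  (function walk(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const chain = path.concat(`${name}@${dep.version}`);
      const tooOld = !minVersion || compareVersions(dep.version, minVersion) < 0;
      if (name === target && tooOld) hits.push(chain.join(" > "));
      walk(dep, chain); // keep descending: the same package can be nested again
    }
  })(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

console.log(findDependents(constructedTree, "minimatch", "3.0.2"));
```

The chains point at the top-level dependency to replace or remove (here run-browser), which is more actionable than the bare package name in the npm warning.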