Am going through the manual installation and implementation of the Ignite Web Console. This is Part 1 of a series of notes that I’m making….
Throughout this set of items (questions and notes), I’m referencing the “Build and Deploy” document (BDD): https://apacheignite-tools.readme.io/docs/build-and-deploy

===== Items =====

Item 1: In the prerequisites section of BDD, we are instructed to run npm from $IGNITE_HOME. Is this the ignite home of the exploded source tree, or the ignite home of the unzipped/extracted binary (released) instances (for example, I downloaded a binary and unzipped it/exploded the tar/gz)? Currently, I’m running npm from the exploded source tree and NOT my exploded binary – which is what my env variable $IGNITE_HOME points to.

Item 2: The machine that I need to deploy the web console into is sitting behind a very grandiose firewall/av setup. Using GIT/Maven/NPM to pull in dependencies for a build on that machine is not supportable. I am able to build somewhere else …. Want to package the outcome and deploy it to the super secure machine. Maybe create a docker container…. Is there a docker container with web console already configured? If not, and if I’m allowed, how do I contribute a docker container of this setup? I think I can sell to my management that more eyeballs on a crafted docker container – generic without any of our proprietary work – would be good overall. We would all benefit.

Item 3: While running the npm installer for the backend (prerequisites of BDD), I noticed desupport notices from:
* Mockgoose
* Simple-bufferstream
* Babel
* Minimatch
* Circular-json
* Cryptiles
* Boom
* Hoek
I will include the npm output below as Detail 1 -> 3 (notation: 1 refers to the first detail – 1, and 3 refers to this item of concern)

Item 4: Npm audit revealed a couple of critical warnings (among others). So that I can address my security team accurately (considering this IS an open source project): are the sources of the warnings (listed in Detail 2 -> 4) on an immediate roadmap to be corrected in the next release of Ignite? Can I fix in my install by running “npm audit fix”? I’m not a nodejs guy, so I don’t know if the “fix” could be backported to the source and then given back to ignite community. I will run npm fix, just don’t know if I can give outcome back.

Item 5: Ran the audit fix for backend of BDD. See 3 -> 5 for the outcome on the screen.

Item 6: While running the npm installer for the frontend (prerequisites of BDD), I noticed desupport and problem notices from:
* samsam
* text-encoding
* circular-json
* browserslist
* node-uuid
* hoek
* cryptiles
* boom
* socks
* mailcomposer
* buildmail
* uws
I will include the npm output below as Detail 4 -> 6

Item 7: Again - Npm audit revealed a couple of critical warnings (among others). So that I can address my security team accurately (considering this IS an open source project): are the sources of the warnings (listed in Detail 5 -> 7) on an immediate roadmap to be corrected in the next release of Ignite? Can I fix in my install by running “npm audit fix”? I’m not a nodejs guy, so I don’t know if the “fix” could be backported to the source and then given back to ignite community. I will run npm fix, just don’t know if I can give outcome back.

Item 8: Ran the audit fix for backend of BDD. See 6 -> 8 for the outcome on the screen.

======= Details =======

Detail 1-> 3

c:\cygwin64\home\scote\ignite\modules\web-console\backend>npm install --no-optional
npm WARN deprecated mockgoose@6.0.8: Mockgoose is no longer actively maintained, consider using mongodb-memory-server
npm WARN deprecated scmp@1.0.2: scmp v2 uses improved core crypto comparison since Node v6.6.0
npm WARN deprecated simple-bufferstream@1.0.0: no longer maintained
npm WARN deprecated babel-preset-latest@6.24.1: We're super 😸 excited that you're trying to use ES2017+ syntax, but instead of making more yearly presets 😭 , Babel now has a better preset that we recommend you use instead: npm install babel-preset-env --save-dev. preset-env without options will compile ES2015+ down to ES5 just like using all the presets together and thus is more future proof. It also allows you to target specific browsers so that Babel can do less work and you can ship native ES2015+ to user 😎 ! We are also in the process of releasing v7, so please give http://babeljs.io/blog/2017/09/12/planning-for-7.0 a read and help test it out in beta! Thanks so much for using Babel 🙏, please give us a follow on Twitter @babeljs for news on Babel, join slack.babeljs.io for discussion/development and help support the project at opencollective.com/babel
npm WARN deprecated babel-preset-es2017@6.24.1: 🙌 Thanks for using Babel: we recommend using babel-preset-env now: please read babeljs.io/env to update!
npm WARN deprecated babel-preset-es2016@6.24.1: 🙌 Thanks for using Babel: we recommend using babel-preset-env now: please read babeljs.io/env to update!
npm WARN deprecated babel-preset-es2015@6.24.1: 🙌 Thanks for using Babel: we recommend using babel-preset-env now: please read babeljs.io/env to update!
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated cryptiles@2.0.5: This version is no longer maintained. Please upgrade to the latest version.
npm WARN deprecated boom@2.10.1: This version is no longer maintained. Please upgrade to the latest version.
npm WARN deprecated hoek@2.16.3: This version is no longer maintained. Please upgrade to the latest version.
> spawn-sync@1.0.15 postinstall
> c:\cygwin64\home\scote\ignite\modules\web-console\backend\node_modules\spawn-sync
> node postinstall
> mongodb-prebuilt@5.0.8 postinstall
> c:\cygwin64\home\scote\ignite\modules\web-console\backend\node_modules\mockgoose\node_modules\mongodb-prebuilt
> node install.js
done inside extract, run complete 145.1mb)
Done installing MongoDB
npm notice created a lockfile as package-lock.json. You should commit this file.
added 886 packages from 765 contributors and audited 5716 packages in 45.958s
found 39 vulnerabilities (24 low, 7 moderate, 6 high, 2 critical)
run `npm audit fix` to fix them, or `npm audit` for details

Detail 2 -> 4

c:\cygwin64\home\scote\ignite\modules\web-console\backend>npm audit

=== npm audit security report ===

# Run npm install express@4.16.4 to resolve 8 vulnerabilities

Low Regular Expression Denial of Service
Package debug
Dependency of express
Path express > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of express
Path express > send > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of express
Path express > serve-static > send > debug
More info https://nodesecurity.io/advisories/534

High Regular Expression Denial of Service
Package fresh
Dependency of express
Path express > fresh
More info https://nodesecurity.io/advisories/526

High Regular Expression Denial of Service
Package fresh
Dependency of express
Path express > send > fresh
More info https://nodesecurity.io/advisories/526

High Regular Expression Denial of Service
Package fresh
Dependency of express
Path express > serve-static > send > fresh
More info https://nodesecurity.io/advisories/526

Moderate Regular Expression Denial of Service
Package mime
Dependency of express
Path express > send > mime
More info https://nodesecurity.io/advisories/535

Moderate Regular Expression Denial of Service
Package mime
Dependency of express
Path express > serve-static > send > mime
More info https://nodesecurity.io/advisories/535

# Run npm install pkg@4.3.7 to resolve 4 vulnerabilities

Moderate Prototype pollution
Package hoek
Dependency of pkg
Path pkg > pkg-fetch > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution
Package hoek
Dependency of pkg
Path pkg > pkg-fetch > request > hawk > cryptiles > boom > hoek
More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution
Package hoek
Dependency of pkg
Path pkg > pkg-fetch > request > hawk > hoek
More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution
Package hoek
Dependency of pkg
Path pkg > pkg-fetch > request > hawk > sntp > hoek
More info https://nodesecurity.io/advisories/566

# Run npm install --save-dev mockgoose@8.0.1 to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

Low Regular Expression Denial of Service
Package debug
Dependency of mockgoose [dev]
Path mockgoose > debug
More info https://nodesecurity.io/advisories/534

High Denial of Service
Package https-proxy-agent
Dependency of mockgoose [dev]
Path mockgoose > mongodb-prebuilt > https-proxy-agent
More info https://nodesecurity.io/advisories/593

Low Regular Expression Denial of Service
Package debug
Dependency of mockgoose
Path mockgoose > mongodb-prebuilt > https-proxy-agent > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of mockgoose
Path mockgoose > portfinder > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of mockgoose [dev]
Path mockgoose > mongodb-prebuilt > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of mockgoose [dev]
Path mockgoose > mongodb-prebuilt > mongodb-download > debug
More info https://nodesecurity.io/advisories/534

# Run npm install --save-dev mocha@5.2.0 to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

Low Regular Expression Denial of Service
Package debug
Dependency of mocha [dev]
Path mocha > debug
More info https://nodesecurity.io/advisories/534

Critical Command Injection
Package growl
Dependency of mocha [dev]
Path mocha > growl
More info https://nodesecurity.io/advisories/146

# Run npm install morgan@1.9.1 to resolve 2 vulnerabilities

Low Regular Expression Denial of Service
Package debug
Dependency of morgan
Path morgan > debug
More info https://nodesecurity.io/advisories/534

Moderate Code Injection
Package morgan
Dependency of morgan
Path morgan
More info https://nodesecurity.io/advisories/736

# Run npm install mongodb-prebuilt@6.4.0 to resolve 2 vulnerabilities

Low Regular Expression Denial of Service
Package debug
Dependency of mongodb-prebuilt
Path mongodb-prebuilt > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of mongodb-prebuilt
Path mongodb-prebuilt > mongodb-download > debug
More info https://nodesecurity.io/advisories/534

# Run npm install body-parser@1.18.3 to resolve 1 vulnerability

Low Regular Expression Denial of Service
Package debug
Dependency of body-parser
Path body-parser > debug
More info https://nodesecurity.io/advisories/534

# Run npm install express-session@1.15.6 to resolve 1 vulnerability

Low Regular Expression Denial of Service
Package debug
Dependency of express-session
Path express-session > debug
More info https://nodesecurity.io/advisories/534

# Run npm install mongoose@5.4.5 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

Low Regular Expression Denial of Service
Package debug
Dependency of mongoose
Path mongoose > mquery > debug
More info https://nodesecurity.io/advisories/534

# Run npm update debug --depth 9 to resolve 6 vulnerabilities

Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp > micromatch > braces > snapdragon > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp > micromatch > extglob > expand-brackets > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp > micromatch > extglob > expand-brackets > snapdragon > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp > micromatch > extglob > snapdragon > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp > micromatch > nanomatch > snapdragon > debug
More info https://nodesecurity.io/advisories/534

Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > readdirp > micromatch > snapdragon > debug
More info https://nodesecurity.io/advisories/534

# Run npm update mocha --depth 2 to resolve 2 vulnerabilities

Low Regular Expression Denial of Service
Package debug
Dependency of mocha-teamcity-reporter [dev]
Path mocha-teamcity-reporter > mocha > debug
More info https://nodesecurity.io/advisories/534

Critical Command Injection
Package growl
Dependency of mocha-teamcity-reporter [dev]
Path mocha-teamcity-reporter > mocha > growl
More info https://nodesecurity.io/advisories/146

# Run npm update mongoose --depth 2 to resolve 1 vulnerability

Low Regular Expression Denial of Service
Package debug
Dependency of migrate-mongoose
Path migrate-mongoose > mongoose > mquery > debug
More info https://nodesecurity.io/advisories/534

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

High Regular Expression Denial of Service
Package minimatch
Patched in >=3.0.2
Dependency of fire-up
Path fire-up > simple-glob > glob > minimatch
More info https://nodesecurity.io/advisories/118

High Regular Expression Denial of Service
Package minimatch
Patched in >=3.0.2
Dependency of fire-up
Path fire-up > simple-glob > minimatch
More info https://nodesecurity.io/advisories/118

Low Prototype Pollution
Package lodash
Patched in >=4.17.5
Dependency of fire-up
Path fire-up > simple-glob > lodash
More info https://nodesecurity.io/advisories/577

found 39 vulnerabilities (24 low, 7 moderate, 6 high, 2 critical) in 5716 scanned packages
run `npm audit fix` to fix 27 of them.
9 vulnerabilities require semver-major dependency updates.
3 vulnerabilities require manual review. See the full report for details.

Detail 3 -> 5

c:\cygwin64\home\scote\ignite\modules\web-console\backend>npm audit fix
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.7 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.7: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
+ morgan@1.9.1
+ body-parser@1.18.3
+ mongodb-prebuilt@6.4.0
+ pkg@4.3.7
+ express@4.16.4
+ express-session@1.15.6
added 107 packages from 521 contributors, removed 61 packages, updated 42 packages and moved 2 packages in 18.742s
fixed 27 of 39 vulnerabilities in 5716 scanned packages
3 vulnerabilities required manual review and could not be updated
3 package updates for 9 vulns involved breaking changes
(use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

Detail 4 -> 6

c:\cygwin64\home\scote\ignite\modules\web-console\frontend>npm install --no-optional
npm WARN deprecated samsam@1.3.0: This package has been deprecated in favour of @sinonjs/samsam
npm WARN deprecated text-encoding@0.6.4: no longer maintained
npm WARN deprecated formatio@1.2.0: This package is unmaintained. Use @sinonjs/formatio instead
npm WARN deprecated circular-json@0.5.9: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated nodemailer@2.7.2: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated hoek@2.16.3: This version is no longer maintained. Please upgrade to the latest version.
npm WARN deprecated cryptiles@2.0.5: This version is no longer maintained. Please upgrade to the latest version.
npm WARN deprecated boom@2.10.1: This version is no longer maintained. Please upgrade to the latest version.
npm WARN deprecated socks@1.1.9: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated mailcomposer@4.0.1: This project is unmaintained
npm WARN deprecated buildmail@4.0.1: This project is unmaintained
npm WARN deprecated uws@9.14.0: stop using this version
> uws@9.14.0 install
> c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\uws
> node-gyp rebuild > build_log.txt 2>&1 || exit 0
> @uirouter/visualizer@4.0.2 install
> c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\@uirouter\visualizer
> node ./migrate/migratewarn.js
> node-sass@4.10.0 install
> c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\node-sass
> node scripts/install.js
Downloading binary from https://github.com/sass/node-sass/releases/download/v4.10.0/win32-x64-67_binding.node
Download complete .] - :
Binary saved to c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\node-sass\vendor\win32-x64-67\binding.node
Caching binary to C:\Users\scote\AppData\Roaming\npm-cache\node-sass\4.10.0\win32-x64-67_binding.node
> node-sass@4.10.0 postinstall
> c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\node-sass
> node scripts/build.js
Binary found at c:\cygwin64\home\scote\ignite\modules\web-console\frontend\node_modules\node-sass\vendor\win32-x64-67\binding.node
Testing binary
Binary is fine
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN acorn-dynamic-import@4.0.0 requires a peer of acorn@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.7 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.7: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 1726 packages from 1909 contributors and audited 18424 packages in 58.495s
found 11 vulnerabilities (3 low, 5 moderate, 1 high, 2 critical)
run `npm audit fix` to fix them, or `npm audit` for details

Detail 5 -> 7

c:\cygwin64\home\scote\ignite\modules\web-console\frontend>npm audit

=== npm audit security report ===

# Run npm install --save-dev mocha@5.2.0 to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

Low Regular Expression Denial of Service
Package debug
Dependency of mocha [dev]
Path mocha > debug
More info https://nodesecurity.io/advisories/534

Critical Command Injection
Package growl
Dependency of mocha [dev]
Path mocha > growl
More info https://nodesecurity.io/advisories/146

# Run npm install --save-dev karma@3.1.4 to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

Moderate Memory Exposure
Package tunnel-agent
Dependency of karma [dev]
Path karma > log4js > loggly > request > tunnel-agent
More info https://nodesecurity.io/advisories/598

Moderate Prototype pollution
Package hoek
Dependency of karma [dev]
Path karma > log4js > loggly > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution
Package hoek
Dependency of karma [dev]
Path karma > log4js > loggly > request > hawk > cryptiles > boom > hoek
More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution
Package hoek
Dependency of karma [dev]
Path karma > log4js > loggly > request > hawk > hoek
More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution
Package hoek
Dependency of karma [dev]
Path karma > log4js > loggly > request > hawk > sntp > hoek
More info https://nodesecurity.io/advisories/566

Low Regular Expression Denial of Service
Package timespan
Dependency of karma [dev]
Path karma > log4js > loggly > timespan
More info https://nodesecurity.io/advisories/533

# Run npm install --save-dev webpack-dev-server@3.1.14 to resolve 1 vulnerability

High Missing Origin Validation
Package webpack-dev-server
Dependency of webpack-dev-server [dev]
Path webpack-dev-server
More info https://nodesecurity.io/advisories/725

# Run npm update mocha --depth 2 to resolve 2 vulnerabilities

Low Regular Expression Denial of Service
Package debug
Dependency of mocha-teamcity-reporter [dev]
Path mocha-teamcity-reporter > mocha > debug
More info https://nodesecurity.io/advisories/534

Critical Command Injection
Package growl
Dependency of mocha-teamcity-reporter [dev]
Path mocha-teamcity-reporter > mocha > growl
More info https://nodesecurity.io/advisories/146

found 11 vulnerabilities (3 low, 5 moderate, 1 high, 2 critical) in 18424 scanned packages
run `npm audit fix` to fix 3 of them.
8 vulnerabilities require semver-major dependency updates.

Detail 6 -> 4

c:\cygwin64\home\scote\ignite\modules\web-console\frontend>npm audit fix
npm WARN acorn-dynamic-import@4.0.0 requires a peer of acorn@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.7 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.7: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
+ webpack-dev-server@3.1.14
added 8 packages from 433 contributors, removed 18 packages, updated 10 packages and moved 1 package in 13.165s
fixed 3 of 11 vulnerabilities in 18424 scanned packages
2 package updates for 8 vulns involved breaking changes
(use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

Detail 7 ->
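
Added example, not part of the original post and not Ignite project code: a small JavaScript parser for `npm audit` text findings in the field layout pasted above, which splits severity counts by whether npm marked the dependency chain `[dev]` and lists the "Patched in" rows that appear under Manual Review. The sample rows are copied from the reports in this post; the names `parseFindings`, `triage`, `FINDING` and `SAMPLE` are assumptions of this example.

```javascript
// Added example: triage of `npm audit` text findings (npm 6 field labels as
// they appear in this post: Package / Patched in / Dependency of / Path / More info).
const FINDING = new RegExp([
  String.raw`\b(Low|Moderate|High|Critical) (.+?) Package (\S+)`,
  String.raw`(?: Patched in (\S+))? Dependency of (\S+)( \[dev\])?`,
  String.raw` Path (.+?) More info (\S+)`,
].join(''), 'g');

// Sample input: five findings copied from the backend and frontend reports above.
const SAMPLE = `
Critical Command Injection Package growl Dependency of mocha [dev]
Path mocha > growl More info https://nodesecurity.io/advisories/146
High Regular Expression Denial of Service Package fresh Dependency of express
Path express > send > fresh More info https://nodesecurity.io/advisories/526
High Regular Expression Denial of Service Package minimatch Patched in >=3.0.2
Dependency of fire-up Path fire-up > simple-glob > minimatch
More info https://nodesecurity.io/advisories/118
Moderate Code Injection Package morgan Dependency of morgan Path morgan
More info https://nodesecurity.io/advisories/736
Critical Command Injection Package growl Dependency of mocha-teamcity-reporter [dev]
Path mocha-teamcity-reporter > mocha > growl
More info https://nodesecurity.io/advisories/146
`;

function parseFindings(reportText) {
  // Collapse whitespace so flattened pastes and one-field-per-line pastes both parse.
  const flat = reportText.replace(/\s+/g, ' ').trim();
  return Array.from(flat.matchAll(FINDING), (m) => ({
    severity: m[1].toLowerCase(),
    title: m[2],
    pkg: m[3],
    patchedIn: m[4] || null,   // only present on Manual Review rows
    root: m[5],                // the direct dependency that pulls the package in
    dev: Boolean(m[6]),        // npm printed "[dev]" after the root dependency
    path: m[7].split(' > '),
    advisory: m[8],
  }));
}

function triage(findings) {
  const blank = () => ({ low: 0, moderate: 0, high: 0, critical: 0 });
  // "dev" chains are skipped by `npm install --production` but still run on
  // build and test hosts, so they are reported separately, not dropped.
  const counts = { prod: blank(), dev: blank() };
  const manual = new Set();
  for (const f of findings) {
    counts[f.dev ? 'dev' : 'prod'][f.severity] += 1;
    if (f.patchedIn) manual.add(`${f.pkg} ${f.patchedIn} via ${f.root}`);
  }
  return { counts, manual: [...manual].sort() };
}

const summary = triage(parseFindings(SAMPLE));
console.log(JSON.stringify(summary, null, 2));
```

The parser trusts the `[dev]` marker exactly as npm printed it and does not handle the box-drawing table characters of an unflattened terminal capture.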