[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

Wed, 07 Mar 2018 11:54:25 -0800 

    [ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16390101#comment-16390101
 ] 

ASF GitHub Bot commented on THRIFT-4509:
----------------------------------------

GitHub user bananer opened a pull request:

    https://github.com/apache/thrift/pull/1502

    THRIFT-4509: update grunt to 1.0.2

    switch from grunt-external-daemon and grunt-shell to grunt-shell-spawn and 
update grunt to 1.0.2

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bananer/thrift THRIFT-4509-update-grunt

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/thrift/pull/1502.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1502
    
----
commit f4df106c25089a1ba3a39d39a9fd0e620234a74b
Author: Philip Frank <ich@...>
Date:   2018-03-07T19:49:25Z

    THRIFT-4509: switch from grunt-external-daemon and grunt-shell to 
grunt-shell-spawn and update grunt to 1.0.2

----


> js and nodejs libraries need to be refreshed with current libraries
> -------------------------------------------------------------------
>
>                 Key: THRIFT-4509
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4509
>             Project: Thrift
>          Issue Type: Improvement
>          Components: JavaScript - Library, Node.js - Library
>    Affects Versions: 0.11.0
>            Reporter: James E. King, III
>            Priority: Critical
>              Labels: security
>
> The npm libraries that our js and nodejs depend on are starting to go end of 
> life.
> As it stands the build is just barely holding together, and as of 5 hours ago 
> the "ws" package dropped support for node < 4.5.0; Ubuntu Xenial 16.04 LTS 
> uses node v4.2.6.
> There are other issues:
> {noformat}
> Running "shell:InstallThriftNodeJSDep" (shell) task
> WARN engine [email protected]: wanted: {"node":">=4.5.0"} (current: 
> {"node":"4.2.6","npm":"3.5.2"})
> npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or 
> higher to avoid a RegExp DoS issue
> npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or 
> higher to avoid a RegExp DoS issue
> npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or 
> higher to avoid a RegExp DoS issue
> npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or 
> higher to avoid a RegExp DoS issue
> npm WARN deprecated [email protected]: Use uuid module instead
> npm WARN deprecated [email protected]: ReDoS vulnerability parsing 
> Set-Cookie https://nodesecurity.io/advisories/130
> {noformat}
> Some of these are security issues.
> In addition the js module depends on 
> https://www.npmjs.com/package/grunt-external-daemon which requires grunt 
> 0.4.0, which is really old and may contribute to requiring older versions of 
> things that are posting deprecations.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to