[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16395409#comment-16395409 ]
ASF GitHub Bot commented on THRIFT-4509:
----------------------------------------

GitHub user bananer opened a pull request:

    https://github.com/apache/thrift/pull/1506

    THRIFT-4509: grunt update (rebased)

    * switch from grunt-external-daemon and grunt-shell to grunt-shell-spawn
    * update grunt to 1.0.2
    * always use local copy of jquery and qunit
    * commit the package-lock files for npm keep versions stable

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bananer/thrift THRIFT-4509-update-grunt-2

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/thrift/pull/1506.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1506

----
commit c20a670280cdc1e92c3342d21fb548d5595dc851
Author: Philip Frank <ich@...>
Date:   2018-03-07T19:49:25Z

    THRIFT-4509:

    * switch from grunt-external-daemon and grunt-shell to grunt-shell-spawn
    * update grunt to 1.0.2
    * always use local copy of jquery and qunit
    * commit the package-lock files for npm keep versions stable

----

> js and nodejs libraries need to be refreshed with current libraries
> -------------------------------------------------------------------
>
>                 Key: THRIFT-4509
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4509
>             Project: Thrift
>          Issue Type: Improvement
>          Components: JavaScript - Library, Node.js - Library
>    Affects Versions: 0.11.0
>            Reporter: James E. King, III
>            Priority: Critical
>              Labels: security
>
> The npm libraries that our js and nodejs depend on are starting to go end of life.
> As it stands the build is just barely holding together, and as of 5 hours ago the "ws" package dropped support for node < 4.5.0; Ubuntu Xenial 16.04 LTS uses node v4.2.6.
> There are other issues:
> {noformat}
> Running "shell:InstallThriftNodeJSDep" (shell) task
> WARN engine hawk@6.0.2: wanted: {"node":">=4.5.0"} (current: {"node":"4.2.6","npm":"3.5.2"})
> npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@0.4.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
> npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
> {noformat}
> Some of these are security issues.
> In addition the js module depends on https://www.npmjs.com/package/grunt-external-daemon which requires grunt 0.4.0, which is really old and may contribute to requiring older versions of things that are posting deprecations.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)