[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16397132#comment-16397132
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user bananer commented on the issue:

https://github.com/apache/thrift/pull/1506
  
@jeking3 I think all the problems mentioned in THRIFT-4509 are resolved 
now. With the package-lock being included now, there should also be fewer random 
build failures. The node and js parts of thrift could still use some cleanup 
and modernization, but I will leave that for a separate ticket.


> js and nodejs libraries need to be refreshed with current libraries
> ---
>
> Key: THRIFT-4509
> URL: https://issues.apache.org/jira/browse/THRIFT-4509
> Project: Thrift
> Issue Type: Improvement
> Components: JavaScript - Library, Node.js - Library
> Affects Versions: 0.11.0
> Reporter: James E. King, III
> Priority: Critical
> Labels: security
>
> The npm libraries that our js and nodejs depend on are starting to go end of 
> life.
> As it stands the build is just barely holding together, and as of 5 hours ago 
> the "ws" package dropped support for node < 4.5.0; Ubuntu Xenial 16.04 LTS 
> uses node v4.2.6.
> There are other issues:
> {noformat}
> Running "shell:InstallThriftNodeJSDep" (shell) task
> WARN engine hawk@6.0.2: wanted: {"node":">=4.5.0"} (current: 
> {"node":"4.2.6","npm":"3.5.2"})
> npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or 
> higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or 
> higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@0.4.0: Please update to minimatch 3.0.2 or 
> higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or 
> higher to avoid a RegExp DoS issue
> npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
> npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing 
> Set-Cookie https://nodesecurity.io/advisories/130
> {noformat}
> Some of these are security issues.
> In addition the js module depends on 
> https://www.npmjs.com/package/grunt-external-daemon which requires grunt 
> 0.4.0, which is really old and may contribute to requiring older versions of 
> things that are posting deprecations.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16396996#comment-16396996
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user jeking3 commented on the issue:

https://github.com/apache/thrift/pull/1506
  
With this merged would you say that THRIFT-4509 is now fixed, or is there 
more work to do?




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16396992#comment-16396992
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user asfgit closed the pull request at:

https://github.com/apache/thrift/pull/1506




Re: [jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-12 Thread Yang Yue
unsubscribe

2018-03-13 10:56 GMT+08:00 ASF GitHub Bot (JIRA) :

>
> [ https://issues.apache.org/jira/browse/THRIFT-4509?page=
> com.atlassian.jira.plugin.system.issuetabpanels:comment-
> tabpanel=16396456#comment-16396456 ]
>
> ASF GitHub Bot commented on THRIFT-4509:
> 
>
> Github user jeking3 commented on the issue:
>
> https://github.com/apache/thrift/pull/1506
>
> I see, you need to build Java first?
>
>


[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16396456#comment-16396456
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user jeking3 commented on the issue:

https://github.com/apache/thrift/pull/1506
  
I see, you need to build Java first?




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395415#comment-16395415
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user jeking3 commented on the issue:

https://github.com/apache/thrift/pull/1502
  
In the future you can squash, rebase, and force push to keep the same PR, 
see:
https://thrift.apache.org/docs/HowToContribute




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395411#comment-16395411
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user bananer closed the pull request at:

https://github.com/apache/thrift/pull/1502




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395410#comment-16395410
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user bananer commented on the issue:

https://github.com/apache/thrift/pull/1502
  
Rebased as https://github.com/apache/thrift/pull/1506




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395409#comment-16395409
 ] 

ASF GitHub Bot commented on THRIFT-4509:


GitHub user bananer opened a pull request:

https://github.com/apache/thrift/pull/1506

THRIFT-4509: grunt update (rebased)

* switch from grunt-external-daemon and grunt-shell to grunt-shell-spawn
* update grunt to 1.0.2
* always use local copy of jquery and qunit
* commit the package-lock files for npm keep versions stable

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/bananer/thrift THRIFT-4509-update-grunt-2

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/thrift/pull/1506.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1506


commit c20a670280cdc1e92c3342d21fb548d5595dc851
Author: Philip Frank 
Date:   2018-03-07T19:49:25Z

THRIFT-4509:
* switch from grunt-external-daemon and grunt-shell to grunt-shell-spawn
* update grunt to 1.0.2
* always use local copy of jquery and qunit
* commit the package-lock files for npm keep versions stable






[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395404#comment-16395404
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user jeking3 commented on the issue:

https://github.com/apache/thrift/pull/1502
  
Okay that sounds good; could you squash and rebase on master to prepare for 
a merge?




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395261#comment-16395261
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user bananer commented on the issue:

https://github.com/apache/thrift/pull/1502
  
The package-lock file keeps dependency versions fixed across all 
installations. According to 
[the docs](https://docs.npmjs.com/files/package-lock.json), this does not apply 
when the package is published on npm, where the file should be excluded.

To update the dependency packages for our builds, one now has to run 
`npm update` and commit the changed package-lock.json files. This does not 
impact users of thrift, so I'm not sure if it has to be noted in the Readme or 
somewhere else.


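A check that follows from the package-lock comment above and the npm warnings quoted in the issue description, as an added example (not code from the Thrift project): it walks a parsed `package-lock.json` in the nested `dependencies` layout and reports pinned versions that match those warnings. The `RULES` table, the function names and the sample lockfile with its `example-*` parent packages are assumptions constructed for illustration; the minimatch floor and the tough-cookie and node-uuid entries are taken from the quoted npm output.

```javascript
// Added example: audit a committed package-lock.json against the warnings
// quoted in THRIFT-4509. Rules and sample data are constructed for illustration.

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Rules derived only from the npm output in the issue description.
const RULES = {
  minimatch: { below: '3.0.2', reason: 'RegExp DoS, update to 3.0.2 or higher' },
  'tough-cookie': { exact: '2.2.2', reason: 'ReDoS parsing Set-Cookie' },
  'node-uuid': { any: true, reason: 'deprecated, use uuid instead' },
};

function matchesRule(rule, version) {
  if (rule.any) return true;
  if (rule.exact) return version === rule.exact;
  const have = parseVersion(version);
  // Versions that cannot be parsed (git URLs, tarballs) are reported, not skipped.
  if (!have) return true;
  return compareVersions(have, parseVersion(rule.below)) < 0;
}

// Walk the nested "dependencies" tree of the lockfile. A lock pins every
// transitive copy, so each nested copy is checked and reported with its path.
function auditLockfile(lock, rules = RULES) {
  const findings = [];
  const walk = (deps, path) => {
    for (const name of Object.keys(deps || {})) {
      const entry = deps[name] || {};
      const here = path.concat(name);
      const known = Object.prototype.hasOwnProperty.call(rules, name);
      if (known && matchesRule(rules[name], entry.version)) {
        findings.push({
          name,
          version: entry.version,
          path: here.join(' > '),
          reason: rules[name].reason,
        });
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile; the parent package names are hypothetical.
const SAMPLE_LOCK = {
  name: 'example',
  version: '0.0.0',
  lockfileVersion: 1,
  dependencies: {
    'example-build-tool': {
      version: '1.0.0',
      dependencies: { minimatch: { version: '3.0.4' } },
    },
    'example-glob': {
      version: '1.0.0',
      dependencies: { minimatch: { version: '0.3.0' } },
    },
    'example-http-client': {
      version: '1.0.0',
      dependencies: {
        'tough-cookie': { version: '2.2.2' },
        'node-uuid': { version: '1.4.8' },
      },
    },
    minimatch: { version: '3.0.2' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

To check a real tree, pass the parsed contents of `package-lock.json` to `auditLockfile`; lockfile layouts that use a flat `packages` map instead of nested `dependencies` are not handled here.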


[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-12 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395169#comment-16395169
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user jeking3 commented on the issue:

https://github.com/apache/thrift/pull/1502
  
Any special considerations we need to add to the README for js or nodejs if 
we check in a package-lock.json file?  When distributing through npm should 
this file also be distributed?




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-08 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16391513#comment-16391513
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user asfgit closed the pull request at:

https://github.com/apache/thrift/pull/1501




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-08 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16390913#comment-16390913
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user bananer closed the pull request at:

https://github.com/apache/thrift/pull/1500




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16390118#comment-16390118
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user jeking3 commented on the issue:

https://github.com/apache/thrift/pull/1500
  
As of yesterday afternoon 4.x is no longer used.

Due to the dependencies, and due to the fact that node.js 4.x LTS ends next 
month, I moved the "oldest" make check job to use nodejs 6.x (ubuntu-xenial) 
and the current one uses 8.x (ubuntu-artful) - this is the one that runs make 
check, make cross, ubsan, cppcheck, etc.

We still need to modernize the code/test for js and nodejs however.




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16390101#comment-16390101
 ] 

ASF GitHub Bot commented on THRIFT-4509:


GitHub user bananer opened a pull request:

https://github.com/apache/thrift/pull/1502

THRIFT-4509: update grunt to 1.0.2

switch from grunt-external-daemon and grunt-shell to grunt-shell-spawn and 
update grunt to 1.0.2

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/bananer/thrift THRIFT-4509-update-grunt

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/thrift/pull/1502.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1502


commit f4df106c25089a1ba3a39d39a9fd0e620234a74b
Author: Philip Frank 
Date:   2018-03-07T19:49:25Z

THRIFT-4509: switch from grunt-external-daemon and grunt-shell to 
grunt-shell-spawn and update grunt to 1.0.2






[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16389951#comment-16389951
 ] 

ASF GitHub Bot commented on THRIFT-4509:


Github user bananer commented on the issue:

https://github.com/apache/thrift/pull/1500
  
@jeking3 where would the build encounter nodejs 4.2.6 then?




[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16389810#comment-16389810
 ] 

ASF GitHub Bot commented on THRIFT-4509:


GitHub user bananer opened a pull request:

https://github.com/apache/thrift/pull/1501

THRIFT-4509: remove nodejs browser test

Removes the dependency on outdated npm libraries.

This test was previously disabled, and I think it is safe to remove since 
the communication between browser client and nodejs server is already being 
tested properly from the JS perspective.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/bananer/thrift THRIFT-4509-remove-nodejs-browser-test

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/thrift/pull/1501.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1501


commit e1bfa1e42458c8ececd386d532b7f573da717fcc
Author: Philip Frank 
Date:   2018-03-07T17:01:56Z

THRIFT-4509: remove nodejs browser test






[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16389787#comment-16389787
 ] 

ASF GitHub Bot commented on THRIFT-4509:


GitHub user bananer opened a pull request:

https://github.com/apache/thrift/pull/1500

THRIFT-4509: use nodejs 8.x from nodesource.com in travis builds



You can merge this pull request into a Git repository by running:

$ git pull https://github.com/bananer/thrift THRIFT-4509-nodejs-version

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/thrift/pull/1500.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1500


commit f13c80f140ad8387a93c9549b94d39e59cfb53eb
Author: Philip Frank 
Date:   2018-03-07T16:54:24Z

THRIFT-4509: use nodejs 8.x from nodesource.com in travis builds






[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries

2018-03-07 Thread Philip Frank (JIRA)

[ 
https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16389781#comment-16389781
 ] 

Philip Frank commented on THRIFT-4509:
--

I had a look at the listed problems:

The old (4.2.6) version of nodejs in Ubuntu repos is usually mitigated by 
installing from third-party package sources: 
[https://nodejs.org/en/download/package-manager/]

This already happens in the Ubuntu Docker builds; my suggestion is to change 
the Travis builds to do the same.


One can identify what causes a certain npm package to be installed by running 
"npm ls package-name".

*For dependencies of the nodejs package (in package.json):*

The outdated "minimatch" and "node-uuid" packages are dependencies of 
"run-browser"; from what I can tell, it is only used in a 
[disabled|https://github.com/apache/thrift/blob/b4f22ff30119ea5cadf9b16e97afdcabefe06696/lib/nodejs/test/testAll.sh#L100]
 test for the nodejs library.

"tough-cookie" is a dependency of "phantomjs-prebuilt", which is up to date in 
version 2.1.16. Reading the security advisory I don't think there is a 
vulnerability for thrift users or developers in our case.

*For dependencies of the js lib test runner (in lib/js/package.json):*

"grunt-external-daemon" (and "grunt-shell") could probably be replaced with 
"grunt-shell-spawn", which is also a bit dated but claims to work with recent 
versions of grunt.

Outdated "grunt" again depends on an outdated "minimatch".


I will see which of those can be resolved quickly and create pull-requests.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
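
The tracing step from the comment above (`npm ls package-name`), as an added example that is not part of the original thread or of Thrift's code: it reads the deprecation warnings from the issue's build log and walks a tree shaped like `npm ls --json` output to name the direct dependency behind each warning. The tree itself, the `0.0.0` versions, `some-http-client`, and all function names are constructed for illustration; the nodejs and lib/js dependencies are merged into one tree for brevity.

```javascript
'use strict';

// Warnings copied from the build log in the issue (mail line-wrapping undone).
const BUILD_LOG = [
  'WARN engine hawk@6.0.2: wanted: {"node":">=4.5.0"} (current: {"node":"4.2.6","npm":"3.5.2"})',
  'npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue',
  'npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue',
  'npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue',
  'npm WARN deprecated node-uuid@1.4.8: Use uuid module instead',
  'npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130',
].join('\n');

// CONSTRUCTED tree in the shape `npm ls --json` prints. Parent/child pairs follow
// the comment; the 0.0.0 versions, "some-http-client" and the choice of which
// minimatch version sits under which parent are made up for the example.
const TREE = {
  name: 'thrift',
  dependencies: {
    'run-browser': { version: '0.0.0', dependencies: {
      minimatch: { version: '0.3.0' },
      'node-uuid': { version: '1.4.8' },
    } },
    'phantomjs-prebuilt': { version: '2.1.16', dependencies: {
      'some-http-client': { version: '0.0.0', dependencies: {
        'tough-cookie': { version: '2.2.2' },
      } },
    } },
    grunt: { version: '0.4.0', dependencies: { minimatch: { version: '2.0.10' } } },
  },
};

// Pull name, version and reason out of each "npm WARN deprecated" line.
function parseDeprecations(log) {
  const re = /^npm WARN deprecated ((?:@[^/\s]+\/)?[^@\s]+)@([^\s:]+): (.*)$/;
  return log.split('\n')
    .map((line) => re.exec(line.trim()))
    .filter(Boolean)
    .map(([, name, version, reason]) => ({ name, version, reason }));
}

// Every chain from the root down to target@version, as `npm ls <name>` would show.
function findPaths(node, target, version, trail = []) {
  const paths = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = trail.concat(`${name}@${dep.version}`);
    if (name === target && dep.version === version) paths.push(here);
    paths.push(...findPaths(dep, target, version, here));
  }
  return paths;
}

// For each warning, list the direct dependencies that drag the package in.
// An empty pulledInBy means the tree does not explain the warning (for example
// it came from a different package.json) and needs a separate look.
function blameDeprecations(log, tree) {
  return parseDeprecations(log).map((d) => {
    const paths = findPaths(tree, d.name, d.version);
    const direct = paths.map((p) => p[0].slice(0, p[0].lastIndexOf('@')));
    return { package: `${d.name}@${d.version}`, reason: d.reason,
             pulledInBy: [...new Set(direct)], paths };
  });
}

for (const r of blameDeprecations(BUILD_LOG, TREE)) {
  console.log(`${r.package} <- ${r.pulledInBy.join(', ') || 'NOT IN TREE'}`);
}
```

Against a real checkout, replace `TREE` with the parsed output of `npm ls --json` run in the directory whose package.json produced the log.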