[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16397132#comment-16397132 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user bananer commented on the issue:

    https://github.com/apache/thrift/pull/1506

    @jeking3 I think all the problems mentioned in THRIFT-4509 are resolved now. With the package-lock being included now, there should also be fewer random build failures.
    The node and js parts of thrift could still use some cleanup and modernization, but I will leave that for a separate ticket.

> js and nodejs libraries need to be refreshed with current libraries
> ---
>
> Key: THRIFT-4509
> URL: https://issues.apache.org/jira/browse/THRIFT-4509
> Project: Thrift
> Issue Type: Improvement
> Components: JavaScript - Library, Node.js - Library
> Affects Versions: 0.11.0
> Reporter: James E. King, III
> Priority: Critical
> Labels: security
>
> The npm libraries that our js and nodejs depend on are starting to go end of life.
> As it stands the build is just barely holding together, and as of 5 hours ago the "ws" package dropped support for node < 4.5.0; Ubuntu Xenial 16.04 LTS uses node v4.2.6.
> There are other issues:
> {noformat}
> Running "shell:InstallThriftNodeJSDep" (shell) task
> WARN engine hawk@6.0.2: wanted: {"node":">=4.5.0"} (current: {"node":"4.2.6","npm":"3.5.2"})
> npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@0.4.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
> npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
> npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
> {noformat}
> Some of these are security issues.
> In addition the js module depends on https://www.npmjs.com/package/grunt-external-daemon which requires grunt 0.4.0, which is really old and may contribute to requiring older versions of things that are posting deprecations.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16396996#comment-16396996 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user jeking3 commented on the issue:

    https://github.com/apache/thrift/pull/1506

    With this merged would you say that THRIFT-4509 is now fixed, or is there more work to do?
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16396992#comment-16396992 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user asfgit closed the pull request at:

    https://github.com/apache/thrift/pull/1506
Re: [jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
unsubscribe

2018-03-13 10:56 GMT+08:00 ASF GitHub Bot (JIRA):

> [ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16396456#comment-16396456 ]
>
> ASF GitHub Bot commented on THRIFT-4509:
>
> Github user jeking3 commented on the issue:
>
>     https://github.com/apache/thrift/pull/1506
>
>     I see, you need to build Java first?
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16396456#comment-16396456 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user jeking3 commented on the issue:

    https://github.com/apache/thrift/pull/1506

    I see, you need to build Java first?
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395415#comment-16395415 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user jeking3 commented on the issue:

    https://github.com/apache/thrift/pull/1502

    In the future you can squash, rebase, and force push to keep the same PR, see: https://thrift.apache.org/docs/HowToContribute
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395411#comment-16395411 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user bananer closed the pull request at:

    https://github.com/apache/thrift/pull/1502
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395410#comment-16395410 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user bananer commented on the issue:

    https://github.com/apache/thrift/pull/1502

    Rebased as https://github.com/apache/thrift/pull/1506
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395409#comment-16395409 ]

ASF GitHub Bot commented on THRIFT-4509:

GitHub user bananer opened a pull request:

    https://github.com/apache/thrift/pull/1506

    THRIFT-4509: grunt update (rebased)

    * switch from grunt-external-daemon and grunt-shell to grunt-shell-spawn
    * update grunt to 1.0.2
    * always use local copy of jquery and qunit
    * commit the package-lock files for npm keep versions stable

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bananer/thrift THRIFT-4509-update-grunt-2

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/thrift/pull/1506.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #1506

commit c20a670280cdc1e92c3342d21fb548d5595dc851
Author: Philip Frank
Date: 2018-03-07T19:49:25Z

    THRIFT-4509:
    * switch from grunt-external-daemon and grunt-shell to grunt-shell-spawn
    * update grunt to 1.0.2
    * always use local copy of jquery and qunit
    * commit the package-lock files for npm keep versions stable
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395404#comment-16395404 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user jeking3 commented on the issue:

    https://github.com/apache/thrift/pull/1502

    Okay that sounds good; could you squash and rebase on master to prepare for a merge?
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395261#comment-16395261 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user bananer commented on the issue:

    https://github.com/apache/thrift/pull/1502

    The package-lock file keeps dependency versions fixed across all installations. According to [the docs](https://docs.npmjs.com/files/package-lock.json), this does not apply when the package is published on npm, where the file should be excluded.
    To update the dependency packages for our builds, one now has to run `npm update` and commit the changed package-lock.json files.
    This does not impact users of thrift, so I'm not sure if it has to be noted in the Readme or somewhere else.
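
A check that fits the lock-file workflow described in the message above, as an added example that is not part of the original thread or of Thrift's build: it walks a committed package-lock.json and reports the package versions flagged by the npm warnings quoted in the issue. The rule list and the sample lock data are constructed from those warnings, and `RULES`, `lockedPackages` and `auditLock` are hypothetical names; beyond the nested `dependencies` tree of lockfileVersion 1, it also handles the flat `packages` map of later lockfile versions.

```javascript
'use strict';

// Compare dotted numeric versions ("0.2.14" vs "3.0.2"); prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Rules taken from the npm warnings quoted in THRIFT-4509 (assumption: only
// what that log states; this is not a complete advisory database).
const RULES = [
  { name: 'minimatch',
    test: v => compareVersions(v, '3.0.2') < 0,
    reason: 'RegExp DoS; update to minimatch 3.0.2 or higher' },
  { name: 'tough-cookie',
    test: v => v === '2.2.2',
    reason: 'ReDoS parsing Set-Cookie (https://nodesecurity.io/advisories/130)' },
  { name: 'node-uuid',
    test: () => true,
    reason: 'deprecated; use the uuid module instead' },
];

// Yield every locked package as { name, version, path }.
function* lockedPackages(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf('node_modules/');
      if (i < 0 || typeof meta.version !== 'string') continue; // root or workspace entry
      yield { name: path.slice(i + 'node_modules/'.length), version: meta.version, path };
    }
    return;
  }
  // lockfileVersion 1: nested "dependencies" objects.
  const stack = [{ deps: lock.dependencies || {}, prefix: '' }];
  while (stack.length) {
    const { deps, prefix } = stack.pop();
    for (const [name, meta] of Object.entries(deps)) {
      const path = prefix + name;
      if (typeof meta.version === 'string') yield { name, version: meta.version, path };
      if (meta.dependencies) stack.push({ deps: meta.dependencies, prefix: path + ' > ' });
    }
  }
}

// Return the locked packages that match a rule, sorted by path.
function auditLock(lock) {
  const findings = [];
  for (const pkg of lockedPackages(lock)) {
    for (const rule of RULES) {
      if (rule.name === pkg.name && rule.test(pkg.version)) {
        findings.push({ name: pkg.name, version: pkg.version, path: pkg.path, reason: rule.reason });
      }
    }
  }
  return findings.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed sample in lockfileVersion 1 layout; the dependency tree is
// illustrative and not copied from Thrift's lock files.
const SAMPLE_LOCK_V1 = {
  name: 'example',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    grunt: { version: '0.4.5', dependencies: { minimatch: { version: '0.2.14' } } },
    minimatch: { version: '3.0.4' },
    request: {
      version: '2.67.0',
      dependencies: {
        'tough-cookie': { version: '2.2.2' },
        'node-uuid': { version: '1.4.8' },
      },
    },
    ws: { version: '5.0.0' },
  },
};

for (const f of auditLock(SAMPLE_LOCK_V1)) {
  console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

To run it against a real build, pass the parsed contents of the committed package-lock.json to `auditLock` and fail the job when the returned list is non-empty.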
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16395169#comment-16395169 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user jeking3 commented on the issue:

    https://github.com/apache/thrift/pull/1502

    Any special considerations we need to add to the README for js or nodejs if we check in a package-lock.json file? When distributing through npm should this file also be distributed?
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16391513#comment-16391513 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user asfgit closed the pull request at:

    https://github.com/apache/thrift/pull/1501
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16390913#comment-16390913 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user bananer closed the pull request at:

    https://github.com/apache/thrift/pull/1500
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16390118#comment-16390118 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user jeking3 commented on the issue:

    https://github.com/apache/thrift/pull/1500

As of yesterday afternoon 4.x is no longer used. Due to the dependencies, and due to the fact that node.js 4.x LTS ends next month, I moved the "oldest" make check job to use nodejs 6.x (ubuntu-xenial) and the current one uses 8.x (ubuntu-artful) - this is the one that runs make check, make cross, ubsan, cppcheck, etc. We still need to modernize the code/test for js and nodejs however.
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16390101#comment-16390101 ]

ASF GitHub Bot commented on THRIFT-4509:

GitHub user bananer opened a pull request:

    https://github.com/apache/thrift/pull/1502

    THRIFT-4509: update grunt to 1.0.2

    switch from grunt-external-daemon and grunt-shell to grunt-shell-spawn and update grunt to 1.0.2

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bananer/thrift THRIFT-4509-update-grunt

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/thrift/pull/1502.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #1502

commit f4df106c25089a1ba3a39d39a9fd0e620234a74b
Author: Philip Frank
Date:   2018-03-07T19:49:25Z

    THRIFT-4509: switch from grunt-external-daemon and grunt-shell to grunt-shell-spawn and update grunt to 1.0.2
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16389951#comment-16389951 ]

ASF GitHub Bot commented on THRIFT-4509:

Github user bananer commented on the issue:

    https://github.com/apache/thrift/pull/1500

@jeking3 where would the build encounter nodejs 4.2.6 then?
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16389810#comment-16389810 ]

ASF GitHub Bot commented on THRIFT-4509:

GitHub user bananer opened a pull request:

    https://github.com/apache/thrift/pull/1501

    THRIFT-4509: remove nodejs browser test

    Removes the dependency on outdated npm libraries. This test was previously disabled, and I think it is safe to remove since the communication between browser client and nodejs server is already being tested properly from the JS perspective.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bananer/thrift THRIFT-4509-remove-nodejs-browser-test

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/thrift/pull/1501.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #1501

commit e1bfa1e42458c8ececd386d532b7f573da717fcc
Author: Philip Frank
Date:   2018-03-07T17:01:56Z

    THRIFT-4509: remove nodejs browser test
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16389787#comment-16389787 ]

ASF GitHub Bot commented on THRIFT-4509:

GitHub user bananer opened a pull request:

    https://github.com/apache/thrift/pull/1500

    THRIFT-4509: use nodejs 8.x from nodesource.com in travis builds

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bananer/thrift THRIFT-4509-nodejs-version

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/thrift/pull/1500.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #1500

commit f13c80f140ad8387a93c9549b94d39e59cfb53eb
Author: Philip Frank
Date:   2018-03-07T16:54:24Z

    THRIFT-4509: use nodejs 8.x from nodesource.com in travis builds
[jira] [Commented] (THRIFT-4509) js and nodejs libraries need to be refreshed with current libraries
[ https://issues.apache.org/jira/browse/THRIFT-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16389781#comment-16389781 ]

Philip Frank commented on THRIFT-4509:

I had a look at the listed problems:

The old (4.2.6) version of nodejs in Ubuntu repos is usually mitigated by installing from third party package sources: [https://nodejs.org/en/download/package-manager/]
This already happens in the Ubuntu Docker builds, my suggestion is to change the Travis builds to do the same.

One can identify what causes a certain npm package to be installed by running "npm ls package-name".

*For dependencies of the nodejs package (in package.json):*
The outdated "minimatch" and "node-uuid" packages are dependencies of "run-browser", from what I can tell it is only used in a [disabled|https://github.com/apache/thrift/blob/b4f22ff30119ea5cadf9b16e97afdcabefe06696/lib/nodejs/test/testAll.sh#L100] test for the nodejs library.
"tough-cookie" is a dependency of "phantomjs-prebuilt", which is up to date in version 2.1.16. Reading the security advisory I don't think there is a vulnerability for thrift users or developers in our case.

*For dependencies of the js lib test runner (in lib/js/package.json):*
"grunt-external-daemon" (and "grunt-shell") could probably be replaced with "grunt-shell-spawn", which is also a bit dated but claims to work with recent versions of grunt.
Outdated "grunt" again depends on an outdated "minimatch".

I will see which of those can be resolved quickly and create pull-requests.
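The `npm ls package-name` lookup suggested in the comment above, as an added example (not part of the original thread or the Thrift code base): it walks a tree shaped like `npm ls --json` output and reports every dependency chain that still pulls in a minimatch older than 3.0.2. The tree is constructed and simplified; the `0.0.0-sample` versions, the pairing of minimatch versions to parents, and the function names are assumptions.

```javascript
// Constructed sample shaped like `npm ls --json` output. Which package pulls
// in which follows the thread; versions of minimatch, node-uuid, tough-cookie,
// grunt and phantomjs-prebuilt appear in the thread, but their pairing to a
// parent, the "0.0.0-sample" versions and the flat nesting are placeholders
// (real trees are deeper; both package.json files are merged for brevity).
const sampleTree = {
  name: "sample-root",
  version: "0.0.0-sample",
  dependencies: {
    "run-browser": {
      version: "0.0.0-sample",
      dependencies: {
        minimatch: { version: "0.3.0" },
        "node-uuid": { version: "1.4.8" },
      },
    },
    "phantomjs-prebuilt": {
      version: "2.1.16",
      dependencies: { "tough-cookie": { version: "2.2.2" } },
    },
    grunt: { version: "0.4.0", dependencies: { minimatch: { version: "0.2.14" } } },
  },
};

// Compare dotted numeric versions part by part, so "2.0.10" > "2.0.9".
// Anything after "-" (a pre-release tag) is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every dependency chain (array of "name@version") that ends in
// `name` at a version below `minVersion`.
function findOutdated(tree, name, minVersion) {
  const hits = [];
  const walk = (node, path) => {
    for (const [dep, info] of Object.entries(node.dependencies || {})) {
      const chain = path.concat(`${dep}@${info.version}`);
      const old = info.version && compareVersions(info.version, minVersion) < 0;
      if (dep === name && old) hits.push(chain);
      walk(info, chain);
    }
  };
  walk(tree, []);
  return hits;
}

// The top-level dependencies to update or drop in order to clear the warning.
function culprits(tree, name, minVersion) {
  return [...new Set(findOutdated(tree, name, minVersion).map((chain) => chain[0]))];
}

for (const chain of findOutdated(sampleTree, "minimatch", "3.0.2")) {
  console.log(chain.join(" > "));
}
```

Against a real project, pass the parsed output of `npm ls --json` in place of `sampleTree`.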