[ https://issues.apache.org/jira/browse/YARN-11873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18024449#comment-18024449 ]

Steve Loughran commented on YARN-11873:
---------------------------------------

Noticed this on yetus
+1 to a lockfile; we do not want unrepeatable builds.

I think we are better off doing an upgrade of modules, not force pinning

The updates are probably due to the npm attacks last month
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages

I don't think we were exposed, but having a build which just pulls in "the 
latest" is dangerous from a replicability perspective as much as a security one



> hadoop-yarn-applications-catalog-webapp fails to build due to incompatible 
> module
> ---------------------------------------------------------------------------------
>
>                 Key: YARN-11873
>                 URL: https://issues.apache.org/jira/browse/YARN-11873
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>    Affects Versions: 3.5.0, 3.4.2
>            Reporter: Michael Smith
>            Priority: Critical
>
> {{hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp}}
>  fails to build today with
> {code}
> [INFO] error [email protected]: The engine "node" is incompatible with this module. 
> Expected version ">=18". Got "12.22.1"
> [INFO] error Found incompatible module.
> {code}
> After some experimenting - upgrading node to 22.20.0, which allows a 
> successful {{yarn install}} - I've identified this as caused by
> # we used to pull in [email protected] > winston@^3.0.0 (3.17.0) > 
> @dabh/diagnostics@^2.0.2 (2.0.3) > [email protected] (1.1.4) > color@^3.1.3 
> (3.2.1) which works with node 12
> # we now pull in [email protected] > winston@^3.0.0 (3.18.2) > 
> @dabh/diagnostics@^2.0.7 (2.0.7) > @so-ric/colorspace@^1.1.6 (1.1.6) > 
> color@^5.0.2 (5.0.2) which requires node 18+
> Winston 3.18 and @dabh/diagnostics 2.0.5+ were published yesterday, which 
> seems to have triggered all this. It seems to have primarily been done to 
> update to newer versions without known vulnerabilities.
> I'd suggest updating the node version. I'd also suggest adding a yarn.lock, 
> same as yarn-ui, to avoid surprises like this.
> An alternative is to add {{"@dabh/diagnostics": "2.0.3"}} to resolutions, but 
> that seems like a short-term fix.
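Both the comment and the issue description above come down to the same review problem: once a yarn.lock is committed, a dependency bump shows up as a lockfile diff, and someone has to read that diff and spot new transitive packages before it merges. The script below is an added example written for this page, not code from the Jira thread or from Hadoop. It parses two yarn.lock (v1 format) snapshots and reports which resolved versions changed and, more usefully, which package names appear for the first time. The lockfile text it uses is constructed: the package names and versions follow the winston chain described in the issue, while the old colorspace version range is a guess and the samples omit the integrity lines a real lockfile carries on every entry.

```javascript
// Added example, not code from the Jira thread or from Hadoop: parse two
// yarn.lock (v1) snapshots and report how the resolved dependency tree drifted.
// The lockfile text is constructed: names and versions follow the chain in
// YARN-11873; the old colorspace range is a guess and integrity lines are omitted.
const unquote = (s) => s.replace(/^"(.*)"$/, "$1");

// yarn.lock v1 -> Map<spec, record>; specs sharing one header block
// (e.g. `color@^3.1.3, color@^3.2.0:`) map to the same record object.
function parseYarnLock(text) {
  const entries = new Map();
  let record = null;
  let section = null; // open nested block, e.g. "dependencies"
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {      // header line
      record = { version: null, integrity: null, dependencies: {} };
      section = null;
      for (const spec of line.slice(0, -1).split(",")) entries.set(unquote(spec.trim()), record);
      continue;
    }
    if (record === null) continue;
    const field = line.match(/^  (\w+)(?::| (.+))$/);         // 2-space field
    if (field) {
      if (field[2] === undefined) {
        section = field[1];
        record[section] = record[section] || {};
      } else {
        section = null;
        record[field[1]] = unquote(field[2]);
      }
      continue;
    }
    const dep = line.match(/^    (\S+) (.+)$/);               // 4-space entry
    if (dep && section) record[section][unquote(dep[1])] = unquote(dep[2]);
  }
  return entries;
}

// "@scope/name@^1.0.0" -> "@scope/name"; "name@^1.0.0" -> "name"
function packageName(spec) {
  const at = spec.indexOf("@", spec.startsWith("@") ? 1 : 0);
  return at === -1 ? spec : spec.slice(0, at);
}

// Diff two lockfiles. A spec whose version is unchanged but whose integrity
// hash differs lands in integrityChanged and deserves a hard look.
function diffLockfiles(beforeText, afterText) {
  const before = parseYarnLock(beforeText), after = parseYarnLock(afterText);
  const r = { changed: [], added: [], removed: [], integrityChanged: [] };
  for (const [spec, old] of before) {
    const cur = after.get(spec);
    if (!cur) r.removed.push(spec);
    else if (cur.version !== old.version) r.changed.push({ spec, from: old.version, to: cur.version });
    else if (cur.integrity !== old.integrity) r.integrityChanged.push(spec);
  }
  for (const spec of after.keys()) if (!before.has(spec)) r.added.push(spec);
  const names = (m) => new Set([...m.keys()].map(packageName));
  const nb = names(before), na = names(after);
  r.newPackages = [...na].filter((n) => !nb.has(n)).sort();     // never seen before: review these first
  r.droppedPackages = [...nb].filter((n) => !na.has(n)).sort();
  r.added.sort(); r.removed.sort();
  return r;
}

// Constructed snapshots: the Node-12-compatible chain and the one needing Node 18+.
const LOCK_BEFORE = `winston@^3.0.0:
  version "3.17.0"
  dependencies:
    "@dabh/diagnostics" "^2.0.2"
"@dabh/diagnostics@^2.0.2":
  version "2.0.3"
  dependencies:
    colorspace "1.1.x"
colorspace@1.1.x:
  version "1.1.4"
  dependencies:
    color "^3.1.3"
color@^3.1.3:
  version "3.2.1"
`;
const LOCK_AFTER = `winston@^3.0.0:
  version "3.18.2"
  dependencies:
    "@dabh/diagnostics" "^2.0.7"
"@dabh/diagnostics@^2.0.7":
  version "2.0.7"
  dependencies:
    "@so-ric/colorspace" "^1.1.6"
"@so-ric/colorspace@^1.1.6":
  version "1.1.6"
  dependencies:
    color "^5.0.2"
color@^5.0.2:
  version "5.0.2"
`;

if (typeof require !== "undefined" && require.main === module)
  console.log(JSON.stringify(diffLockfiles(LOCK_BEFORE, LOCK_AFTER), null, 2));
```

Run against the two samples it reports one changed spec (winston 3.17.0 to 3.18.2), three removed and three added specs, and one package name that did not exist in the old tree at all (`@so-ric/colorspace`). That last list is the one to read first in a lockfile diff: a version bump of a known package is routine, a brand-new transitive package from a bump is where a compromised or renamed dependency would surface. Without a committed lockfile there is no "before" to compare against, which is the practical case for the `yarn.lock` suggested in the issue.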


