-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: swap isomorphic-fetch for node-fetch for security issue #96
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe there is no fundamental reason to use any special cross-platform fetch
implementation here, this can actually just use a standard node-fetch
(or in future the new built-in node fetch module)... unless fetch-retry
does not work with a latest node-fetch (v2) for some reason. But this comment says v2 should work fine: jonbern/fetch-retry#64 (comment)
isomorphic-fetch
came in in this commit #12 when updating dependencies... previously fetch-retry
came with isomorphic-fetch
but in newer versions one had to explicitly depend on it.
IMO node-fetch
is a better dependency to have, so I would suggest to try out node-fetch
instead of moving to another library cross-fetch
that at least I have no experience with.
@alexkli ok, I will update with node-fetch. I didn't delve into why |
@alexkli PR updated |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @shazron. Code change LGTM. However, the CI build is failing in all nodejs versions (here is node 14). I can't find the actual error at quick glance...
@alexkli all tests pass except this
|
Hmm, it looks unrelated, but it worked in the last PR #92 that got merged. This error happens in the posttest script which you can run using The test logic is in here: https://github.com/apache/openwhisk-wskdebug/tree/master/test/install It spins up a container and tries to install wskdebug from scratch in there and see that it runs. As part of that it checks for the ngrok installation check we have in wskdebug: https://github.com/apache/openwhisk-wskdebug/blob/master/test/install/Dockerfile#L34-L35 You could run this locally and change that line to just |
The error message I get when making that change and running
As you can see the error message has changed from what is expected. I double checked I don't have ngrok installed globally before running it. I'll check in the change so the CI can run. |
I'll debug why it doesn't go to openwhisk-wskdebug/src/agentmgr.js Line 94 in 1ec715d
|
@alexkli it's pretty clear now that there is a bug in the existing code, and nothing related to this PR. This line: openwhisk-wskdebug/src/agentmgr.js Line 23 in 1ec715d
openwhisk-wskdebug/src/agentmgr.js Line 93 in 1ec715d
There should be a
|
Solved it! npm@7 is default in the latest node-lts, and by default will install peer dependencies. I added the flag |
…rror message" This reverts commit bcae6b5.
node-lts (node-16) by default includes npm@7 which installs peer dependencies by default. Adding this flag will not install peer dependencies.
@shazron Thanks for digging deeper on this!
That is a problem. ngrok must NOT be installed by default as it conflicts with the Apache licensing of openwhisk. That's why it was made a peer dependency - so that it does not get installed by default and that a developer must actively choose to install it themselves. While still working with the nodejs code and linters (that otherwise complain on missing require() dependencies). Now if npm 7 has changed the peer behavior, we need to find a different way where a simple Any smart ideas on how to achieve that? cc @rabbah Sorry that you run into this with your change. |
And also this was a reason: #22 Not sure if that has improved as well. |
Looks like it can be turned off in
However, that only works when you are doing
... at least according to my testing. Not sure what the workaround is here, besides requiring before install:
I prepared a PR where you can see that the ngrok test still fails: #97 |
@shazron There is a peerDependenciesMeta with an |
removed --legacy-peer-deps from Dockerfile. Needs to be rebased with master after #97 is merged (it was approved) |
# Conflicts: # package-lock.json
See #95