Closed
Open
Issue created Nov 23, 2023 by Bruno de Paula Kinoshita (@bdepaula, Owner)

Upgrade node and dependencies

The GUI has been using an old version of Node. The current LTS seems to be 20 - nvm gives me that, their page also shows that one.


The GUI is using an older LTS, v14.21.3, that fixed two CVEs. I don't know what the release cadence is for older LTS versions, but it might be safer to use a newer version. Also in case other tools use a newer Node version and if we ever need to deploy both in the same VM/container (hopefully the containers will be separated like EDITO/SURF, so a low risk).

This also prevents users from using a newer version. I tried the GUI with v18 and it failed with:

$ npm start

> autosubmitgui@1.0.0 start
> react-scripts start

node:internal/modules/cjs/loader:573
      throw e;
      ^

Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Package subpath './lib/tokenize' is not defined by "exports" in /home/kinow/Development/javascript/workspace/autosubmitreact/node_modules/postcss-safe-parser/node_modules/postcss/package.json
    at new NodeError (node:internal/errors:405:5)
    at exportsNotFound (node:internal/modules/esm/resolve:362:10)
    at packageExportsResolve (node:internal/modules/esm/resolve:698:9)
    at resolveExports (node:internal/modules/cjs/loader:567:36)
    at Module._findPath (node:internal/modules/cjs/loader:636:31)
    at Module._resolveFilename (node:internal/modules/cjs/loader:1063:27)
    at Module._load (node:internal/modules/cjs/loader:922:27)
    at Module.require (node:internal/modules/cjs/loader:1143:19)
    at require (node:internal/modules/cjs/helpers:119:18)
    at Object.<anonymous> (/home/kinow/Development/javascript/workspace/autosubmitreact/node_modules/postcss-safe-parser/lib/safe-parser.js:1:17) {
  code: 'ERR_PACKAGE_PATH_NOT_EXPORTED'
}

Node.js v18.18.0

So if LangTech, EDITO, etc., have the requirement to use, for example, the latest LTS v20 (driven by security/ops requirements), that would prevent them from using our GUI.

Not high priority as v14 got an update in February, but good to have that on our radar.

Installing the GUI dependencies, I also get a message about security issues.

kinow@ranma:~/Development/javascript/workspace/autosubmitreact$ npm install
npm WARN old lockfile 
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile 
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile 

up to date, audited 2364 packages in 28s

206 packages are looking for funding
  run `npm fund` for details

124 vulnerabilities (1 low, 81 moderate, 31 high, 11 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

So maybe it'd be worth checking dependencies, maybe with npx ncu or something else.

Edited Nov 23, 2023 by Bruno de Paula Kinoshita
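
A summary line such as the "124 vulnerabilities" count above does not say which findings the plain `npm audit fix` covers and which need the breaking `--force` path. The sketch below is an added example, not part of the original issue or the Autosubmit GUI code base: it triages a report in the `npm audit --json` format (npm 7+) by fix effort and severity. The `triage` helper, the `pkg-*` names and the sample report are assumptions constructed for illustration.

```javascript
// Constructed sample shaped like `npm audit --json` output (npm 7+ report format).
// Package names, versions and severities are invented for illustration.
const sampleReport = {
  vulnerabilities: {
    "pkg-a": { severity: "critical", isDirect: true,
      fixAvailable: { name: "pkg-a", version: "5.0.0", isSemVerMajor: true } },
    "pkg-b": { severity: "high", isDirect: false, fixAvailable: true },
    "pkg-c": { severity: "moderate", isDirect: false, fixAvailable: false },
    "pkg-d": { severity: "low", isDirect: false, fixAvailable: true },
  },
};

const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const rank = (sev) => RANK[sev] ?? 0; // unknown severities are treated as lowest

// triage() is a hypothetical helper: it buckets findings by the effort a fix
// needs and decides whether the report should block a build.
function triage(report, minSeverity = "high") {
  const buckets = { safeFix: [], breakingFix: [], noFix: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    const entry = { name, severity: v.severity, direct: Boolean(v.isDirect) };
    const fix = v.fixAvailable;
    if (!fix) {
      buckets.noFix.push(entry); // no fixed release: replace or mitigate
    } else if (typeof fix === "object" && fix.isSemVerMajor) {
      // fix needs a major bump of fix.name: the `npm audit fix --force` case
      buckets.breakingFix.push({ ...entry, via: `${fix.name}@${fix.version}` });
    } else {
      buckets.safeFix.push(entry); // within semver range: plain `npm audit fix`
    }
  }
  const bySeverity = (a, b) =>
    rank(b.severity) - rank(a.severity) || a.name.localeCompare(b.name);
  Object.values(buckets).forEach((list) => list.sort(bySeverity));
  const blocking = [...buckets.breakingFix, ...buckets.noFix, ...buckets.safeFix]
    .filter((e) => rank(e.severity) >= rank(minSeverity))
    .sort(bySeverity);
  return { ...buckets, blocking, pass: blocking.length === 0 };
}

console.log(JSON.stringify(triage(sampleReport), null, 2));
```

For a real project, pass `triage` the parsed output of `npm audit --json` instead of the constructed sample.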