Upgrade node and dependencies
The GUI has been using an old version of Node. The current LTS seems to be 20 - nvm gives me that, their page also shows that one.
The GUI is using an older LTS, v14.21.3, that fixed two CVEs. I don't know what the release cadence is for older LTS versions, but it might be safer to use a newer version. Also in case other tools use a newer Node version and if we ever need to deploy both in the same VM/container (hopefully the containers will be separated like EDITO/SURF, so a low risk).
This also prevents users from using a newer version. I tried the GUI with v18 and it failed with:
$ npm start
> autosubmitgui@1.0.0 start
> react-scripts start
node:internal/modules/cjs/loader:573
throw e;
^
Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Package subpath './lib/tokenize' is not defined by "exports" in /home/kinow/Development/javascript/workspace/autosubmitreact/node_modules/postcss-safe-parser/node_modules/postcss/package.json
at new NodeError (node:internal/errors:405:5)
at exportsNotFound (node:internal/modules/esm/resolve:362:10)
at packageExportsResolve (node:internal/modules/esm/resolve:698:9)
at resolveExports (node:internal/modules/cjs/loader:567:36)
at Module._findPath (node:internal/modules/cjs/loader:636:31)
at Module._resolveFilename (node:internal/modules/cjs/loader:1063:27)
at Module._load (node:internal/modules/cjs/loader:922:27)
at Module.require (node:internal/modules/cjs/loader:1143:19)
at require (node:internal/modules/cjs/helpers:119:18)
at Object.<anonymous> (/home/kinow/Development/javascript/workspace/autosubmitreact/node_modules/postcss-safe-parser/lib/safe-parser.js:1:17) {
code: 'ERR_PACKAGE_PATH_NOT_EXPORTED'
}
Node.js v18.18.0
So if LangTech, EDITO, etc., have the requirement to use, for example, the latest LTS v20 (driven by security/ops requirements) that would prevent them from using our GUI.
Not high priority as v14 got an update in February, but good to have that on our radar.
Installing the GUI dependencies I also get a message about security issues.
kinow@ranma:~/Development/javascript/workspace/autosubmitreact$ npm install
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
up to date, audited 2364 packages in 28s
206 packages are looking for funding
run `npm fund` for details
124 vulnerabilities (1 low, 81 moderate, 31 high, 11 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
So maybe it'd be worth checking dependencies, maybe with npx ncu or something else.