Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- 0.10.0
Description
ws@0.4.32 is really old and presents issues for users using modern versions of Node (see https://github.com/apache/thrift/pull/672#issuecomment-276678791). It should be updated.
In the third pull request, here are the dependencies:
- node-int64 ~0.4.0
- q ~1.5.0
- ws >= 2.2.3, which implies node >= 4.1.0 (https://github.com/websockets/ws/tree/2.2.3)
On the ubuntu-xenial image which uses node v8.4.0 and npm 5.3.0, and on the centos-7.3 image which uses node v6.11.1 and npm 3.10.10 you end up with the following packages:
root@ddb384ee75a5:/thrift/src/lib/nodejs# npm list --depth 0
thrift@1.0.0-dev /thrift/src
+-- buffer-equals@1.0.4
+-- commander@2.11.0
+-- connect@3.6.3
+-- istanbul@0.4.5
+-- minimatch@3.0.4
+-- node-int64@0.4.0
+-- phantomjs@2.1.7
+-- q@1.5.0
+-- run-browser@2.0.2
+-- tape@4.8.0
+-- utf-8-validate@3.0.3
`-- ws@3.1.0
Node updated to version 8.5 and when that happened the CI builds broke. Node 8.5, jsdoc, grunt-jsdoc, or something in that area has a backwards compatibility issue in copyFile handling. I have downgraded node to version 7 on the CI image for now.
Issue Links
- is duplicated by THRIFT-3975 Security issue in Node.js module dependencies (Closed)
- links to