node-gyp as a dependency #36

Closed
abmusse opened this issue Aug 8, 2018 · 2 comments
Labels
bug Something isn't working major

Comments

abmusse commented Aug 8, 2018

Original report by Aaron Bartell (Bitbucket: aaronbartell, GitHub: aaronbartell).


Given we are delivering the pre-compiled binary via npm install, is it possible to remove node-gyp (and maybe others) from the dependencies section?

This surfaced because of a vulnerability warning in the latest version of npm. Recreate the issue...

First upgrade npm if you're not on the latest version:

┌─[aaron @ KT4001]─[~]
└─[$]› npm i -g npm
/QOpenSys/pkgs/lib/nodejs8/bin/npx -> /QOpenSys/pkgs/lib/nodejs8/lib/node_modules/npm/bin/npx-cli.js
/QOpenSys/pkgs/lib/nodejs8/bin/npm -> /QOpenSys/pkgs/lib/nodejs8/lib/node_modules/npm/bin/npm-cli.js
+ npm@6.3.0
added 283 packages, removed 363 packages and updated 41 packages in 315.849s


   ╭─────────────────────────────────────╮
   │                                     │
   │   Update available 5.6.0 → 6.3.0    │
   │     Run npm i -g npm to update      │
   │                                     │
   ╰─────────────────────────────────────╯


┌─[aaron @ KT4001]─[~]
└─[$]› npm -v
6.3.0

Create a project to test. The npm audit command requires a package.json file.

$]› mkdir idb-connector-audit

┌─[aaron @ KT4001]─[~/git]
└─[$]› cd idb-connector-audit/

┌─[aaron @ KT4001]─[~/git/idb-connector-audit]
└─[$]› npm -y init
Wrote to /home/aaron/git/idb-connector-audit/package.json:

{
  "name": "idb-connector-audit",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}

Do an install to see warnings.

┌─[aaron @ KT4001]─[~/git/idb-connector-audit]
└─[$]› npm install idb-connector

> idb-connector@1.1.1 install /home/aaron/git/idb-connector-audit/node_modules/idb-connector
> node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using request for node-pre-gyp https download
[idb-connector] Success: "/home/aaron/git/idb-connector-audit/node_modules/idb-connector/lib/binding/Release/node-v57-ibmi-ppc64/db2ia.node" is installed via remote
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN idb-connector-audit@1.0.0 No description
npm WARN idb-connector-audit@1.0.0 No repository field.

+ idb-connector@1.1.1
added 173 packages from 109 contributors and audited 287 packages in 118.04s
found 4 moderate severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

Run npm audit as recommended.

┌─[aaron @ KT4001]─[~/git/idb-connector-audit]
└─[$]› npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   idb-connector

  Path            idb-connector > node-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566
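As an added example, not code from the idb-connector project or from the reporter: a small Node script that derives the "Path" line of the audit report above from a package-lock.json v1 tree (the lock tree is constructed to mirror the reported chain) and that flags build-only tools listed under runtime "dependencies", which is the change this thread asks for.

```javascript
// Added example, not idb-connector project code: reproduces how npm audit's
// "Path" line follows "requires" through a package-lock.json v1 tree, and
// flags build tools kept in runtime "dependencies". Lock tree is CONSTRUCTED.
const sampleLock = {
  name: 'idb-connector-audit', lockfileVersion: 1,
  dependencies: {
    'idb-connector': { version: '1.1.1', requires: { 'node-gyp': '^3.6.0' } },
    'node-gyp': { version: '3.8.0', requires: { request: '^2.87.0' } },
    request: { version: '2.87.0', requires: { hawk: '~6.0.2' } },
    hawk: { version: '6.0.2', requires: { boom: '4.x.x' } },
    boom: { version: '4.3.1', requires: { hoek: '4.x.x' } },
    hoek: { version: '4.2.0' }
  }
};

// Resolve `name` as npm does in a v1 lock: nearest nested "dependencies"
// map first, then each ancestor's map, then the root (hoisted packages).
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return { node: deps[name], scopes: scopes.slice(0, i + 1) };
  }
  return null;
}

// Every chain "a > b > c" from a direct dependency of the project (names from
// its package.json) down to `target`; these are the audit report's Path lines.
function pathsTo(lock, target, directDeps) {
  const found = [];
  const walk = (name, node, scopes, chain, seen) => {
    if (name === target) { found.push(chain.join(' > ')); return; }
    if (seen.has(name)) return;                 // guard against cyclic requires
    const next = new Set(seen).add(name);
    for (const dep of Object.keys(node.requires || {})) {
      const r = resolve(dep, scopes.concat(node));
      if (r) walk(dep, r.node, r.scopes, chain.concat(dep), next);
    }
  };
  for (const name of directDeps) {
    const r = resolve(name, [lock]);
    if (r) walk(name, r.node, r.scopes, [name], new Set());
  }
  return found;
}

// The fix in this thread: a build tool not needed at runtime (the binary is
// prebuilt) should not sit in "dependencies". Return the offenders found.
function buildToolsInRuntimeDeps(pkgJson, buildTools = ['node-gyp']) {
  return buildTools.filter((t) => t in (pkgJson.dependencies || {}));
}
```

Calling `pathsTo(sampleLock, 'hoek', ['idb-connector'])` yields the single chain shown in the report; pointing it at a real package-lock.json (read with `JSON.parse`) works the same way for lockfileVersion 1 files.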
abmusse commented Aug 9, 2018

Original comment by Xu Meng (Bitbucket: mengxumx, GitHub: dmabupt).


@aaronbartell I will remove the node-gyp dependency in next version.

abmusse commented Aug 24, 2018

Original comment by Xu Meng (Bitbucket: mengxumx, GitHub: dmabupt).


Updated idb-connector to v1.1.12 to remove the node-gyp dependency.

@abmusse abmusse closed this as completed Aug 24, 2018
@abmusse abmusse added major bug Something isn't working labels Jan 24, 2019