Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deprecation warning at start #1442

Closed
jaydenseric opened this issue Oct 29, 2018 · 13 comments
Closed

Deprecation warning at start #1442

jaydenseric opened this issue Oct 29, 2018 · 13 comments

Comments

@jaydenseric
Copy link

@jaydenseric jaydenseric commented Oct 29, 2018

The latest version of Nodemon on the latest version of Node.js causes a deprecation warning to be logged when starting.

This relates to Nodemon and not my start script, because when I run npm start directly (not via Nodemon) no deprecation warning is logged.

  • nodemon -v: 1.18.5
  • node -v: 11.0.0
  • Operating system/terminal environment: macOS
  • Command you ran:
{
  "watch": "nodemon",
  "start": "node --experimental-modules --no-warnings -r dotenv/config server"
}
npm run watch

Expected behaviour

Nodemon does not use deprecated Node.js APIs, causing deprecation warnings to be logged.

Actual behaviour

A deprecation warning is logged:

[DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.

Steps to reproduce

Use Nodemon and Node.js versions as specified above.


If applicable, please append the --dump flag on your command and include the output here ensuring to remove any sensitive/personal details or tokens.

@jaydenseric
Copy link
Author

@jaydenseric jaydenseric commented Oct 29, 2018

I tried adding --trace-deprecations to my start script but it has no effect, since the deprecation warning is triggered by Nodemon code (or dependencies) that runs before the start script.

@remy
Copy link
Owner

@remy remy commented Oct 29, 2018

If you try nodemon with a bare index.js, do you get the warning still?

ie.

echo "" > index.js
nodemon index.js
@jaydenseric
Copy link
Author

@jaydenseric jaydenseric commented Oct 29, 2018

Yep:

screen shot 2018-10-29 at 8 28 30 pm

@stromcon
Copy link

@stromcon stromcon commented Nov 9, 2018

Indeed, I also got the issue.

node index.js => no warning
nodemon index.js => got the warning

@jkhusanov
Copy link

@jkhusanov jkhusanov commented Nov 12, 2018

Same issue,

nodemon version: 1.18.6

@FallingSnow
Copy link

@FallingSnow FallingSnow commented Nov 20, 2018

Here's the trace:

> nodemon index.js                                                                                                                                                                                                
                                                                                                                                                                                                                  
(node:27294) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.                                                                                                                                   
    at [redacted]/node_modules/flatmap-stream/index.min.js:1:1264                                                                                                                      
    at Object.<anonymous> ([redacted]/node_modules/flatmap-stream/index.min.js:1:1423)                                                                                                 
    at Module._compile (internal/modules/cjs/loader.js:707:30)                                                                                                                                                    
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:718:10)                                                                                                                                      
    at Module.load (internal/modules/cjs/loader.js:605:32)                                                                                                                                                        
    at tryModuleLoad (internal/modules/cjs/loader.js:544:12)                                                                                                                                                      
    at Function.Module._load (internal/modules/cjs/loader.js:536:3)                                                                                                                                               
    at Module.require (internal/modules/cjs/loader.js:643:17)                                                                                                                                                     
    at require (internal/modules/cjs/helpers.js:22:18)                                                                                                                                                            
    at Object.<anonymous> ([redacted]/node_modules/event-stream/index.js:11:15)
@FallingSnow
Copy link

@FallingSnow FallingSnow commented Nov 20, 2018

And it comes full circle... Turns out it's some kind of injection attack.
dominictarr/event-stream#116
Related: #1451

FallingSnow added a commit to FallingSnow/nodemon that referenced this issue Nov 21, 2018
pstree.remy has a dependency with a compromised dependency

Fixes: remy#1442
Fixes: remy#1451
@remy
Copy link
Owner

@remy remy commented Nov 22, 2018

I'm trying to get a release out on nodemon but tests aren't passing (one of the integration tests is leaving a background server running).

That said, a fresh install of nodemon should pull in pstree.remy@1.1.2 which, if it's causing this warning, should be clean now.

Can someone test (and confirm with npm ls pstree.remy against the nodemon install dif)?

@jaydenseric
Copy link
Author

@jaydenseric jaydenseric commented Nov 25, 2018

This issue has been resolved by the pstree.remy release; the infected package has been removed from the nodemon dependency tree. Thanks!

@murrayju
Copy link

@murrayju murrayju commented Nov 27, 2018

I'm trying to get a release out on nodemon but tests aren't passing (one of the integration tests is leaving a background server running).

@remy glad to hear you have failing tests, things are definitely broken. See #1464.

m-mohr added a commit to Open-EO/openeo-earthengine-driver that referenced this issue Nov 28, 2018
Fixing security vulnerability in nodemon 1.18.6, see remy/nodemon#1442
@piotrturski
Copy link

@piotrturski piotrturski commented Dec 20, 2018

@FallingSnow out of pure curiosity: starting from the stack trace, how did you find out it's an injection attack? did you start analyzing js and min.js files?

Here's the trace:

> nodemon index.js                                                                                                                                                                                                
                                                                                                                                                                                                                  
(node:27294) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.                                                                                                                                   
    at [redacted]/node_modules/flatmap-stream/index.min.js:1:1264                                                                                                                      
    at Object.<anonymous> ([redacted]/node_modules/flatmap-stream/index.min.js:1:1423)                                                                                                 
    ...
@remy
Copy link
Owner

@remy remy commented Dec 20, 2018

@piotrturski if you've got that stack trace your dependencies are out of date and nodemon needs an upgrade.

@FallingSnow
Copy link

@FallingSnow FallingSnow commented Dec 20, 2018

@piotrturski I just followed the stack traces until I ran into some very strange code that looked like an obfuscated payload.

So yes, I did analyze the js files, see dominictarr/event-stream#116.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
7 participants