New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deprecation warning at start #1442

Closed
jaydenseric opened this Issue Oct 29, 2018 · 10 comments

Comments

6 participants
@jaydenseric

jaydenseric commented Oct 29, 2018

The latest version of Nodemon on the latest version of Node.js causes a deprecation warning to be logged when starting.

This relates to Nodemon and not my start script, because when I run npm start directly (not via Nodemon) no deprecation warning is logged.

  • nodemon -v: 1.18.5
  • node -v: 11.0.0
  • Operating system/terminal environment: macOS
  • Command you ran:
{
  "watch": "nodemon",
  "start": "node --experimental-modules --no-warnings -r dotenv/config server"
}
npm run watch

Expected behaviour

Nodemon does not use deprecated Node.js APIs, causing deprecation warnings to be logged.

Actual behaviour

A deprecation warning is logged:

[DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.

Steps to reproduce

Use Nodemon and Node.js versions as specified above.


If applicable, please append the --dump flag on your command and include the output here ensuring to remove any sensitive/personal details or tokens.

@jaydenseric

This comment has been minimized.

jaydenseric commented Oct 29, 2018

I tried adding --trace-deprecations to my start script but it has no effect, since the deprecation warning is triggered by Nodemon code (or dependencies) that runs before the start script.

@remy

This comment has been minimized.

Owner

remy commented Oct 29, 2018

If you try nodemon with a bare index.js, do you get the warning still?

ie.

echo "" > index.js
nodemon index.js
@jaydenseric

This comment has been minimized.

jaydenseric commented Oct 29, 2018

Yep:

screen shot 2018-10-29 at 8 28 30 pm

@stromcon

This comment has been minimized.

stromcon commented Nov 9, 2018

Indeed, I also got the issue.

node index.js => no warning
nodemon index.js => got the warning

@jkhusanov

This comment has been minimized.

jkhusanov commented Nov 12, 2018

Same issue,

nodemon version: 1.18.6

@FallingSnow

This comment has been minimized.

FallingSnow commented Nov 20, 2018

Here's the trace:

> nodemon index.js                                                                                                                                                                                                
                                                                                                                                                                                                                  
(node:27294) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.                                                                                                                                   
    at [redacted]/node_modules/flatmap-stream/index.min.js:1:1264                                                                                                                      
    at Object.<anonymous> ([redacted]/node_modules/flatmap-stream/index.min.js:1:1423)                                                                                                 
    at Module._compile (internal/modules/cjs/loader.js:707:30)                                                                                                                                                    
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:718:10)                                                                                                                                      
    at Module.load (internal/modules/cjs/loader.js:605:32)                                                                                                                                                        
    at tryModuleLoad (internal/modules/cjs/loader.js:544:12)                                                                                                                                                      
    at Function.Module._load (internal/modules/cjs/loader.js:536:3)                                                                                                                                               
    at Module.require (internal/modules/cjs/loader.js:643:17)                                                                                                                                                     
    at require (internal/modules/cjs/helpers.js:22:18)                                                                                                                                                            
    at Object.<anonymous> ([redacted]/node_modules/event-stream/index.js:11:15)
@FallingSnow

This comment has been minimized.

FallingSnow commented Nov 20, 2018

And it comes full circle... Turns out it's some kind of injection attack.
dominictarr/event-stream#116
Related: #1451

FallingSnow added a commit to FallingSnow/nodemon that referenced this issue Nov 21, 2018

fix: Update audit dependencies and remove pstree.remy
pstree.remy has a dependency with a compromised dependency

Fixes: remy#1442
Fixes: remy#1451
@remy

This comment has been minimized.

Owner

remy commented Nov 22, 2018

I'm trying to get a release out on nodemon but tests aren't passing (one of the integration tests is leaving a background server running).

That said, a fresh install of nodemon should pull in pstree.remy@1.1.2 which, if it's causing this warning, should be clean now.

Can someone test (and confirm with npm ls pstree.remy against the nodemon install dif)?

@jaydenseric

This comment has been minimized.

jaydenseric commented Nov 25, 2018

This issue has been resolved by the pstree.remy release; the infected package has been removed from the nodemon dependency tree. Thanks!

@murrayju

This comment has been minimized.

murrayju commented Nov 27, 2018

I'm trying to get a release out on nodemon but tests aren't passing (one of the integration tests is leaving a background server running).

@remy glad to hear you have failing tests, things are definitely broken. See #1464.

m-mohr added a commit to Open-EO/openeo-earthengine-driver that referenced this issue Nov 28, 2018

Update package.json
Fixing security vulnerability in nodemon 1.18.6, see remy/nodemon#1442
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment