BSC-ES / autosubmit-gui

The Autosubmit Graphical User Interface (GUI) is the web-based Autosubmit frontend, allowing users to discover, monitor, and analyze experiments. It is based on ReactJS and relies on the Autosubmit API as the middleware to get experiment information.
MIT License

Upgrade node and dependencies #92

Closed kinow closed 2 months ago

kinow commented 11 months ago

In GitLab by @bdepaula on Nov 23, 2023, 11:04

The GUI has been using an old version of Node. The current LTS seems to be 20 - nvm gives me that, their page also shows that one.


The GUI is using an older LTS, v14.21.3, that fixed two CVEs. I don't know what's the release cadence for older LTS versions, but it might be safer to use a newer version. Also in case other tools use a newer Node version and if we ever need to deploy both in the same VM/container (hopefully the containers will be separated like EDITO/SURF, so a low risk).

This also prevents users from using a newer version. I tried the GUI with v18 and it failed with

$ npm start

> autosubmitgui@1.0.0 start
> react-scripts start

node:internal/modules/cjs/loader:573
      throw e;
      ^

Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: Package subpath './lib/tokenize' is not defined by "exports" in /home/kinow/Development/javascript/workspace/autosubmitreact/node_modules/postcss-safe-parser/node_modules/postcss/package.json
    at new NodeError (node:internal/errors:405:5)
    at exportsNotFound (node:internal/modules/esm/resolve:362:10)
    at packageExportsResolve (node:internal/modules/esm/resolve:698:9)
    at resolveExports (node:internal/modules/cjs/loader:567:36)
    at Module._findPath (node:internal/modules/cjs/loader:636:31)
    at Module._resolveFilename (node:internal/modules/cjs/loader:1063:27)
    at Module._load (node:internal/modules/cjs/loader:922:27)
    at Module.require (node:internal/modules/cjs/loader:1143:19)
    at require (node:internal/modules/cjs/helpers:119:18)
    at Object.<anonymous> (/home/kinow/Development/javascript/workspace/autosubmitreact/node_modules/postcss-safe-parser/lib/safe-parser.js:1:17) {
  code: 'ERR_PACKAGE_PATH_NOT_EXPORTED'
}

Node.js v18.18.0

So if LangTech, EDITO, etc., have the requirement to use, for example, the latest LTS v20 (driven by security/ops requirements) that would prevent them from using our GUI.

Not high priority as v14 got an update in February, but good to have that in our radar.

Installing the GUI dependencies I also get a message about security issues.

kinow@ranma:~/Development/javascript/workspace/autosubmitreact$ npm install
npm WARN old lockfile 
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile 
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile 

up to date, audited 2364 packages in 28s

206 packages are looking for funding
  run `npm fund` for details

124 vulnerabilities (1 low, 81 moderate, 31 high, 11 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

So maybe it'd be worth checking dependencies, maybe with npx ncu or something else.
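A check that turns the `npm audit` numbers above into a build verdict, as an added example that is not part of the original thread or of the autosubmit-gui code. It assumes the JSON shape of `npm audit --json` from npm 7 and later (per-severity counts under `metadata.vulnerabilities`, and per-package `severity` and `fixAvailable` entries, where `fixAvailable` is `true`, `false`, or an object with `isSemVerMajor`); that shape is an assumption stated in the code. The report embedded in the block is constructed to match the counts in the comment, and its package names are invented.

```javascript
// Added example, not autosubmit-gui code: turn an `npm audit --json` report
// into a CI verdict and a fix plan. ASSUMPTION: the npm 7+ report shape, i.e.
// report.metadata.vulnerabilities = { info, low, moderate, high, critical, total }
// and report.vulnerabilities[name] = { name, severity, isDirect, fixAvailable },
// with fixAvailable being true, false, or { name, version, isSemVerMajor }.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed report: the counts mirror the thread (1 low, 81 moderate,
// 31 high, 11 critical = 124); the four package entries are invented.
const SAMPLE_REPORT = {
  vulnerabilities: {
    'pkg-a': { name: 'pkg-a', severity: 'critical', isDirect: false, fixAvailable: true },
    'pkg-b': { name: 'pkg-b', severity: 'high', isDirect: false,
               fixAvailable: { name: 'build-tool-x', version: '5.0.0', isSemVerMajor: true } },
    'pkg-c': { name: 'pkg-c', severity: 'moderate', isDirect: true, fixAvailable: false },
    'pkg-d': { name: 'pkg-d', severity: 'low', isDirect: false, fixAvailable: true },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 81, high: 31, critical: 11, total: 124 },
  },
};

// Returns { pass, blocking, plan } for the given report and threshold.
//   blocking: number of findings at or above `failOn`
//   plan.auto: fixable by a plain `npm audit fix`
//   plan.breaking: fix needs a semver-major bump (what `--force` would do)
//   plan.unfixed: no upstream fix known; needs a replacement or an exception
function auditVerdict(report, failOn = 'high') {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity level: ${failOn}`);

  const counts = report.metadata.vulnerabilities;
  const blocking = Object.entries(SEVERITY_RANK)
    .filter(([, rank]) => rank >= threshold)
    .reduce((n, [sev]) => n + (counts[sev] || 0), 0);

  const plan = { auto: [], breaking: [], unfixed: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] ?? -1) < threshold) continue;
    if (v.fixAvailable === true) {
      plan.auto.push(v.name);
    } else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
      plan.breaking.push(`${v.name} (via ${v.fixAvailable.name}@${v.fixAvailable.version})`);
    } else if (v.fixAvailable) {
      plan.auto.push(v.name); // fix is a non-major bump of another package
    } else {
      plan.unfixed.push(v.name);
    }
  }
  return { pass: blocking === 0, blocking, plan };
}

// Stand-alone run on the constructed report; in CI the JSON would come from
// `npm audit --json` and a non-pass verdict would fail the job.
console.log(JSON.stringify(auditVerdict(SAMPLE_REPORT, 'high'), null, 2));
```

Gating on `high` here yields 42 blocking findings; `npm audit --audit-level=high` gives the same pass/fail answer on its own, but the plan split is what tells a maintainer whether `npm audit fix` is enough or a major upgrade (here of the build tooling) is unavoidable.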

kinow commented 10 months ago

In GitLab by @ltenorio on Dec 11, 2023, 15:41

An additional perk of reviewing and updating the dependencies of the project is that we can replace the ones that are provided via CDN to be contained inside the compiled project.

The GUI is a reproducible application that can be installed in environments with limited access to the internet, so almost all the features become unusable when it doesn't have proper access to these remote resources (styling, network graphs, icons, javascript functions, etc). This can be easily tested by turning off the internet and running the GUI with the API (which doesn't need access to the internet) serving it.

This was an issue that was invisible to us until now as we always deployed the GUI on environments with free access to the internet resources, but removing this limitation could be a MUST afterward.
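A scanner for the situation described in this comment, as an added example that is not part of the original thread or of the autosubmit-gui code: it lists every resource a built HTML page would fetch from a remote origin, which is exactly what breaks on a host without internet access, and flags which of those are loaded without an `integrity` attribute. The HTML embedded in the block is constructed for the example and its hostnames are invented; nothing in it is taken from the GUI's own build output.

```javascript
// Added example, not autosubmit-gui code: find resources that an HTML page
// fetches from another origin. Every hit is a dependency that an offline
// deployment cannot satisfy, and every hit without an `integrity` attribute
// is a script or stylesheet the page accepts from that origin unverified.

// Constructed sample page; hostnames are invented for the example.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/icons/4.7.0/icons.min.css">
<link rel="stylesheet" href="/static/css/main.css">
<style>@import url("//fonts.example.org/css?family=Roboto");</style>
<script src="https://cdn.example.com/graph/7.1.0/graph.min.js"></script>
<script src="https://scripts.example.net/lib-3.6.0.min.js"
        integrity="sha384-0000000000000000000000000000000000000000000000000000000000000000"
        crossorigin="anonymous"></script>
<script src="/static/js/main.js"></script>
</head><body><img src="./logo.png"></body></html>`;

const TAG_RE = /<(script|link|img|iframe)\b([^>]*)>/gi;           // tag + attribute string
const URL_ATTR_RE = /(?:^|\s)(src|href)\s*=\s*["']?([^"'\s>]+)/i;  // the URL-bearing attribute
const INTEGRITY_RE = /(?:^|\s)integrity\s*=/i;                      // SRI present?
// @import "...", @import url(...) and url(...) in CSS, remote targets only
const CSS_URL_RE = /(?:@import\s+|url\(\s*)["']?((?:https?:)?\/\/[^"')\s;]+)/gi;

// Origin of an absolute or protocol-relative URL; null for same-host references.
function remoteOrigin(url) {
  if (!/^(https?:)?\/\//i.test(url)) return null;
  return new URL(url.startsWith('//') ? 'https:' + url : url).origin;
}

// Returns [{ tag, url, origin, hasIntegrity }] for every remote resource whose
// origin is not in `allowedOrigins` (e.g. a mirror that is reachable offline).
function findRemoteResources(html, allowedOrigins = []) {
  const hits = [];
  for (const [, tag, attrs] of html.matchAll(TAG_RE)) {
    const m = URL_ATTR_RE.exec(attrs);
    if (!m) continue;
    const origin = remoteOrigin(m[2]);
    if (origin === null || allowedOrigins.includes(origin)) continue;
    hits.push({ tag: tag.toLowerCase(), url: m[2], origin, hasIntegrity: INTEGRITY_RE.test(attrs) });
  }
  for (const [, url] of html.matchAll(CSS_URL_RE)) {
    const origin = remoteOrigin(url);
    if (origin === null || allowedOrigins.includes(origin)) continue;
    // Subresource Integrity does not apply to @import/url() loads at all.
    hits.push({ tag: 'css', url, origin, hasIntegrity: false });
  }
  return hits;
}

// Stand-alone run on the constructed page. For a real build, read the
// generated index.html (and any CSS) and require an empty result before
// shipping to an environment without internet access.
console.log(JSON.stringify(findRemoteResources(SAMPLE_HTML), null, 2));
```

On the sample page the scan reports four remote loads, three of them without integrity metadata; the `@import` is the kind that survives a quick look at the script tags and still leaves the styling broken offline. The regexes are deliberately simple and will not follow lazy-loading attributes or JavaScript that builds URLs at runtime, so the test in the comment above (run the GUI with the network off) remains the final check.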

kinow commented 10 months ago

In GitLab by @ltenorio on Dec 22, 2023, 16:26

mentioned in commit 19f25a715c4935bf6a3158e96462e9a1e07a0102

kinow commented 10 months ago

In GitLab by @ltenorio on Dec 27, 2023, 17:12

mentioned in commit 3164f06c36dc2a7c96d3f9f0c96fd8eb98609e19

kinow commented 10 months ago

In GitLab by @ltenorio on Dec 28, 2023, 14:06

mentioned in commit c7e2d7f5c55fbf731c844bf864d45ddd4bdf5617

kinow commented 9 months ago

In GitLab by @mcastril on Jan 31, 2024, 18:19

Do you mean the dependencies defined in the package.json file?

kinow commented 9 months ago

In GitLab by @ltenorio on Feb 1, 2024, 09:23

Some dependencies were defined in the package.json but never used from the node_modules directory. Instead, they were downloaded from the internet via CDN every time the user loaded the GUI.

This issue is already solved in the new GUI upgrade.

kinow commented 9 months ago

In GitLab by @bdepaula on Feb 1, 2024, 09:26

And to add to what Luiggi said, I believe besides downloading these dependencies someone also patched/modified them. So Luiggi also had to spend time comparing versions and changes before upgrading them.

kinow commented 9 months ago

In GitLab by @mcastril on Feb 2, 2024, 17:41

I see, thanks for the explanation

kinow commented 8 months ago

In GitLab by @ltenorio on Mar 5, 2024, 11:15

The master branch has already been updated to Node.js lts/iron.