BitGo / BitGoJS

BitGo JavaScript SDK
https://developers.bitgo.com/
Apache License 2.0

Cannot install BitGo Express using NodeJs v16 and NPM v8 #1915

Closed Brandon23z closed 2 years ago

Brandon23z commented 2 years ago

## Environment Details

## Expected Behavior

Software should install correctly into non-prod environment.

## Current Behavior

For some reason, I'm getting a bunch of dependency errors which finally end with error TS2731:

```
root@BitcoinBabylon-NodeExpress-ubuntu-s-2vcpu-4gb-nyc1-01:~# git clone -b bitgo@9.0.0 https://github.com/bitgo/bitgojs
Cloning into 'bitgojs'...
remote: Enumerating objects: 65161, done.
remote: Counting objects: 100% (2673/2673), done.
remote: Compressing objects: 100% (1151/1151), done.
remote: Total 65161 (delta 1769), reused 2255 (delta 1491), pack-reused 62488
Receiving objects: 100% (65161/65161), 36.39 MiB | 31.18 MiB/s, done.
Resolving deltas: 100% (46340/46340), done.
Note: switching to '1bb5e33400e6d2faa419b2ab7e1dbfb34b0f95f7'.

You are in 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may do so (now or later) by using -c with the switch command. Example:

  git switch -c

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

root@BitcoinBabylon-NodeExpress-ubuntu-s-2vcpu-4gb-nyc1-01:~# cd bitgojs/modules/express
root@BitcoinBabylon-NodeExpress-ubuntu-s-2vcpu-4gb-nyc1-01:~/bitgojs/modules/express# npm ci
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'bitgo@9.6.2',
npm WARN EBADENGINE   required: { node: '>=8 <12.0.0', npm: '>=3.10.10' },
npm WARN EBADENGINE   current: { node: 'v16.13.2', npm: '8.1.2' }
npm WARN EBADENGINE }
npm WARN deprecated flat@4.1.0: Fixed a prototype pollution security issue in 4.1.0, please upgrade to ^4.1.1 or ^5.0.1.
npm WARN deprecated socks@1.1.10: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated uuid@2.0.1: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated formidable@1.2.1: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN deprecated uuid@3.3.2: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated ethereumjs-tx@1.3.7: New package name format for new versions: @ethereumjs/tx. Please update.
npm WARN deprecated superagent@3.8.3: Please upgrade to v7.0.2+ of superagent. We have fixed numerous issues with streams, form-data, attach(), filesystem errors not bubbling up (ENOENT on attach()), and all tests are now passing. See the releases tab for more information at https://github.com/visionmedia/superagent/releases. Thanks to @shadowgate15, @spence-s, and @niftylettuce. Superagent is sponsored by Forward Email at https://forwardemail.net.
npm WARN deprecated axios@0.18.1: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm WARN deprecated superagent@4.1.0: Please upgrade to v7.0.2+ of superagent. We have fixed numerous issues with streams, form-data, attach(), filesystem errors not bubbling up (ENOENT on attach()), and all tests are now passing. See the releases tab for more information at https://github.com/visionmedia/superagent/releases. Thanks to @shadowgate15, @spence-s, and @niftylettuce. Superagent is sponsored by Forward Email at https://forwardemail.net.
npm WARN deprecated core-js@1.2.7: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@2.6.9: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

> @bitgo/express@9.0.0 prepare
> npm run build

> @bitgo/express@9.0.0 build
> tsc

src/clientRoutes.ts:556:25 - error TS2731: Implicit conversion of a 'symbol' to a 'string' will fail at runtime. Consider wrapping this expression in 'String(...)'.

556       acc.push(`${key}=${val}`);

Found 1 error.

npm ERR! code 2
npm ERR! path /root/bitgojs/modules/express
npm ERR! command failed
npm ERR! command sh -c npm run build

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2022-01-26T17_20_29_340Z-debug.log
```

## Possible Solution
I got it working with NPM v8 a few days ago, but the readme shows v6. I haven't tried this yet because I feel like higher level software would be safer due to vulnerabilities and whatnot.

## Steps to Reproduce
Using Digital Ocean VPS Droplet: Basic Shared CPU 2 vCPUs 4 GB 80 GB 4 TB

```
#apt update && apt upgrade
```

(Upgrading server after first creation)

Open Console (not in Root mode)

```
#sudo apt update && sudo apt install curl
#curl -sL https://deb.nodesource.com/setup_16.x | sudo -E bash -
#sudo apt install -y nodejs
#git clone -b rel/latest https://github.com/bitgo/bitgojs
#cd ~/bitgojs/modules/express
#npm ci
```

![2022-01-26 12_20_46-BitcoinBabylon-NodeExpress-ubuntu-s-2vcpu-4gb-nyc1-01 - DigitalOcean Droplet Web](https://user-images.githubusercontent.com/9116999/151215089-067ced18-e29d-4616-bd72-b798b180246d.png)
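The `EBADENGINE` warning in the log above reports that `bitgo@9.6.2` declares Node `>=8 <12.0.0` while the install ran on `v16.13.2`. As an added example (not part of the original post and not BitGo's code), here is a dependency-free preflight check that evaluates such an `engines.node` range before `npm ci` is run; the function names `parseVersion`, `compare`, `satisfies` and `preflight` are hypothetical.

```javascript
// Added example, not BitGo code. Supported: comparators >=, >, <=, <, = joined by
// spaces (AND) and "||" (OR). Partial versions ("8") are accepted only after >= and <,
// where zero-padding matches npm's semantics; any other syntax throws.
function parseVersion(text) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(text.trim());
  if (!m) throw new Error(`unsupported version syntax: "${text}"`);
  return {
    parts: [m[1], m[2] || '0', m[3] || '0'].map(Number),
    partial: m[3] === undefined,
  };
}

// -1, 0 or 1 for a < b, a == b, a > b.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  '>=': (c) => c >= 0, '<=': (c) => c <= 0,
  '>': (c) => c > 0, '<': (c) => c < 0, '=': (c) => c === 0,
};

function satisfies(version, range) {
  const v = parseVersion(version).parts;
  return range.split('||').some((set) =>
    set.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(.*)$/.exec(comparator);
      const op = m[1] || '=';
      const bound = parseVersion(m[2]);
      if (bound.partial && op !== '>=' && op !== '<') {
        throw new Error(`partial version not supported after "${op}"`);
      }
      return OPS[op](compare(v, bound.parts));
    })
  );
}

// Returns a result object instead of exiting, so the calling CI step decides what to do.
function preflight(nodeVersion, enginesNode) {
  return satisfies(nodeVersion, enginesNode)
    ? { ok: true, reason: '' }
    : { ok: false, reason: `node ${nodeVersion} is outside "${enginesNode}"` };
}

// Versions taken from the EBADENGINE warning and the later `node -v` comment in this thread.
for (const v of ['v16.13.2', 'v10.19.0']) console.log(v, preflight(v, '>=8 <12.0.0'));
```

npm itself turns this warning into a hard install failure when `engine-strict=true` is set in `.npmrc`.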
Brandon23z commented 2 years ago

Bumping this. Any update? I cannot install the express node, which BitGo charges for since it's going through their API.

Brandon23z commented 2 years ago

Still seeing issues with

```
root@BitGo-ubuntu-s-2vcpu-4gb-nyc1-01:~/bitgojs/modules/express# node -v
v10.19.0
root@BitGo-ubuntu-s-2vcpu-4gb-nyc1-01:~/bitgojs/modules/express# npm -v
6.14.4
```

mmcshinsky-bitgo commented 2 years ago

Hello @Brandon23z. Thank you for the provided details. It is very helpful. At the start of the code provided, it looks like the version of bitgo being cloned is 9.0.0 (git clone -b bitgo@9.0.0 https://github.com/bitgo/bitgojs). The current version is 14.0.0. Are the errors resolved by cloning using the following command?

git clone bitgo https://github.com/bitgo/bitgojs

Brandon23z commented 2 years ago

I've tried BitGo rel/latest and the same thing happens. Going to try using Docker installation next week when I get some time. I've heard it works.

mmcshinsky-bitgo commented 2 years ago

I wanted to follow up @Brandon23z. Did the Docker version work for you?

Brandon23z commented 2 years ago

> I wanted to follow up @Brandon23z. Did the Docker version work for you?

Yes, Docker works. Thanks!

Brandon23z commented 2 years ago

Should this ticket be closed? Docker works, but NPM install still does not work due to deprecated dependencies. I will leave it up to the team to decide if this should be closed.

mmcshinsky-bitgo commented 2 years ago

I'm glad to hear that! We'll go ahead and close it with the next release updating the errors mentioned.