CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate it into your CI/CD pipeline with automatic submission to a Dependency Track server.
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

8.6.0 version started requiring new major Node version #1333

Closed ncucinotta-reply closed 1 week ago

ncucinotta-reply commented 2 weeks ago

We are using version 8.6.0 of cdxgen in our Jenkins pipelines for node projects, where the build environment is a Docker container with the required Node.js version node:<project_version>. Since yesterday (first known reported issue, might have started happening earlier in the month) we noticed this log in our node:16.19.0 projects:

+ npm install @cyclonedx/cdxgen@8.6.0
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'cheerio@1.0.0',
npm WARN EBADENGINE   required: { node: '>=18.17' },
npm WARN EBADENGINE   current: { node: 'v16.19.0', npm: '8.19.3' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'undici@6.19.8',
npm WARN EBADENGINE   required: { node: '>=18.17' },
npm WARN EBADENGINE   current: { node: 'v16.19.0', npm: '8.19.3' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'whatwg-mimetype@4.0.0',
npm WARN EBADENGINE   required: { node: '>=18' },
npm WARN EBADENGINE   current: { node: 'v16.19.0', npm: '8.19.3' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'whatwg-encoding@3.1.1',
npm WARN EBADENGINE   required: { node: '>=18' },
npm WARN EBADENGINE   current: { node: 'v16.19.0', npm: '8.19.3' }
npm WARN EBADENGINE }
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported

which leads to a generation issue:

+ npx cdxgen -t node.js -o /tmp/bom.xml --server-url <REDACTED> --api-key <REDACTED> --project-name=<REDACTED> --project-version 1.0.3-rc.7
/home/tomcat/workspace/<REDACTED>/node_modules/undici/lib/web/fetch/response.js:527
  ReadableStream
  ^

ReferenceError: ReadableStream is not defined
    at Object.<anonymous> (/home/tomcat/workspace/<REDACTED>/node_modules/undici/lib/web/fetch/response.js:527:3)
    at Module._compile (node:internal/modules/cjs/loader:1165:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1219:10)
    at Module.load (node:internal/modules/cjs/loader:1043:32)
    at Function.Module._load (node:internal/modules/cjs/loader:878:12)
    at Module.require (node:internal/modules/cjs/loader:1067:19)
    at require (node:internal/modules/cjs/helpers:103:18)
    at Object.<anonymous> (/home/tomcat/workspace/<REDACTED>/node_modules/undici/lib/web/fetch/index.js:11:5)
    at Module._compile (node:internal/modules/cjs/loader:1165:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1219:10)

A previous pipeline run log from the 8th of August, 2024, does not report the EBADENGINE warnings when installing @cyclonedx/cdxgen@8.6.0, and the SBOM generation proceeds without issues.

I have been able to reproduce the issue in a brand new Docker container:

I would therefore like to know if there is any cdxgen version that currently supports Node 16 (and possibly Node 14), or any workaround to the reported issue in version 8.6.0. From the GitHub Page associated with this project, I could only see Node 20 referenced as a minimum runtime environment for your latest version, which we are currently unable to support in our legacy projects.

If necessary, we are able to upgrade/downgrade the cdxgen version. Thank you!

prabhu commented 2 weeks ago

This is an interesting bug. It appears that these old versions do not use a lock file, so they are not reproducible.

https://www.npmjs.com/package/@cyclonedx/cdxgen/v/8.6.0?activeTab=code


In general, we can only support the current major version. You can try using our container image, which is immutable.

prabhu commented 1 week ago

I have pushed 8.6.3 with some fixes (and test failures). Hopefully it works. We seriously do not have the funding, bandwidth, time, etc. to maintain v8, when the current version is v10 and v11 is due later this year.

heubeck commented 1 week ago

Hey @prabhu,

we're now getting

npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE   package: '@cyclonedx/cdxgen@8.6.3',
npm warn EBADENGINE   required: { node: '>=12.0.0 <17.0.0' },
npm warn EBADENGINE   current: { node: 'v18.20.4', npm: '10.7.0' }
npm warn EBADENGINE }
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported

when installing cdxgen 8.6.3 :(

prabhu commented 1 week ago

@heubeck can you not use v9 or above, since you have node 18? What exactly is the barrier to upgrade to v10?

heubeck commented 1 week ago

OK, sorry, I confused myself. We're using v10...

But when running npm install -g @cyclonedx/cdxgen or npm install -g @cyclonedx/cdxgen@latest, it isn't actually the latest:


prabhu commented 1 week ago

Oh dear. Looks like npmjs is assuming the last release to be the latest. Can you explicitly specify the version number while I investigate this?