outSH closed 11 months ago
@outSH Yeah, sorry, this is on me, going fast and breaking things (as much as I don't like to do that). Deadlines are a bit tight right now and that's been a forcing function.
Below is my step by step update on each of the issues you mentioned:
For the iroha-helpers issue: old grpc is so bad that if Iroha v1 keeps depending on it in my opinion we should just deprecate the Iroha 1 connector. With that said, I'd guess there's a good chance if we update your PR to use the new pure JS grpc package instead of the legacy grpc, it will just work and then Iroha v1 is no longer an issue.
For the axios problems: I'll submit another PR with fine-tuning my earlier changes (I figured out a way to not have the vulnerable versions and yet keep the tests functional).
ipfs-http-client: This one is the hardest. This package is also entirely deprecated and won't receive security updates (which means we shouldn't be using it at all for production code) but I haven't yet been able to find a quick and dirty solution to fix this. The only solution right now seems to be to do a full migration over to this new helia package that they point to in their readme (but that seems like a much bigger chunk of work and I'm really tight on time right now). I'm looking into options here, any help is most welcome.
@petermetz
ipfs-http-client: This one is the hardest. This package is also entirely deprecated and won't receive security updates
I think the replacement for it is https://github.com/ipfs/js-kubo-rpc-client (for HTTP API), but it claims to be Work In Progress. They didn't commit any significant change this year so maybe they are done, but I'm not sure.
Either way I didn't find any other alternative, so it seems we are between a rock and a hard place on this one :S
@petermetz BTW If you're OK with using https://github.com/ipfs/js-kubo-rpc-client I can migrate to it
@petermetz BTW If you're OK with using https://github.com/ipfs/js-kubo-rpc-client I can migrate to it
@outSH I'm 100% OK with that, whatever actually works and isn't vulnerable is still better than something that is known to never again receive security updates. So the kubo RPC client is a step forward IMO even if it's right now unstable.
On the topic of the axios fix: I just submitted a PR that should take care of that problem. Between that and your kubo migration we're just down to the grpc issue.
@petermetz Hi, I've prepared a draft with some comments for fixing IPFS issues, have a look - #2829
@petermetz @izuru0 @jagpreetsinghsasan
Describe the bug
After recent dependency bumps many tests are failing in CI - see https://github.com/hyperledger/cacti/pull/2805. I confirmed some of these errors on main branch (run locally).
TLDR I'd propose to roll back the following commits and investigate how to bump these packages without breaking the CI:
As for now I've identified the following issues:
iroha-helpers
This is caused by an invalid dependency in the iroha-helpers package - after we upgraded to grpc-js it can't find grpc. I've opened an issue in their repository and proposed to add the grpc dependency.
Axios
I think this one is caused by axios-cookiejar-support that lists axios as a peer dependency
"axios": ">=0.16.2",
(so matches 1. we use) but it should list only 0. releases. I'll open an issue in their repo once I confirm this.
Axios 2
ipfs-http-client