i2group / analyze-connect-node-sdk

Develop connectors that bring data from external sources into i2 Analyze by using the i2 Connect Node SDK. The SDK is comprised of documentation, tools, and sample code.
https://i2group.github.io/analyze-connect-node-sdk/
MIT License

SPI Error #4

Closed RaymondVA closed 1 year ago

RaymondVA commented 1 year ago

Hi i2Group,

When I run this command:

    npm init @i2analyze/connector my-connector

to create a connector, and I try to run the connector, I get this error from i2Analyze:

    Failed to parse configuration information for the connector with identifier 'my-connector' from the URL 'http://localhost:3002/config'. The connector with identifier 'my-connector' specified SPI version 1.1, which is not supported by this server. This server supports the following SPI versions: 1.0.

We got this error message on 2 different machines running i2Analyze4.4.0 and i2Analyze4.4.1. So I have the questions:

4.4.0: I am aware the i2Analyze4.4.0 only supports SPI 1.0, so is it possible to change parts of the generated my-connector to erase traces of SPI 1.1? Also, I'm worried that connectors that were previously developed may become obsolete - will they continue to stay relevant or do we need to somehow upgrade them?

4.4.1: Have you had any incidents of this occurrence?

Anthony-Johnson-i2 commented 1 year ago

Hi @RaymondVA I had this issue when trying to do some testing for a customer that required me to create a connector that would work with i2 Analyze 4.4.0.

You need to tell npm to load an older i2connect version so that you get the older SPI/SDK that your server needs.

If you look in package.json I expect that you will see that it says something like:

    "dependencies": {
      "@i2analyze/i2connect": "^2.2.0"
    }

If you alter that to be:

    "dependencies": {
      "@i2analyze/i2connect": "2.1.4"
    }

And then run

npm install

again it should remove the newer version and get the older compatible one you need.

As for your other questions, they are probably best answered by someone who is currently developing this area of things; @Jonny-Cornwell-i2 knows this stuff inside out :-)

Cheers

RaymondVA commented 1 year ago

Hi Anthony,

I tried doing this without doing anything with the example files that get generated from the npm init @i2analyze/connector my-connector command and it worked.

However, when I start adding extra .ts files, I get the same error message again. It seems like when I run npm start, in package.json it will change back to "dependencies": { "@i2analyze/i2connect": "^2.2.0" }

even though I keep changing it to 2.1.4 and running npm start.

RaymondVA commented 1 year ago

Hi Anthony,

Just to update you, I noticed that it is when I add new dependencies in the package.json and then run npm install, it will ask me to run npm audit fix --force.

When I run npm audit fix --force, this is what causes package.json to automatically change to "@i2analyze/i2connect": "^2.2.0". Of course I tried to change it back to 2.1.4, run npm install, then it will prompt me with npm audit fix --force again (which changes it back to ^2.2.0).

Anthony-Johnson-i2 commented 1 year ago

Hi Raymond

I am glad that we were on to the right track with what I showed you to fix this initially.

Thank you for the extra information you have now provided regarding this being reset to the newer version.

I have spoken directly with @Jonny-Cornwell-i2 who is now aware of your posting here.

Cheers

Jonny-Cornwell-i2 commented 1 year ago

Hi Raymond,

I believe the underlying cause of you being prompted to run "npm audit fix" is because of xml2js. This is a development dependency package for the @i2analyze/i2connect package which is used to process the XML schemas and subsequently auto generate a TypeScript file. I suspect if you run npm audit it will take you to the following advisory: https://github.com/advisories/GHSA-776f-qx25-q3cc. Given the nature of the advisory and how it is used internally, i.e. to read schema XML files generated from schema designer, it will not cause issues; assuming this is the only advisory listed when you run npm audit, I would suggest it is tolerable. However, I will look to publish a patch release 2.1.X which increments the minimum required version of xml2js.

For reference, the reason the @i2analyze/i2connect package is not auto updating to the latest minor version of xml2js to >=0.5.X is due to special behaviour regarding npm packages with a major version of 0.

I would note if you are also using xml2js <0.5.0 as a runtime dependency, I would suggest it is upgraded and/or the advisory is assessed in the context of your code.

Kind Regards, Jonny
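
The caret-range behaviour mentioned in the comment above, as an added example that is not part of the thread or the SDK's code: a small matcher for plain `x.y.z` versions (no pre-release tags) showing why a `^0.4.x` range never reaches a fix released as 0.5.0, and why the exact pin `2.1.4` stays put while a caret would float. The version lists and the `^0.4.23` range are constructed assumptions; the page does not state the range the package declares.

```javascript
// Added example: caret (^) range matching for plain x.y.z versions.
// Version lists are constructed; "^0.4.23" is an assumed xml2js range.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of ^base: bump the left-most non-zero component.
// For a 0.y.z base that is the minor number, so ^0.4.x never reaches 0.5.0.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Accepts "^x.y.z" or an exact "x.y.z" spec.
function satisfies(version, spec) {
  const v = parseVersion(version);
  if (!spec.startsWith("^")) return compare(v, parseVersion(spec)) === 0;
  const base = parseVersion(spec.slice(1));
  return compare(v, base) >= 0 && compare(v, caretUpperBound(base)) < 0;
}

// Highest version in `published` that the spec admits, or null.
function highestMatch(published, spec) {
  const hits = published
    .filter((v) => satisfies(v, spec))
    .sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return hits.length ? hits[hits.length - 1] : null;
}

const xml2js = ["0.4.19", "0.4.23", "0.5.0", "0.6.2"]; // constructed
const i2connect = ["2.1.4", "2.1.6", "2.2.0"]; // constructed from versions in this thread

console.log(highestMatch(xml2js, "^0.4.23")); // stays below the fixed 0.5.0
console.log(highestMatch(xml2js, "^0.5.0")); // raised minimum picks up the fix
console.log(highestMatch(i2connect, "^2.1.4")); // caret floats to the 2.2 line
console.log(highestMatch(i2connect, "2.1.4")); // exact pin stays put
```
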

Jonny-Cornwell-i2 commented 1 year ago

2.1.6 has been published which should resolve the advisory, if you could update to use this and let us know if the advisory is resolved that would be great and we can close the issue?

Cheers, Jonny

RaymondVA commented 1 year ago

Hi Jonny,

Thanks for publishing the fix for 2.1.6. The following is the output that I got when doing npm install and npm audit.

    npm install
    npm WARN deprecated start@5.1.0: Deprecated in favor of https://github.com/deepsweet/start

    added 141 packages, changed 1 package, and audited 402 packages in 27s

    94 packages are looking for funding
      run npm fund for details

    4 moderate severity vulnerabilities

    Some issues need review, and may require choosing
    a different dependency.

    Run npm audit for details.
    PS C:\VSC WORKSPACES\AU_NSW_NSWPOL\test> npm audit

    npm audit report

    semver  <7.5.2
    Severity: moderate
    semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
    No fix available
    node_modules/nodemon/node_modules/semver
    node_modules/simple-update-notifier/node_modules/semver
      nodemon  1.4.10-alpha.1 - 1.4.10-alpha.3 || >=1.14.10
      Depends on vulnerable versions of semver
      Depends on vulnerable versions of simple-update-notifier
      node_modules/nodemon
        @i2analyze/i2connect-scripts  *
        node_modules/@i2analyze/i2connect-scripts
      simple-update-notifier  >=1.0.7
      Depends on vulnerable versions of semver
      node_modules/simple-update-notifier

    4 moderate severity vulnerabilities

    Some issues need review, and may require choosing
    a different dependency.

Despite the output of npm audit, the connector works.

Cheers, Raymond.

Jonny-Cornwell-i2 commented 1 year ago

Glad it is all sorted. I would note that deepsweet is not a package used by the @i2analyze/i2connect-scripts or @i2analyze/i2connect as far as I know or can see.

It looks like the semver advisory is relatively new and I can see a PR has been made to nodemon to fix this (https://github.com/remy/nodemon/pull/2118), so once that is merged it should be able to be fixed by npm audit fix soon.

Cheers

Anthony-Johnson-i2 commented 1 year ago

Closing as this now seems to be resolved.

Cheers