search

jeffbski / wait-on

wait-on is a cross-platform command line utility and Node.js API which will wait for files, ports, sockets, and http(s) resources to become available
MIT License
1.87k stars 77 forks source link

wait-on doesn't work due to lodash error #67

Closed caiofbpa closed 4 years ago

caiofbpa commented 4 years ago

Installation is successful:

$ npm install -g wait-on
npm WARN deprecated @hapi/formula@2.0.0: This version has been deprecated and is no longer supported or maintained
/usr/local/bin/wait-on -> /usr/local/lib/node_modules/wait-on/bin/wait-on
+ wait-on@5.0.1
added 15 packages from 18 contributors in 2.847s

But when trying to run:

$ wait-on -v http://web:8000
internal/modules/cjs/loader.js:796
    throw err;
    ^
Error: Cannot find module 'lodash/fp'
Require stack:
- /usr/local/lib/node_modules/wait-on/lib/wait-on.js
- /usr/local/lib/node_modules/wait-on/bin/wait-on
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:793:17)
    at Function.Module._load (internal/modules/cjs/loader.js:686:27)
    at Module.require (internal/modules/cjs/loader.js:848:19)
    at require (internal/modules/cjs/helpers.js:74:18)
    at Object.<anonymous> (/usr/local/lib/node_modules/wait-on/lib/wait-on.js:11:72)
    at Module._compile (internal/modules/cjs/loader.js:955:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:991:10)
    at Module.load (internal/modules/cjs/loader.js:811:32)
    at Function.Module._load (internal/modules/cjs/loader.js:723:14)
    at Module.require (internal/modules/cjs/loader.js:848:19) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/usr/local/lib/node_modules/wait-on/lib/wait-on.js',
    '/usr/local/lib/node_modules/wait-on/bin/wait-on'
  ]
}

This started this morning, perhaps some dependency not pinned that got updated and broke it?

chulanovskyi-bs commented 4 years ago

Same issue, but during the Travis build, inside docker env:

....
success Installed "wait-on@5.0.1" with binaries:
      - wait-on
...
internal/modules/cjs/loader.js:985
  throw err;
  ^

Error: Cannot find module 'lodash/fp'
Require stack:
- /usr/local/share/.config/yarn/global/node_modules/wait-on/lib/wait-on.js
- /usr/local/share/.config/yarn/global/node_modules/wait-on/bin/wait-on
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:982:15)
    at Function.Module._load (internal/modules/cjs/loader.js:864:27)
    at Module.require (internal/modules/cjs/loader.js:1044:19)
    at require (internal/modules/cjs/helpers.js:77:18)
    at Object.<anonymous> (/usr/local/share/.config/yarn/global/node_modules/wait-on/lib/wait-on.js:11:72)
    at Module._compile (internal/modules/cjs/loader.js:1158:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1178:10)
    at Module.load (internal/modules/cjs/loader.js:1002:32)
    at Function.Module._load (internal/modules/cjs/loader.js:901:14)
    at Module.require (internal/modules/cjs/loader.js:1044:19) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/usr/local/share/.config/yarn/global/node_modules/wait-on/lib/wait-on.js',
    '/usr/local/share/.config/yarn/global/node_modules/wait-on/bin/wait-on'
  ]
}
MikeTaylor commented 4 years ago

Confirmed: I have this problem, too, and pinning lodash to v4.17.15 prevents the problem.

I think this issue should be closed, and a new one opened on lodash, which seems to have removed fp/index.js in v4.17.17.

caiofbpa commented 4 years ago

@MikeTaylor it's already there: https://github.com/lodash/lodash/issues/4848

s100 commented 4 years ago

Pinning to 4.17.15 also pins you to a version still vulnerable to this vulnerability. wait-on isn't directly affected by this vulnerability, since it doesn't use the vulnerable method in question, but this pinning would mean that wait-on would get flagged in security audit scans. I'm going to suggest that it may be time to just stop using lodash entirely.

MikeTaylor commented 4 years ago

Abandoning lodash feels like a big solution to a small problem. But if that's what makes sense to you, go ahead!

s100 commented 4 years ago

Well, this is coming from a combination of factors... the security vulnerability I mentioned was ignored for months, including two months where a PR was open to fix the issue but the maintainer actively ignored it. And it's hard to say whether the current issue (lodash/fp not loading) will be take a similar amount of time to be addressed. I think if the maintainer of lodash is no longer willing to maintain it, it's reasonable to think about trying to shed that dependency.

Also, wait-on's usage of lodash isn't particularly intensive, and it has decent unit tests, so it might be a fairly painless piece of refactoring.

I will look into opening a PR to this effect. It might be today or tomorrow, can't say for sure right now.

jeffbski commented 4 years ago

I have a branch with a fix and am testing in travis now.

s100 commented 4 years ago

Ah, in that case I will defer to @jeffbski! Thank you for your prompt work in any case.

jeffbski commented 4 years ago

Yes, agreed if lodash continues to be a source of problems for us then we will cut ties. For now I have updated to lodash@4.17.17 and just used the original lodash functions rather than the fp and have put in adapters for the few that need to be changed for the fp calling conventions.

rodush commented 4 years ago

They suggest 4.17.18, @jeffbski

jeffbski commented 4 years ago

Awesome thanks @rodush. I'm glad they resolved this quickly. I'll give it a try.

jeffbski commented 4 years ago

lodash@4.17.18 appears to work fine (fp is back). I have published wait-on@5.0.2 which uses the updated version. https://github.com/jeffbski/wait-on/releases/tag/v5.0.2

Thanks everyone who helped us to resolve this!

jeffbski commented 4 years ago

lodash@4.17.19 was also just dropped, so I published https://github.com/jeffbski/wait-on/releases/tag/v5.0.3 for good measure.