matrix-org / matrix-appservice-irc

Node.js IRC bridge for Matrix
Apache License 2.0

0.36.0: Cannot import crypto module on NodeJS 19 #1641

Closed dvzrv closed 1 year ago

dvzrv commented 1 year ago

Hi! I package this project for Arch Linux.

I noticed that with 0.36.0, matrix-appservice-irc requires a dependency with a critical vulnerability rating (allows arbitrary code execution): nedb

We build like this:

npm install --cache "$srcdir"/npm-cache

which goes alright:

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'matrix-appservice@1.1.0',
npm WARN EBADENGINE   required: { node: '>=14 <=18' },
npm WARN EBADENGINE   current: { node: 'v19.0.0', npm: '8.19.2' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'matrix-appservice-bridge@6.0.0',
npm WARN EBADENGINE   required: { node: '>=16 <=18' },
npm WARN EBADENGINE   current: { node: 'v19.0.0', npm: '8.19.2' }
npm WARN EBADENGINE }
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request-promise@4.2.6: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported

> matrix-appservice-irc@0.36.0 prepare
> npm run build

> matrix-appservice-irc@0.36.0 build
> tsc --project ./tsconfig.json

added 709 packages, and audited 710 packages in 2m

83 packages are looking for funding
  run `npm fund` for details

4 vulnerabilities (1 high, 3 critical)

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

Then we run an audit and the tests (which fail):

npm audit || echo "npm audit output might return non-zero"
npm test

which fails:

# npm audit report

nedb  *
Severity: critical
Prototype Pollution - https://github.com/advisories/GHSA-339j-hqgx-qrrx
Depends on vulnerable versions of binary-search-tree
Depends on vulnerable versions of underscore
No fix available
node_modules/nedb
  matrix-appservice-bridge  *
  Depends on vulnerable versions of nedb
  node_modules/matrix-appservice-bridge

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/underscore
  binary-search-tree  *
  Depends on vulnerable versions of underscore
  node_modules/binary-search-tree

4 vulnerabilities (1 high, 3 critical)

Some issues need review, and may require choosing
a different dependency.
npm audit output might return non-zero

> matrix-appservice-irc@0.36.0 test
> BLUEBIRD_DEBUG=1 jasmine --stop-on-failure=true

Error: Cannot find module '@matrix-org/matrix-sdk-crypto-nodejs-linux-x64-gnu'
Require stack:
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/@matrix-org/matrix-sdk-crypto-nodejs/index.js
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/matrix-bot-sdk/lib/e2ee/CryptoClient.js
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/matrix-bot-sdk/lib/index.js
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/matrix-appservice-bridge/lib/components/logging.js
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/matrix-appservice-bridge/lib/index.js
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/spec/util/test.js
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/spec/util/env-bundle.js
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/spec/integ/admin-rooms.spec.js
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/jasmine/lib/loader.js
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/jasmine/lib/jasmine.js
- /build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/jasmine/bin/jasmine.js
    at Module._resolveFilename (node:internal/modules/cjs/loader:995:15)
    at Module._load (node:internal/modules/cjs/loader:841:27)
    at Module.require (node:internal/modules/cjs/loader:1061:19)
    at require (node:internal/modules/cjs/helpers:103:18)
    at Object.<anonymous> (/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/@matrix-org/matrix-sdk-crypto-nodejs/index.js:174:31)
    at Module._compile (node:internal/modules/cjs/loader:1159:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1213:10)
    at Module.load (node:internal/modules/cjs/loader:1037:32)
    at Module._load (node:internal/modules/cjs/loader:878:12)
    at Module.require (node:internal/modules/cjs/loader:1061:19) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/@matrix-org/matrix-sdk-crypto-nodejs/index.js',
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/matrix-bot-sdk/lib/e2ee/CryptoClient.js',
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/matrix-bot-sdk/lib/index.js',
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/matrix-appservice-bridge/lib/components/logging.js',
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/matrix-appservice-bridge/lib/index.js',
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/spec/util/test.js',
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/spec/util/env-bundle.js',
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/spec/integ/admin-rooms.spec.js',
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/jasmine/lib/loader.js',
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/jasmine/lib/jasmine.js',
    '/build/matrix-appservice-irc/src/matrix-appservice-irc-0.36.0/node_modules/jasmine/bin/jasmine.js'
  ]
}
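Two things in the build log above are easy to lose in a distro build: npm's EBADENGINE is only a warning unless `engine-strict` is set, and the `npm audit || echo ...` wrapper discards the audit exit status, so neither the engine mismatch nor the "No fix available" criticals stop the build. The following is an added example, not code from matrix-appservice-irc or its Arch package: it evaluates both signals from data so a packaging script can fail on purpose. The `engines.node` evaluator handles only the space-separated comparator form used by the two packages quoted above (a real script would use the `semver` package), and the audit report it inspects is a constructed sample modelled on the excerpt above, not a captured one.

```javascript
// Added example: not code from matrix-appservice-irc or its Arch package.
// Two signals in the build log are easy to lose in a distro build:
// npm's EBADENGINE is only a warning unless `engine-strict` is set, and
// `npm audit || echo ...` discards the audit exit status. These helpers
// evaluate both from data, so a packaging script can fail on purpose.

// "v19.0.0" or "16.18.1" -> [19, 0, 0]
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Evaluate an `engines.node` range written as space-separated comparators
// that must all hold, e.g. ">=16 <=18" (matrix-appservice-bridge@6.0.0) or
// ">=14 <=18" (matrix-appservice@1.1.0). A partial version such as "18"
// covers all of 18.x, so "<=18" admits 18.18.1 but rejects 19.0.0, which is
// the EBADENGINE case in the log. Assumption: `||` alternatives, `^`, `~`
// and `x` ranges are not handled; use the `semver` package for those.
function satisfiesNodeRange(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).every((comparator) => {
    const m = /^(>=|<=|>|<|=)?v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(comparator);
    if (!m) throw new Error(`unsupported comparator: ${comparator}`);
    const op = m[1] || '=';
    const [major, minor, patch] = [m[2], m[3], m[4]].map((x) => (x === undefined ? undefined : Number(x)));
    // Half-open interval [lo, hi) covered by the (possibly partial) version.
    let lo, hi;
    if (minor === undefined)      { lo = [major, 0, 0];         hi = [major + 1, 0, 0]; }
    else if (patch === undefined) { lo = [major, minor, 0];     hi = [major, minor + 1, 0]; }
    else                          { lo = [major, minor, patch]; hi = [major, minor, patch + 1]; }
    switch (op) {
      case '>=': return compareVersions(v, lo) >= 0;
      case '>':  return compareVersions(v, hi) >= 0;
      case '<=': return compareVersions(v, hi) < 0;
      case '<':  return compareVersions(v, lo) < 0;
      default:   return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
    }
  });
}

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Inspect a parsed `npm audit --json` report (npm 7+ shape: a top-level
// `vulnerabilities` map keyed by package name; `via` holds advisory objects
// for direct findings and bare package names for transitive ones). Returns
// every entry at or above `threshold` with whether npm can fix it, so the
// build can fail on "No fix available" criticals rather than on exit status.
function auditGate(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  const findings = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? -1) < min) continue;
    const advisories = (vuln.via || [])
      .filter((via) => typeof via === 'object' && via.url)
      .map((via) => via.url);
    findings.push({ name, severity: vuln.severity, fixAvailable: Boolean(vuln.fixAvailable), advisories });
  }
  findings.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
  return { ok: findings.length === 0, findings };
}

// Constructed sample mirroring the audit excerpt in the issue; not a captured report.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    nedb: { severity: 'critical', range: '*', fixAvailable: false,
      via: [{ title: 'Prototype Pollution', url: 'https://github.com/advisories/GHSA-339j-hqgx-qrrx', severity: 'critical' },
            'binary-search-tree', 'underscore'] },
    underscore: { severity: 'critical', range: '1.3.2 - 1.12.0', fixAvailable: false,
      via: [{ title: 'Arbitrary Code Execution in underscore', url: 'https://github.com/advisories/GHSA-cf4h-3jhx-xvhq', severity: 'critical' }] },
    'binary-search-tree': { severity: 'critical', range: '*', fixAvailable: false, via: ['underscore'] },
    'matrix-appservice-bridge': { severity: 'critical', range: '*', fixAvailable: false, via: ['nedb'] },
  },
};

// Stand-alone run: report engine support for the current Node and the gate result.
const ENGINES = { 'matrix-appservice@1.1.0': '>=14 <=18', 'matrix-appservice-bridge@6.0.0': '>=16 <=18' };
for (const [pkg, range] of Object.entries(ENGINES)) {
  const ok = satisfiesNodeRange(process.version, range);
  console.log(`${pkg} requires node ${range}: ${ok ? 'ok' : `unsupported on ${process.version}`}`);
}
for (const f of auditGate(SAMPLE_AUDIT, 'high').findings) {
  console.log(`${f.severity}\t${f.name}\tfix=${f.fixAvailable}\t${f.advisories.join(' ') || '(via dependencies)'}`);
}
```

In a PKGBUILD-style script the equivalent of the two checks is `npm config set engine-strict true` before `npm install` (so EBADENGINE becomes an error) and `npm audit --json | node gate.js` in place of `npm audit || echo ...`, where the gate exits non-zero when `ok` is false; the data-driven form above makes the threshold and the "fix available" distinction explicit instead of depending on npm's exit code alone.
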

Half-Shot commented 1 year ago

0.36.0 has a dependency on Node 16+, and you are seeing a warning about a bad engine version.

The module not found error is due to a dependency not being built on old versions of Node.

EDIT: Ah, you are using Node 19. We've not tested Node 19 yet, which isn't in our supported range.

The audit failure is known; we are in the process of removing the dependency.
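The failing require in the stack trace asks for `@matrix-org/matrix-sdk-crypto-nodejs-linux-x64-gnu`: the Rust crypto binding is published as a separate package per platform, architecture and libc, and the JavaScript entry point require()s the one matching the host at load time, which is why an absent prebuilt shows up as MODULE_NOT_FOUND deep inside the bridge's import chain. The following is an added example, not code from matrix-appservice-irc, matrix-bot-sdk or matrix-sdk-crypto-nodejs: it computes the package name the host should need and probes for it before the test suite does. Only the `linux-x64-gnu` form is confirmed by this page; the other suffixes are an assumption that the package follows the napi-rs naming convention, and the glibc/musl detection via `process.report` is likewise assumed rather than taken from the project.

```javascript
// Added example: not code from matrix-appservice-irc, matrix-bot-sdk or
// @matrix-org/matrix-sdk-crypto-nodejs. The binding is shipped as a
// separate package per <platform>-<arch>-<libc>, and the JS entry point
// require()s the one for the host, so a missing prebuilt for this
// Node/platform surfaces as MODULE_NOT_FOUND. These helpers compute the
// expected name and probe for it. Assumption: the suffix scheme is the
// napi-rs convention; only linux-x64-gnu is confirmed by the issue.

function bindingSuffix(platform, arch, libc = 'gnu') {
  switch (platform) {
    case 'linux':
      // 32-bit ARM uses the hard-float triple instead of a libc tag (assumed).
      return arch === 'arm' ? 'linux-arm-gnueabihf' : `linux-${arch}-${libc}`;
    case 'win32':
      return `win32-${arch}-msvc`;
    default:
      return `${platform}-${arch}`; // darwin-arm64, darwin-x64, freebsd-x64
  }
}

function expectedBindingPackage(base, platform, arch, libc) {
  return `${base}-${bindingSuffix(platform, arch, libc)}`;
}

// glibc vs musl matters on Linux: an Alpine host needs the -musl package.
// Assumption: the glibc runtime version appears in the diagnostic report
// only when the node binary links glibc, so its absence means musl.
function detectLibc(platform = process.platform) {
  if (platform !== 'linux') return null;
  const header = process.report && process.report.getReport().header;
  return header && header.glibcVersionRuntime ? 'gnu' : 'musl';
}

function defaultResolver(name) {
  return require.resolve(name); // throws with code MODULE_NOT_FOUND when absent
}

// Resolve the platform package without loading it. `resolve` is injectable
// so the check can be exercised without a node_modules tree.
function probeBinding(base, platform, arch, libc, resolve = defaultResolver) {
  const name = expectedBindingPackage(base, platform, arch, libc);
  try {
    return { name, resolved: resolve(name), error: null };
  } catch (err) {
    return { name, resolved: null, error: err.code || err.message };
  }
}

// Stand-alone run against the package named in the stack trace.
const hostProbe = probeBinding('@matrix-org/matrix-sdk-crypto-nodejs', process.platform, process.arch, detectLibc());
if (hostProbe.resolved) {
  console.log(`found ${hostProbe.name} at ${hostProbe.resolved}`);
} else {
  console.log(`missing ${hostProbe.name} (${hostProbe.error}); node ${process.version} on ${process.platform}/${process.arch}`);
  console.log('check that a prebuilt exists for this Node major and platform, or build the binding from source');
}
```

Running this from the package's checkout before `npm test` turns the long require stack into a one-line answer (which platform package was expected and whether it is present), which is the first thing to compare against the list of prebuilts the upstream release actually publishes for a given Node major.
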

Half-Shot commented 1 year ago

Looks to be due to https://github.com/matrix-org/matrix-rust-sdk/issues/1160, will track upstream.

Half-Shot commented 1 year ago

Fixed in https://github.com/matrix-org/matrix-rust-sdk/pull/1164