wanglin86769 / clog2

Compact Electronic Logbook System

Dependency versions #1

Open eddybl opened 3 weeks ago

eddybl commented 3 weeks ago

Currently I am trying to build clog2 in a Docker environment.

According to the readme node.js version 16.19.0 should be used, but according to the node.js homepage: https://endoflife.date/nodejs 16.* is not maintained any more.

Would it be possible to raise the base node.js version to one of the supported LTS versions:

I tried using the LTS 18.* version which seemed to work, but I get quite a lot of deprecation warnings and vulnerabilities reported

Frontend

Step 8/17 : RUN npm ci
 ---> Running in d90886d2d831
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.

In addition some vulnerabilities:

14 vulnerabilities (11 moderate, 2 high, 1 critical)

Backend

Step 17/17 : RUN npm ci
 ---> Running in 3de0888fa148
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

Vulnerabilities:

25 vulnerabilities (22 moderate, 1 high, 2 critical)

Trying to use node.js LTS 20.* there are issues with achrinza/node-ipc@9.2.6 not being compatible.

All in all, I guess most issues can be resolved by carefully updating the main dependencies to more recent versions. Do you see there any blockers to do that?
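As an added example (not part of the thread or of the clog2 code): a small Node.js parser for the `npm ci` output quoted in the comment above, extracting the deprecated packages and the vulnerability summary so a Docker build can be failed at a chosen severity. The function names and the threshold policy are assumptions, and only the summary format shown in the logs above is handled.

```javascript
// Sample input: lines copied from the frontend `npm ci` log quoted in this issue.
const SAMPLE_LOG = [
  "Step 8/17 : RUN npm ci",
  "npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated",
  "npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead",
  "npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.",
  "14 vulnerabilities (11 moderate, 2 high, 1 critical)",
].join("\n");

// npm audit severity levels, lowest to highest.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Parse one build log into deprecated packages and vulnerability counts.
// (Hypothetical helper; if a log holds several summaries, the last one wins.)
function parseNpmLog(text) {
  const report = { deprecated: [], total: 0, bySeverity: {} };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    // "npm WARN deprecated <name>@<version>: <message>"; <name> may be scoped (@scope/pkg).
    const dep = line.match(/^npm warn deprecated (@?[^@\s]+)@([^:\s]+): (.*)$/i);
    if (dep) {
      report.deprecated.push({ name: dep[1], version: dep[2], message: dep[3] });
      continue;
    }
    // "14 vulnerabilities (11 moderate, 2 high, 1 critical)"
    const vuln = line.match(/^(\d+) vulnerabilities \(([^)]*)\)/);
    if (!vuln) continue;
    report.total = Number(vuln[1]);
    for (const part of vuln[2].split(",")) {
      const m = part.trim().match(/^(\d+) (\w+)$/);
      if (m && SEVERITIES.includes(m[2])) report.bySeverity[m[2]] = Number(m[1]);
    }
  }
  return report;
}

// True when the log reports at least one finding at or above minSeverity.
function exceedsThreshold(report, minSeverity) {
  const floor = SEVERITIES.indexOf(minSeverity);
  if (floor < 0) throw new Error(`unknown severity: ${minSeverity}`);
  return SEVERITIES.slice(floor).some((s) => (report.bySeverity[s] || 0) > 0);
}

const report = parseNpmLog(SAMPLE_LOG);
console.log(report.deprecated.map((d) => `${d.name}@${d.version}`).join(", "));
console.log(report.bySeverity, "fail build:", exceedsThreshold(report, "high"));
```

When the audit can be run directly in the build instead of parsing logs, `npm audit --audit-level=high` exits non-zero at the same threshold.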

wanglin86769 commented 3 weeks ago

Thanks for the report and suggestion.

I have updated some dependencies in package.json and package-lock.json for both frontend and backend.

Currently on my Node.js 20.12.2 environment on Windows 10, backend does not display warnings or vulnerabilities.


However, there are still warnings and vulnerabilities on frontend, most of which result from "@vue/cli-service" package that depends on some old version packages.


We can keep this issue ticket open, and I still need time to consider if I should replace "@vue/cli-service" package or find other solutions.

eddybl commented 3 weeks ago

Hey,

thanks a lot, this already looks great! I can confirm your results.

Just another quick thing I noticed: in the package.json of both front- and backend a version is defined. Not sure if you want to keep this in sync with the GitHub releases, but both are still on 2.0.0.

wanglin86769 commented 3 weeks ago

Thanks for pointing this out, I have updated the version in package.json for both frontend and backend.

eddybl commented 3 weeks ago

And another question: Do you see any issues with using MongoDB 7.0 instead of 6.0?

wanglin86769 commented 3 weeks ago

Clog2 just uses very basic features of MongoDB, and it does not use transactions or other new features of MongoDB, so I think any version of MongoDB should work as long as the mongoose driver package is compatible with the MongoDB version.

Just now I installed MongoDB 7.0.8 Community version on another computer, cloned the Clog2 source code, and restored the database in docs/database folder, and it seems to work properly.