Closed johnwalicki closed 4 years ago
I will investigate.
I believe that this is due to a vulnerability in axios 0.18.0, so this issue is dependent on a fix which will bump the dependency. - https://github.com/watson-developer-cloud/node-sdk/issues/1043
I don't fully understand. I've subscribed to https://github.com/IBM/node-sdk-core/issues/93
I think @chughts is referring to this DOS behavior? https://github.com/axios/axios/issues/2164
Does Node-RED / node-red-node-watson in IBM Cloud hammer at its ibm-watson dependency and then its ibm-cloud-sdk-core dependency in a way that causes a DOS "continuing to accepting content after maxContentLength is exceeded." ?
Why does this work when running Node-RED / node-red-node-watson on localhost?
What is the "fix" for ibm-cloud-sdk-core? What dependency does ibm-cloud-sdk-core need to bump?
The error is indicating an error in installing the axios module. The Watson nodes don't have a direct dependency on axios. It's a dependency (axios) of a dependency (node-sdk-core) of a dependency (ibm-watson). That dependency is on 0.18.0, which is marked as vulnerable.
I think either npm or the cloud installer has decided that 0.18.0 shouldn't be used so is now preventing it from being. The fix would be to bump the dependency to the latest version 0.19.2.
If you are running then you probably installed before npm decided to flag it.
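The chain described in the comment above (axios reached only through node-sdk-core and ibm-watson) can be located mechanically. The following Node.js script is an added example, not code from this thread or from any of the projects involved; it walks a tree shaped like `npm ls --json` output and lists every path to a flagged version. The tree, every version other than axios 0.18.0, and the function names are constructed for illustration.

```javascript
// Added example: constructed sample shaped like `npm ls --json` output.
// Versions other than axios 0.18.0 are placeholders, not taken from the thread.
const sampleTree = {
  name: "node-red-app",
  version: "0.0.0-sample",
  dependencies: {
    "node-red-node-watson": {
      version: "0.0.0-sample",
      dependencies: {
        "ibm-watson": {
          version: "0.0.0-sample",
          dependencies: {
            "ibm-cloud-sdk-core": {
              version: "0.0.0-sample",
              dependencies: { axios: { version: "0.18.0" } },
            },
          },
        },
      },
    },
    express: { version: "0.0.0-sample" },
  },
};

// Walk the tree and return every chain of packages that ends at name@version.
function findDependencyPaths(tree, name, version) {
  const paths = [];
  const walk = (node, trail) => {
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      const step = trail.concat(`${depName}@${dep.version}`);
      if (depName === name && dep.version === version) paths.push(step);
      walk(dep, step);
    }
  };
  walk(tree, [tree.name]);
  return paths;
}

// A path longer than two entries means the flagged package is transitive:
// the app's own package.json never names it.
function isTransitiveOnly(paths) {
  return paths.length > 0 && paths.every((p) => p.length > 2);
}

const hits = findDependencyPaths(sampleTree, "axios", "0.18.0");
for (const p of hits) console.log(p.join(" > "));
console.log("transitive only:", isTransitiveOnly(hits));
```
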
Thanks for the explanation. Who do we need to poke to get this fixed? I can go ring bells over in the node-sdk-core / ibm-cloud-sdk-core git repo.
To test this theory, I could:
- Fork node-sdk-core repo. Modify the package.json to increment axios: https://github.com/johnwalicki/node-sdk-core
- Fork ibm-watson repo. Modify the package.json to depend on my version of node-sdk-core: https://github.com/johnwalicki/node-sdk
- Fork node-red-node-watson repo. Modify the package.json to depend on my version of ibm-watson: https://github.com/johnwalicki/node-red-node-watson
- Modify my Node-RED CF app package.json to depend on my version of node-red-node-watson
- Restage
Two of my old Node-RED cloud foundry apps had this problem. A newer Node-RED web app did not fail on node-red-node-watson - even after rebuilding/restaging. Lots of hurdles later, I was able to fix my problem by forcing the missing npm dependencies that node-red-node-watson requires in my Node-RED applications' package.json
"axios":"0.x",
"axios-cookiejar-support":"0.x",
"ibm-cloud-sdk-core":"2.x",
So I don't know why forcing these packages is the "solution" but I have a fix. Not certain if the problem is upstream.
So new apps are ok, but there is a problem in rebuilding / restaging existing apps? That is odd, as the only bit of code you will have is node-red and its package.json file. So why is it failing on a deep nested dependency?
Maybe there is a problem at the cloud foundry build pack and / or node.js version the existing apps are using.
Seriously, I cloned both the new Node-RED node.js app and the old Node-RED node.js app to my local disk. Deleted the .git from the new app, saved the manifest.yml and package.json from old app. Copied the entirety of the new app directory into the old. Restored the manifest.yml. Merged package.json (with heavy preference to the new package.json file). Pushed the old app to the IBM Cloud gitlab toolchain. Restaged. Had to fiddle with the cloudant DBs. It still failed (until I added the axios packages as dependencies). I don't recommend this as a fix but it works now.
Once I discovered the "fix", I just added those 3 explicit dependencies to the 2nd of my failing old Node-RED applications (without the lobotomy and risky rebase). It restaged and node-red-node-watson Nodes work fine now.
Closing ticket. I'm still confused why.
If this is a wider problem, then I can reluctantly and temporarily add them as direct dependencies. I am loath to do so as they are not direct dependencies, and would need cleaning out at some stage in the future.
A hard dependency, per the discussion in https://github.com/IBM/node-sdk-core/issues/93, also fixes the issue (without an explicit dependency on an axios version): "ibm-cloud-sdk-core":"2.4.1"
Bumped my head on this problem again. Google Search found this issue and my fix. Amazing when I search and find my own investigation and solution.
My Node-RED starter kit apps in IBM Cloud do not find node-red-node-watson nodes. This happens on two different CF applications in IBM Cloud. I had to restage and pin "node-red-node-watson":"0.7.5" - Now my flows work. That's the last version that uses watson-developer-cloud instead of "ibm-watson". I suspect there's a breaking change somewhere in ibm-watson. I use package.json to list the node dependencies.
After the Node-RED app starts in IBM Cloud it reports that the watson nodes are missing. When I open the Manage Palette, it reports: