I have a problem with the correct installation of indico 3.2.8 development. My problem is that some of the packages are outdated and when executing the npm ci command I receive information about 127 vulnerabilities ( …, 47 high, 9 critical). When starting the server, I receive 1 Axios.js error (Module not found: (…)). For version 3.2.7 I get a similar number of errors for npm ci and ./bin/maintenance/build-assets.py indico --dev --watch. Additionally, I modified the npm and node versions and checked whether there were differences between Ubuntu 22.04 and Debian 10, but this also did not help.
Does anyone have an idea what is causing my problem and how to solve it?
Ignore the NPM security warnings - they are completely ridiculous and usually useless, because most of them are ReDoS and similar in development tools.
And where exactly do you get the error? When building the assets? Pasting the full error (or even add a screenshot where it happens) would be helpful!
Also, which version of nodejs are you using?
PS: For any development I would strongly recommend you to use 3.3-dev, ie
The problem occurs after executing the command ‘./bin/maintenance/build-assets.py indico --dev --watch’
Despite the error, I can use the application, but some of the buttons are inactive. I am using node version: 18.19.0 and npm 8.19.4 but in version 21.6.0 the same error appears.
And I am forced to use the versions that have been released (3.2.8), which is a top-down guideline.
I don’t know if it matters, but the server is based on Amazon AWS
How did you install the indico node packages?
npm ci? Because all dependencies are pinned so you should not have issues with suddenly-disappearing functions…
Your error sounds a lot like you got a newer axios version, considering that in 3.2.x the import is this:
import isURLSameOrigin from 'axios/lib/helpers/isURLSameOrigin';
and in 3.3/master the import is this (I changed this while upgrading axios and all the other dependencies):
import isURLSameOrigin from 'axios/unsafe/helpers/isURLSameOrigin';
npm ci which automatically installs axios 1.6.5 even though the package.json has version 0.27.2.
Is it enough to replace imports?
I’m VERY surprised that happens. The version specified in package-lock.json should be used when doing
1.6.5 isn’t even within the version range allowed in package.json and you will have many more issues if you randomly start updating JS dependencies. See Update JS deps by ThiefMaster · Pull Request #5876 · indico/indico · GitHub for the PR where I did those updates.
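A check for the mismatch discussed in this thread (the lockfile pins one axios version while node_modules holds another), as an added example that is not part of any post and not Indico's own code. It assumes a package-lock.json with lockfileVersion 2 or 3; the function names and the sample data are constructed for illustration.

```javascript
// Added example, not Indico code. Assumes package-lock.json lockfileVersion 2 or 3,
// whose "packages" map is keyed by install path such as "node_modules/axios".

// Returns one record per package whose installed version differs from the lockfile.
// readInstalled(relPath) returns the installed version string, or null if absent.
function findLockDrift(lock, readInstalled) {
  if (!lock.packages) throw new Error('no "packages" map (lockfileVersion 1?)');
  const drift = [];
  for (const [relPath, entry] of Object.entries(lock.packages)) {
    if (relPath === '' || entry.link) continue; // root project, workspace symlinks
    const installed = readInstalled(relPath);
    // Optional packages (platform-specific ones) may legitimately be missing.
    if (installed === null && entry.optional) continue;
    if (installed !== entry.version) {
      drift.push({ path: relPath, locked: entry.version, installed });
    }
  }
  return drift;
}

// Disk-backed variant for a real checkout; resolves to the drift array.
async function checkProject(projectDir) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const readJson = (file) => JSON.parse(fs.readFileSync(file, 'utf8'));
  const lock = readJson(path.join(projectDir, 'package-lock.json'));
  return findLockDrift(lock, (relPath) => {
    try {
      return readJson(path.join(projectDir, relPath, 'package.json')).version;
    } catch (err) {
      if (err.code === 'ENOENT') return null;
      throw err;
    }
  });
}

// Constructed sample mirroring the thread: lockfile pins axios 0.27.2, tree has 1.6.5.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo' },
    'node_modules/axios': { version: '0.27.2' },
    'node_modules/follow-redirects': { version: '1.15.0' },
    'node_modules/fsevents': { version: '2.3.2', optional: true },
  },
};
const sampleInstalled = { 'node_modules/axios': '1.6.5', 'node_modules/follow-redirects': '1.15.0' };
const sampleDrift = findLockDrift(sampleLock, (p) => sampleInstalled[p] ?? null);
console.log(sampleDrift);
```

An empty array from `checkProject` means every locked package is installed at its locked version; any record points at the package to reinstall from the lockfile.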
You’ve mentioned 3.3dev @ThiefMaster, is it available for production? The blog post is from early December but it seems it is still in the -dev branch.
It’s not officially released yet, but we use it in production so we’re pretty sure it’s production-ready (we just want to add a few more things before releasing it).
Ah got it, thank you! I was confused since the blog post had been out a while. Will keep an eye out.