Outdated npm modules with vulnerabilities in atlas-connect

Just installing atlas-connect and getting these errors/warnings:

npm install atlas-connect
npm WARN deprecated json-parser@1.1.5: `json-parser` is deprecated. Please use `comment-json` instead
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated hawk@3.1.3: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated sntp@1.0.9: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated boom@2.10.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated hoek@2.16.3: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated cryptiles@2.0.5: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).

> spawn-sync@1.0.15 postinstall /home/marc/shared/uuu/no-backup/atlassian/confluence_cloud_tutorials/node_modules/spawn-sync
> node postinstall

+ atlas-connect@0.6.6
added 266 packages from 116 contributors and audited 2195 packages in 17.926s
found 53 vulnerabilities (1 low, 9 moderate, 41 high, 2 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

Is there a better place to report this than here?

3 Likes

Yeah, same issue here. Just following the official tutorials and running into all kinds of problems with them.
I’d like to add:

npm WARN notsup Unsupported engine for got@5.7.1: wanted: {"node":">=0.10.0 <7"} (current: {"node":"13.2.0","npm":"6.13.1"})
npm WARN notsup Not compatible with your version of node/npm: got@5.7.1

Do we really need to be on Node <7?

1 Like

@BramTops

Can you please tell which tutorial you followed after which you saw this error?

Thanks.

Hi @aagrawal2, thanks for looking into this.
There are various locations, basically everywhere there’s mention of installing ACE/atlas-connect.

@aagrawal2 Any update on this? Thanks.

1 Like

I’m having the same issue. I’m not sure how to resolve it…

I’m seeing the following errors just on the initial atlas-connect install:

npm i -g atlas-connect
npm WARN deprecated request@2.74.0: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated json-parser@1.1.5: `json-parser` is deprecated. Please use `comment-json` instead
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated hawk@3.1.3: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated cryptiles@2.0.5: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated boom@2.10.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated sntp@1.0.9: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated hoek@2.16.3: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
/usr/local/bin/atlas-connect -> /usr/local/lib/node_modules/atlas-connect/bin/atlas-connect
/usr/local/bin/atlas-connect-new -> /usr/local/lib/node_modules/atlas-connect/bin/atlas-connect-new

> spawn-sync@1.0.15 postinstall /usr/local/lib/node_modules/atlas-connect/node_modules/spawn-sync
> node postinstall

npm WARN notsup Unsupported engine for got@5.7.1: wanted: {"node":">=0.10.0 <7"} (current: {"node":"13.7.0","npm":"6.13.6"})
npm WARN notsup Not compatible with your version of node/npm: got@5.7.1

+ atlas-connect@0.6.6

I’m following the first command from here: https://bitbucket.org/atlassian/atlassian-connect-express/src/master/README.md

Any tips on getting this going?

Those are warnings, not errors. The install actually succeeded. Despite the fact that Atlassian should fix that dependency, you could avoid them by installing node v6 using nvm and then running the CLI command with that version of node. I suspect it’s not essential to do that, however. nvm is highly recommended for node dev if you don’t have it already.

Except that it is ill-advised to run Node 6: https://www.cvedetails.com/vulnerability-list/vendor_id-12113/product_id-30764/version_id-203095/Nodejs-Node.js-6.0.0.html

Keep in mind that a lot of hosting environments, like GCP Cloud Functions, Heroku and AWS Lambda, no longer accept code designed for Node <10, which in itself will be end-of-life in April 2020 and has been replaced with Node 12 LTS.

2 Likes

Note that I wasn’t suggesting using node 6 in production to run the app, just the one invocation of the CLI if needed.
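
The install output quoted in this thread mixes deprecation notices, an engine mismatch and an audit summary, none of which is an install failure. The following is an added example, not part of the original thread or of atlas-connect: a small Node.js triage of such a log. The function name `triageNpmLog`, the report fields and the sample log (constructed from lines quoted above) are assumptions of the example.

```javascript
// Added example: sort npm install output into warnings vs. real failures.
// SAMPLE_LOG is constructed from lines quoted in this thread.
const SAMPLE_LOG = [
  'npm WARN deprecated node-uuid@1.4.8: Use uuid module instead',
  'npm WARN deprecated hawk@3.1.3: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.',
  'npm WARN deprecated boom@2.10.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches.',
  'npm WARN notsup Unsupported engine for got@5.7.1: wanted: {"node":">=0.10.0 <7"} (current: {"node":"13.7.0","npm":"6.13.6"})',
  'npm WARN notsup Not compatible with your version of node/npm: got@5.7.1',
  '+ atlas-connect@0.6.6',
  'found 53 vulnerabilities (1 low, 9 moderate, 41 high, 2 critical)',
].join('\n');

const PKG = '(\\S+)@([^@\\s:]+)'; // name@version; name may be scoped (@scope/name)
const RE_DEPRECATED = new RegExp(`^npm WARN deprecated ${PKG}: (.*)$`);
const RE_ENGINE = new RegExp(
  `^npm WARN notsup Unsupported engine for ${PKG}: wanted: (\\{.*?\\}) \\(current: (\\{.*\\})\\)$`);
const RE_AUDIT = /^found (\d+) vulnerabilit(?:y|ies) \((.*)\)$/;
// Forum software may curl the quotes; keep the raw text if it is not valid JSON.
const parseJson = (s) => { try { return JSON.parse(s); } catch { return s; } };

function triageNpmLog(text) {
  const report = { deprecated: [], engineMismatch: [], errors: [], audit: null };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    let m;
    if ((m = RE_DEPRECATED.exec(line))) {
      // securityNotice: the maintainer's own deprecation text mentions security.
      report.deprecated.push(
        { name: m[1], version: m[2], securityNotice: /security/i.test(m[3]) });
    } else if ((m = RE_ENGINE.exec(line))) {
      report.engineMismatch.push(
        { name: m[1], version: m[2], wanted: parseJson(m[3]), current: parseJson(m[4]) });
    } else if ((m = RE_AUDIT.exec(line))) {
      const bySeverity = {};
      for (const part of m[2].split(', ')) {
        const [count, severity] = part.split(' ');
        bySeverity[severity] = Number(count);
      }
      report.audit = { total: Number(m[1]), bySeverity };
    } else if (line.startsWith('npm ERR!')) {
      report.errors.push(line); // only these lines mean the install itself failed
    }
  }
  return report;
}

console.log(JSON.stringify(triageNpmLog(SAMPLE_LOG), null, 2));
```

An empty `errors` list alongside a populated `audit` and `deprecated` list is the situation described in the thread: the install succeeded, but the dependency tree still needs review.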