Unable to install express-jwt as dependency package after updating forest-express-sequelize package to latest version i.e. 8.5.4

:warning:This is a template you must use to report issues. :warning:

Feature(s) impacted

npm ci command fails for our projects after updating forest-express-sequelize package to latest version i.e. 8.5.4

Observed behavior

Due to a vulnerability in async@1.5.2, we have updated the forest-express-sequelize package to the latest version, i.e. 8.5.4, as it's using async as a dependency package.
Now the latest **forest-express-sequelize** uses **express-jwt** as a dependency package from a GitHub repository, and due to this dependency the pipeline fails in GitLab when the npm ci command runs, with an error when it tries to install **express-jwt** from GitHub - auth0/express-jwt: connect/express middleware that validates a JsonWebToken (JWT) and set the req.user with the attributes.

Expected behavior

Can we use the express-jwt package as a dependency directly instead of fetching it from the GitHub repository, the same as async? That way it will not throw any errors while running npm ci commands.

Failure Logs

Node 14 Error :
npm ERR! enoent Error while executing:
npm ERR! enoent undefined ls-remote -h -t GitHub - auth0/express-jwt: connect/express middleware that validates a JsonWebToken (JWT) and set the req.user with the attributes
npm ERR! enoent
npm ERR! enoent
npm ERR! enoent spawn git ENOENT
npm ERR! enoent This is related to npm not being able to find a file.

Node 16 Error:
npm WARN deprecated @opentelemetry/tracing@0.23.0: Package renamed to @opentelemetry/sdk-trace-base

npm WARN tarball tarball data for express-jwt@git+ssh://git@github.com/auth0/express-jwt.git#c7881ad378063236d85b1e1b0f4a252b63b8e75b (sha512-V/oOn3A4CnyhuO6x4Ukgl33m6simf57pFfu4N1n3DiKfm0fp+7kwKFEY6ZAQv6zl6C8JY0YQOP0ccGOuWiIOrQ==) seems to be corrupted. Trying again.

npm ERR! code EINTEGRITY

Context

Please provide in this mandatory section, the relevant information about your configuration:

  • Project name: Curator
  • Team name: Developer
  • Environment name: ALL (Staging, Development, Production)
  • Agent type & version:
  • Package Version: 8.3 (forest-express-sequelize)
  • Express Version: 4.17.1
  • Sequelize Version: 6.6.5
  • Database Dialect: MySql

Hey @Naresh :wave:

Could you share your package.json & package-lock.json (Here or as DM if you consider it private) so we can check what is happening?

Thanks in advance :pray:

hi @jeffladiray

I have DMed you and shared package.json & package-lock.json with you.

Pls have a look.

Hello @Naresh,

Thanks for your feedback, I’m looking into it and will get back to you once we find a reasonable solution :slight_smile:

Kind regards,
Louis

Hi @anon16419211 @jeffladiray any update on this ?

Hello @Naresh,

The thing is, our dependency had a vulnerability, so we updated our package so that it solves this vulnerability as a first step.

However we’ve just released a new version of our agent (forest-express-sequelize → 8.5.6) so that it has a stable version for the dependency express-jwt. :slight_smile:

Can you try to upgrade and tell me if your CI issue is still present?

Kind regards,
Louis


Hi @anon16419211 @jeffladiray Yeah, new package is working.

Thank you.


@Naresh

So great, feel free to open a new thread if you encounter any other issue using Forest Admin :pray:

Kind regards,
Louis
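
Both failure logs in the first post involve a lockfile entry that npm fetches with git rather than from the registry. The following added example (not code from Forest Admin or from this thread) scans a parsed package-lock.json for such entries in both lockfile layouts; the sample lockfiles, the `parent-package` name and the placeholder integrity value are constructed, and only the git URL is taken from the log above.

```javascript
// Added example: find lockfile entries that npm fetches with git, not the registry.
const GIT_SPEC = /^(git\+(ssh|https?|file)|git|github|gitlab|bitbucket):/i;

function findGitDependencies(lock) {
  const hits = [];
  // lockfileVersion 2/3 (npm 7+): flat "packages" map, git URL in "resolved".
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (GIT_SPEC.test(pkg.resolved || "")) {
      hits.push({ path, source: pkg.resolved, integrity: pkg.integrity || null });
    }
  }
  // lockfileVersion 1 (npm 6): nested "dependencies" tree, git URL in "version".
  const walk = (deps, trail) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (GIT_SPEC.test(dep.version || "")) {
        hits.push({ path: here.join(" > "), source: dep.version, integrity: dep.integrity || null });
      }
      walk(dep.dependencies, here);
    }
  };
  // v2 lockfiles carry both sections, so walk the tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed samples; "parent-package" and the version numbers are hypothetical.
const GIT_URL = "git+ssh://git@github.com/auth0/express-jwt.git#c7881ad378063236d85b1e1b0f4a252b63b8e75b";
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/express": { version: "4.17.1", resolved: "https://registry.npmjs.org/express/-/express-4.17.1.tgz" },
    "node_modules/express-jwt": { version: "0.0.0", resolved: GIT_URL, integrity: "sha512-CONSTRUCTED" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "parent-package": {
      version: "1.0.0",
      dependencies: { "express-jwt": { version: GIT_URL, from: "github:auth0/express-jwt" } },
    },
  },
};

for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
  for (const hit of findGitDependencies(lock)) console.log(`${hit.path} <- ${hit.source}`);
}
```

For a real project, pass the result of `JSON.parse` on the contents of package-lock.json and fail the CI job when the returned array is non-empty, so a git-resolved transitive dependency is caught before `npm ci` runs on an image without git.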