Possible package integrity issue with @getgauge/cli v1.1.1 on NPM #1719

Closed
raninan opened this issue Aug 18, 2020 · 15 comments

Comments

@raninan

raninan commented Aug 18, 2020

Running a gauge v1.1.1 install on Node 12 does not install properly.
Things to bear in mind:

- I am running things behind a corporate proxy
- I am running it in Docker

Post installation, when I run `gauge -v`, I don't get anything, not even an error.
This means that the command gauge is recognized but does nothing.

Hurdles faced in getting to this point:

- Error re: self-signed certificate: resolved with proxy
- When I ran the same npm install locally, I noticed that the installation created a folder in node_modules but a lot of files were missing. However, when I installed gauge through Brew on Mac, again behind the same proxy, I had no issues.

I felt the need to raise this as a bug, as this issue has cropped up a few times and it has been closed without resolution.
Refer to: #1666, #1683

@sriv
Member

sriv commented Aug 19, 2020

What do you see if you run this command:

docker run -t node /bin/sh -c "npm i @getgauge/cli; ./node_modules/.bin/gauge -v"

Also, please check whether older versions of gauge work with npm. The only significant change was e362d16#diff-da6e8c3eacb14e71fef03615908920f0, which was done to avoid GitHub API rate limiting.

@raninan
Author

raninan commented Aug 19, 2020

I see the same output, i.e. tested with gauge 1.1.1:

appuser@db137ee3f3ab:~$ ./node_modules/.bin/gauge -v
appuser@db137ee3f3ab:~$

----> The command was recognized, hence no error, but no output either.

@sriv
Member

sriv commented Aug 19, 2020

Sorry, I don't follow.

I see the same output

Which output are you referring to? Older version of gauge?

Also, what's the output of the command I mentioned above?

@raninan
Author

raninan commented Aug 19, 2020

Apologies, when I said same output, I meant the outcome was the same as my original issue, i.e. executing the command did nothing.
Outcome of the install step:

appuser@db137ee3f3ab:~$ npm i @getgauge/cli

> @getgauge/cli@1.1.1 install /app/node_modules/@getgauge/cli
> node ./src/index.js

Fetching download url for Gauge version 1.1.1
Downloading https://github.com/getgauge/gauge/releases/download/v1.1.1/gauge-1.1.1-linux.x86_64.zip to ./bin
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN demo@1.0.0 No repository field.

+ @getgauge/cli@1.1.1
added 58 packages from 44 contributors and audited 58 packages in 13.911s

4 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Outcome of running ./node_modules/.bin/gauge -v:
==> It doesn't do anything

@sriv
Member

sriv commented Aug 19, 2020

What base image is this on? Because on the official node image (with node 14) I see this:

docker run -t node /bin/sh -c "npm i @getgauge/cli; ./node_modules/.bin/gauge -v"

> @getgauge/cli@1.1.1 install /node_modules/@getgauge/cli
> node ./src/index.js

Fetching download url for Gauge version 1.1.1
Downloading https://github.com/getgauge/gauge/releases/download/v1.1.1/gauge-1.1.1-linux.x86_64.zip to ./bin
npm WARN saveError ENOENT: no such file or directory, open '/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/package.json'
npm WARN !invalid#1 No description
npm WARN !invalid#1 No repository field.
npm WARN !invalid#1 No README data
npm WARN !invalid#1 No license field.

+ @getgauge/cli@1.1.1
added 58 packages from 44 contributors and audited 58 packages in 12.861s

4 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Gauge version: 1.1.1
Commit Hash: 6e0d83f

Plugins
-------
No plugins found
Plugins can be installed with `gauge install {plugin-name}`

@raninan
Author

raninan commented Aug 19, 2020

This is a Node 12 image. Let me try the latest node image.
When I run it as a docker build I see the following:

Step 8/8 : RUN NODE_OPTIONS="--use-openssl-ca" npm install -g @getgauge/cli --unsafe-perm
 ---> Running in 9796c87dbdc6
/usr/bin/gauge -> /usr/lib/node_modules/@getgauge/cli/bin/gauge

> @getgauge/cli@1.1.1 install /usr/lib/node_modules/@getgauge/cli
> node ./src/index.js

Fetching download url for Gauge version 1.1.1
Downloading https://github.com/getgauge/gauge/releases/download/v1.1.1/gauge-1.1.1-linux.x86_64.zip to ./bin
Unhandled rejection Error: invalid signature: 0x4f44213c
    at /usr/lib/node_modules/@getgauge/cli/node_modules/unzipper/lib/parse.js:62:26
    at tryCatcher (/usr/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/usr/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/promise.js:510:31)
    at Promise._settlePromise (/usr/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/promise.js:567:18)
    at Promise._settlePromise0 (/usr/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/promise.js:612:10)
    at Promise._settlePromises (/usr/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/promise.js:691:18)
    at Async._drainQueue (/usr/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/async.js:133:16)
    at Async._drainQueues (/usr/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/async.js:143:10)
    at Immediate.Async.drainQueues [as _onImmediate] (/usr/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/async.js:17:14)
    at processImmediate (internal/timers.js:456:21)

+ @getgauge/cli@1.1.1
added 58 packages from 44 contributors in 12.355s

@sriv
Member

sriv commented Aug 19, 2020

Is it possible to share your Dockerfile? There seem to be some other things going on.

For instance, you seem to be using NODE_OPTIONS="--use-openssl-ca".

Also, can you please check if you are able to install and run gauge in a vanilla node image? I mentioned the command above:

docker run -t node /bin/sh -c "npm i @getgauge/cli; ./node_modules/.bin/gauge -v"

Please run this command and paste the output here.

@raninan
Author

raninan commented Aug 19, 2020

This is the output of the docker run against the vanilla image:

docker run -t node /bin/sh -c "npm i @getgauge/cli; ./node_modules/.bin/gauge -v"
Unable to find image 'node:latest' locally
latest: Pulling from library/node
419e7ae5bb1e: Already exists
848839e0cd3b: Already exists
de30e8b35015: Already exists
258fdea6ea48: Already exists
ddb75eb7f1e9: Already exists
7ec8a0667334: Already exists
c6d8dab5779d: Already exists
d3ae9be01b42: Already exists
38ff96b6f833: Already exists
Digest: sha256:8b6401f8d15c900736a54a870994277b3de19ebd28cc483c497bf00d608e2a90
Status: Downloaded newer image for node:latest
npm ERR! code SELF_SIGNED_CERT_IN_CHAIN
npm ERR! errno SELF_SIGNED_CERT_IN_CHAIN
npm ERR! request to https://registry.npmjs.org/@getgauge%2fcli failed, reason: self signed certificate in certificate chain

npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2020-08-19T10_23_13_567Z-debug.log
/bin/sh: 1: ./node_modules/.bin/gauge: not found

@sriv
Member

sriv commented Aug 19, 2020

request to https://registry.npmjs.org/@getgauge%2fcli failed, reason: self signed certificate in certificate chain

This is new. Are you using a self signed certificate?

See https://blog.npmjs.org/post/78165272245/more-help-with-selfsignedcertinchain-and-npm for options, Also see: https://stackoverflow.com/a/39453482

I suggest you try the options given above to get gauge installed and running in a vanilla image. This will help set up your environment properly. You may then look at building your custom image and see if it works.

@raninan
Author

raninan commented Aug 19, 2020

All cert verifications are off, by setting node_tls_auth to 0, and I am seeing this error now:

(node:25) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
events.js:291
      throw er; // Unhandled 'error' event
      ^

Error: invalid signature: 0x4f44213c
    at /usr/local/lib/node_modules/@getgauge/cli/node_modules/unzipper/lib/parse.js:62:26
    at tryCatcher (/usr/local/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/usr/local/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/promise.js:510:31)
    at Promise._settlePromise (/usr/local/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/promise.js:567:18)
    at Promise._settlePromise0 (/usr/local/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/promise.js:612:10)
    at Promise._settlePromises (/usr/local/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/promise.js:691:18)
    at Async._drainQueue (/usr/local/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/async.js:133:16)
    at Async._drainQueues (/usr/local/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/async.js:143:10)
    at Immediate.Async.drainQueues (/usr/local/lib/node_modules/@getgauge/cli/node_modules/bluebird/js/release/async.js:17:14)
    at processImmediate (internal/timers.js:458:21)
Emitted 'error' event on Extract instance at:
    at emitErrorNT (internal/streams/destroy.js:100:8)
    at emitErrorCloseNT (internal/streams/destroy.js:68:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21)
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! @getgauge/cli@1.1.1 install: `node ./src/index.js`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the @getgauge/cli@1.1.1 install script.

@zabil
Member

zabil commented Aug 19, 2020

This happens when there is some kind of proxy page blocking the download, so instead of a zip file it gets an HTML page. Other users discuss this issue here: EvanOxfeld/node-unzip#89 (comment)

This really looks like an issue with a corporate proxy.
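The failure mode zabil describes, as an added example that is not @getgauge/cli's own code: the install script pipes whatever the proxy returns straight into an unzipper, and a block or login page is HTML, whose first four bytes (`<!DO`) read as a little-endian uint32 are exactly the `0x4f44213c` in the traces above. The check below sniffs the zip magic before extraction and turns the HTML case into a useful error; the sample proxy page and empty zip are constructed here for illustration and are not captured from this thread.

```javascript
// Added example, not @getgauge/cli code: inspect what a "release download" really returned
// before handing it to an unzipper. A proxy block/login page is HTML, and its first four bytes,
// read as a little-endian uint32, are exactly the "invalid signature" value in the traces above.

// Little-endian readings of the three signatures a zip archive can start with.
const ZIP_SIGNATURES = new Map([
  [0x04034b50, 'zip local file header'],  // "PK\x03\x04"
  [0x06054b50, 'empty zip archive'],      // "PK\x05\x06"
  [0x08074b50, 'spanned zip archive'],    // "PK\x07\x08"
]);

// Turn a signature back into the four bytes it was read from, in stream order.
function signatureToAscii(sig) {
  const b = Buffer.alloc(4);
  b.writeUInt32LE(sig >>> 0, 0);
  return b.toString('latin1');
}

// Classify a downloaded body as { ok, kind, reason }; contentType is optional.
function classifyBody(body, contentType = '') {
  if (body.length < 4) {
    return { ok: false, kind: 'truncated', reason: `body is only ${body.length} bytes` };
  }
  const sig = body.readUInt32LE(0);
  const sigText = `0x${sig.toString(16).padStart(8, '0')} (${JSON.stringify(signatureToAscii(sig))})`;
  if (ZIP_SIGNATURES.has(sig)) {
    return { ok: true, kind: ZIP_SIGNATURES.get(sig), reason: '' };
  }
  const raw = body.subarray(0, 512).toString('latin1');
  const head = raw.replace(/^\xEF\xBB\xBF/, '').trimStart().toLowerCase();
  if (head.startsWith('<!doctype') || head.startsWith('<html') || /text\/html/i.test(contentType)) {
    const title = /<title[^>]*>([^<]*)<\/title>/i.exec(raw);
    return {
      ok: false,
      kind: 'html',
      reason: `got an HTML page instead of a zip, signature ${sigText}` +
        (title ? `, page title: ${title[1].trim()}` : ''),
    };
  }
  return { ok: false, kind: 'unknown', reason: `unexpected signature ${sigText}` };
}

// What an install script should do: refuse to extract anything that is not a zip and fail
// loudly, instead of letting the unzipper reject a promise while npm still reports success.
function assertZip(body, contentType = '') {
  const verdict = classifyBody(body, contentType);
  if (!verdict.ok) {
    throw new Error(`download is not a zip archive: ${verdict.reason}`);
  }
  return verdict.kind;
}

// Constructed sample inputs (not captured from the thread): a proxy block page and an empty zip.
const SAMPLE_PROXY_PAGE = Buffer.from(
  '<!DOCTYPE html>\n<html><head><title>Access Denied - Corporate Proxy</title></head>' +
  '<body>This site is blocked by policy.</body></html>', 'latin1');
const SAMPLE_EMPTY_ZIP = Buffer.concat([Buffer.from('PK\x05\x06', 'latin1'), Buffer.alloc(18)]);

console.log(classifyBody(SAMPLE_PROXY_PAGE));
console.log(classifyBody(SAMPLE_EMPTY_ZIP));
```

Run with `node classify.js`; the first line reports the HTML page together with its title, the second accepts the empty archive. Sniffing the magic bytes rather than trusting Content-Type matters because an intercepting proxy is free to send any header it likes.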

@raninan
Author

raninan commented Aug 20, 2020

So here's where I am a bit confused.
I can install version 1.0.8 without any problems on the same proxy, but not version 1.1.1.

Sounds like something in the way gauge installs has changed that doesn't allow installation through the proxy in 1.1.1.

@zabil
Member

zabil commented Aug 20, 2020

Yes, there's been a change in the way it downloads post 1.0.8, with the following commit:

e362d16#diff-e3c8a0fb0c33aadada2e90bfdb6a11e9L8-L9

- const BASE_URL="https://api.github.com/repos/getgauge/gauge/releases",
+ const BASE_URL="https://github.com/getgauge/gauge/releases/download/",
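Review bot: swapping the host in BASE_URL changes what comes back, from the JSON the api.github.com releases endpoint returns to a raw archive from a download URL, and neither this hunk nor the install traces earlier in the thread show the HTTP status or Content-Type being checked before the body goes into unzipper. The resulting "Error: invalid signature: 0x4f44213c" is the first four bytes of an HTML page (`<!DO`) read as a little-endian integer, and in the docker build trace it surfaces as an unhandled rejection while npm still finishes the install, leaving ./bin without a usable binary. Suggest verifying the status and the zip magic bytes before extracting, and making a bad body fail the install script with a non-zero exit.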

This was done to avoid the rate limit on api.github.com.

Can you try running

wget https://github.com/getgauge/gauge/releases/download/v1.1.1/gauge-1.1.1-linux.x86_64.zip

In your container to see what page gets downloaded?

@raninan
Author

raninan commented Aug 20, 2020

So that works from curl but not from npm install.

Another observation: 1.1.0 does not work either. Looking into the code change, it seems like the use of superagent is leaving out the proxies that are being sent.

Similar sort of issue reported against superagent:
ladjs/superagent#1555
docusign/docusign-esign-node-client#135

Also to be raised is the fact that in 1.0.8 I was seeing useful error messages when I was hitting certificate or proxy issues,
BUT
with 1.1.1 no useful error messages are being produced. In fact, it carries on and seems to install fine, but in reality has not done the installation properly.

@sriv
Member

sriv commented Aug 26, 2020

superagent could be the culprit here, we'll look at replacing it with node's standard library.

sriv added a commit to sriv/gauge that referenced this issue Aug 26, 2020
Signed-off-by: sriv <srikanth.ddit@gmail.com>