Deprecation warning at start #1442
I tried adding |
If you try nodemon with a bare index.js, do you get the warning still? ie. |
Indeed, I also got the issue. |
Same issue, |
Here's the trace: > nodemon index.js
(node:27294) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
at [redacted]/node_modules/flatmap-stream/index.min.js:1:1264
at Object.<anonymous> ([redacted]/node_modules/flatmap-stream/index.min.js:1:1423)
at Module._compile (internal/modules/cjs/loader.js:707:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:718:10)
at Module.load (internal/modules/cjs/loader.js:605:32)
at tryModuleLoad (internal/modules/cjs/loader.js:544:12)
at Function.Module._load (internal/modules/cjs/loader.js:536:3)
at Module.require (internal/modules/cjs/loader.js:643:17)
at require (internal/modules/cjs/helpers.js:22:18)
at Object.<anonymous> ([redacted]/node_modules/event-stream/index.js:11:15) |
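The trace above was followed back to flatmap-stream by hand. As an added example (not code from the nodemon project or from any commenter), the script below does that triage mechanically: it parses V8 stack frames, maps each frame to the package under node_modules that owns it, and returns the chain innermost-first, so a DEP0106 warning is reported as "origin flatmap-stream, required by event-stream". The sample trace is the one posted in this thread with [redacted] replaced by the assumed path /app; installWarningTriage hooks Node's 'warning' event so the same summary is produced for any deprecation warning a running process emits.

```javascript
// Added example (not nodemon's code): turning a Node.js deprecation warning's
// stack trace into a dependency-triage summary, the way the DEP0106 trace in
// this thread was followed back to flatmap-stream.
'use strict';

// Constructed sample: the trace posted in the issue, with the absolute path
// replaced by the assumed /app (the issue itself shows it as [redacted]).
const SAMPLE_TRACE = `(node:27294) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
    at /app/node_modules/flatmap-stream/index.min.js:1:1264
    at Object.<anonymous> (/app/node_modules/flatmap-stream/index.min.js:1:1423)
    at Module._compile (internal/modules/cjs/loader.js:707:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:718:10)
    at Module.load (internal/modules/cjs/loader.js:605:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:544:12)
    at Function.Module._load (internal/modules/cjs/loader.js:536:3)
    at Module.require (internal/modules/cjs/loader.js:643:17)
    at require (internal/modules/cjs/helpers.js:22:18)
    at Object.<anonymous> (/app/node_modules/event-stream/index.js:11:15)`;

// One "at ..." line -> { fn, file, line, col }. Handles both frame shapes V8
// prints: "at file:line:col" and "at fn (file:line:col)".
const FRAME_RE = /^\s*at (?:(.*?) \()?(.+?):(\d+):(\d+)\)?\s*$/;

function parseFrames(trace) {
  const frames = [];
  for (const raw of trace.split('\n')) {
    const m = FRAME_RE.exec(raw);
    if (!m) continue; // header line, or not a frame
    frames.push({ fn: m[1] || '<anonymous>', file: m[2], line: Number(m[3]), col: Number(m[4]) });
  }
  return frames;
}

// Package that owns a file path (scoped packages included), or null for
// application code and Node internals such as internal/modules/cjs/loader.js.
function packageOf(file) {
  const m = /\/node_modules\/((?:@[^\/]+\/)?[^\/]+)\//.exec(file.replace(/\\/g, '/'));
  return m ? m[1] : null;
}

// Distinct packages in the trace, innermost first. The first entry is where
// the deprecated call happened; later entries are the packages that required
// it, so the last one is the direct dependency to upgrade or remove.
function packageChain(trace) {
  const chain = [];
  for (const f of parseFrames(trace)) {
    const pkg = packageOf(f.file);
    if (pkg && !chain.includes(pkg)) chain.push(pkg);
  }
  return chain;
}

// Summary for one warning object as delivered by process.on('warning'):
// its .code carries the DEPxxxx id and its .stack carries the frames.
function triageWarning(w) {
  const chain = packageChain(w.stack || '');
  return {
    code: w.code || null,
    message: w.message,
    origin: chain[0] || 'application code or Node internals',
    requiredBy: chain.slice(1),
  };
}

// Hook for a running process. Node emits 'warning' for every
// DeprecationWarning, so each one is logged with its origin package instead
// of being scrolled past. Returns the listener so it can be removed again.
function installWarningTriage(report = (s) => console.error('[warning-triage]', JSON.stringify(s))) {
  const listener = (w) => report(triageWarning(w));
  process.on('warning', listener);
  return listener;
}

// Demo on the constructed sample.
console.log(JSON.stringify(triageWarning({
  code: 'DEP0106',
  message: 'crypto.createDecipher is deprecated.',
  stack: SAMPLE_TRACE,
}), null, 2));
```

Node only prints the frames of a deprecation warning when started with --trace-deprecation; the listener approach above reports the originating package without depending on what reaches stderr.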
And it comes full circle... Turns out it's some kind of injection attack. |
I'm trying to get a release out on nodemon but tests aren't passing (one of the integration tests is leaving a background server running). That said, a fresh install of nodemon should pull in Can someone test (and confirm with |
This issue has been resolved by the |
Fixing security vulnerability in nodemon 1.18.6, see remy/nodemon#1442
@FallingSnow out of pure curiosity: starting from the stack trace, how did you find out it's an injection attack? did you start analyzing js and min.js files? |
@piotrturski if you've got that stack trace your dependencies are out of date and nodemon needs an upgrade. |
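The point in the reply above is that the trace means an out-of-date dependency tree. As an added example (not nodemon's own tooling), the script below answers "is flatmap-stream still in my install?" from package-lock.json, for both the nested lockfileVersion 1 layout and the flat packages map of lockfileVersion 2/3, reporting every copy with the dependency path that pulled it in. The lock objects are constructed samples: the nodemon 1.18.5 version is the one from this issue, while the event-stream and flatmap-stream version strings are placeholders, not the real published versions.

```javascript
// Added example (not nodemon's code): locate a named package anywhere in a
// package-lock.json tree. An up-to-date nodemon no longer pulls in
// flatmap-stream, so its presence in the lock is the quickest exposure check.
'use strict';

// Constructed sample, lockfileVersion 1 (nested "dependencies" objects).
// Version strings marked "-constructed" are placeholders.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    nodemon: {
      version: '1.18.5',
      dependencies: {
        'event-stream': {
          version: '0.0.0-constructed',
          dependencies: { 'flatmap-stream': { version: '0.0.0-constructed' } },
        },
      },
    },
  },
};

// Constructed sample, lockfileVersion 3 (flat "packages" map keyed by path).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/nodemon': { version: '1.18.5' },
    'node_modules/nodemon/node_modules/event-stream': { version: '0.0.0-constructed' },
    'node_modules/nodemon/node_modules/event-stream/node_modules/flatmap-stream': { version: '0.0.0-constructed' },
  },
};

// Walk a v1 tree, recording each entry with the chain of packages above it.
function walkV1(deps, trail, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...trail, name];
    out.push({ name, version: entry.version, path });
    walkV1(entry.dependencies, path, out);
  }
}

// Flatten v2/v3 keys such as "node_modules/a/node_modules/b" into the same
// { name, version, path } shape; the "" key is the root project itself.
function walkV2(packages, out) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue;
    const path = key.split('node_modules/').map((s) => s.replace(/\/$/, '')).filter(Boolean);
    out.push({ name: path[path.length - 1], version: entry.version, path });
  }
}

// v2 lockfiles carry both "packages" and a legacy "dependencies" mirror;
// "packages" is authoritative, so prefer it when present.
function allPackages(lock) {
  const out = [];
  if (lock.packages) walkV2(lock.packages, out);
  else walkV1(lock.dependencies, [], out);
  return out;
}

// Every installed copy of `name`, each with the path that pulled it in.
function findPackage(lock, name) {
  return allPackages(lock)
    .filter((p) => p.name === name)
    .map((p) => ({ version: p.version, via: p.path.join(' > ') }));
}

// Convenience wrapper for a lockfile on disk (CommonJS require, resolved
// only when called so the module also loads where require is unavailable).
function auditLockFile(file, name) {
  const fs = require('fs');
  return findPackage(JSON.parse(fs.readFileSync(file, 'utf8')), name);
}

// Demo on the constructed samples.
console.log('v1:', findPackage(SAMPLE_LOCK_V1, 'flatmap-stream'));
console.log('v3:', findPackage(SAMPLE_LOCK_V3, 'flatmap-stream'));
```

A non-empty result means the install still contains the package regardless of which top-level dependency brought it in; the via string points at the direct dependency to upgrade.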
@piotrturski I just followed the stack traces until I ran into some very strange code that looked like an obfuscated payload. So yes, I did analyze the js files, see dominictarr/event-stream#116. |
To be honest, looking back at this incident, it's amazing how 2 letters were the difference between stopping a malicious attack and millions of victims worldwide having their bitcoin savings wiped out overnight, because right9ctrl used the deprecated If he/she hadn't forgotten those 2 letters and used the non-deprecated function, this issue wouldn't have been reported and flatmap-stream would've gone undetected for potentially years given how well it was hidden |
@TheShermanTanker wow. I guess there is always light at the end of the tunnel... |
The latest version of Nodemon on the latest version of Node.js causes a deprecation warning to be logged when starting.
This relates to Nodemon and not my start script, because when I run npm start directly (not via Nodemon) no deprecation warning is logged.
nodemon -v: 1.18.5
node -v: 11.0.0
Expected behaviour
Nodemon does not use deprecated Node.js APIs, causing deprecation warnings to be logged.
Actual behaviour
A deprecation warning is logged:
Steps to reproduce
Use Nodemon and Node.js versions as specified above.
If applicable, please append the --dump flag on your command and include the output here ensuring to remove any sensitive/personal details or tokens.