Outdated dependencies

[jmakeig]

As of b8c7828, npm outdated yields:

Package           Current  Wanted  Latest  Location
bluebird           2.11.0  2.11.0   3.4.7  marklogic
concat-stream       1.5.2   1.6.0   1.6.0  marklogic
deepcopy            0.4.0   0.4.0   0.6.3  marklogic
gulp-jshint        1.12.0  1.12.0   2.0.4  marklogic
gulp-mocha          2.2.0   2.2.0   3.0.1  marklogic
kerberos           0.0.21  0.0.21  0.0.22  marklogic
mocha               2.5.3   2.5.3   3.2.0  marklogic
multipart-stream    1.0.0   1.0.0   2.0.1  marklogic
qs                  2.4.2   2.4.2   6.3.0  marklogic
should              4.6.5   4.6.5  11.1.2  marklogic
through2            0.6.5   0.6.5   2.0.3  marklogic
winston             0.9.0   0.9.0   2.3.0  marklogic

A major release is probably the best time to upgrade any/all of these. However, we should only upgrade if there's a good reason. Some of these may have incompatibilities.

[jmakeig]

There are also a bunch of deprecation warnings on npm install:

npm WARN deprecated [email protected]: This project is deprecated. Use gulp-jsdoc3 instead.
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated [email protected]: wrench.js is deprecated! You should check out fs-extra (https://github.com/jprichardson/node-fs-extra) for any operations you were using wrench for. Thanks for all the usage over the years.
npm WARN deprecated [email protected]: wrench.js is deprecated! You should check out fs-extra (https://github.com/jprichardson/node-fs-extra) for any operations you were using wrench for. Thanks for all the usage over the years.
npm WARN deprecated [email protected]: to-iso-string has been deprecated, use @segment/to-iso-string instead.
npm WARN deprecated [email protected]: Jade has been renamed to pug, please install the latest version of pug instead of jade
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN prefer global [email protected] should be installed with -g

These may or may not be the result of secondary dependencies.

[wooldridge]

Investigating.

I'm seeing the following as of 9e788d2:

Package           Current  Wanted  Latest
bluebird           2.11.0  2.11.0   3.4.7
deepcopy            0.4.0   0.4.0   0.6.3
gulp-jshint        1.12.0  1.12.0   2.0.4
gulp-mocha          2.2.0   2.2.0   3.0.1
kerberos           0.0.21  0.0.21  0.0.22
mocha               2.5.3   2.5.3   3.2.0
multipart-stream    1.0.0   1.0.0   2.0.1
qs                  2.4.2   2.4.2   6.3.0
should              4.6.5   4.6.5  11.2.0
through2            0.6.5   0.6.5   2.0.3
winston             0.9.0   0.9.0   2.3.1

Also:

npm WARN deprecated [email protected]: This project is deprecated. Use gulp-jsdoc3 instead.
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated [email protected]: wrench.js is deprecated! You should check out fs-extra (https://github.com/jprichardson/node-fs-extra) for any operations you were using wrench for. Thanks for all the usage over the years.
npm WARN deprecated [email protected]: wrench.js is deprecated! You should check out fs-extra (https://github.com/jprichardson/node-fs-extra) for any operations you were using wrench for. Thanks for all the usage over the years.
npm WARN deprecated [email protected]: to-iso-string has been deprecated, use @segment/to-iso-string instead.
npm WARN deprecated [email protected]: Jade has been renamed to pug, please install the latest version of pug instead of jade
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN prefer global [email protected] should be installed with -g

[wooldridge]

I updated the package.json with everything in the above "npm outdated" list (incuding the concat-stream to ^1.6.0, which wasn't showing up in my list). I ran the tests in test-basic and had to correct one thing, a file reference in bluebird-plus.js. Once I did that, the tests in test-basic all passed:

293 passing (59s)

Next I will attempt to fix items on the deprecated list. I also need to:

• run manual Kerberos tests
• run manual certificate-authentication tests
• run the examples

So far, things look very promising (no pun intended).

[jmakeig]

What’s our philosophy on shrinkwrap?

[wooldridge]

I researched shrinkwrap and presented to the API Team:

https://wiki.marklogic.com/display/~mwooldri/npm+shrinkwrap

The response from the team was positive. We've also implemented this in Samplestack.

Once our dependencies are locked down for this Node Client API release and the code is tested by QA, I'd like to add a shrinkwrap file to lock down dependencies. @jmakeig, if you're on board with this I will add a task. @ayuwono, let me know if QA has concerns.

[wooldridge]

Tested certificate authentication with updated dependencies by running through the steps in the README here:

https://github.com/wooldridge/ml-certauth

Test passed.

[wooldridge]

In testing with Kerberos, I'm running into the following error:

{ Error: authenticate_gss_client_step(gss_init_sec_context):  Miscellaneous failure (see text): 
    Clock skew too great at Error (native) code: -1 }

It seems my client and the KDC are out of sync with regard to their clocks. Some info here:

http://community.centrify.com/t5/Centrify-Express/Clock-skew-too-great-between-this-machine-and-the-domain-server/td-p/20832

Investigating with Arthur.

[wooldridge]

There was a hiccup running the examples (running the query-builder.js example), but this doesn't appear to be related to the updated dependencies. Earlier branches with the older dependencies are showing the same issue. Filed an issue here: #362

[wooldridge]

Arthur fixed the problem described in #343 (comment). He said:

There was about 2 min difference between the KDC and my machine. I changed the KDC to use ntp server.

After the fix, the manual Kerberos tests passed.

[jmakeig]

Clock Skew Too Great also happens to be the name of my experimental prog rock collective.

[grechaw]

CSTG played a mighty progressive show to four discerning gray-ponytailed fans at the Konocti resort in Lake County.

[wooldridge]

I'm going to move the module updates in package.json here to test for QA since they've passed all my preliminary tests (test-basic, cert auth, Kerberos, examples).

I'm going to move the deprecation warnings to a separate issue. Based on my investigation so far, we need to update our documentation library, jsdoc (and gulp-jsdoc). The gulp-jsdoc library is no longer being maintained, see:

https://www.npmjs.com/package/gulp-jsdoc

We need to update to the following:

jsdoc 3.3.0-beta1 ==> jsdoc 3.4.3
gulp-jsdoc 0.1.4  ==> gulp-jsdoc3 1.0.1

Doing this will get rid of half the npm install deprecation warnings (since the warnings are due to subdependencies in jsdoc/gulp-jsdoc).

Updating the jsdoc stuff will take a bit of effort since the gulp-jsdoc API has changed, which is why I'd like to move the deprecation fixes to a separate issue.

Not sure what we can do about the remaining deprecation warnings since none of them are due to direct dependencies of the Node.js Client API. But I will investigate after I deal with the jsdoc update.

[wooldridge]

@ayuwono, please test the API with the merged updates to package.json.

[ayuwono]

Tested and verified