The latest version of Nodemon on the latest version of Node.js causes a deprecation warning to be logged when starting.
This relates to Nodemon and not my start script, because when I run npm start
directly (not via Nodemon) no deprecation warning is logged.
nodemon -v
: 1.18.5node -v
: 11.0.0{
"watch": "nodemon",
"start": "node --experimental-modules --no-warnings -r dotenv/config server"
}
npm run watch
md5-5c7f483fc44346d27a37182ef5f13bdb
[DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
Use Nodemon and Node.js versions as specified above.
If applicable, please append the --dump
flag on your command and include the output here ensuring to remove any sensitive/personal details or tokens.
I tried adding --trace-deprecations
to my start script but it has no effect, since the deprecation warning is triggered by Nodemon code (or dependencies) that runs before the start script.
If you try nodemon with a bare index.js, do you get the warning still?
ie.
echo "" > index.js
nodemon index.js
Yep:
Indeed, I also got the issue.
node index.js
=> no warning
nodemon index.js
=> got the warning
Same issue,
nodemon
version: 1.18.6
Here's the trace:
> nodemon index.js
(node:27294) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
at [redacted]/node_modules/flatmap-stream/index.min.js:1:1264
at Object.<anonymous> ([redacted]/node_modules/flatmap-stream/index.min.js:1:1423)
at Module._compile (internal/modules/cjs/loader.js:707:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:718:10)
at Module.load (internal/modules/cjs/loader.js:605:32)
at tryModuleLoad (internal/modules/cjs/loader.js:544:12)
at Function.Module._load (internal/modules/cjs/loader.js:536:3)
at Module.require (internal/modules/cjs/loader.js:643:17)
at require (internal/modules/cjs/helpers.js:22:18)
at Object.<anonymous> ([redacted]/node_modules/event-stream/index.js:11:15)
And it comes full circle... Turns out it's some kind of injection attack.
https://github.com/dominictarr/event-stream/issues/116
Related: https://github.com/remy/nodemon/issues/1451
I'm trying to get a release out on nodemon but tests aren't passing (one of the integration tests is leaving a background server running).
That said, a fresh install of nodemon should pull in [email protected]
which, if it's causing this warning, should be clean now.
Can someone test (and confirm with npm ls pstree.remy
against the nodemon install dif)?
This issue has been resolved by the pstree.remy
release; the infected package has been removed from the nodemon
dependency tree. Thanks!
I'm trying to get a release out on nodemon but tests aren't passing (one of the integration tests is leaving a background server running).
@remy glad to hear you have failing tests, things are definitely broken. See #1464.
@FallingSnow out of pure curiosity: starting from the stack trace, how did you find out it's an injection attack? did you start analyzing js and min.js files?
Here's the trace:
```js
nodemon index.js
(node:27294) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
at [redacted]/node_modules/flatmap-stream/index.min.js:1:1264
at Object.([redacted]/node_modules/flatmap-stream/index.min.js:1:1423)
...
@piotrturski if you've got that stack trace your dependencies are out of date and nodemon needs an upgrade.
@piotrturski I just followed the stack traces until I ran into some very strange code that looked like an obfuscated payload.
So yes, I did analyze the js files, see https://github.com/dominictarr/event-stream/issues/116.
Most helpful comment
And it comes full circle... Turns out it's some kind of injection attack.
https://github.com/dominictarr/event-stream/issues/116
Related: https://github.com/remy/nodemon/issues/1451