Nodemon: Deprecation warning at start

Created on 29 Oct 2018  ·  13 Comments  ·  Source: remy/nodemon

The latest version of Nodemon on the latest version of Node.js causes a deprecation warning to be logged when starting.

This relates to Nodemon and not my start script, because when I run npm start directly (not via Nodemon) no deprecation warning is logged.

  • nodemon -v: 1.18.5
  • node -v: 11.0.0
  • Operating system/terminal environment: macOS
  • Command you ran:
```json
{
  "watch": "nodemon",
  "start": "node --experimental-modules --no-warnings -r dotenv/config server"
}
```

```
npm run watch
```






[DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.

Steps to reproduce

Use Nodemon and Node.js versions as specified above.


If applicable, please append the --dump flag on your command and include the output here ensuring to remove any sensitive/personal details or tokens.

needs more info


All 13 comments

I tried adding --trace-deprecations to my start script but it has no effect, since the deprecation warning is triggered by Nodemon code (or dependencies) that runs before the start script.

If you try nodemon with a bare index.js, do you get the warning still?

ie.

echo "" > index.js
nodemon index.js

Yep:

[Screenshot: screen shot 2018-10-29 at 8 28 30 pm]

Indeed, I also got the issue.

node index.js => no warning
nodemon index.js => got the warning

Same issue,

nodemon version: 1.18.6

Here's the trace:

```
> nodemon index.js

(node:27294) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
    at [redacted]/node_modules/flatmap-stream/index.min.js:1:1264
    at Object.<anonymous> ([redacted]/node_modules/flatmap-stream/index.min.js:1:1423)
    at Module._compile (internal/modules/cjs/loader.js:707:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:718:10)
    at Module.load (internal/modules/cjs/loader.js:605:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:544:12)
    at Function.Module._load (internal/modules/cjs/loader.js:536:3)
    at Module.require (internal/modules/cjs/loader.js:643:17)
    at require (internal/modules/cjs/helpers.js:22:18)
    at Object.<anonymous> ([redacted]/node_modules/event-stream/index.js:11:15)
```

And it comes full circle... Turns out it's some kind of injection attack.
https://github.com/dominictarr/event-stream/issues/116
Related: https://github.com/remy/nodemon/issues/1451

I'm trying to get a release out on nodemon but tests aren't passing (one of the integration tests is leaving a background server running).

That said, a fresh install of nodemon should pull in [email protected] which, if it's causing this warning, should be clean now.

Can someone test (and confirm with npm ls pstree.remy against the nodemon install dir)?
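The dependency-tree check requested above can also be done offline against a lockfile. The following is an added example, not code from nodemon or from anyone in this thread: it lists every require path from a project's direct dependencies to a named package. It assumes a flat lockfileVersion 1 tree (nested `dependencies` entries are ignored), and the lockfile contents, including the intermediate `ps-tree`, `chokidar` and `through` entries, are constructed for illustration.

```javascript
// Constructed, simplified package-lock.json contents (versions omitted).
const AFFECTED_LOCK = { lockfileVersion: 1, dependencies: {
  'nodemon': { requires: { 'chokidar': '*', 'pstree.remy': '*' } },
  'chokidar': {},
  'pstree.remy': { requires: { 'ps-tree': '*' } },
  'ps-tree': { requires: { 'event-stream': '*' } },
  'event-stream': { requires: { 'flatmap-stream': '*', 'through': '*' } },
  'flatmap-stream': {},
  'through': {},
} };

// Constructed: the same tree once pstree.remy no longer pulls in event-stream.
const CLEAN_LOCK = { lockfileVersion: 1, dependencies: {
  'nodemon': { requires: { 'chokidar': '*', 'pstree.remy': '*' } },
  'chokidar': {},
  'pstree.remy': {},
} };

// roots: direct dependency names taken from package.json.
// Returns whether `target` has a lockfile entry at all, plus every require
// path that reaches it, so the package to upgrade is visible.
function auditLock(lock, roots, target) {
  const deps = lock.dependencies || {};
  const paths = [];
  const walk = (name, trail) => {
    if (trail.includes(name)) return;            // dependency cycle: stop here
    const next = trail.concat(name);
    if (name === target) { paths.push(next.join(' > ')); return; }
    const entry = deps[name];
    if (!entry) return;                          // not locked (optional or peer)
    for (const child of Object.keys(entry.requires || {})) walk(child, next);
  };
  roots.forEach((root) => walk(root, []));
  // An entry with no path is a stale lock entry: still installed by `npm ci`.
  const installed = Object.prototype.hasOwnProperty.call(deps, target);
  return { installed, paths };
}

console.log(auditLock(AFFECTED_LOCK, ['nodemon'], 'flatmap-stream'));
console.log(auditLock(CLEAN_LOCK, ['nodemon'], 'flatmap-stream'));
```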

This issue has been resolved by the pstree.remy release; the infected package has been removed from the nodemon dependency tree. Thanks!

> I'm trying to get a release out on nodemon but tests aren't passing (one of the integration tests is leaving a background server running).

@remy glad to hear you have failing tests, things are definitely broken. See #1464.

@FallingSnow out of pure curiosity: starting from the stack trace, how did you find out it's an injection attack? Did you start analyzing js and min.js files?

> Here's the trace:

```js
nodemon index.js

(node:27294) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
    at [redacted]/node_modules/flatmap-stream/index.min.js:1:1264
    at Object.<anonymous> ([redacted]/node_modules/flatmap-stream/index.min.js:1:1423)
...
```

@piotrturski if you've got that stack trace your dependencies are out of date and nodemon needs an upgrade.

@piotrturski I just followed the stack traces until I ran into some very strange code that looked like an obfuscated payload.

So yes, I did analyze the js files, see https://github.com/dominictarr/event-stream/issues/116.
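The triage step described in this thread, following the stack trace to the package that made the deprecated call, can be automated. The following is an added example, not code from nodemon or from any commenter: it maps each frame of a Node.js warning trace to the installed package that owns the file and reports the require chain. The sample input is the trace quoted above, abridged; the 500-column threshold for flagging a one-line file is an assumption.

```javascript
// Constructed sample: the trace quoted in this thread, abridged, with
// "[redacted]" standing in for the project path as the commenter wrote it.
const SAMPLE_TRACE = `
(node:27294) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
    at [redacted]/node_modules/flatmap-stream/index.min.js:1:1264
    at Object.<anonymous> ([redacted]/node_modules/flatmap-stream/index.min.js:1:1423)
    at Module._compile (internal/modules/cjs/loader.js:707:30)
    at Module.require (internal/modules/cjs/loader.js:643:17)
    at require (internal/modules/cjs/helpers.js:22:18)
    at Object.<anonymous> ([redacted]/node_modules/event-stream/index.js:11:15)
`;

// Map one "at ..." frame to the installed package that owns the file, or
// null for Node internals and the application's own code.
function parseFrame(line) {
  const at = /^\s*at (.+?)\s*$/.exec(line);
  if (!at) return null;
  const paren = /\(([^()]+)\)$/.exec(at[1]);
  const loc = /^(.*):(\d+):(\d+)$/.exec(paren ? paren[1] : at[1]);
  if (!loc) return null;
  const path = loc[1].replace(/\\/g, '/');
  const idx = path.lastIndexOf('node_modules/'); // last one wins for nested installs
  if (idx === -1) return null;
  const parts = path.slice(idx + 'node_modules/'.length).split('/');
  const pkg = parts[0].startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return { pkg, file: path.slice(idx), line: Number(loc[2]), column: Number(loc[3]) };
}

// Attribute a deprecation warning to the package that made the call and list
// the require chain that loaded it, innermost package first.
function attributeWarning(trace) {
  const head = /\[(DEP\d+)\] DeprecationWarning: (.*)/.exec(trace);
  const frames = trace.split('\n').map(parseFrame).filter(Boolean);
  const chain = [];
  for (const f of frames) if (chain[chain.length - 1] !== f.pkg) chain.push(f.pkg);
  const origin = frames[0] || null;
  return {
    code: head ? head[1] : null,
    message: head ? head[2].trim() : null,
    origin,
    chain,
    // Heuristic (assumed threshold): a call far along line 1 means a one-line,
    // minified file that has to be unpacked and read by hand.
    minifiedOrigin: Boolean(origin) && origin.line === 1 && origin.column > 500,
  };
}

console.log(attributeWarning(SAMPLE_TRACE));
```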
