ariaminaei / renderkid Goto Github PK

We're doing legal and security audits of our dependencies and so far one of the most problematic parts is the css-select project and its dependencies. See following issues:

• fb55/domelementtype#8
• fb55/boolbase#3
• fb55/nth-check#4
• fb55/entities#27
• fb55/css-what#24
• fb55/css-select#112

In many cases, there is no response from @fb55 for a long time and the issues are quite important as technically, legally, nobody should be really using packages distributed without explicit license. A code without license is to be considered proprietary by default and using such code could be easily classified as theft. This makes it problematic to use RenderKid in any company or by any individual who actually cares about licensing.

Moreover, the css-select project seems to be more or less abandoned. It seems to me @fb55's dependencies and the css-select project act as a single point of failure in your project. Even if you don't care about licensing, it's apparently naive to expect the dependencies will ever get updated, bugs fixed, etc.

Apologies for the brief report - I don't have a lot of time to investigate this now. We seem to be getting this in our Travis build output. Has anyone else encountered this?

jonschlinkert/window-size#4
https://nodejs.org/api/tty.html#tty_ws_columns
https://github.com/AriaMinaei/RenderKid/blob/master/src/tools.coffee#L75-L76

    cols =
          # ...
          else if process.stdout.columns and process.stdout.rows
            process.stdout.rows

just saw this through your pretty-error module, you might be interested in https://github.com/visionmedia/node-term-css it seems like a similar use-case

Hello,
we are trying to fix the licensing issues in our dependencies.
Could you please bump version of utila dependency to at least 0.4.0? The 0.4.0 version is adding LICENSE file to the package.

Also can you please also bump the utila version in archived https://github.com/AriaMinaei/dom-converter, do the new release and use it here? I see that you are the maintainer, and as long the repo is archived I cannot add issues or PR there.

Thanks a lot.

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

[webpack-cli] Error [ERR_REQUIRE_ESM]: require() of ES Module C:\Documents\GitHub\my-vue-router-project\node_modules\strip-ansi\index.js from C:\Documents\GitHub\my-vue-router-project\node_modules\renderkid\lib\RenderKid.js not supported. Instead change the require of index.js in C:\Documents\GitHub\my-vue-router-project\node_modules\renderkid\lib\RenderKid.js to a dynamic import() which is available in all CommonJS modules. at require (C:\Documents\GitHub\my-vue-router-project\node_modules\v8-compile-cache\v8-compile-cache.js:159:20) at Object. (C:\Documents\GitHub\my-vue-router-project\node_modules\renderkid\lib\RenderKid.js:22:13) at Module._compile (C:\Documents\GitHub\my-vue-router-project\node_modules\v8-compile-cache\v8-compile-cache.js:192:30) at require (C:\Documents\GitHub\my-vue-router-project\node_modules\v8-compile-cache\v8-compile-cache.js:159:20) at Object. (C:\Documents\GitHub\my-vue-router-project\node_modules\pretty-error\lib\PrettyError.js:14:13) at Module._compile (C:\Documents\GitHub\my-vue-router-project\node_modules\v8-compile-cache\v8-compile-cache.js:192:30) at require (C:\Documents\GitHub\my-vue-router-project\node_modules\v8-compile-cache\v8-compile-cache.js:159:20) at Object. (C:\Documents\GitHub\my-vue-router-project\node_modules@masx200\webpack-react-vue-spa-awesome-config\node_modules\html-webpack-plugin\lib\errors.js:3:21) at Module._compile (C:\Documents\GitHub\my-vue-router-project\node_modules\v8-compile-cache\v8-compile-cache.js:192:30) at require (C:\Documents\GitHub\my-vue-router-project\node_modules\v8-compile-cache\v8-compile-cache.js:159:20) at Object. (C:\Documents\GitHub\my-vue-router-project\node_modules@masx200\webpack-react-vue-spa-awesome-config\node_modules\html-webpack-plugin\index.js:21:21) at Module._compile (C:\Documents\GitHub\my-vue-router-project\node_modules\v8-compile-cache\v8-compile-cache.js:192:30) at require (C:\Documents\GitHub\my-vue-router-project\node_modules\v8-compile-cache\v8-compile-cache.js:159:20) at exports.createconfig (C:\Documents\GitHub\my-vue-router-project\node_modules@masx200\webpack-react-vue-spa-awesome-config\bin\config.js:72:374) at module.exports (C:\Documents\GitHub\my-vue-router-project\webpack.config.js:7:20) at WebpackCLI.loadConfig (C:\Documents\GitHub\my-vue-router-project\node_modules\webpack-cli\lib\webpack-cli.js:1589:33) at async Promise.all (index 0) at async WebpackCLI.resolveConfig (C:\Documents\GitHub\my-vue-router-project\node_modules\webpack-cli\lib\webpack-cli.js:1608:35) at async WebpackCLI.createCompiler (C:\Documents\GitHub\my-vue-router-project\node_modules\webpack-cli\lib\webpack-cli.js:2085:22) at async WebpackCLI.runWebpack (C:\Documents\GitHub\my-vue-router-project\node_modules\webpack-cli\lib\webpack-cli.js:2213:20) at async Command. (C:\Documents\GitHub\my-vue-router-project\node_modules\webpack-cli\lib\webpack-cli.js:850:25) at async Promise.all (index 1) at async Command. (C:\Documents\GitHub\my-vue-router-project\node_modules\webpack-cli\lib\webpack-cli.js:1516:13) { code: 'ERR_REQUIRE_ESM' }

How to print pretty JSON.stringify(obj, null,2) between block

I'm migrating my app from Node 14 to Node 16 and this errors now appears.

[webpack-cli] Failed to load '/app/webpack.config.js' config
[webpack-cli] TypeError: Cannot read properties of undefined (reading 'Descendant')
at Object. (/app/node_modules/renderkid/node_modules/css-select/lib/compile.js:36:56)
at Module._compile (node:internal/modules/cjs/loader:1101:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)
at Module.require (node:internal/modules/cjs/loader:1005:19)
at require (node:internal/modules/cjs/helpers:102:18)
at Object. (/app/node_modules/renderkid/node_modules/css-select/lib/index.js:29:17)
at Module._compile (node:internal/modules/cjs/loader:1101:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:11[53]

I'm using this module on my app: html-webpack-plugin that has this dependency:
[email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]

I believe renderkid is still using an older version of css-select 4.3.0 that is not compatible with Node 16. There is a newer version of css-select 5.1.0 that is now updated and in TS that probably works with Node 16. Could you update renderkid to use this new version os css-select, please?

Thank you.

The package currently depends on version 2 of css-select. The latest version is version 4.
And the snyk vulnerability database reports a ReDoS vulnerability in css-what (dependency of css-select), that has been patched in the latest version, but still affects codebases using renderkid due to using an older version (see https://app.snyk.io/vuln/SNYK-JS-CSSWHAT-1298035). I don't know whether that vulnerability affects the usage done in renderkid, but tools checking dependencies against a vulnerability database still report it anyway.
It would be great if css-select could be updated to the latest version.

Reference to AriaMinaei/pretty-error#14.

Hi,

I am running into a strange error all of a sudden through my docker image that's using th 14-alpine image. It might have something to do with the version of domutils in renderkid? However I don't know which package is using renderkid. Does anyone know how to find all the packages that are using renderkid? Thanks in advance.

UnhandledPromiseRejectionWarning: TypeError: ext[key].bind is not a function
clientv1_1 | at /home/node/node_modules/renderkid/node_modules/domutils/index.js:12:28
clientv1_1 | at Array.forEach ()
clientv1_1 | at /home/node/node_modules/renderkid/node_modules/domutils/index.js:11:19

Here are the dependencies in my package.json. Does anyone

  "dependencies": {
    "@antv/data-set": "^0.11.4",
    "@craco/craco": "^5.6.4",
    "@ethersproject/shims": "^5.1.0",
    "@material-ui/core": "^4.10.0",
    "@material-ui/icons": "^4.9.1",
    "@material-ui/pickers": "^3.2.10",
    "@metamask/detect-provider": "^1.2.0",
    "@stripe/react-stripe-js": "1.2.0",
    "@stripe/stripe-js": "1.11.0",
    "axios": "^0.19.2",
    "bizcharts": "^4.0.3",
    "chartist": "^0.10.1",
    "cookie-parser": "^1.4.5",
    "crypto-js": "^4.0.0",
    "env-cmd": "10.1.0",
    "ethers": "^5.1.4",
    "history": "^4.9.0",
    "libsodium-wrappers": "0.7.8",
    "lodash": "^4.17.15",
    "material-ui-confirm": "^2.1.1",
    "perfect-scrollbar": "^1.4.0",
    "qs": "^6.9.4",
    "react": "^16.13.1",
    "react-bootstrap-sweetalert": "^5.1.9",
    "react-chartist": "0.14.3",
    "react-csv": "^2.0.1",
    "react-dom": "^16.13.1",
    "react-dropzone": "^11.0.1",
    "react-papaparse": "3.8.0",
    "react-redux": "^7.0.2",
    "react-router-dom": "^5.2.0",
    "react-scripts": "3.4.1",
    "react-select": "^3.0.8",
    "react-star-rating-component": "^1.4.1",
    "react-swipeable-views": "^0.13.9",
    "react-virtualized": "9.22.2",
    "redux": "^4.0.5",
    "redux-thunk": "^2.3.0",
    "shuffle-seed": "^1.1.6"
  },
  "devDependencies": {
    "node-sass": "^4.14.1",
    "nodemon": "2.0.4",
    "prop-types": "^15.7.2",
    "redux-devtools-extension": "^2.13.8",
    "@testing-library/dom": "7.5.7",
    "@testing-library/jest-dom": "^4.2.4",
    "@testing-library/react": "^9.3.2",
    "@testing-library/user-event": "^7.1.2"
  },

Hi @AriaMinaei

I noticed the recent version bump from v2.0.5 -> v2.0.6 included changes that seem pretty substantial. Specifically, I'm looking at 4a7e401 & fa6ecbd

These changes include a lot of major version updates of a bunch of packages:

• mocha v5.2.0 -> v8.2.0
• css-select v2.0.2 -> v4.1.3
• htmlparser2 v3.10.1 -> v6.1.0
• strip-ansi v3.0.0 -> v6.0.0

I'm currently using html-webpack-plugin which has the dependency pretty-error ^2.0.2 which has the dependency renderkid ^2.0.4

due to the use of ^ in the version it is pulling in v2.0.6 which has completely broke this project.

Would it be possible to change the version to be a major version bump since all of the updates that you changed are also major version bumps? so the new version would be v3.0.0 instead of v2.0.6.

Here in the code, the terminal width is defaulted to 80 for non-TTY terminals:

This is causing lines to be cut when using in a context where Node is run using terminal redirection (WebStorm run console, AWS CloudWatch logs, ...)

Would it be possible to introduce an environment variable or a way to change this default value? If yes, I can open a pull-request for that.
Environment variable could be something like RENDERKID_DEFAULT_TERMINAL_WIDTH.

Dependency Hierarchy:

-> html-webpack-plugin-5.3.2.tgz (Root Library)

-> pretty-error-3.0.4.tgz

 -> renderkid-2.0.7.tgz

   -> strip-ansi-3.0.1.tgz

     -> ❌ ansi-regex-2.1.1.tgz (Vulnerable Library)

Suggested fix: Upgrade to version: ansi-regex - 5.0.1,6.0.1

Please help to upgrade the dependency version of strip-ansi to a newer version

The NPM package still installs the old joiful-experiments dependency.

This causes problems when Node is above v0.10.x because joiful-experiments uses the deprecated sys module instead of the util module.

For now, I will change the dependency in package.json to AriaMinaei/RenderKid but it would be nice to keep the NPM package up-to-date so I can just use renderkid.

Thanks!