The react-scripts version locked for Kedro-Viz requires an insecure SSL setting on systems based on OpenSSL

[astrojuanlu]

Description

As per title.

Context

I was trying to add a conda-forge recipe for kedro-viz at conda-forge/staged-recipes#22142
Please bear in mind that I'm not a Node.js expert, so I'm trying to follow a mix of https://github.com/kedro-org/kedro-viz/blob/main/CONTRIBUTING.md#development-guidelines and what the CI does.

I'm even trying to install the same version that CI uses, to no avail:

kedro-viz/.circleci/continue_config.yml

Lines 45 to 48 in 25c55c2

	install_node_dependencies:
	steps:
	- node/install:
	node-version: '16.13.2'

Steps to Reproduce

1. Install Node.js 16.13, or 16.17, or 17
2. npm install
3. npm run build
4. See error

Expected Result

Build succeeds.

Actual Result

juanlu@valinor ~/P/Q/kedro-viz (main)> npm run build

> @quantumblack/kedro-viz@5.3.0 build
> npm run build:css && react-scripts build


> @quantumblack/kedro-viz@5.3.0 build:css
> sass --no-source-map src/.

Creating an optimized production build...
Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack/lib/NormalModule.js:471:10)
    at /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack/lib/NormalModule.js:503:5
    at /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack/lib/NormalModule.js:358:12
    at /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js:373:3
    at iterateNormalLoaders (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
    at iterateNormalLoaders (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
    at /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js:236:3
    at runSyncOrAsync (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js:130:11)
    at iterateNormalLoaders (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js:232:2)
    at Array.<anonymous> (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js:205:4)
    at Storage.finished (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:55:16)
    at /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:91:9
/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/react-scripts/scripts/build.js:19
  throw err;
  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack/lib/NormalModule.js:417:16)
    at /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack/lib/NormalModule.js:452:10
    at /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack/lib/NormalModule.js:323:13
    at /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js:367:11
    at /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js:233:18
    at context.callback (/home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
    at /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/babel-loader/lib/index.js:59:103 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}

I tried npm audit fix --force as suggested in https://stackoverflow.com/a/73027407, but got a different error message:

juanlu@valinor ~/P/Q/kedro-viz (main) [1]> npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating d3-interpolate to 3.0.1, which is a SemVer major change.
npm WARN audit Updating d3-transition to 3.0.1, which is a SemVer major change.
npm WARN audit Updating react-scripts to 5.0.1, which is a SemVer major change.
npm WARN audit Updating d3-scale to 4.0.2, which is a SemVer major change.
npm WARN audit Updating d3-zoom to 3.0.0, which is a SemVer major change.
npm WARN deprecated rollup-plugin-terser@7.0.2: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-terser

added 308 packages, removed 811 packages, changed 296 packages, and audited 2469 packages in 1m

319 packages are looking for funding
  run `npm fund` for details

# npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
juanlu@valinor ~/P/Q/kedro-viz (main) [1]> git st
On branch main
Your branch is up to date with 'origin/main'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   package-lock.json
	modified:   package.json

no changes added to commit (use "git add" and/or "git commit -a")
juanlu@valinor ~/P/Q/kedro-viz (main)> npm run build

> @quantumblack/kedro-viz@5.3.0 build
> npm run build:css && react-scripts build


> @quantumblack/kedro-viz@5.3.0 build:css
> sass --no-source-map src/.

Creating an optimized production build...
(node:56734) [DEP_WEBPACK_COMPILATION_CACHE] DeprecationWarning: Compilation.cache was removed in favor of Compilation.getCache()
(Use `node --trace-deprecation ...` to show where the warning was created)
(node:56734) [DEP_WEBPACK_TEMPLATE_PATH_PLUGIN_REPLACE_PATH_VARIABLES_HASH] DeprecationWarning: [hash] is now [fullhash] (also consider using [chunkhash] or [contenthash], see documentation for details)
(node:56734) [DEP_WEBPACK_DEPRECATION_ARRAY_TO_SET_INDEXER] DeprecationWarning: chunk.files was changed from Array to Set (indexing Array is deprecated)
(node:56734) [DEP_WEBPACK_CHUNK_ENTRY_MODULE] DeprecationWarning: Chunk.entryModule: Use new ChunkGraph API
Failed to compile.

Loading PostCSS "postcss-flexbugs-fixes" plugin failed: Cannot find module 'postcss-flexbugs-fixes'
Require stack:
- /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/postcss-loader/dist/utils.js
- /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/postcss-loader/dist/index.js
- /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/postcss-loader/dist/cjs.js
- /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/loadLoader.js
- /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/loader-runner/lib/LoaderRunner.js
- /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack/lib/NormalModule.js
- /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/webpack-manifest-plugin/dist/index.js
- /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/react-scripts/config/webpack.config.js
- /home/juanlu/Projects/QuantumBlack/kedro-viz/node_modules/react-scripts/scripts/build.js

(@/home/juanlu/Projects/QuantumBlack/kedro-viz/src/components/app/app.css)

Your Environment

Include as many relevant details as possible about the environment you experienced the bug in:

• Operating system and version: Linux Mint 21.1
• NodeJS version used (if relevant): 16.13, 16.17, and 17
• Python version used (if relevant): 3.10

Checklist

• Include labels so that we can categorise your issue

[tynandebold]

Closed as this isn't an issue we need to solve.

[astrojuanlu]

For the record, I confirm that on my macOS Ventura I managed to get a working build installing nodejs, cairo and pango with brew.

With @rashidakanchwala we found some issues in the Makefile, I'll open a separate issue for that.

About my original problem though, I'll try to create a reproducer because I'm worried there's some weird condition with the conda provided nodejs.

[astrojuanlu]

Reported this issue upstream: conda-forge/nodejs-feedstock#296

[astrojuanlu]

I think the root cause of this issue is the fact that macOS does not use OpenSSL, but LibreSSL:

> openssl version
LibreSSL 3.3.6

and therefore it's probably not affected by the security issue that was patched in NodeJS 17 onwards. I couldn't find a reference to this, but I'm 90 % certain.

In fact, by downgrading OpenSSL to < 3 inside my micromamba environment, I was able to go ahead. Or, alternatively, export NODE_OPTIONS=--openssl-legacy-provider, as suggested all around webpack/webpack#14532.

(To clarify, I knew this workaround all along, but the point of the debugging was to understand why the exact same Node version installed in two different ways was giving different results).

From what I'm reading online, it looks like other people were able to fix the issue by upgrading to react-scripts 5, which pins a version of webpack that contains a fix for this OpenSSL problem (https://stackoverflow.com/a/71334532/554319, webpack/webpack#14584).

So I guess the actual issue is: the react-scripts version locked for Kedro-Viz requires an insecure SSL setting on systems based on OpenSSL.

https://github.com/kedro-org/kedro-viz/blob/036ffc21ec79cc667f30aeb37a7f3f18328feed1/package.json#LL119C6-L119C19

My original use case is solved because I found a workaround, but I think the issue stands, even if it mostly affects developers/contributors on Linux or using conda (nobody from the current core team). I'm renaming it for clarity, reopening it, and leaving it for your consideration @tynandebold.

[tynandebold]

Thank you for such a deep investigation.

We're in the process of upgrading React dependencies, with react-scripts being on the list. This should be fixed when that's done.

I'm going to close it again now, given that I haven't ever heard of this being an issue for anyone else in 1.5 years of working on Viz.

[astrojuanlu]

Tried this again with #1848, it now works.