[binding-coap] node-aead-crypto package not being installed for node 10+ leads to problems #136

Closed
adriankast opened this issue Nov 4, 2019 · 13 comments
Labels
binding-coap Issues related to coap protocol binding bug Something isn't working

Comments

@adriankast

Setup

  • node 10.16.3
  • npm 6.12.1
  • Windows 10 (but also found on macOS and Linux)
  • Vue project with electron-builder addon
  • @node-wot/binding-coap 0.6.2 (also found with 0.6.3-SNAPSHOT.2)

Doing

  • npm install
  • npm run electron:build (calls vue-dev tool script that launches the electron-builder in production mode)

OR

  • npm install
  • npm run electron:serve (same as above, but in development mode)

Problem

The build fails with the error message:

ERROR Failed to compile with 1 errors
This dependency was not found:

  • node-aead-crypto in ./node_modules/node-dtls-client/build/lib/AEADCrypto.js

Notes

  • During npm install, the following output appears:

node-aead-crypto is no longer needed on NodeJS 10+

...

npm WARN notsup Unsupported engine for node-aead-crypto@2.1.4: wanted: {"node":">4 <10"} (current: {"node":"10.16.3","npm":"6.12.1"})
npm WARN notsup Not compatible with your version of node/npm: node-aead-crypto@2.1.4

...

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: node-aead-crypto@2.1.4 (node_modules\node-aead-crypto):
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: node-aead-crypto@2.1.4 install: node lib/install.js

  • npm ls node-aead-crypto:

myPackage@0.0.1 C:\pathToMyPackage
-- @node-wot/binding-coap@0.6.2
-- node-coap-client@1.0.0
-- node-dtls-client@0.5.6
-- UNMET OPTIONAL DEPENDENCY node-aead-crypto@2.1.4

  • The latest version of the node-dtls-client is 0.5.6 (already shipped with binding-coap).

Workaround

A quick fix is force-installing the crypto package. Adding it to your own package doesn't do the trick, because npm will then throw an error at npm install, as your own package requires a package that should not be needed anymore. So npm install -f node-aead-crypto helps (and removing node-aead-crypto from your own package list if you commit your package.json).

@danielpeintner
Member

There have been issues in the past around node-aead-crypto (see https://github.com/eclipse/thingweb.node-wot#trouble-shooting).

We do not depend on node-aead-crypto directly (at least I cannot find it in our package.json's). It is pulled through node-coap-client -> node-dtls-client -> node-aead-crypto.

Hence, I am not sure what is the best solution.
Any opinion/proposal?

There is a later version for node-coap-client (1.0.0 vs 1.0.2). Not sure if it helps?

@adriankast
Author

I don't think the latest version of node-coap-client will help, because it still depends on node-dtls-client in version 0.5.6 (which is the latest). I guess the problem is caused by the way node-dtls-client "includes" the optional dependency and can only be solved there. So I would suggest waiting (or contributing to node-dtls-client) until it can be fixed by updating, in order to make the information regarding the problem accessible to other users who are facing the same problem.

@AndreMaz

AndreMaz commented Nov 5, 2019

Sorry to intrude, updating to the latest version of node-coap-client should solve the issue.
From Changelog:

1.0.1 (2018-11-04)
(AlCalzone) Rework the installation procedure. node-aead-crypto is now optional.


Anyway, @danielpeintner it would be awesome if you and the WoT Working Group could get in contact with the Node.js devs and ask them to implement DTLS. The DTLS discussion started in 2015 but unfortunately didn't produce any results. Without proper DTLS support it will be difficult to have secure CoAP clients.

@adriankast
Author

adriankast commented Nov 5, 2019

Thanks for the hint, but I think the changelog refers to the fact that they changed the node-dtls-client dependency from ^0.5.4 to ^0.5.6 (diff 1.0.0 to 1.0.1). Still, we could of course give it a try.

@danielpeintner
Member

I updated node-coap-client dependency, see ff40db5

Let's give it a try.

> Anyway, @danielpeintner it would be awesome if you and the WoT Working Group could get in contact with the Node.js devs and ask them to implement DTLS. The DTLS discussion started in 2015 but unfortunately didn't produce any results. Without proper DTLS support it will be difficult to have secure CoAP clients.

Anyone can open an issue on their side/repo or work on a PR. Feel free to go ahead!

@adriankast
Author

With binding-coap version 0.7.0-SNAPSHOT.2 that uses node-coap-client@1.0.2, the issue still exists.

@AndreMaz

AndreMaz commented Nov 5, 2019

> With binding-coap version 0.7.0-SNAPSHOT.2 that uses node-coap-client@1.0.2, the issue still exists.

Well, at least we tried 🙂

> Anyone can open an issue on their side/repo or work on a PR. Feel free to go ahead!

Been there, done that... but didn't get any positive response. I thought that maybe WoT WG's authority could move things forward... Anyway, it was just an idea.

@danielpeintner
Member

> Been there, done that... but didn't get any positive response. I thought that maybe WoT WG's authority could move things forward... Anyway, it was just an idea.

I don't think there is anything we can do right now.
I guess the best way to move forwards is to get a PR prepared for the desired updates...

@egekorkan
Member

The implementation where we faced this issue is now open source: https://github.com/tum-esi/wade and the problem still persists...

@egekorkan
Member

For a future brave soul who stumbles upon this, a workaround is to add a postinstall script that comments out some lines in the dtls package. You can see an example at https://github.com/tum-esi/wade/blob/master/postinstall.js and also below in case the script moves somewhere else:

const fs = require("fs");
const PATH_AEAD = "./node_modules/node-dtls-client/build/lib/AEADCrypto.js";
// Comment out lines in node-dtls-client
let lines = [""];
try {
    lines = fs.readFileSync(PATH_AEAD).toString().split("\n");
    console.log("Read file " + PATH_AEAD + " successfully");
} catch (err) {
    console.error(err);
    return; // top-level return is valid in a CommonJS script; nothing to patch
}

// Prefix the lines at zero-based indices 51-54 with "// ", skipping lines
// that are already commented out or that do not exist in a shorter file
for (let i = 51; i < 55; i++) {
    if (lines[i] !== undefined && !lines[i].startsWith("// ")) lines[i] = "// " + lines[i];
}

let text = lines.join("\n");

fs.writeFile(PATH_AEAD, text, function (err) {
    if (err) return console.log(err);
    else console.log("Written to file " + PATH_AEAD + " successfully");
});

Probably, the issue should be left open since the root of the problem is still there. We think this shows up when a bundler like webpack tries to resolve dependencies and thinks this is needed and installs it.
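
A guarded variant of the line-range patch in the comment above, as an added example that is not part of the thread or of node-dtls-client: it refuses to modify the file unless the targeted lines really contain the require of node-aead-crypto, so an upstream change to the DTLS crypto module makes the install fail loudly instead of silently commenting out unrelated lines. `SAMPLE`, `commentOutRange` and `stillRequires` are hypothetical names, and `SAMPLE` is a constructed stand-in because the real AEADCrypto.js is not shown on this page.

```javascript
"use strict";
// Added example, not code from the thread or from node-dtls-client.
// SAMPLE is a constructed stand-in for the relevant part of AEADCrypto.js.
const SAMPLE = [
  "exports.native = true;",
  "if (!exports.native) {",
  '    const aead = require("node-aead-crypto");',
  "    exports.encrypt = aead.encrypt;",
  "}",
  "exports.ready = true;",
].join("\n");

// True if the line contains a require() of moduleName (either quote style).
function requiresModule(line, moduleName) {
  return line.includes(`require("${moduleName}")`) ||
         line.includes(`require('${moduleName}')`);
}

// Comment out zero-based lines [start, end) only if that range really holds
// the require() of moduleName; otherwise throw so the install step fails.
function commentOutRange(source, start, end, moduleName) {
  const lines = source.split("\n");
  if (start < 0 || end > lines.length || start >= end) {
    throw new RangeError(`range ${start}-${end} does not fit a ${lines.length}-line file`);
  }
  if (!lines.slice(start, end).some((l) => requiresModule(l, moduleName))) {
    throw new Error(`lines ${start}-${end} do not require ${moduleName}; refusing to patch`);
  }
  for (let i = start; i < end; i++) {
    // Idempotent: a second run leaves already-commented lines alone.
    if (!lines[i].startsWith("// ")) lines[i] = "// " + lines[i];
  }
  return lines.join("\n");
}

// True if any uncommented line still requires the module after patching.
function stillRequires(source, moduleName) {
  return source.split("\n").some(
    (l) => !l.trimStart().startsWith("//") && requiresModule(l, moduleName)
  );
}

const patched = commentOutRange(SAMPLE, 1, 5, "node-aead-crypto");
console.log(patched);
console.log("active require left:", stillRequires(patched, "node-aead-crypto"));
```

In a real postinstall script the range and file path would be the ones from the workaround above; the check turns a shifted line offset into a failed install rather than a quietly altered crypto file.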

@danielpeintner
Member

@egekorkan do you know whether this is still an issue or has been fixed by now?

We use node-coap-client@1.0.8 at the moment.

@relu91 relu91 added binding-coap Issues related to coap protocol binding bug Something isn't working labels Oct 5, 2021
@egekorkan
Member

I can test it properly once it is published on npm :)

@danielpeintner
Member

Old issue w.r.t. Node.js v10 which is no longer supported -> closing
