Bump rimraf to 5.0.5 to fix DoS

[pnappa]

Older versions of rimraf transitively depended on a package called inflight, which is no longer maintained, and current has a medium severity security vulnerability associated with it. https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

Newer versions of rimraf rely on a newer version of glob, which no longer imports inflight.

Due to the differences in major version, rimraf has since changed their API. They now return promises (as opposed to callbacks), and as a result, we need to provide two functions to the .then() continuation to invoke the callback correctly (with the parameters in the correct order).

[pnappa]

Looks like the CI is failing for a couple of reasons:

• The node versions being used are ancient, none of the tested versions are supported anymore. See https://endoflife.date/nodejs
• The ubuntu image is failing to update, because the postgres package repo doesn't support the ancient ubuntu used either (18.04 is used, earliest supported by postgres is 20.04. But if you're going to update the CI, may as well make it 22.04). See http://apt.postgresql.org/pub/repos/apt/dists/ for supported distros (some are debian some are ubuntu), and https://endoflife.date/ubuntu

The readme specifies node version 8 is supported, however I don't think there is a safe version of rimraf that will work. A transitive dependency in rimraf uses newer Ecmascript features which are not supported in some older node versions. Is v8 really the minimum still? Can I suggest bumping to v18 (LTS)?

[pnappa]

FYI, the documentation in the README is incorrect. The minimum node version required is actually 10. Output from npx ls-engines:

❯ npx ls-engines
`node_modules` found; loading tree from disk...
┌────────┬─────────────────────────────────────────────────────────────────┐
│ engine │ Currently available latest release of each valid major version: │
├────────┼─────────────────────────────────────────────────────────────────┤
│ node   │ v21.4.0, v20.10.0, v19.9.0, v18.19.0, v17.9.1, v16.20.2,        │
│        │ v15.14.0, v14.21.3, v13.14.0, v12.22.12, v11.15.0, v10.24.1     │
└────────┴─────────────────────────────────────────────────────────────────┘

┌──────────────────┬───────────────────────────┐
│ package engines: │ dependency graph engines: │
├──────────────────┼───────────────────────────┤
│ "engines": {     │ "engines": {              │
│   "node": "*"    │   "node": ">= 10"         │
│ }                │ }                         │
└──────────────────┴───────────────────────────┘


┌────────┬─────────────────┬─────────────────┬──────────────────────────┐
│ engine │ current version │ valid (package) │ valid (dependency graph) │
├────────┼─────────────────┼─────────────────┼──────────────────────────┤
│ node   │ v20.3.0         │ yes!            │ yes!                     │
└────────┴─────────────────┴─────────────────┴──────────────────────────┘

Your “engines” field is missing! Prefer explicitly setting a supported engine range.

You can fix this by running `ls-engines --save`, or by manually adding the following to your `package.json`:
"engines": {
  "node": ">= 10"
}

This PR bumps the minimum node version required to 14.17:

❯ npx ls-engines
`node_modules` found; loading tree from disk...
┌────────┬─────────────────────────────────────────────────────────────────┐
│ engine │ Currently available latest release of each valid major version: │
├────────┼─────────────────────────────────────────────────────────────────┤
│ node   │ v21.4.0, v20.10.0, v19.9.0, v18.19.0, v17.9.1, v16.20.2,        │
│        │ v15.14.0, v14.21.3                                              │
└────────┴─────────────────────────────────────────────────────────────────┘

┌──────────────────┬───────────────────────────┐
│ package engines: │ dependency graph engines: │
├──────────────────┼───────────────────────────┤
│ "engines": {     │ "engines": {              │
│   "node": "*"    │   "node": ">= 14.17"      │
│ }                │ }                         │
└──────────────────┴───────────────────────────┘


┌────────┬─────────────────┬─────────────────┬──────────────────────────┐
│ engine │ current version │ valid (package) │ valid (dependency graph) │
├────────┼─────────────────┼─────────────────┼──────────────────────────┤
│ node   │ v20.3.0         │ yes!            │ yes!                     │
└────────┴─────────────────┴─────────────────┴──────────────────────────┘

Your “engines” field is missing! Prefer explicitly setting a supported engine range.

You can fix this by running `ls-engines --save`, or by manually adding the following to your `package.json`:
"engines": {
  "node": ">= 14.17"
}

I recommend we also add engines information to the package.json file, as recommended by the above outputs.

[harshagarwalsol]

any plans on this ?

[sabex]

accepting this PR would be very useful!

[cclauss]

Please insert the line - npm run update-crosswalk after line 26 of the file appveyor.yml so we can see if your tests pass.

[pnappa]

Thanks @cclauss, that fixed the build for NodeJS 14. The others are failing due to syntax errors, as expected.

I'm going to revert that commit and instead apply the patch from your PR, #709, which will update the CI to sane versions of NodeJS (and include the crosswalk fix).

Applied by:

wget https://github.com/mapbox/node-pre-gyp/pull/709.patch
git apply 709.patch

[pnappa]

Preferably, let me know when your branch merges in (if ever), and I'll remove the latest commit prior to this being merged, to keep attribution clean.

[benmccann]

I've sent an alternative fix of removing the library entirely. It would greatly reduce the number of transitive dependencies and fix a number of deprecation warnings as well. See #720

[cclauss]

Please rebase because I have merged

• Fix 647 Support Node 18 as Target #649
• Update abi_crosswalk.json to support node 22 #711

[pnappa]

No action is needed from me here anymore, right?