Conversation

@amanraj2520 (Contributor) commented Jun 6, 2022

Upgrade node and yarn version and fix npm security issues in Tez UI module
Track this issue:
https://issues.apache.org/jira/browse/TEZ-4419

The RFC documentation that adds selective dependency resolution: https://github.com/yarnpkg/rfcs/blob/master/implemented/0000-selective-versions-resolutions.md

…fix the vulnerability

[TEZ-4423][CVE-2021-44906] Upgrade minimist version from 0.0.8 to 1.2.6 to fix the vulnerability
[TEZ-4422][CVE-2021-43138] Upgrade async from 2.3.0 to 2.6.4 to fix the vulnerability
….1.2. The cryptiles 4.1.2 version requires node version>=8.9.0
… cryptiles 4.1.2 version and upgrade lodash.merge version to 4.6.2 to fix vulnerability
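A check a reviewer can run against the module's yarn.lock to confirm that the floors listed in this description actually took effect after the `resolutions` change; this is an added example, not code from the Tez PR. It parses the yarn.lock v1 format directly and flags any entry still resolving below the fixed versions named above (the sample lockfile text is constructed).

```javascript
// Added example, not part of the Tez PR: scan a yarn.lock (v1 format) for the
// packages this PR pins and report entries still below the fixed version.
const MIN_FIXED = { minimist: "1.2.6", async: "2.6.4", "lodash.merge": "4.6.2", cryptiles: "4.1.2" };

// yarn.lock v1: an unindented header such as `minimist@0.0.8, minimist@^0.0.8:`
// is followed by an indented `  version "0.0.8"` line.
function parseYarnLock(text) {
  const resolved = []; // { name, version }
  let currentNames = null;
  for (const line of text.split("\n")) {
    if (!line.startsWith(" ") && line.endsWith(":")) {
      // Drop the colon, split the comma-separated specs, strip optional quotes and
      // cut at the last "@" so scoped names (@scope/pkg) keep their leading "@".
      currentNames = line.slice(0, -1).split(",").map((s) => {
        const spec = s.trim().replace(/^"|"$/g, "");
        return spec.slice(0, spec.lastIndexOf("@"));
      });
    } else if (currentNames && /^\s+version\s+"/.test(line)) {
      const version = line.match(/"([^"]+)"/)[1];
      for (const name of new Set(currentNames)) resolved.push({ name, version });
      currentNames = null;
    }
  }
  return resolved;
}

// Numeric compare of major.minor.patch; negative when a < b.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Lockfile entries that resolve below the required floor.
function findOutdated(lockText, minimums = MIN_FIXED) {
  return parseYarnLock(lockText).filter(
    ({ name, version }) => name in minimums && cmpVersion(version, minimums[name]) < 0
  );
}

// Constructed sample lockfile: minimist and lodash.merge are still too old.
const SAMPLE_LOCK = `minimist@0.0.8, minimist@^0.0.8:
  version "0.0.8"
"async@^2.6.4":
  version "2.6.4"
lodash.merge@^4.6.0:
  version "4.6.1"
`;
```

Run `findOutdated` on the real `tez-ui/src/main/webapp/yarn.lock` contents to see which pins the `resolutions` block has not yet propagated into the lockfile.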
@tez-yetus

💔 -1 overall

| Vote | Subsystem | Runtime | Comment |
|---|---|---|---|
| +0 🆗 | reexec | 17m 36s | Docker mode activated. |
| | | | _ Prechecks _ |
| +1 💚 | dupname | 0m 0s | No case conflicting files found. |
| +1 💚 | @author | 0m 0s | The patch does not contain any @author tags. |
| -1 ❌ | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| | | | _ master Compile Tests _ |
| +0 🆗 | mvndep | 6m 40s | Maven dependency ordering for branch |
| +1 💚 | mvninstall | 10m 38s | master passed |
| +1 💚 | compile | 3m 39s | master passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | compile | 3m 30s | master passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | javadoc | 2m 55s | master passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javadoc | 2m 21s | master passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| | | | _ Patch Compile Tests _ |
| +0 🆗 | mvndep | 0m 16s | Maven dependency ordering for patch |
| +1 💚 | mvninstall | 5m 42s | the patch passed |
| +1 💚 | compile | 3m 31s | the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javac | 3m 31s | the patch passed |
| +1 💚 | compile | 3m 13s | the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | javac | 3m 13s | the patch passed |
| +1 💚 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 💚 | xml | 0m 3s | The patch has no ill-formed XML file. |
| +1 💚 | javadoc | 2m 46s | the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javadoc | 2m 24s | the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| | | | _ Other Tests _ |
| +1 💚 | unit | 1m 57s | tez-ui in the patch passed. |
| +1 💚 | unit | 66m 51s | root in the patch passed. |
| +1 💚 | asflicense | 1m 25s | The patch does not generate ASF License warnings. |
| | | 136m 40s | |

| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-215/1/artifact/out/Dockerfile |
| GITHUB PR | #215 |
| JIRA Issue | TEZ-4419 |
| Optional Tests | dupname asflicense javac javadoc unit xml compile |
| uname | Linux 5aeefad56750 4.15.0-175-generic #184-Ubuntu SMP Thu Mar 24 17:48:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | personality/tez.sh |
| git revision | master / cf9e3ff |
| Default Java | Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| Multi-JDK versions | /usr/lib/jvm/java-11-openjdk-amd64:Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| Test Results | https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-215/1/testReport/ |
| Max. process+thread count | 2089 (vs. ulimit of 5500) |
| modules | C: tez-ui . U: . |
| Console output | https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-215/1/console |
| versions | git=2.25.1 maven=3.6.3 |
| Powered by | Apache Yetus 0.12.0 https://yetus.apache.org |

This message was automatically generated.

@guptanikhil007 (Contributor)
@abstractdog @rbalamohan
Can you please help with the review?

pom.xml Outdated
<protoc.path>${env.PROTOC_PATH}</protoc.path>
<scm.url>scm:git:https://gitbox.apache.org/repos/asf/tez.git</scm.url>
<frontend-maven-plugin.version>1.4</frontend-maven-plugin.version>
<frontend-maven-plugin.version>1.8.0</frontend-maven-plugin.version>
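Review bot: the bump to 1.8.0 on this line is what decides the Maven prerequisite, and the thread below shows the next release tried (1.12.1) already demands Maven 3.6.0; record that constraint in the pom itself (a maven-enforcer-plugin requireMavenVersion rule is the usual place) so a future plugin upgrade fails at the start of the build with a clear message rather than partway through the tez-ui module.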
Contributor

Please change this to 1.12.1

Contributor Author

When we change the version to anything higher than 1.8.0, this is the error in the build pipeline: "The plugin com.github.eirslett:frontend-maven-plugin:1.12.1 requires Maven version 3.6.0". @guptanikhil007

Contributor

Cool, then let's go with 1.8.0 only.

<configuration>
<nodeVersion>${nodeVersion}</nodeVersion>
<yarnVersion>v0.21.3</yarnVersion>
<yarnVersion>v1.6.0</yarnVersion>
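Review bot: v1.6.0 is sufficient for the selective dependency resolutions (the `resolutions` field) that the description relies on, since that RFC was implemented in the Yarn 1.x line, but it is an early 1.x release; consider pinning the latest 1.x release instead, and make sure yarn.lock is regenerated with the new yarn and committed alongside this change, otherwise the pinned floors for minimist, async, lodash.merge and cryptiles are not reflected in what the build actually installs.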
Contributor

Please mention the RFC which adds selective dependency resolution in the description.

@tez-yetus

💔 -1 overall

| Vote | Subsystem | Runtime | Comment |
|---|---|---|---|
| +0 🆗 | reexec | 1m 31s | Docker mode activated. |
| | | | _ Prechecks _ |
| +1 💚 | dupname | 0m 0s | No case conflicting files found. |
| +1 💚 | @author | 0m 0s | The patch does not contain any @author tags. |
| -1 ❌ | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| | | | _ master Compile Tests _ |
| +0 🆗 | mvndep | 6m 29s | Maven dependency ordering for branch |
| +1 💚 | mvninstall | 10m 36s | master passed |
| +1 💚 | compile | 3m 38s | master passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | compile | 3m 26s | master passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | javadoc | 2m 56s | master passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javadoc | 2m 19s | master passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| | | | _ Patch Compile Tests _ |
| +0 🆗 | mvndep | 0m 17s | Maven dependency ordering for patch |
| +1 💚 | mvninstall | 5m 41s | the patch passed |
| +1 💚 | compile | 3m 26s | the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javac | 3m 26s | the patch passed |
| +1 💚 | compile | 3m 13s | the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | javac | 3m 13s | the patch passed |
| +1 💚 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 💚 | xml | 0m 2s | The patch has no ill-formed XML file. |
| +1 💚 | javadoc | 2m 45s | the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javadoc | 2m 22s | the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| | | | _ Other Tests _ |
| +1 💚 | unit | 1m 57s | tez-ui in the patch passed. |
| +1 💚 | unit | 66m 0s | root in the patch passed. |
| +1 💚 | asflicense | 1m 26s | The patch does not generate ASF License warnings. |
| | | 119m 16s | |

| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-215/2/artifact/out/Dockerfile |
| GITHUB PR | #215 |
| JIRA Issue | TEZ-4419 |
| Optional Tests | dupname asflicense javac javadoc unit xml compile |
| uname | Linux 87e1cf18bf86 4.15.0-175-generic #184-Ubuntu SMP Thu Mar 24 17:48:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | personality/tez.sh |
| git revision | master / cf9e3ff |
| Default Java | Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| Multi-JDK versions | /usr/lib/jvm/java-11-openjdk-amd64:Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| Test Results | https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-215/2/testReport/ |
| Max. process+thread count | 1383 (vs. ulimit of 5500) |
| modules | C: tez-ui . U: . |
| Console output | https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-215/2/console |
| versions | git=2.25.1 maven=3.6.3 |
| Powered by | Apache Yetus 0.12.0 https://yetus.apache.org |

This message was automatically generated.

<webappDir>src/main/webapp</webappDir>

<nodeVersion>v5.12.0</nodeVersion>
<nodeVersion>v8.9.0</nodeVersion>
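Review bot: v8.9.0 is exactly the floor that cryptiles 4.1.2 imposes (per the commit message above), which leaves the UI build on a Node line that was already end-of-life when this PR was opened; the trace further down also shows that the Node 16 attempt fails because the transitive `temp` package calls os.tmpDir(), which throws a TypeError, whereas the Buffer() message is only a DeprecationWarning, so the blocker for moving past v8 is that unmaintained dependency rather than Buffer usage in the UI code.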
Member

Maybe we can try with v16?
https://nodejs.org/en/about/releases/

Contributor Author

@slachiewicz When I update the node version to 16.15.1, this is the error that I get:
yarn run v1.6.0
(node:2298) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use node --trace-deprecation ... to show where the warning was created)
$ TMPDIR=tmp node/node ./node_modules/ember-cli/bin/ember build -prod

exports.dir = path.resolve(os.tmpDir());
^

TypeError: os.tmpDir is not a function
at Object.<anonymous> (/home/tez-ui/src/main/webapp/node_modules/temp/lib/temp.js:273:45)
at Module._compile (node:internal/modules/cjs/loader:1105:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)
at Module.require (node:internal/modules/cjs/loader:1005:19)
at require (node:internal/modules/cjs/helpers:102:18)
at Object.<anonymous> (/home/amanraj2520/Repositories/wildfire-tez/tez-ui/src/main/webapp/node_modules/ember-cli/lib/tasks/install-blueprint.js:7:21)
at Module._compile (node:internal/modules/cjs/loader:1105:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

Contributor Author

What I think this error means is that we need to replace all occurrences of new Buffer() with either Buffer.alloc() or Buffer.from(). Let me know your thoughts.

Member

Probably the stack should be upgraded. I commented on Node's version because 16 is currently the LTS version. I don't have experience with frontend tools.

Contributor Author

Yes, that's true, but I think it will be another big change. I think we should make this change first and then work on upgrading the stack. Any thoughts? @abstractdog @slachiewicz

@abstractdog (Contributor)

Thanks guys for taking care of security issues in Tez!
I can see that TEZ-4419 is an umbrella with lots of subtasks.
If we're tracking fixes on separate JIRAs, we might want to fix them in separate PRs/commits too. If possible, can you please do this accordingly?
I'm adding contributor rights for all of you to the Tez project in JIRA; feel free to assign tickets to yourselves.

@abstractdog (Contributor) commented Nov 17, 2022

TEZ-4419 is resolved, so I think we can close this PR.
Please reopen if I'm wrong.
