Loopback getting error - Major change in User validatePassword function in the same release itself (3.0.0)

I am using loopback 3.0.0, and I have set up a new server recently, about one week ago. For that, I have ran the command npm install by putting the package.son file.

But in that installed files, the node_modules/loopback/common/user.js module has changed with major changes.

Egs:

Old file:

// Copyright IBM Corp. 2014,2016. All Rights Reserved.
  User.validatePassword = function(plain) {
    var err;
    if (plain && typeof plain === 'string' && plain.length <= MAX_PASSWORD_LENGTH) {
      return true;
    }
    if (plain.length > MAX_PASSWORD_LENGTH) {
      err = new Error(g.f('Password too long: %s', plain));
      err.code = 'PASSWORD_TOO_LONG';
    } else {
      err =  new Error(g.f('Invalid password: %s', plain));
      err.code = 'INVALID_PASSWORD';
    }
    err.statusCode = 422;
    throw err;
  };

New File:

// Copyright IBM Corp. 2014,2018. All Rights Reserved.
User.validatePassword = function(plain) {
        var err;
        if (!plain || typeof plain !== 'string') {
          err = new Error(g.f('Invalid password.'));
          err.code = 'INVALID_PASSWORD';
          err.statusCode = 422;
          throw err;
        }

        // Bcrypt only supports up to 72 bytes; the rest is silently dropped.
        var len = Buffer.byteLength(plain, 'utf8');
        if (len > MAX_PASSWORD_LENGTH) {
          err = new Error(g.f('The password entered was too long. Max length is %d (entered %d)',
            MAX_PASSWORD_LENGTH, len));
          err.code = 'PASSWORD_TOO_LONG';
          err.statusCode = 422;
          throw err;
        }
      };

I have developed my code with the same version but with old code which they have provided in the same version(3.0.0.). Here you can see, in the new code there is no return statement, so the code is infinitely waiting for the return and being time out. In both places the package.json file contains the same version: "loopback": "^3.0.0"

I hope it's not recommended to copy the node_modules from our developement server to production server.

So how can we handle these type of issues?

When specifying a version number in the package.json there are a few different ways https://docs.npmjs.com/files/package.json#dependencies:

The way you have is the default, ^ which means

compatible with version

So ^3.0.0 will only install 3.0.0 if it is the latest minor and fix versions otherwise it will take whatever the latest version of loopback is on that day. Today that is 3.19.3.

The issue was introduced in version v3.10.1(thanks @vasan) so locally maybe you had version 3.10.0 then on the server you had 3.10.1

There is a good explanation about the version numbers in this question What's the difference between tilde(~) and caret(^) in package.json?

I would suggest using an exact version, i.e. 3.19.3 then using a service like rennovate, https://github.com/renovate-bot, to update your project to keep up to date with security patches

There is also another guard against this, package-lock.json https://docs.npmjs.com/files/package-lock.json introduced in version 5 of npm. If you check this file in it will make sure that wherever you run npm install the exact version of the npm module is installed wherever you run it.

Recommended topics

Hot tags