node-soap
node-soap copied to clipboard
vpulim
Change axios back as dependency.
Hi,
The last PR (https://github.com/vpulim/node-soap/pull/1179) where axios moved as peer-dependency was a way to fix type issues with axios instance if project depending from node-soap would also use axios as their dependency and axios versions would be different.
The idea is correct, but I'm currently not sure what would be the correct fix. Correct fix is not to move axios as peer-dependency, because broke node-soap usage with npm versions lower than 7, because npm versions 3-6 will not install peer-dependencies by default. PR checks run by node-soap CI pipeline https://github.com/vpulim/node-soap/pull/1179/checks were green, because build pipeline is using node 16.13.2 which has npm 8.x and that will install peer-dependencies automatically.
Not PR related.
GitHub issues have been disabled to focus on pull requests., I wish you would enable issues again because that would allow normal way of communication. If you do not like "please help me" issues, then close those automatically or guide users to use gitter for that purpose.
Axios released new 0.25.0 version that fixes security issue in 'follow-redirects' package, I did not update axios in this PR, because I'm not sure how axios-ntlm works with different axios versions.
From some PR comments my co-worker picked up phrase something like "Because node-soap is under version 1, we can make breaking changes.". This is at-least 7 year old project and it has no good alternatives so this package IS in production use in many places and I suggest that working habits in this project get more mature. Change from request to axios caused breaking change although it was not mentioned as such. My customers project issue was caused proxy handling differencies between request and axios and fix caused over 10 000 eur cost (consultant fixing code) after this node-soap patch version upgrade.
package-lock.json changed a lot because I used node 12.18.3 that has npm 6.14.6. It is ok to develop with the latest node+npm versions, but because package.json states that node-soap is compatible with node 12.0.0+ CI pipeline should also ensure that things work with other node versions as well.
One possible workaround to type issue could be
import { IOptions } from 'soap' // with axios 0.21.1
import axios from 'axios' // our axios 0.25.0
// code
const clientOptions = {
request: axios.create({
timeout,
}) as IOptions['request'],
}
Or, (axios.create() as unknown) as IOptions['request']
The fix suggested here might cause some unexpected behavior.
The type error fix suggested here works and the user is able to "force" higher version axios to be used by this library. However, this would effectively make this library use two different versions of Axios, unless each instance is provided explicitly with the new Axios version. This is because when this library uses the default Axios, its version is still the old ^0.21.1.
So basically the fix suggested here works as intended IF all the instances of this library is provided manually with the higher version of Axios. Otherwise two different versions are used.
Axios as a peer dependency fixes this problem, but as you have pointed out, it also creates other issues.
@RopoMen can you look at the failing build issue? Maybe try updating with the latest from master?
@orgads . sorry for the late reply. can you take a look at the failing test?
What's the update on this? I can't install the new version normally:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/axios
npm ERR! axios@"^0.27.2" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer axios@"^0.21.1" from [email protected]
npm ERR! node_modules/soap
npm ERR! soap@"^0.44.0" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
If you depend on axios directly, a workaround is to add this to package.json to make soap use the same version:
"overrides": {
"soap": {
"axios": "$axios"
}
}
we'll move forward with #1188 for the time being and see how it goes in the community. thank you all!
alright, looks like users are having issues with peerDependencies. @RopoMen can you fix the build and resolve conflicts?
@jsdevel I started my summer vacation yesterday and I'm back at work 27.7. I dont have my work laptop with me.
Axios latest version also has a breaking change. It does no longer export with "default" attribute so code in lib/http.js is broken.
More info here: https://github.com/axios/axios/issues/5011
I am not able to upgrade soap, because the peerDependency doesn't allow [email protected]
Is it possible for node-soap to use axios >=0.27.2? This way 1.2.0 would be useable in combination with the latest node-soap Version
Axios latest version also has a breaking change. It does no longer export with "default" attribute so code in
lib/http.jsis broken.More info here: axios/axios#5011
This problem was fixed in Version 1.2.0.
Does anybody know of a suitable replacement module for this one? Unless axios is a dependency, this module is not usable. Our security team won't let us install axios 0.27 as a direct dependency when 1.6 is available. But this peer dependency means we can't npm install If it's a real dependency then npm will install a second version and all will work.
And since it's been so long since this module changed, I presume it's "dead" - so is there something else with an almost equivalent API?
I had fixed this in #1188 (version 0.45.0) but it was broken again by #1192 (version 1.0.0). The peer dependency has been updated on master to ^1.6.1 so simply releasing a new version of the package should be sufficient.
For those who wish to work around this in the meantime, modify package.json as mentioned here and run npm install axios. Alternatively, downgrade to 0.45.0.
New version has been released. I guess this PR is not relevant anymore? Please let me know if this is still an issue.
Still not sure peer dependency is the way to go but at least it now points to a recent version and I can actually install soap.
Do you still use old npm versions? My team is on the latest node and npm so I can't really say how important this is.
We use the latest we can of everything. That was the problem. We had axios 1.6 but soap required 0.27 and we couldn't build our software. This release solves that immediate problem but the generic issue of one module having different versioning requirements to the main project yet still using peer dependencies remains. It'll happen again one day. If axios releases v2 tomorrow, our software will break because we'll upgrade and soap may not. The truth of the OSS world is I can't force maintainers to issue updates. I rely on many modules that have not been updated in years (one of them is a reference OAUTH client I've had to rewrite from scratch because they have security holes in their submodule versions but nobody is publishing it any more ). I was pleasantly surprised when this repo was published after a year. I honestly expected to have to rewrite my code to use a new soap library. And it's all caused by the peer dependency.
Thanks for detailed response @KrayzeeKev. I don't see any problems to make it normal dependency. At least it does not look like it should introduce any problems. Do you mind raising a merge request?
I don't have much time for this project, but planning to review MRs every 1-2 weeks and publish releases.
Feel free to suggest other changes you think can be useful.
I raised another PR as it was easier https://github.com/vpulim/node-soap/pull/1237 Please comment there if you have any objections, otherwise I will include it into next release.
Change is accepted and merged in https://github.com/vpulim/node-soap/pull/1237