Skip to main content

react-scripts and npm audit

Written by michael

Running the npx script create-react-app installs the react-scripts module when it does its work, but the various scripts therein often have one or more vulnerabilities in them, according to npm audit. This is a bit distracting, because you would normally never want to see any warnings or errors from an audit, especially when you haven’t even written any code.

People regularly report these problems to the create-react-app developers, but it turns out to be unnecessary in most cases. The developers close most of the reports, with the following explanation.

The npm audit tool runs over all of the installed npm modules that you have, but it really only needs to be run against the code that would run in production, not all of the npm modules. It’s not really a denial-of-service vulnerability, for example, if a module only executes when you occasionally run it during development on your machine. The react-scripts is just such a module of scripts, and it should be excluded from both production dependencies and production audits.

For the first, in your package.json file, move react-scripts from the dependencies section to a new section called devDependencies:

"devDependencies" : {
    "react-scripts" : "4.0.3"
}

Then, when you run your audit, specify the –production option:

npm audit --production

Hopefully, if you’re running a modern version of the modules, your audit should be clean after these changes.

dailygrind, Uncategorized, utilities

Windows Pointer Schemes

Written by michael

As increasing numbers of applications provide the dark mode color scheme that I prefer, I have sometimes found that the standard black pointer caret can become nearly invisible against a dark background. I’ve gone crazy looking for color overrides in those applications with no success, but I recently found a mention somewhere about changing the pointer scheme in Windows to use icons that are more compatible with dark colors.

For every Windows box I have ever used, I have used the default mouse pointer and caret options. It never even occurred to me that there might be other icon sets, called schemes, that you could use instead.

Sure enough, if you open the Mouse Properties dialog in Windows, and select the Pointers tab, you will see a bunch of alternative pointer schemes. Some of these, notably the Windows Black variants, work really well on dark backgrounds. They do this by surrounding the black pointers and carets with an outline of white. When you are over a standard white background, you simply see the the black cursor. But, over a dark background, the white clearly stands out. My problem has been solved!

dailygrind, Uncategorized

Getting Back to React

Written by michael

After a year or so away from my first big React lesson, I decided I wanted to try diving back in again. I took pretty good notes the first time around, and figured I could get back up to speed pretty quick. I was mostly wrong.

It wasn’t React’s fault, though. It was purely a function of a year passing and technology moving forward.

The web hosting where I kept some of my notes got moved to a new server, and something broke the images beyond the common permissions fix. WordPress doesn’t output any helpful debugging info about why it can’t show its images (Devs, you should always output something when you hit internal errors…), so it took me a while to get everything back up and running (URLs and WP subdirs are a bit tricky to sort out, so I cloned the site with Softaculous to a subdir, deleted the original site, cloned the clone back to the original URL, and then deleted the first clone – worked a trick!)

Meanwhile, the new server also meant I had to learn the new DirectAdmin client that replaced the venerable cPanel client. A couple of tickets were needed with my hosting provider to add back settings that had fallen through the cracks during the migration.

Then I had to figure out dumb things – things that the curse of knowledge had made me overlook in my earlier note taking. For example, where I had put the source code. How I started up Visual Studio Code.

The worst though, was getting npm updated and running again. As you can imagine, there were a lot of pretty out of date modules, some so much so that there were very significant problems running the updates. The dependency calculations bogged down into spinning with no progress, and I started getting errors about lock files. I finally had to resort to obliterating my node_modules directory and reinstalling from scratch.

Fortunately, that also took care of the complaints GitHub’s Dependabot, another of the year’s tech introductions, was making about a few of the module versions in my package.json file.

Finally, I’m starting in on a new React course – not because the old one was bad, but because it’s already somewhat out of date with the state of React, for example that some of the lifecycle methods became unsafe, and caused me some problems in my sample app.

It just goes to show in neon lights how very fast software development keeps moving and how you can’t let your attention wander for a minute.

dailygrind, philosophy

My Proxy Rabbit Hole

Written by michael

While working on my React class, I was following an example that attempted to HTTP POST to a dummy REST API web site. It wasn’t working and I could see in the dev tools that I was getting errors on the console from the browser about a CORS problem.

CORS, which stands for Cross Origin Resource Sharing, is a security measure built into a browser that causes it to refuse to make calls to an API in a domain that is different from the domain that the web app making the call was loaded from. Thus, if you load an app from someapp.com (localhost, in my case) and try to call an API on someotherdomain.com (the dummy site, in my case) the browser will block it, unless someotherdomain exchanges certain headers with the browser that says it will accept such calls.

In my situation, the dummy site alleged they were providing the correct headers, so I suspected the issues getting them were caused by the site being proxied behind a DDOS protection gateway. That, or I wasn’t doing something correctly.

When I started reading up about the problem on the Web, I started to come across a variety of articles and posts that provided an alternative best practice for making HTTP calls from a web app. Their core idea is to send all calls back to the web app itself, which then proxies them out to other domains. That way, the app, not the browser, is making the calls and thus there are no CORS issues.

The standard way to proxy in a React app, I discovered, is to load and instantiate http-proxy-middleware, and then attach it to the Express app to be used in particular contexts – meaning, for particular URL routes. I was able to get this working up to a point, but then ran into additional problems with the gateway.

The problems were related to my using HTTPS from my app to the gateway and on to the dummy site. The gateway was using Server Name Indication (SNI) as part of the cert negotiation in their TLS handshake, but my proxy middleware was sending localhost, not the dummy site, as the target server name because localhost was the actual target of the original request. Though I searched high and low for an option on the middleware to change this, I couldn’t find anything similar to what the -servername option to the openssl s_client does.

Thus, I went the next deeper step and installed an nginx web server on my machine and got it to successfully reverse proxy GETS from my browser to the dummy site using config like:

location /datasource/ {
    proxy_pass https://example.com/endpoint/;
    proxy_ssl_server_name on;
}

I went back into my React app and removed the proxy middleware for the app and, instead, simply configured the package.json file to proxy all HTTP calls to the nginx server. The nginx server would then proxy those calls out to the gateway, which, in turn, would proxy to the dummy site. QED.

In the end, I decided I liked this approach better compared to the proxy middleware, because I could completely control the proxying and HTTP aspects of my app without needing to change code and rebuild and redeploy. Not to mention that nginx provides far more powerful control than the middleware ever could.

I think my next step to take this to production would be to dockerize my app and the nginx server and then try using docker-compose to bring everything up together.

craft

Plugin DOM manipulation collisions

Written by michael

I have a number of browser plugins and many of them operate by manipulating the DOM for a page before rendering. This morning I noticed that one plugin had added its small, clickable icon right over the top of a different small clickable icon, right justified in a form input text box. The result was that there was no way (that I could figure out…) to get at the underlying icon. I’m not enough of a front end guy to know how difficult this layout glitch is to avoid, but it seems like someone didn’t anticipate there could be other elements in the text box, or they needed to take better care to position relative to any such elements.

craft

Fictitious Data

Written by michael

While entering some dummy data into some code for testing, I got to thinking about the 555 fictitious phone number in the US and whether or not there is an equivalent value for email and domain names.

It turns out that IANA has reserved the domain example.com and the top level domain .example for fictitious purposes.

It also turns out that numbers beginning with 555 do actually exists in many cases. The only reserved range (within all US area codes) is 555-01xx. Also, in plenty of other places in the world, 555 is a perfectly working prefix. There really isn’t a single value you can use that is guaranteed.

Thus, for fictitious phone and email , the first value I’m going to use are 818-555-0123 and jdoe@example.com

craft

Forgetting

Written by michael

It’s amazing how easy it is to forget the things you just learned. After working on my online React class, I had a couple weeks away from it and I could barely remember how to start things, even after taking pretty good notes. Actually, it’s a good lesson to me that I wrote so much down, or I would have nearly needed to start over from scratch.

They say it takes approximately 66 days to form a habit, or repeating something about 50 times. Need to work on this stuff more often.

dailygrind

Setup for Learning React

Written by michael

All these instructions are for Windows 10.

  1. Download and install Visual Studio Code from Microsoft.
  2. Download and install node.js
  3. Download and install git-scm (this will also install git-bash)
  4. I’ll be using Chrome as my browser, so go to the Chrome store and install react developer tools and redux developer tools. Once installed, they will show up under Chrome’s developer tools (ctrl-shift-I).
  5. Set up SSH on Github and your Windows git-bash shell. See this post for instructions.
  6. Run VSC from within the SSH environment inside git-bash. The first time you run it, install the following extensions:
  7. Open the source code management (SCM) mode in VSC (Ctrl-Shift-G) and connect the VSC project to the repo’s clone URL and then select a location for the local repo. I chose to put all my repos under ~\Documents\src\git\heteromeles
  8. To start the Live Server extension, find the HTML file you want it to start serving, right click it, and choose the Open with Live Server options. This will open Chrome and/or a new tab and serve the file on localhost.
  9. Edit your HTML and JS files as needed – every time you save, the changes will automatically mirror live onto the opened tab.
  10. From git-bash shell:
    1. If first time, set up create-react-app from git-bash
      1. npm –version to make sure npm is installed
      2. npm install -g create-react-app to install
    2. Run create-react-app <appname> and the app will be created in directory ~/<appname>
    3. cd ~/<appname> to go to the created app
    4. code . to start up VSC for the app
    5. npm start will then start the app in the browser
dailygrind

Taking Notes

Written by michael

It’s not just scientists that need to take good notes in their lab notebooks. Every day as a software engineer you are figuring out code, determining processes, making decisions, and learning detailed concepts. How many of you are documenting all this, though, writing things down as you go so that others, and even your future self, can benefit from all this hard work?

I challenge you to approach things much more like a scientist or (real) engineer does and start keeping a lab notebook and also publishing your results. It can all be virtual, of course, and probably should be to be searchable and to maximize its visibility to others and across your devices.

Taking a course? Write down your notes. Figure out how to make something work? Write down your notes. Listening in on a meeting? Write down your notes. Working on a project? Write down your notes.

This might be one of the most important skills you can learn.

craft, philosophy

Your Product is More Than Your Service

Written by michael

As a software developer, it’s easy to forget you have customers. I mean, of course you know you have customers. But, without the personal interactions you get as, for example, a retail salesperson or a restaurant waiter, you may need to remind yourself that your seemingly abstract actions and choices have very real effects on people. Pay attention to times when you’re annoyed or disadvantaged by the choices of the software you rely upon, and resolve to avoid committing the same offenses against those that depend on you.

I was reminded of this advice this morning as I went to pull up the O’Reilly Media Learning site to continue my React class and all I saw was this…

https://learning.oreilly.com/home/

On the one hand, fair enough. Live services occasionally need downtime and early on a Saturday morning is probably a reasonable time for it. But, notice there is no indication of when the service would likely be restored. They provide a hint that the downtime will be quick, but 2 hours later, with no updates provided, “…in a flash” seems simply disingenuous. This is clearly more than a simple platform restart. Speaking of updates, there are no warnings of upcoming maintenance, or even status messages of any kind, on O’Reilly’s social media feeds. I took their advice and tried pinging the support email, but you just get an impersonal robo-response and I doubt I’ll see anything further until the outage is over when I’ll get an equally impersonal “Thanks for your patience while we work hard to improve your experience. All services have now been restored.” response.

This is just crappy, lazy work from O’Reilly. It turns me from being mildly frustrated at, yet understanding of, the disruption of my plans to being actively irritated and thinking of ways to broadly share my negative experience.

Let’s take it to heart as a lesson in what not to do, and focus on how to be better developers. Make sure you build your muscles for communicating with your customers, using all the available mechanisms. Give them fair warning, multiple times and far enough in advance that they can act on it. Be transparent about what is going on, even if an outage is unscheduled or you don’t have a resolution ETA. Don’t suggest support channels if you’re not prepared to respond appropriately. Mostly, remember that your product is not simply the normal functioning of your service, but the small quality of life touches that go along with it and make the customer experience worth coming back to.

craft, philosophy