sails: Sails incompatible with recent, secure connect-mongo

Node version:
Sails version (sails): 1.4.2
ORM hook version (sails-hook-orm): 3.0.2
Sockets hook version (sails-hook-sockets): N/A
Organics hook version (sails-hook-organics): N/A
Grunt hook version (sails-hook-grunt): N/A
Uploads hook version (sails-hook-uploads): N/A
DB adapter & version (e.g. sails-mysql@5.55.5): sails-mongo 2.0.0
Skipper adapter & version (e.g. skipper-s3@5.55.5): N/A


The sails session config doc currently suggests using connect-mongo 1.1.0. That version is over five years old, and npm audit says that it has dependencies with high severity vulnerabilities that can be fixed by upgrading to connect-mongo@4.4.1. I tried upgrading to connect-mongo 4.4.1 and saw the following error when lifting:

error: Failed to lift app: Error: Encountered error attempting to instantiate a session store using the installed version of `connect-mongo` (a session adapter).
Raw error from the session adapter:
---
TypeError: Class constructor MongoStore cannot be invoked without 'new'
    at afterMaybeConnectToRedis (/my-app/node_modules/sails/lib/hooks/session/index.js:405:33)
    at maybeConnectToRedis (/my-app/node_modules/sails/lib/hooks/session/index.js:295:22)
    at setupAdapter (/my-app/node_modules/sails/lib/hooks/session/index.js:353:13)
    at Hook.initialize (/my-app/node_modules/sails/lib/hooks/session/index.js:435:9)
    at Hook.wrapper [as initialize] (/my-app/node_modules/@sailshq/lodash/lib/index.js:3250:19)
    at /my-app/node_modules/sails/lib/hooks/index.js:122:20
    at /my-app/node_modules/sails/node_modules/async/dist/async.js:421:16
    at processQueue (/my-app/node_modules/sails/node_modules/async/dist/async.js:1565:20)
    at taskComplete (/my-app/node_modules/sails/node_modules/async/dist/async.js:1588:9)
    at /my-app/node_modules/sails/node_modules/async/dist/async.js:1612:17
    at /my-app/node_modules/sails/node_modules/async/dist/async.js:906:16
    at Hook.<anonymous> (/my-app/node_modules/sails/lib/hooks/index.js:178:14)
    at Hook.wrapper [as loadModules] (/my-app/node_modules/@sailshq/lodash/lib/index.js:3250:19)
    at modules (/my-app/node_modules/sails/lib/hooks/index.js:86:25)
    at runTask (/my-app/node_modules/sails/node_modules/async/dist/async.js:1621:13)
    at /my-app/node_modules/sails/node_modules/async/dist/async.js:1559:13

which seems to make some sense given changes in connect-mongo initialization from v3 to v4. Could sails be made compatible with current versions of connect-mongo?

About this issue

  • State: open
  • Created 3 years ago
  • Comments: 18 (6 by maintainers)
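The TypeError in the report is what Node raises when an ES6 class is called as a plain function. The sketch below is an added example, not code from Sails or connect-mongo: `legacyExport`, `MongoStore`, `fakeSession`, `legacyInstantiate` and `instantiateStore` are constructed stand-ins that only mimic a factory-style export and a class-style export, and it assumes the loading code calls the adapter export as a function, as the stack trace suggests.

```javascript
// Constructed stand-ins: they mimic two export shapes, not the real packages.
const fakeSession = { Store: function Store() {} }; // stands in for express-session

// Factory-style export: takes the session module, returns a store constructor.
function legacyExport(session) {
  function LegacyStore(options) {
    session.Store.call(this);
    this.options = options;
  }
  LegacyStore.prototype = Object.create(session.Store.prototype);
  return LegacyStore;
}

// Class-style export: an ES6 class with a static create() helper.
class MongoStore {
  constructor(options) { this.options = options; }
  static create(options) { return new MongoStore(options); }
}

// Call pattern that only works with the factory shape.
function legacyInstantiate(adapterExport, session, options) {
  const Store = adapterExport(session); // throws when adapterExport is a class
  return new Store(options);
}

// Hypothetical loader that accepts either shape. The source-text check does
// not recognise classes transpiled down to functions.
function instantiateStore(adapterExport, session, options) {
  const src = Function.prototype.toString.call(adapterExport);
  if (/^class\s/.test(src)) {
    return typeof adapterExport.create === 'function'
      ? adapterExport.create(options)
      : new adapterExport(options);
  }
  const Store = adapterExport(session);
  return new Store(options);
}

// Returns the error raised by the factory-only call pattern, or null.
function reproduce() {
  try {
    legacyInstantiate(MongoStore, fakeSession, { ttl: 60 });
    return null;
  } catch (err) {
    return err;
  }
}
```

`reproduce()` returns the same "cannot be invoked without 'new'" TypeError shown in the lift output, while `instantiateStore` builds a store from either export shape.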

Most upvoted comments

I’ve been using it in production for almost a year with both MongoDB Community 6 and MongoDB Atlas Serverless. It looks safe and stable to me. I didn’t even have a warning related to MongoDB or Waterline.

@DominusKelvin can you help me create a development path, so I can create a PR with the needed corrections on official libs and docs with a definitive solution to make Sails support the latest MongoDB again?

@eashaw I just saw this issue and took over a project that used the ‘connect-mongo’ package. Tracking the issue down, I noticed that Sails uses express-session. After looking through the list of adapters (link below), there is an alternative package called ‘connect-mongodb-session’ which does work, doesn’t need any additional configuration, and can be substituted in for ‘connect-mongo’ if the developer or team is using MongoDB for sessions.

Here’s a full list of all adapters supported by express-session: https://github.com/expressjs/session#compatible-session-stores

Hey @Goostavo, I will communicate next steps on this one shortly.

@eashaw I believe that the package sails-mongo-cloud should be merged into sails-mongo with a new major version, as it’s an updated fork. We can talk to the maintainer to unify the efforts into a new sails-mongo package.