http-server: No matching version found for ecstatic@^3.0.0

After typing npm install I get the following:

No matching version found for ecstatic@^3.0.0

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 66
  • Comments: 25 (7 by maintainers)

Commits related to this issue

Most upvoted comments

This was blocking our CI pipeline, I created a fork of this library on NPM with the fix back ported if someone else is stuck on this you can install it via npm i http-server-legacy or yarn install http-server-legacy

+33
nolman on May 2, 2019

Ecstatic has published a version 3.3.2 (https://github.com/jfhbrook/node-ecstatic/pull/256#issuecomment-489097810)! I just tested, and http-server should install now!

However, because of all this, in the future we may want to replace ecstatic. I’ve started working on a fork of ecstatic which we may be able to use. I’m still getting CI running, though, and I haven’t published yet.

For now, all should be back to normal

+18
thornjad on May 3, 2019

Looks like ecstatic unpublished all but the latest version. However, the latest version has breaking changes which totally breaks right now #520

see: jfhbrook/node-ecstatic#255

+13
thornjad on May 2, 2019

An idea would be to release a new version of http-server that depends directly on the estatic repository, with the commit being used to reference the right version. This should offer a temporary workaround.

+6
mkg20001 on May 3, 2019

@nolman thank you so much for getting http-server-legacy patched and out there! This is a huge help!

@PRicardo, @gdurazzo and anyone else, to use it as a temporary fix, replace any calls to http-server with npx http-server-legacy.

+3
thornjad on May 3, 2019

This also broke all of our builds during an unfortunate time… If you are using http-server for running examples or something like we were, avoid adding it as a dependency and use an npm script & npx instead. At least in that case it would be protected and only fail if someone ran the npm script directly and not on all npm install runs.

Old

"scripts": {
  "serve": "http-server --cors -c-1 -o -p 9966 example -a localhost"
}

New

"scripts": {
  "serve": "npx http-server-legacy --cors -c-1 -o -p 9966 example -a localhost"
}

Thanks @nolman for the quick turnaround 👍

+3
gbabula on May 3, 2019

@nolman #522. When jfhbrook/node-ecstatic#256 releases, it should also fix the redirect vulnerability.

+3
thornjad on May 2, 2019

Well, this just neatly took down our entire CI pipeline… where the server is not even spun up. It also meant any developers running local dev servers who were unfortunate enough to have to re npm install were stopped dead.

I know its not http-server’s fault, but at a minimum I think for something like this ecstatic should of at least provided an update to 3.x.x which was usable.

thanks to @nolman for http-server-legacy, we now appear to be unblocked

+2
mrstux on May 3, 2019

@thornjad I see there are some changes that might have some impact in the changelog:

- Remove ability to set mime types with a .types file
- Removes default charset of utf8 - if you need this, try using a custom charset lookup function
- Upgrade mime module to v2, use charset module for charset detection

I suspect that the change is indeed in the mimetype and charset handling somewhere. I’m running some tests as well.

+1
jonkoops on May 2, 2019
Read more comments on GitHub
← http-server: --cors not working
http-server: Proxy option leads to uncaught exception if passed without protocol →