node.bcrypt.js: Problem with bcrypt's 'node-pre-gyp' dependency

Encountered error

When I execute this esbuild command:

esbuild index.ts --bundle --platform=node --target=es2020 --outdir=${npm_package_config_buildpath}

I encounter the following error:

[ERROR] Could not resolve "mock-aws-s3"
    node_modules/@mapbox/node-pre-gyp/lib/util/s3_setup.js:43:28:
      43 │     const AWSMock = require('mock-aws-s3');

[ERROR] Could not resolve "aws-sdk"
    node_modules/@mapbox/node-pre-gyp/lib/util/s3_setup.js:76:22:
      76 │   const AWS = require('aws-sdk');

Analysis

As you can see, the bcrypt lib is using the node-pre-gyp:1.0.10 dependency that has a s3_setup.js production file that contains mock-aws-s3 (a testing library) and aws-sdk … does bcrypt need that? Isn’t this a security issue?

Question

Am I really supposed to embbed mock-aws-s3 and aws-sdk dependencies in order to use bcrypt?

The bcrypt README file does not tell to install these AWS dependencies
If these AWS dependencies are required, maybe bcrypt should add them in its packge.json dependencies block, no?

My env: NodeJS: v16.17.1 on Ubuntu 20.04 LTS, I’m using npm + esbuild

Thanks

About this issue

Original URL
State: closed
Created 2 years ago
Reactions: 11
Comments: 26

Commits related to this issue

fix(core): use bcryptjs instead of bcrypt (https://github.com/kelektiv/node.bcrypt.js/issues/964) — committed to RoxaVN/roxavn by woody146 a year ago

Most upvoted comments

Yeah, we don’t have control over what node-pre-gyp is doing.

We are trying to move away from node-pre-gyp and use prebuildify, should land in v6 which is due soon.

How soon will this happen?

+12

Joepolymath on Oct 23, 2022

Yeah, we don’t have control over what node-pre-gyp is doing.

We are trying to move away from node-pre-gyp and use prebuildify, should land in v6 which is due soon.

+12

recrsn on Oct 11, 2022

No work around for this, no?

Hi @Aid19801 , for me the solution was to use bcryptjs (it’s bcrypt with pure JS implementation)

Advantages:

Completely fits bcrypt contract, I just had to change the dependency from bcrypt to bcryptjs in package.json, zero code to change
Implementation is pure JS, there’s no problem related to third party dependencies

Drawbacks:

bcryptjs is slower than bcrypt, but the bcrypt algorithm is slow in general. That drawback wasn’t really a problem for me because I already execute the bcrypt algorithm in a AWS Lambda Authorizer which has a 5 minutes cache

eau-de-la-seine on Jan 17, 2023

Still having this issue 😄

Intevel on Dec 20, 2023

No work around for this, no?

Aid19801 on Nov 21, 2022

Sen help please, I’m stuck too.

enmanuelmag on Jan 11, 2024

… and same here

ezeamin on Oct 18, 2023

Yeah, we don’t have control over what node-pre-gyp is doing. We are trying to move away from node-pre-gyp and use prebuildify, should land in v6 which is due soon.

Any word on a fix? I’m having the most frustrating time bundling my app with esbuild because of this. Anybody find a workaround that does not require changing my dependencies, etc.?

joshuagraber on Jan 11, 2023