No matching version found for ecstatic@^3.0.0 #521

Closed
Blackbaud-SteveBrush opened this issue May 2, 2019 · 25 comments
Labels
high priority Very important bug or security fix

Comments

@Blackbaud-SteveBrush

After typing `npm install` I get the following:

```
No matching version found for ecstatic@^3.0.0
```

@Blackbaud-SteveBrush
Author

I'm only seeing one version on ecstatic's npmjs.org page; that can't be good:
https://www.npmjs.com/package/ecstatic

@thornjad
Member

thornjad commented May 2, 2019

Looks like ecstatic unpublished all but the latest version. However, the latest version has breaking changes which totally breaks right now #520

see: jfhbrook/node-ecstatic#255

@thornjad added the high priority (Very important bug or security fix) label May 2, 2019
@Blackbaud-ShaydeNofziger

https://www.npmjs.com/advisories/830

Open Redirect vuln was the cause of removals.

@jonkoops

jonkoops commented May 2, 2019

@thornjad Do we have a list of breaking changes? If we can set up a branch I can pitch in fixing some of them

@jonkoops

jonkoops commented May 2, 2019

@thornjad I see there are some changes that might have some impact in the changelog:

- Remove ability to set mime types with a .types file
- Removes default charset of utf8 - if you need this, try using a custom charset lookup function
- Upgrade mime module to v2, use charset module for charset detection

I suspect that the change is indeed in the mimetype and charset handling somewhere. I'm running some tests as well.

@thornjad
Member

thornjad commented May 2, 2019

@jonkoops if you find anything, make a PR against the branch in #522, that way we can coordinate

@jonkoops

jonkoops commented May 2, 2019

Will do. Right now I am just as confused though 🤔

@thornjad
Member

thornjad commented May 2, 2019

For the immediate issue of a lack of ecstatic v3, jfhbrook/node-ecstatic#256

@thornjad pinned this issue May 2, 2019
@nolman

nolman commented May 2, 2019

Is a release of http-server that uses a fixed branch/release of node-ecstatic planned?

@thornjad
Member

thornjad commented May 2, 2019

@nolman #522. When jfhbrook/node-ecstatic#256 releases, it should also fix the redirect vulnerability.

trotzig added a commit to happo/happo.io that referenced this issue May 2, 2019
A dependency of http-server was removed from npm. As a result, all
http-server installations currently fail. While we wait for a fix, we
can temporarily remove our usage of http-server. Only the `happo debug`
command is affected, which I think is okay.

Fixes #73

See http-party/http-server#521 for context.
@nolman

nolman commented May 2, 2019

This was blocking our CI pipeline. I created a fork of this library on NPM with the fix backported. If someone else is stuck on this, you can install it via `npm i http-server-legacy` or `yarn add http-server-legacy`.

@briandiaz

Thanks @nolman
I was waiting for a solution.

@kshitijmjoshi

Thanks @nolman

@mrstux

mrstux commented May 3, 2019

Well, this just neatly took down our entire CI pipeline... where the server is not even spun up. It also meant any developers running local dev servers who were unfortunate enough to have to re npm install were stopped dead.

I know it's not http-server's fault, but at a minimum I think for something like this ecstatic should have at least provided an update to 3.x.x which was usable.

Thanks to @nolman for http-server-legacy, we now appear to be unblocked.

@gbabula

gbabula commented May 3, 2019

This also broke all of our builds during an unfortunate time... If you are using http-server for running examples or something like we were, avoid adding it as a dependency and use an npm script & npx instead. At least in that case it would be protected and only fail if someone ran the npm script directly and not on all npm install runs.


Old

```json
"scripts": {
  "serve": "http-server --cors -c-1 -o -p 9966 example -a localhost"
}
```

New

```json
"scripts": {
  "serve": "npx http-server-legacy --cors -c-1 -o -p 9966 example -a localhost"
}
```

Thanks @nolman for the quick turnaround 👍

pancelor added a commit to pancelor/sokosoko that referenced this issue May 3, 2019
@mkg20001

mkg20001 commented May 3, 2019

An idea would be to release a new version of http-server that depends directly on the ecstatic repository, with the commit being used to reference the right version.
This should offer a temporary workaround.

@PRicardo

PRicardo commented May 3, 2019

I have tried `npm i http-server-legacy`. It worked to install, but it is not working to run the server. As I'm new to front end development, maybe I'm doing something wrong. Is `http-server` the correct command?

@gdurazzo

gdurazzo commented May 3, 2019

The same for me: I have tried `npm i http-server-legacy`, but it is not working to run the server.

@thornjad
Member

thornjad commented May 3, 2019

@nolman thank you so much for getting http-server-legacy patched and out there! This is a huge help!

@PRicardo, @gdurazzo and anyone else, to use it as a temporary fix, replace any calls to http-server with npx http-server-legacy.

@thornjad
Member

thornjad commented May 3, 2019

Ecstatic has published a version 3.3.2 (jfhbrook/node-ecstatic#256 (comment))! I just tested, and http-server should install now!

However, because of all this, in the future we may want to replace ecstatic. I've started working on a fork of ecstatic which we may be able to use. I'm still getting CI running, though, and I haven't published yet.

For now, all should be back to normal

@thornjad closed this as completed May 3, 2019
@dotpanic

dotpanic commented May 3, 2019

I confirm that CI build is working back with new 3.3.2 version

@knperi

knperi commented May 3, 2019

npm install apiconnect still fails with ecstatic 3.3.1 dependency

```
npm ERR! notarget No matching version found for ecstatic@3.3.1
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

$ npm ls ecstatic
npm WARN deprecated samsam@1.1.2: This package has been deprecated in favour of @sinonjs/samsam
apiconnect@4.0.16 /Users/kailash/.nvm/versions/node/v8.15.1/lib/node_modules/apiconnect
├─┬ apiconnect-explorer@2.2.6
│ └─┬ http-server@0.11.1
│   └── UNMET DEPENDENCY ecstatic@^3.0.0
└── UNMET DEPENDENCY ecstatic@^3.3.2

npm ERR! missing: ecstatic@^3.3.2, required by apiconnect@4.0.16
npm ERR! missing: ecstatic@^3.0.0, required by http-server@0.11.1
```
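
The resolution failures reported in this thread can be reproduced offline. The following is an added example, not code from npm, http-server or ecstatic: a minimal caret/exact range matcher run against constructed registry states. The version lists are assumptions, and `4.0.0` is a placeholder for the breaking latest major, which the thread does not number.

```javascript
// Added example: minimal caret/exact range matching, not npm's semver library.
// Handles plain x.y.z versions only (no prerelease tags, no other operators).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// ^x.y.z accepts versions >= x.y.z that keep the left-most non-zero part fixed.
function satisfies(version, range) {
  const v = parse(version);
  if (!range.startsWith('^')) return compare(v, parse(range)) === 0;
  const min = parse(range.slice(1));
  if (compare(v, min) < 0) return false;
  const pivot = min.findIndex((n) => n !== 0);
  const fixed = pivot === -1 ? 3 : pivot + 1;
  return min.slice(0, fixed).every((n, i) => v[i] === n);
}

// Highest published version satisfying the range, or null (npm: "notarget").
function resolve(published, range) {
  const hits = published.filter((v) => satisfies(v, range));
  hits.sort((a, b) => compare(parse(b), parse(a)));
  return hits.length ? hits[0] : null;
}

// Constructed registry states; 4.0.0 is a placeholder, not a real version claim.
const afterUnpublish = ['4.0.0'];
const afterRepublish = ['3.3.2', '4.0.0'];

function report() {
  return {
    caretDuringOutage: resolve(afterUnpublish, '^3.0.0'),
    caretAfterFix: resolve(afterRepublish, '^3.0.0'),
    caret332AfterFix: resolve(afterRepublish, '^3.3.2'),
    exactPinAfterFix: resolve(afterRepublish, '3.3.1'),
  };
}

console.log(report());
```

A caret range recovers as soon as any compatible version is republished, while an exact pin on an unpublished version stays unresolvable until the dependent package changes its pin or installs from a lockfile backed by a registry mirror or cache.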

@stephanos199

For anyone that might have the same issue I had. I could not use npx because my container wouldn't download packages after it was deployed for some restrictions set by the ops team. I changed the Dockerfile to contain something like this

```dockerfile
RUN apk add git && npm install -g http-server-legacy
```

but the ENTRYPOINT remained the same like this

```dockerfile
ENTRYPOINT [ "http-server" ]
```

thanks again to @nolman for the fix it worked out great for me and my team.

@gdurazzo

gdurazzo commented May 3, 2019

@thornjad
I'm having this error "ERR_INVALID_REDIRECT", is this normal?
It happens for the updated version and for http-server-legacy.

@thornjad
Member

thornjad commented May 3, 2019

@gdurazzo #525
