#Banned Dependency Detected! `leech`

Hi folks, I am trying to deploy my nodejs application on railway but it fails every time with the following message:

====================================
Banned Dependency Detected!
====================================

leech

Please remove this dependency from your project to use it on Railway

I have checked my package.json file and cannot find any direct reference to the leech. I suspect that the package may be a transitive dependency of one of the packages listed in my package.json file.

Here is a copy of my package.json file for your reference:

{ "name": "hoh-backend", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "prod": "pm2 start src/index.js", "build": "find ./src/ -name '*.js' -type f -delete && tsc", "dev": "ts-node-dev --respawn --pretty --transpile-only src/index.ts", "test": "echo \"Error: no test specified\" && exit 1", "lint": "eslint src --ext .ts" }, "keywords": [], "author": "", "license": "ISC", "dependencies": { "@pinata/sdk": "^1.1.26", "@types/node-fetch": "^2.6.2", "@types/swagger-ui-express": "^4.1.3", "canvas": "^2.9.3", "class-transformer": "^0.5.1", "class-validator": "^0.13.2", "cors": "^2.8.5", "dotenv": "^16.0.1", "ethers": "^5.6.9", "express": "^4.18.1", "helmet": "^5.1.0", "image-data-uri": "^2.0.1", "merge-images": "^2.0.0", "mongoose": "^6.4.2", "node-cron": "^3.0.1", "random-number-csprng": "^1.0.2", "reflect-metadata": "^0.1.13", "swagger-ui-express": "^4.6.0" }, "devDependencies": { "@types/cors": "^2.8.12", "@types/dotenv": "^8.2.0", "@types/express": "^4.17.13", "@types/helmet": "^4.0.0", "@types/merge-images": "^1.2.1", "@types/node": "^18.0.0", "@types/node-cron": "^3.0.2", "pm2": "^5.2.0", "ts-node-dev": "^2.0.0", "typescript": "^4.7.4" } }

Kindly guide me which of my packages could have this leech dependency problem.

5920265d-219c-411b-9a8d-028abb72d220

it would be much easier if you could provide your repo?

also, for future reference you are missing a start command, and theres no need for using pm2 on railway

see if there is the word "leech" anywhere in ur code

Yes that's correct, it is in the code in several places but the word 'leech' is part of the object properties that are essential for the project. How do I deal with it?

well there's the problem

I am using prod for start. Is it a requirement for railway?

railway doesn't check actual dependencies, it checks for if the repo contains a certain word

i think ud need to get a team member to whitelist ur repo

Ahh okay, so how do I proceed?

nah just easier, and using pm2 is redundant since railway handles restart on failure

provide a link to your repo first, they wont whitelist anything if they cant see the code

Yeah previously it was deployed on AWS. I just recently moved to railway. Thanks for the help btw.

It's a private repo. Should I add a team member there?

does it absolutely need to be private, and if so, why?

Who do I approach for the whitelisting though?

It's the client's requirement we are working for

But I can make some adjustments if it's necessary

okay then that makes it much easier

youd want to be on the teams plan as outlined in the railway docs.
ref last paragraph of this section, you have a client i.e not a hobbyist
https://docs.railway.app/reference/plans#developer-plan-offering
once you upgrade to the teams plan you will get direct support from the team and they can whitelist you

easy peasy

Ah okay makes sense. So no other way to handle this than to upgrade to team plan? I have a developer plan already though

youd want to be on the teams plan as outlined in the railway docs.
ref last paragraph of this section, you have a client i.e not a hobbyist
https://docs.railway.app/reference/plans#developer-plan-offering

From there you'll get direct help from the team. They'll be able to whitelist that dependency for you if they deem it fit

From the team plan, right?

Yes

there is no dependency, its just part of the code

Ah I misread, I saw the req.txt at the top and thought it was a dependency. The team will be able to give you an exception for sure then, but you still should be on the teams plan

Given that you're using the service commercially, the teams plan is required

Okay I understand the solution. Thanks guys for your help. Much appreciated.

Happy to help

Hey there, I have tried contacting the team but not getting a response regarding this issue. Might know any other way to reach out to them other than the email?

when did u send the email?

you could have removed the word by now lol

@hollow spire they can't

2 days ago

Yeah I wish I could but that's an essential part of the project

base 64 encode the word

and then decode it

I was already thinking that yesterday

._.

so ur telling them to monkeypatch instead of getting the actual problem done

no we are both joking

...

I mean I included a trollface so

I thought it was pretty clear

they just have to wait for a team member to answer their email in the coming weekdays, nothing we can do

they just have to wait for *angelo to *suffer in the cooking weekdays

nothing we can do

They sent an email on Friday (a holiday in NA), the US has a holiday on Monday afaik

You'll have to wait

the team is celebrating not working by not working

I see, thanks for the help

I am still waiting though

lol

though my advice still stands, upgrade to teams account for direct support from the team

Okay so how does that work, I upgrade and I would have an option to directly contact some engineer?

you have clients, it's recommended you be on the teams account anyway, but that's all I'll say and I'll let the team enforce that

you would get dedicated support from a team member with a team account yes

I have no problem upgrading but I am worried if it would still be the same after upgrading and if they still won't respond

Okay let's go with it then

I will upgrade now and see if that solves the problem

don't expect instant responses though, they are still a team of something like 15 supporting a userbase of what 500k users?

you will have to show your codebase to them obviously, and having to add them to your private repo is not going to speed up the process for you

Not a big problem to temporarily make the repo public.

But let's get the upgrade first

perfect, do that before you email them so that there's less back and forth

and I'd also just like to state that I'm making no guarantees what-so-ever on if the team will whitelist your repo, they might find it risky for other reasons and deny your request, just a little disclaimer from me

Yeah that's something I need to worry about too. Thanks man

no problem, I wish you success!

I have upgraded to teams plan now, how do I get access to the private channel now?

Hey there, I can make that channel for you right now!

Sorry for the delay