
npm install vulnerabilities



  • I don’t know why, but I always get vulnerability errors on every npm install.

    I have tried the following steps.

    “npm rebuild”
    “npm uninstall --save-dev mocha-logger”
    “npm install --save-dev mocha-logger@latest”
    “npm install minimist@latest”
    “npm update”

    I have also deleted the entire MagicMirror and tried to install it again twice, but I still get the same error.
    I have also reinstalled Raspbian Buster three times, and I still get the same error.

    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Low           │ Prototype Pollution                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ minimist                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ mocha-logger [dev]                                           │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ mocha-logger > mocha > mkdirp > minimist                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://npmjs.com/advisories/1179                            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Low           │ Prototype Pollution                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ minimist                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ spectron [dev]                                               │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ spectron > webdriverio > optimist > minimist                 │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://npmjs.com/advisories/1179                            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    

    What’s worse is that when I try to install another module, npm install gives me more vulnerability errors.

    I’m an absolute beginner, and I don’t really know what I’m doing wrong. Please help me. This mirror thingy is slowly driving me insane.



  • @OneAsianTortoise those are just warnings. Most times you can’t do anything about them.

    Some fixes will break MagicMirror



  • @sdetweil Noted! Thanks.


  • Module Developer

    @OneAsianTortoise I wouldn’t do much about it either. As @sdetweil said, they are only warnings. Your mirror will run with these warnings.
    What I think is unproblematic is running:

    npm audit fix
    

    These are automatic fixes on the vulnerabilities that are obvious for the system.
    I haven’t heard of anyone breaking their software doing this.



  • @lavolp3 npm audit fix won’t fix them, but I’m glad to hear that I don’t really have to do anything with them now :D.
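
One way to read a report like the one in this thread before deciding whether anything needs fixing, as an added example that is not from the thread or the MagicMirror project: it parses the `npm audit` table text and groups findings by advisory, which shows the two minimist entries are a single advisory reached through two dev-only test dependencies. The sample text is constructed, and its third table (`example-lib`, `example-app`, the `example.invalid` URL) is hypothetical.

```javascript
// Added example, not MagicMirror or npm code. SAMPLE is constructed: the first two
// tables mirror the thread's report (borders dropped); the third is hypothetical.
const SAMPLE = `
│ Low           │ Prototype Pollution                          │
│ Package       │ minimist                                     │
│ Dependency of │ mocha-logger [dev]                           │
│ Path          │ mocha-logger > mocha > mkdirp > minimist     │
│ More info     │ https://npmjs.com/advisories/1179            │
│ Low           │ Prototype Pollution                          │
│ Package       │ minimist                                     │
│ Dependency of │ spectron [dev]                               │
│ Path          │ spectron > webdriverio > optimist > minimist │
│ More info     │ https://npmjs.com/advisories/1179            │
│ High          │ Hypothetical Issue                           │
│ Package       │ example-lib                                  │
│ Dependency of │ example-app                                  │
│ Path          │ example-app > example-lib                    │
│ More info     │ https://example.invalid/advisory             │
`;
const SEVERITIES = ["Low", "Moderate", "High", "Critical"];

// One object per table; a severity in the first column starts a new finding.
function parseAudit(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const m = line.match(/^\s*│\s*(.*?)\s*│\s*(.*?)\s*│\s*$/);
    if (!m) continue; // border rows, blank lines, surrounding prose
    if (SEVERITIES.includes(m[1])) findings.push({ Severity: m[1], Title: m[2] });
    else if (findings.length) findings[findings.length - 1][m[1]] = m[2];
  }
  return findings;
}

// Group by advisory so one advisory reached via several paths is counted once,
// and record whether every path to it goes through a devDependency.
function triage(findings) {
  const byAdvisory = new Map();
  for (const f of findings) {
    const key = `${f.Package} ${f["More info"]}`;
    const a = byAdvisory.get(key) ||
      { package: f.Package, severity: f.Severity, parents: [], devOnly: true };
    a.parents.push(f.Path.split(" > ")[0]); // top-level package that pulls it in
    if (!/\[dev\]$/.test(f["Dependency of"])) a.devOnly = false;
    byAdvisory.set(key, a);
  }
  return [...byAdvisory.values()];
}

console.table(triage(parseAudit(SAMPLE)));
```

Rows with `devOnly: true` come from test tooling rather than packages the running mirror needs; rows with `devOnly: false` are the ones to review first.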

