MagicMirror Forum


    UNSOLVED NPM Vulnerabilities Alert.

    Troubleshooting
    • ankonaskiff17:

      I installed a module yesterday, MMM-MoonPhase, and after I ran npm install I got a whole host of alerts talking about high-severity vulnerabilities tied to underscore.js.
      NPM also offered up a solution, npm audit fix --force, which I ran. It took me a little bit to figure out what I was being told, and I can’t replicate it because it appeared to resolve those vulnerabilities.
      What I perceive the below to be telling me is that if I am using underscore from version 1.3.2 to 1.12.0, that is where the vulnerability lies. I installed underscore.js version 1.13.1, so I should be in the clear?

      pi@mirror:~/MagicMirror/modules/MMM-MoonPhase $ npm audit
      # npm audit report

      underscore 1.3.2 - 1.12.0
      Severity: high
      Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
      fix available via `npm audit fix`
      node_modules/nomnom/node_modules/underscore
      nomnom >=1.6.0
      Depends on vulnerable versions of underscore
      node_modules/nomnom

      2 high severity vulnerabilities

      To address all issues, run:
      npm audit fix

      • sdetweil:

        @ankonaskiff17 nothing we can do to suppress the messages or fix the problems…
        many times running audit fix causes more trouble than not…

        don’t do it, just ignore the messages

        Sam

        Create a working config
        How to add modules

        • ankonaskiff17:

          @sdetweil Is there a way to tell what libraries, dependencies, files, whatever, that a given module is using?

          • sdetweil:

            @ankonaskiff17 well, only the top level… look in the node_helper.js for require(…)

            but you would then have to check every one of those dependencies, and those, and those and …

            and somewhere in there may be a change that causes a particular lib to break …
            cause breaking changes are allowed and common now

            Sam


            • ankonaskiff17:

              @sdetweil That MMM-MoonPhase module just seems hugely bloated compared to the rest of the modules. It’s like the writer used some pre-built package to write the module and most of it is not being used.
              I was wondering how to remove some of that; I know how to comment out a line of code. Is there a way to do the same at the directory level?
              It runs, so probably not worth the effort.

              • mumblebaj (Project Sponsor):

                @ankonaskiff17 The module has loads of dev dependencies. You should probably only install prod.

                {
                  "name": "MMM-MoonPhase",
                  "version": "1.0.1",
                  "description": "Todo: Insert description here!",
                  "main": "MMM-MoonPhase.js",
                  "author": "Nolan Kingdon",
                  "license": "MIT",
                  "devDependencies": {
                    "grunt": "latest",
                    "grunt-eslint": "latest",
                    "grunt-jsonlint": "latest",
                    "grunt-markdownlint": "^1.0.13",
                    "grunt-stylelint": "latest",
                    "grunt-yamllint": "latest",
                    "stylelint-config-standard": "latest",
                    "time-grunt": "latest"
                  }
                }
                
                • sdetweil:

                  @mumblebaj via

                  npm install --only=prod --omit=dev
                  

                  the 1st (--only=prod) is the old way
                  migrating to the new way (--omit=dev)

                  both are accepted

                  Sam


                  • ankonaskiff17:

                    @sdetweil Can I do that retroactively, or delete the module and then reinstall with npm install --omit=dev, and that will get rid of the unused directories/files?

                    I should be able to just delete the module with no need to mess with config.js or custom.css, if that is the route to take?

                    • sdetweil:

                      @ankonaskiff17 yes, just delete the node_modules folder in the module folder and redo the npm install

                      no guarantee it will change the results

                      best just to ignore the messages

                      Sam

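Added example (not code from the thread or from MagicMirror) covering two points raised above: ankonaskiff17's question of whether installing underscore 1.13.1 puts him in the clear, which the audit output answers by pointing at the nested copy under node_modules/nomnom rather than the top-level one, and the --omit=dev discussion about dev-only dependencies. It assumes a lockfileVersion 2 or 3 package-lock.json; the sample lock below is constructed, not the real MMM-MoonPhase one.

```javascript
// Added example, not from the thread or MagicMirror: scan the "packages" map of
// a package-lock.json (lockfileVersion 2/3) for every installed copy of a
// package, nested copies included, flag those in a vulnerable range and note
// whether the copy is dev-only ("dev": true), which `--omit=dev` leaves out.

// Constructed sample modelled on the thread's audit output (not the real lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "MMM-MoonPhase", dependencies: { underscore: "^1.13.1" },
          devDependencies: { nomnom: "^1.8.0" } },
    "node_modules/underscore": { version: "1.13.1" },
    "node_modules/nomnom": { version: "1.8.1", dev: true,
                             dependencies: { underscore: "~1.4.4" } },
    "node_modules/nomnom/node_modules/underscore": { version: "1.4.4", dev: true },
  },
};

// Compare two "major.minor.patch" strings numerically (prerelease tag ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Inclusive range check matching npm's "underscore 1.3.2 - 1.12.0" notation.
function inRange(version, low, high) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// One entry per installed copy of `name`, wherever it sits in the tree.
function findCopies(lock, name, low, high) {
  const copies = [];
  for (const [path, info] of Object.entries(lock.packages)) {
    if (!path.endsWith("node_modules/" + name)) continue;
    copies.push({ path, version: info.version,
                  vulnerable: inRange(info.version, low, high),
                  devOnly: info.dev === true });
  }
  return copies;
}

// The top-level 1.13.1 is clean, but nomnom's nested 1.4.4 is in range; it is
// dev-only, so an install with --omit=dev would not pull it in at all.
console.log(findCopies(SAMPLE_LOCK, "underscore", "1.3.2", "1.12.0"));
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the sample; a copy reported as vulnerable but not devOnly is the one that would survive `--omit=dev`.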
