MagicMirror Forum

    NPM Vulnerabilities Alert.

    Troubleshooting (Unsolved). 9 Posts, 3 Posters, 1.3k Views
    ankonaskiff17:

      I installed a module yesterday, MMM-MoonPhase, and after I ran npm install I got a whole host of alerts about high severity vulnerabilities tied to underscore.js.
      NPM also offered up a solution, npm audit fix --force, which I ran. It took me a little bit to figure out what I was being told, and I can't replicate it because it appeared to resolve those vulnerabilities.
      What I perceive the below to be telling me is that if I am using underscore from version 1.3.2 to 1.12.0, that is where the vulnerability lies. I installed underscore.js version 1.13.1, so I should be in the clear?

      pi@mirror:~/MagicMirror/modules/MMM-MoonPhase $ npm audit
      # npm audit report

      underscore 1.3.2 - 1.12.0
      Severity: high
      Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
      fix available via `npm audit fix`
      node_modules/nomnom/node_modules/underscore
      nomnom >=1.6.0
      Depends on vulnerable versions of underscore
      node_modules/nomnom

      2 high severity vulnerabilities

      To address all issues, run:
      npm audit fix

      sdetweil @ankonaskiff17:

        @ankonaskiff17 Nothing we can do to suppress the messages or fix the problems...
        many times running audit fix causes more trouble than not...

        don't do it, just ignore the messages

        Sam

        How to add modules

        learning how to use browser developers window for css changes

        ankonaskiff17 @sdetweil:

          @sdetweil Is there a way to tell what libraries, dependencies, files, whatever, a given module is using?

          sdetweil @ankonaskiff17:

            @ankonaskiff17 Well, only the top level... look in the node_helper.js for require(...)

            but you would then have to check every one of those dependencies, and those, and those, and ...

            and somewhere in there may be a change that causes a particular lib to break ...
            because breaking changes are allowed and common now

            Sam

            ankonaskiff17 @sdetweil:

              @sdetweil That MMM-MoonPhase module just seems hugely bloated compared to the rest of the modules. It's like the writer used some pre-built package to write the module and most of it is not being used.
              I was wondering how to remove some of that. I know how to comment out a line of code; is there a way to do the same at the directory level?
              It runs, so probably not worth the effort.

              mumblebaj (Module Developer) @ankonaskiff17:

                @ankonaskiff17 The module has loads of dev dependencies. You should probably only install the prod dependencies.

                {
                  "name": "MMM-MoonPhase",
                  "version": "1.0.1",
                  "description": "Todo: Insert description here!",
                  "main": "MMM-MoonPhase.js",
                  "author": "Nolan Kingdon",
                  "license": "MIT",
                  "devDependencies": {
                    "grunt": "latest",
                    "grunt-eslint": "latest",
                    "grunt-jsonlint": "latest",
                    "grunt-markdownlint": "^1.0.13",
                    "grunt-stylelint": "latest",
                    "grunt-yamllint": "latest",
                    "stylelint-config-standard": "latest",
                    "time-grunt": "latest"
                  }
                }
                

                Check out my modules at: https://github.com/mumblebaj?tab=repositories
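As an added example covering both Sam's point above about chasing require() calls down through transitive dependencies and mumblebaj's point about devDependencies (this is not code from the thread or from MagicMirror): the Python script below reads an npm package-lock.json in its lockfileVersion 2/3 "packages" layout, finds every installed copy of a package whose version falls inside the range npm audit reported (underscore 1.3.2 - 1.12.0), shows the nesting chain that pulled it in, and flags copies that are dev-only. The lockfile content is constructed for the example; to inspect a real module, load its package-lock.json instead.

```python
import json

# Constructed sample lockfile in the lockfileVersion 2/3 "packages" layout (not MMM-MoonPhase's real lock).
SAMPLE_LOCK = json.loads("""{
  "name": "MMM-MoonPhase", "lockfileVersion": 2,
  "packages": {
    "": {"devDependencies": {"grunt": "latest"}},
    "node_modules/grunt": {"version": "1.5.3", "dev": true, "dependencies": {"nomnom": "1.8.1"}},
    "node_modules/nomnom": {"version": "1.8.1", "dev": true, "dependencies": {"underscore": "~1.6.0"}},
    "node_modules/nomnom/node_modules/underscore": {"version": "1.6.0", "dev": true},
    "node_modules/underscore": {"version": "1.13.1"}
  }
}""")

def parse_version(v):
    """'1.12.0' -> (1, 12, 0); a pre-release suffix after '-' is ignored for this simple check."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def in_range(version, low, high):
    """True when low <= version <= high, i.e. inside an inclusive 'low - high' npm audit range."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)

def nesting_chain(path):
    """'node_modules/nomnom/node_modules/underscore' -> ['nomnom', 'underscore']."""
    return [p.rstrip("/") for p in path.split("node_modules/") if p.rstrip("/")]

def dependents(lock, name):
    """Installed packages whose dependencies (or devDependencies) list `name`; '<root>' is the module itself."""
    out = []
    for path, meta in lock["packages"].items():
        if name in {**meta.get("dependencies", {}), **meta.get("devDependencies", {})}:
            out.append(nesting_chain(path)[-1] if path else "<root>")
    return out

def find_vulnerable(lock, name, low, high):
    """Every installed copy of `name` inside [low, high], with the chain that pulled it in and its dev flag."""
    hits = []
    for path, meta in lock["packages"].items():
        if not path or nesting_chain(path)[-1] != name or not in_range(meta["version"], low, high):
            continue
        chain = nesting_chain(path)
        hits.append({"path": path, "version": meta["version"], "dev": bool(meta.get("dev")),
                     "chain": " > ".join(chain), "pulled_in_by": dependents(lock, chain[0])})
    return hits

def prod_exposure(hits):
    """Only the copies that ship in a production install (npm install --omit=dev drops the rest)."""
    return [h for h in hits if not h["dev"]]
```

With the sample lock, the only copy in the vulnerable range is the one nested under nomnom, pulled in by grunt, and it is dev-only, so a production-only install would not contain it.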

                sdetweil @mumblebaj:

                  @mumblebaj via

                  npm install --only=prod --omit=dev

                  the 1st (--only=prod) is the old way,
                  migrating to the new way (--omit=dev)

                  both are accepted

                  Sam

                  ankonaskiff17 @sdetweil:

                    @sdetweil Can I do that retroactively, or delete the module then reinstall with npm install --omit=dev, and that will get rid of unused directories/files?

                    I should be able to just delete the module, with no need to mess with config.js or custom.css, if that is the route to take?

                    sdetweil @ankonaskiff17:

                      @ankonaskiff17 Yes, just delete the node_modules folder in the module folder and redo the npm install.

                      no guarantee it will change the results

                      best just to ignore the messages

                      Sam
