MagicMirror Forum

NPM Vulnerabilities Alert.

Troubleshooting (Unsolved)
9 Posts 3 Posters 1.3k Views 3 Watching
ankonaskiff17 (May 18, 2022, 4:53 PM):

I installed a module yesterday, MMM-MoonPhase, and after I ran npm install I got a whole host of alerts talking about high-severity vulnerabilities tied to underscore.js.
NPM also offered up a solution, npm audit fix --force, which I ran. It took me a little bit to figure out what I was being told, and I can't replicate it because it appeared to resolve those vulnerabilities.
What I perceive the below to be telling me is that if I am using underscore from version 1.3.2 to 1.12.0, that is where the vulnerability lies. I installed underscore.js version 1.13.1, so I should be in the clear?

    pi@mirror:~/MagicMirror/modules/MMM-MoonPhase $ npm audit
    # npm audit report

    underscore 1.3.2 - 1.12.0
    Severity: high
    Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via `npm audit fix`
    node_modules/nomnom/node_modules/underscore
    nomnom >=1.6.0
    Depends on vulnerable versions of underscore
    node_modules/nomnom

    2 high severity vulnerabilities

    To address all issues, run:
    npm audit fix

sdetweil, replying to ankonaskiff17 (May 18, 2022, 5:34 PM):

      @ankonaskiff17 nothing we can do to suppress the messages or fix the problems…
      many times running audit fix causes more trouble than not…

      don’t do it, just ignore the messages

      Sam

      How to add modules

      learning how to use browser developers window for css changes

ankonaskiff17, replying to sdetweil (May 18, 2022, 6:52 PM):

@sdetweil Is there a way to tell what libraries, dependencies, files, whatever, a given module is using?

sdetweil, replying to ankonaskiff17 (May 18, 2022, 6:56 PM):

@ankonaskiff17 Well, only the top level… look in the node_helper.js for require(…).

But you would then have to check every one of those dependencies, and those, and those, and …

And somewhere in there may be a change that causes a particular lib to break …
because breaking changes are allowed and common now.

ankonaskiff17, replying to sdetweil (May 18, 2022, 7:51 PM):

@sdetweil That MMM-MoonPhase module just seems hugely bloated compared to the rest of the modules. It's like the writer used some pre-built package to write the module and most of it is not being used.
I was wondering how to remove some of that. I know how to comment out a line of code; is there a way to do the same but at the directory level?
It runs, so probably not worth the effort.

mumblebaj (Module Developer), replying to ankonaskiff17 (May 19, 2022, 4:04 PM):

              @ankonaskiff17 The module has loads of dev dependencies. You should probably only install prod.

              {
                "name": "MMM-MoonPhase",
                "version": "1.0.1",
                "description": "Todo: Insert description here!",
                "main": "MMM-MoonPhase.js",
                "author": "Nolan Kingdon",
                "license": "MIT",
                "devDependencies": {
                  "grunt": "latest",
                  "grunt-eslint": "latest",
                  "grunt-jsonlint": "latest",
                  "grunt-markdownlint": "^1.0.13",
                  "grunt-stylelint": "latest",
                  "grunt-yamllint": "latest",
                  "stylelint-config-standard": "latest",
                  "time-grunt": "latest"
                }
              }
              

              Check out my modules at: https://github.com/mumblebaj?tab=repositories

sdetweil, replying to mumblebaj (May 19, 2022, 4:07 PM):

@mumblebaj via

npm install --only=prod --omit=dev

the 1st (--only=prod) is the old way,
migrating to the new way (--omit=dev)

both are accepted

ankonaskiff17, replying to sdetweil (May 19, 2022, 6:24 PM):

@sdetweil Can I do that retroactively, or delete the module and then reinstall with npm install --omit=dev, and that will get rid of the unused directories/files?

I should be able to just delete the module & no need to mess with config.js or custom.css if that is the route to take?

sdetweil, replying to ankonaskiff17 (May 19, 2022, 6:36 PM):

@ankonaskiff17 Yes, just delete the node_modules folder in the module folder and redo the npm install.

                    no guarantee it will change the results

                    best just to ignore the messages

                    MagicMirror created by Michael Teeuw.
                    Forum managed by Sam, technical setup by Karsten.