NPM Vulnerabilities Alert.
-
I installed a module yesterday, MMM-MoonPhase, and after I ran npm install I got a whole host of alerts talking about high severity vulnerabilities tied to underscore.js.
NPM also offered up a solution, npm audit fix --force, which I ran. It took me a little bit to figure out what I was being told and I can’t replicate because it appeared to resolve those vulnerabilities.
What I perceive the below to be telling me is that if I am using underscore from version 1.3.2 to 1.12.0 that is where the vulnerability lies. I installed underscorejs version 1.13.1 so I should be in the clear?

pi@mirror:~/MagicMirror/modules/MMM-MoonPhase $ npm audit
# npm audit report

underscore 1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via `npm audit fix`
node_modules/nomnom/node_modules/underscore
nomnom >=1.6.0
Depends on vulnerable versions of underscore
node_modules/nomnom

2 high severity vulnerabilities

To address all issues, run:
npm audit fix
-
@ankonaskiff17 nothing we can do to suppress the messages or fix the problems…
many times running audit fix causes more trouble than not… don’t do it, just ignore the messages
-
@sdetweil Is there a way to tell what libraries, dependencies, files, whatever, that a given module is using?
-
@ankonaskiff17 well, only the top level… look in the node_helper.js for require(…)
but you would then have to check every one of those dependencies, and those, and those and …
and somewhere in there may be a change that causes a particular lib to break …
cause breaking changes are allowed and common now
-
@sdetweil That MMM-MoonPhase module just seems hugely bloated compared to the rest of the modules. It’s like the writer used some pre-built package to write the module and most of it is not being used.
Was wondering how to remove some of that. I know how to comment out a line of code. Is there a way to do the same but at the directory level?
It runs so probably not worth the effort.
-
@ankonaskiff17 The module has loads of dev dependencies. You should probably only install prod.
{
  "name": "MMM-MoonPhase",
  "version": "1.0.1",
  "description": "Todo: Insert description here!",
  "main": "MMM-MoonPhase.js",
  "author": "Nolan Kingdon",
  "license": "MIT",
  "devDependencies": {
    "grunt": "latest",
    "grunt-eslint": "latest",
    "grunt-jsonlint": "latest",
    "grunt-markdownlint": "^1.0.13",
    "grunt-stylelint": "latest",
    "grunt-yamllint": "latest",
    "stylelint-config-standard": "latest",
    "time-grunt": "latest"
  }
}
-
@mumblebaj via
npm install --only=prod --omit=dev
the 1st (--only=prod) is the old way, migrating to the new way (--omit=dev)
both are accepted
-
@sdetweil Can I do that retroactively, or delete the module then reinstall with
npm install --omit=dev
and that will get rid of unused directories/files? I should be able to just delete the module & no need to mess with config.js or custom.css if that is the route to take?
-
@ankonaskiff17 yes just delete the node modules folder in the module folder and redo the npm install
no guarantee it will change the results
best just to ignore the messages
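The two questions in this thread (whether the top-level underscore 1.13.1 is "in the clear" when the audit flags underscore 1.3.2 - 1.12.0, and how to tell which dependency pulls a library in) can both be answered from the lockfile rather than the audit summary. The script below is an added example, not code from the thread or from MMM-MoonPhase: it walks a constructed lockfile-v2 style "packages" map that mirrors the audit output above, lists every installed copy of the advisory package, checks each version against the advisory range, and reports whether the copy is dev-only. The lockfile contents and the assumption that nomnom arrives as a dev dependency are constructed for the example.

```javascript
// Added example (not from the thread). Walks an npm lockfile-v2 style
// "packages" map to find every installed copy of a package, report which
// copies fall inside an advisory's vulnerable range, and whether each copy
// is dev-only (and would therefore disappear with --omit=dev).
// CONSTRUCTED lockfile: mirrors the paths in the thread's npm audit output.
const lockfile = {
  packages: {
    "": { dependencies: { underscore: "^1.13.1" }, devDependencies: { nomnom: "^1.6.0" } },
    "node_modules/underscore": { version: "1.13.1" },
    "node_modules/nomnom": { version: "1.8.1", dev: true, dependencies: { underscore: "~1.6.0" } },
    "node_modules/nomnom/node_modules/underscore": { version: "1.6.0", dev: true },
  },
};

// Advisory GHSA-cf4h-3jhx-xvhq as shown in the audit output: underscore 1.3.2 - 1.12.0
const advisory = { name: "underscore", low: "1.3.2", high: "1.12.0" };

// Numeric major.minor.patch comparison (no semver library needed for plain versions).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when version lies inside the inclusive advisory range [low, high].
function inRange(version, low, high) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// One entry per installed copy of adv.name: { path, version, vulnerable, dev }.
// Nested copies (node_modules/<parent>/node_modules/<name>) are matched too,
// which is exactly where the audit found the vulnerable underscore.
function findInstalledCopies(lock, adv) {
  const suffix = "node_modules/" + adv.name;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      vulnerable: inRange(meta.version, adv.low, adv.high),
      dev: Boolean(meta.dev),
    }));
}

for (const c of findInstalledCopies(lockfile, advisory)) {
  console.log(`${c.path}@${c.version} vulnerable=${c.vulnerable} dev-only=${c.dev}`);
}
```

On the constructed lockfile the top-level 1.13.1 copy is outside the range while the nested 1.6.0 copy under nomnom is inside it and dev-only, which is why the top-level install alone does not make the audit go quiet.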