NPM Vulnerabilities Alert.
-
I installed a module yesterday, MMM-MoonPhase, and after I ran npm install I got a whole host of alerts talking about high severity vulnerabilities tied to underscore.js.
NPM also offered up a solution, npm audit fix --force, which I ran. It took me a little bit to figure out what I was being told and I can’t replicate because it appeared to resolve those vulnerabilities.
What I perceive the below to be telling me is that if I am using underscore from version 1.3.2 to 1.12.0 that is where the vulnerability lies. I installed underscorejs version 1.13.1 so I should be in the clear?

pi@mirror:~/MagicMirror/modules/MMM-MoonPhase $ npm audit
# npm audit report

underscore 1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via `npm audit fix`
node_modules/nomnom/node_modules/underscore
nomnom >=1.6.0
Depends on vulnerable versions of underscore
node_modules/nomnom

2 high severity vulnerabilities

To address all issues, run:
npm audit fix
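The report above names a nested copy (node_modules/nomnom/node_modules/underscore), which is separate from a top-level underscore 1.13.1. The following is an added example, not code from the thread or from MagicMirror, that checks each installed copy against the printed ranges; the nested versions in SAMPLE_INSTALLED are constructed.

```javascript
// Added example (not from the thread): match an npm audit report against every installed copy.
// Compare "major.minor.patch" strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
// The two range forms npm audit printed in the thread: "A - B" (inclusive) and ">=A".
function inVulnerableRange(version, range) {
  const hyphen = range.match(/^(\S+) - (\S+)$/);
  if (hyphen) return compareVersions(version, hyphen[1]) >= 0 && compareVersions(version, hyphen[2]) <= 0;
  const gte = range.match(/^>=(\S+)$/);
  if (gte) return compareVersions(version, gte[1]) >= 0;
  throw new Error(`unsupported range: ${range}`);
}
// Pull "<package> <range>" header lines out of the human-readable report;
// "Severity:" and node_modules/ lines do not match the pattern and are skipped.
function parseAuditReport(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const m = line.trim().match(/^([\w.-]+) ((?:>=)?\d[\d.]*(?: - \d[\d.]*)?)$/);
    if (m) entries.push({ name: m[1], range: m[2] });
  }
  return entries;
}
// installed maps each node_modules path to its version. A top-level 1.13.1 does not
// protect a nested copy, so every path whose last segment is the package is checked.
function affectedCopies(reportText, installed) {
  const hits = [];
  for (const { name, range } of parseAuditReport(reportText)) {
    for (const [path, version] of Object.entries(installed)) {
      if (path.endsWith('/' + name) && inVulnerableRange(version, range)) hits.push({ path, version, range });
    }
  }
  return hits;
}
// Report lines as quoted in the thread; the nested versions below are constructed.
const SAMPLE_REPORT = `underscore 1.3.2 - 1.12.0
Severity: high
node_modules/nomnom/node_modules/underscore
nomnom >=1.6.0`;
const SAMPLE_INSTALLED = {
  'node_modules/underscore': '1.13.1',                    // what the poster installed at top level
  'node_modules/nomnom': '1.8.1',                         // constructed
  'node_modules/nomnom/node_modules/underscore': '1.8.3', // constructed: nomnom's own nested copy
};
console.log(affectedCopies(SAMPLE_REPORT, SAMPLE_INSTALLED));
```

Only the nested copy and nomnom itself are reported; the top-level 1.13.1 is outside the range, which is why installing a newer underscore at the top level did not change the audit result.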
-
@ankonaskiff17 nothing we can do to suppress the messages or fix the problems…
many times running audit fix causes more trouble than not…don’t do it, just ignore the messages
-
@sdetweil Is there a way to tell what libraries, dependencies, files, whatever, that a given module is using?
-
@ankonaskiff17 well, only the top level… look in the node_helper.js for require(…)
but you would then have to check every one of those dependencies, and those, and those and …
and somewhere in there may be a change that causes a particular lib to break …
cause breaking changes are allowed and common now
-
@sdetweil That MMM-MoonPhase module just seems hugely bloated compared to the rest of the modules. It’s like the writer used some pre-built package to write the module and most of it is not being used.
Was wondering how to remove some of that. I know how to comment out a line of code. Is there a way to do the same but at the directory level?
It runs so probably not worth the effort.
-
@ankonaskiff17 The module has loads of dev dependencies. You should probably only install prod.
{
  "name": "MMM-MoonPhase",
  "version": "1.0.1",
  "description": "Todo: Insert description here!",
  "main": "MMM-MoonPhase.js",
  "author": "Nolan Kingdon",
  "license": "MIT",
  "devDependencies": {
    "grunt": "latest",
    "grunt-eslint": "latest",
    "grunt-jsonlint": "latest",
    "grunt-markdownlint": "^1.0.13",
    "grunt-stylelint": "latest",
    "grunt-yamllint": "latest",
    "stylelint-config-standard": "latest",
    "time-grunt": "latest"
  }
}
-
@mumblebaj via
npm install --only=prod --omit=dev
the 1st (--only=prod) is the old way
migrating to the new way (--omit=dev), both are accepted
-
@sdetweil Can I do that retroactively, or delete the module then reinstall with npm install --omit=dev, and that will get rid of unused directories/files?
I should be able to just delete the module & no need to mess with config.js or custom.css if that is the route to take?
-
@ankonaskiff17 yes just delete the node modules folder in the module folder and redo the npm install
no guarantee it will change the results
best just to ignore the messages