4. NPM security warnings on fresh install
MagicMirror² v2.5.0 is available! For more information about this release, check out this topic.

NPM security warnings on fresh install

  • M

    After having installed using the automated install on a freshly updated and clean OS i have received warning about 30+ packages posing High security issues. Tried ```
    npm audit fix

    
Anyone experienced the same and if so, how did you fix it please.

Thank you.
    0 1 Reply
  • Module Developer

    @macko76

    I know this doesn’t help you but I wanted to let you know that I experienced the same thing just last week. However, my circumstances are different than yours. I installed ubuntu 18.04 on a laptop, and then MM afterwards. This is when I received the warning about the high security issues. At the time I thought it was a fault of ubuntu 18.04 so I wiped and installed ubuntu 16.04. Installing MM on this did not result in the security warnings. Not one.

    It is quite possible that your node and npm were inadequate at the time of the MM installation. I think having them at the latest stable version will increase your chances of a successful installation of MM. Of course, that would mean starting over again, updating to the newest, stable versions of node and npm and then installing MM again.

    Good luck to you, mate.

    0 1 Reply
  • Module Developer

    @mykle1

    I did a fresh install of Ubuntu 18.04 to dual boot with Windows 7 then added MM and didn’t get any warnings and this was about a week after MM 2.5.0 came out.

    When I did the fresh install of MM on a Windows PC, I got the warnings, Always have, but I have always done the ‘npm audit fix’ and they were fixed. Or, at least most of them, some required manual fix.

    I have always had those warnings, even get them quite often when installing modules with certain types of dependencies.

    but, with Ubuntu, I never had the warnings.

    0
  • A

    @macko76 Did you have resolved all NPM issues on Linux?
    I’m using Raspbian Jessie Lite on RP3 and getting the same issues which I could get fixed with npm audit fix and manual fix but I can not start the Magic Mirror.

    0 2 Replies

  • @macko76 I have gotten the same problems just today, however not with a really fresh install.

    You COULD do an

    npm audit

    and see the audit report.
    You will find in the report what to do to resolve a number of issues. Look into the headers of the tables

    Also,

    npm audit fix

    should resolve some of these.

    HOWEVER!!!, one major issue for example (spectron) is a dependency of electron, and I wouldn’t recommend touching these without being clear about the risk that you could destroy your running system.
    So make a backup and be careful!
    I resolved nearly all issues and it’s still running but for obvious reasons I can’t recommend…

    0
    A
     1 Reply

  • @awsoo But you know that you cannot run the MagicMirror on a Raspbian Lite System per se?
    You need the x server and a desktop environment.

    1
    A
     1 Reply
  • A

    @lavolp3 thank you for your suggestion. I’ve used the npm audit and fix: https://forum.magicmirror.builders/topic/9015/outdated-npm-packages-occur-several-vulnerabilities

    0
  • A

    @lavolp3 No, I didn’t know it 😃 Really?
    Why do I need a desktop environment? Is it possible that this is the reason why I coulnd’t get electron to work?
    Okay, as I see there is a tutorial how to install it on Jessie Lite 🙂
    I will try it tomorrow.

    0
  • A

    Ok, works after installing desktop environment 😃 o_O
    Thank you!

    0