
Outdated npm packages cause several vulnerabilities



    Hello,
    a lot of packages are outdated and there are several vulnerabilities which I get after the installation.
    I am not able to run the magic mirror.
    Any suggestions?

    pi@raspberrypi:~/MagicMirror $ node -v
    v10.13.0
    pi@raspberrypi:~/MagicMirror $ npm -v
    6.4.1
    

    Output after installation on RaspBerry Pi 3, Raspbian Jessie Lite:

    added 945 packages from 964 contributors and audited 2510 packages in 493.451s
    found 79 vulnerabilities (31 low, 32 moderate, 15 high, 1 critical)
      run `npm audit fix` to fix them, or `npm audit` for details
    

    Outdated packages:

    pi@raspberrypi:~/MagicMirror $ npm outdated
    Package             Current   Wanted   Latest  Location
    body-parser          1.18.2   1.18.3   1.18.3  magicmirror
    chai                  4.1.2    4.2.0    4.2.0  magicmirror
    colors                1.1.2    1.3.2    1.3.2  magicmirror
    danger                3.1.3    3.9.0    6.0.2  magicmirror
    electron              2.0.0   2.0.13    3.0.7  magicmirror
    express              4.16.2   4.16.4   4.16.4  magicmirror
    grunt-markdownlint   1.0.43    1.1.6    2.1.0  magicmirror
    helmet                3.9.0   3.14.0   3.14.0  magicmirror
    jsdom                11.6.2  11.12.0   13.0.0  magicmirror
    jshint                2.9.5    2.9.6    2.9.6  magicmirror
    mocha                 4.1.0    4.1.0    5.2.0  magicmirror
    mocha-logger          1.0.5    1.0.6    1.0.6  magicmirror
    request              2.83.0   2.88.0   2.88.0  magicmirror
    rrule-alt             2.2.7    2.2.8    2.2.8  magicmirror
    simple-git           1.85.0  1.106.0  1.106.0  magicmirror
    socket.io             2.0.4    2.1.1    2.1.1  magicmirror
    spectron              3.7.2    3.7.3    5.0.0  magicmirror
    stylelint             8.4.0    8.4.0    9.7.1  magicmirror
    
    

    npm audit fix:

    > phantomjs-prebuilt@2.1.16 install /home/pi/MagicMirror/node_modules/phantomjs-prebuilt
    > node install.js
    
    PhantomJS not found on PATH
    Unexpected platform or architecture: linux/arm
    It seems there is no binary available for your platform/architecture
    Try to install PhantomJS globally
    npm WARN acorn-jsx@5.0.0 requires a peer of acorn@^6.0.0 but none is installed. You must install peer dependencies yourself.
    npm WARN grunt-stylelint@0.10.1 requires a peer of stylelint@^9.0.0 but none is installed. You must install peer dependencies yourself.
    npm WARN optional SKIPPING OPTIONAL DEPENDENCY: phantomjs-prebuilt@2.1.16 (node_modules/phantomjs-prebuilt):
    npm WARN optional SKIPPING OPTIONAL DEPENDENCY: phantomjs-prebuilt@2.1.16 install: `node install.js`
    npm WARN optional SKIPPING OPTIONAL DEPENDENCY: Exit status 1
    
    + socket.io@2.1.1
    + jshint@2.9.6
    + request@2.88.0
    + mocha-logger@1.0.6
    added 30 packages from 33 contributors, removed 32 packages, updated 37 packages and moved 1 package in 65.581s
    fixed 37 of 79 vulnerabilities in 2510 scanned packages
      1 vulnerability required manual review and could not be updated
      3 package updates for 41 vulns involved breaking changes
      (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
    

    After npm update, the list of outdated packages:

    Package             Current   Wanted  Latest  Location
    danger                3.9.0    3.9.0   6.0.2  magicmirror
    electron             2.0.13   2.0.13   3.0.7  magicmirror
    grunt-markdownlint    1.1.6    1.1.6   2.1.0  magicmirror
    jsdom               11.12.0  11.12.0  13.0.0  magicmirror
    mocha                 4.1.0    4.1.0   5.2.0  magicmirror
    spectron              3.7.3    3.8.0   5.0.0  magicmirror
    stylelint             8.4.0    8.4.0   9.7.1  magicmirror
    

    After all updates and upgrades, the npm audit list:

    pi@raspberrypi:~/MagicMirror $ npm audit
    
                           === npm audit security report ===
    
    # Run  npm install spectron@5.0.0  to resolve 3 vulnerabilities
    SEMVER WARNING: Recommended action is a potentially breaking change
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Regular Expression Denial of Service                         │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ sshpk                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ spectron                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ spectron > electron-chromedriver > electron-download >       │
    │               │ nugget > request > http-signature > sshpk                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/606                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Regular Expression Denial of Service                         │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ sshpk                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ spectron                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ spectron > request > http-signature > sshpk                  │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/606                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Regular Expression Denial of Service                         │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ sshpk                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ spectron                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ spectron > webdriverio > request > http-signature > sshpk    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/606                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    # Run  npm install --save-dev stylelint@9.7.1  to resolve 4 vulnerabilities
    SEMVER WARNING: Recommended action is a potentially breaking change
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Low           │ Prototype Pollution                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ lodash                                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ stylelint [dev]                                              │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ stylelint > lodash                                           │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/577                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Low           │ Prototype Pollution                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ lodash                                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ stylelint [dev]                                              │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ stylelint > postcss-reporter > lodash                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/577                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Low           │ Prototype Pollution                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ lodash                                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ stylelint [dev]                                              │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ stylelint > table > lodash                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/577                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Low           │ Cryptographically Weak PRNG                                  │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ randomatic                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ stylelint [dev]                                              │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ stylelint > micromatch > braces > expand-range > fill-range  │
    │               │ > randomatic                                                 │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/157                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    # Run  npm update sshpk --depth 6  to resolve 5 vulnerabilities
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Regular Expression Denial of Service                         │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ sshpk                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ electron                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ electron > electron-download > nugget > request >            │
    │               │ http-signature > sshpk                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/606                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Regular Expression Denial of Service                         │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ sshpk                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ request                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ request > http-signature > sshpk                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/606                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Regular Expression Denial of Service                         │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ sshpk                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ jsdom                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ jsdom > request > http-signature > sshpk                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/606                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Regular Expression Denial of Service                         │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ sshpk                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ jshint                                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ jshint > phantom > phantomjs-prebuilt > request >            │
    │               │ http-signature > sshpk                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/606                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Regular Expression Denial of Service                         │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ sshpk                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ jshint                                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ jshint > phantomjs-prebuilt > request > http-signature >     │
    │               │ sshpk                                                        │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/606                       │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌──────────────────────────────────────────────────────────────────────────────┐
    │                                Manual Review                                 │
    │            Some vulnerabilities require your attention to resolve            │
    │                                                                              │
    │         Visit https://go.npm.me/audit-guide for additional guidance          │
    └──────────────────────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Low           │ Prototype Pollution                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ lodash                                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=4.17.5                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ express-ipfilter                                             │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ express-ipfilter > lodash                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://nodesecurity.io/advisories/577                       │
    
    

    One of the suggestions produces this:

    pi@raspberrypi:~/MagicMirror $ npm install --save-dev stylelint@9.7.1
    npm WARN checkPermissions Missing write access to /home/pi/MagicMirror/node_modules/sshpk
    npm WARN acorn-jsx@5.0.0 requires a peer of acorn@^6.0.0 but none is installed. You must install peer dependencies yourself.
    
    npm ERR! path /home/pi/MagicMirror/node_modules/sshpk
    npm ERR! code EACCES
    npm ERR! errno -13
    npm ERR! syscall access
    npm ERR! Error: EACCES: permission denied, access '/home/pi/MagicMirror/node_modules/sshpk'
    npm ERR!  { [Error: EACCES: permission denied, access '/home/pi/MagicMirror/node_modules/sshpk']
    npm ERR!   stack:
    npm ERR!    'Error: EACCES: permission denied, access \'/home/pi/MagicMirror/node_modules/sshpk\'',
    npm ERR!   errno: -13,
    npm ERR!   code: 'EACCES',
    npm ERR!   syscall: 'access',
    npm ERR!   path: '/home/pi/MagicMirror/node_modules/sshpk' }
    npm ERR!
    npm ERR! The operation was rejected by your operating system.
    npm ERR! It is likely you do not have the permissions to access this file as the current user
    npm ERR!
    npm ERR! If you believe this might be a permissions issue, please double-check the
    npm ERR! permissions of the file and its containing directories, or try running
    npm ERR! the command again as root/Administrator (though this is not recommended).
    
    npm ERR! A complete log of this run can be found in:
    npm ERR!     /home/pi/.npm/_logs/2018-11-01T21_58_27_349Z-debug.log
    

    Some of the packages need sudo to get updated successfully o_O

    After all:

    sudo npm install --save-dev spectron@5.0.0 mocha@5.2.0 jsdom@13.0.0 grunt-markdownlint@2.1.0 electron@3.0.7 danger@6.0.2
    

    output:

    pi@raspberrypi:~/MagicMirror $ npm outdated
    Package   Current  Wanted  Latest  Location
    electron  MISSING   3.0.7   3.0.7  magicmirror
    

    So I tried to install electron again:

    pi@raspberrypi:~/MagicMirror $ npm install electron@latest -g
    npm WARN checkPermissions Missing write access to /usr/lib/node_modules
    npm ERR! path /usr/lib/node_modules
    npm ERR! code EACCES
    npm ERR! errno -13
    npm ERR! syscall access
    npm ERR! Error: EACCES: permission denied, access '/usr/lib/node_modules'
    npm ERR!  { [Error: EACCES: permission denied, access '/usr/lib/node_modules']
    npm ERR!   stack:
    npm ERR!    'Error: EACCES: permission denied, access \'/usr/lib/node_modules\'',
    npm ERR!   errno: -13,
    npm ERR!   code: 'EACCES',
    npm ERR!   syscall: 'access',
    npm ERR!   path: '/usr/lib/node_modules' }
    npm ERR!
    npm ERR! The operation was rejected by your operating system.
    npm ERR! It is likely you do not have the permissions to access this file as the current user
    npm ERR!
    npm ERR! If you believe this might be a permissions issue, please double-check the
    npm ERR! permissions of the file and its containing directories, or try running
    npm ERR! the command again as root/Administrator (though this is not recommended).
    
    npm ERR! A complete log of this run can be found in:
    npm ERR!     /home/pi/.npm/_logs/2018-11-01T22_32_58_797Z-debug.log
    
    

    Seems to be a bad idea to install electron with sudo.

    npm install electron@latest
    

    After all the installations and upgrades, as you can see, the audit:

    pi@raspberrypi:~/MagicMirror $ npm outdated
    pi@raspberrypi:~/MagicMirror $ npm audit
    npm ERR! code ELOCKVERIFY
    npm ERR! Errors were found in your package-lock.json, run  npm install  to fix them.
    npm ERR!     Missing: danger@^6.0.2
    npm ERR!     Missing: grunt-markdownlint@^2.1.0
    npm ERR!     Missing: jsdom@^13.0.0
    npm ERR!     Missing: mocha@^5.2.0
    npm ERR!     Missing: spectron@^5.0.0
    

    Now I tried to start:

    pi@raspberrypi:~/MagicMirror $ DISPLAY=:0 nohup npm start &
    [1] 3939
    pi@raspberrypi:~/MagicMirror $ nohup: ignoring input and appending output to 'nohup.out'
    

    Content of the file nohup.out:

    > magicmirror@2.5.0 start /home/pi/MagicMirror
    > sh run-start.sh
    
    /home/pi/MagicMirror/node_modules/electron/dist/electron: error while loading shared libraries: libgtk-3.so.0: cannot open shared object file: No such file or directory
    npm ERR! file sh
    npm ERR! code ELIFECYCLE
    npm ERR! errno ENOENT
    npm ERR! syscall spawn
    npm ERR! magicmirror@2.5.0 start: `sh run-start.sh`
    npm ERR! spawn ENOENT
    npm ERR! 
    npm ERR! Failed at the magicmirror@2.5.0 start script.
    npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
    
    npm ERR! A complete log of this run can be found in:
    npm ERR!     /home/pi/.npm/_logs/2018-11-01T22_49_36_884Z-debug.log
    

    Log file 2018-11-01T22_49_36_884Z-debug.log:

    0 info it worked if it ends with ok
    1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'start' ]
    2 info using npm@6.4.1
    3 info using node@v10.13.0
    4 verbose run-script [ 'prestart', 'start', 'poststart' ]
    5 info lifecycle magicmirror@2.5.0~prestart: magicmirror@2.5.0
    6 info lifecycle magicmirror@2.5.0~start: magicmirror@2.5.0
    7 verbose lifecycle magicmirror@2.5.0~start: unsafe-perm in lifecycle true
    8 verbose lifecycle magicmirror@2.5.0~start: PATH: /usr/lib/node_modules/npm/node_modules/npm-lifecycle/node-gyp-bin:/home/pi/MagicMirror/node_modules/.bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
    9 verbose lifecycle magicmirror@2.5.0~start: CWD: /home/pi/MagicMirror
    10 silly lifecycle magicmirror@2.5.0~start: Args: [ '-c', 'sh run-start.sh' ]
    11 info lifecycle magicmirror@2.5.0~start: Failed to exec start script
    12 verbose stack Error: magicmirror@2.5.0 start: `sh run-start.sh`
    12 verbose stack spawn ENOENT
    12 verbose stack     at ChildProcess. (/usr/lib/node_modules/npm/node_modules/npm-lifecycle/lib/spawn.js:48:18)
    12 verbose stack     at ChildProcess.emit (events.js:182:13)
    12 verbose stack     at maybeClose (internal/child_process.js:962:16)
    12 verbose stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:251:5)
    13 verbose pkgid magicmirror@2.5.0
    14 verbose cwd /home/pi/MagicMirror
    15 verbose Linux 4.14.71-v7+
    16 verbose argv "/usr/bin/node" "/usr/bin/npm" "start"
    17 verbose node v10.13.0
    18 verbose npm  v6.4.1
    19 error file sh
    20 error code ELIFECYCLE
    21 error errno ENOENT
    22 error syscall spawn
    23 error magicmirror@2.5.0 start: `sh run-start.sh`
    23 error spawn ENOENT
    24 error Failed at the magicmirror@2.5.0 start script.
    24 error This is probably not a problem with npm. There is likely additional logging output above.
    25 verbose exit [ 1, true ]
    

    There are no permission errors.

    sudo chown -R $(whoami) ~/../../usr/lib/node_modules/
    sudo chown -R $(whoami) ~/.npm/
    

    Any suggestions?
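    The `npm outdated` tables above mix two kinds of rows: packages where `Wanted` already equals `Latest` (an ordinary `npm update` reaches it) and packages where `Latest` is a new major that `npm audit fix` refuses to install without `--force` ("SEMVER WARNING"). The script below is an added example, not code from the post or the MagicMirror project; it parses that table text (a constructed sample copied from the post's output) and triages each row so the rows that need a deliberate major bump stand out.

```javascript
// Added example, not from the forum post or the MagicMirror project.
// Constructed sample: rows copied from the `npm outdated` output in the post.
const SAMPLE_OUTDATED = `Package             Current   Wanted   Latest  Location
body-parser          1.18.2   1.18.3   1.18.3  magicmirror
electron              2.0.0   2.0.13    3.0.7  magicmirror
mocha                 4.1.0    4.1.0    5.2.0  magicmirror
simple-git           1.85.0  1.106.0  1.106.0  magicmirror
electron            MISSING    3.0.7    3.0.7  magicmirror`;

// Returns [major, minor, patch] or null for "MISSING" / unparseable values.
function parseSemver(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(s);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison field by field (so 1.85.0 < 1.106.0, unlike string order).
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Parse the whitespace-aligned table into row objects keyed by the header names
// (package, current, wanted, latest, location).
function parseOutdated(text) {
  const lines = text.trim().split('\n').filter((l) => l.trim() !== '');
  const header = lines[0].trim().split(/\s+/).map((h) => h.toLowerCase());
  return lines.slice(1).map((line) => {
    const cols = line.trim().split(/\s+/);
    const row = {};
    header.forEach((h, i) => { row[h] = cols[i]; });
    return row;
  });
}

// Decide what it takes to get one row to Latest:
//   install     - Current is MISSING: listed in package.json but not installed
//   major bump  - Latest has a higher major than Wanted: breaking change, the
//                 case `npm audit fix` will not apply without --force
//   widen range - Latest is newer but same major: the package.json range is too tight
//   npm update  - Wanted == Latest and Current is behind: a plain `npm update` suffices
function triage(row) {
  const cur = parseSemver(row.current);
  const want = parseSemver(row.wanted);
  const latest = parseSemver(row.latest);
  if (!want || !latest) return 'unknown';
  if (!cur) return 'install';
  if (compareSemver(want, latest) < 0) {
    return want[0] < latest[0] ? 'major bump' : 'widen range';
  }
  return compareSemver(cur, want) < 0 ? 'npm update' : 'current';
}

function triageOutdated(text) {
  return parseOutdated(text).map((row) => ({ ...row, action: triage(row) }));
}

// Group package names by action so the blocking set is visible at a glance.
function summarize(text) {
  const summary = {};
  for (const r of triageOutdated(text)) {
    (summary[r.action] = summary[r.action] || []).push(r.package);
  }
  return summary;
}

console.log(summarize(SAMPLE_OUTDATED));
```

    Feed it the real output with `npm outdated > outdated.txt` and replace the constructed sample; the "major bump" group is the set to test deliberately (as the post found with electron and spectron) rather than forcing through `npm audit fix --force`.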


    I had to install the desktop environment to get it to work.
    The best way is to follow the instructions here:
    https://github.com/MichMich/MagicMirror/wiki/Jessie-Lite-Installation-Guide

    Thanks to @lavolp3 https://forum.magicmirror.builders/post/46231

    After the installation of the desktop environment I could run the magic mirror without errors. “Launched application.” But nothing could be seen. I removed all and began a fresh installation but ended with the same problems and new issues.

    I think this project is out of date and needs a lot of time and work to get working.