
WARN notice [SECURITY] lodash has the following vulnerability....



  • Hi everybody,

    just did a fresh and new install of the latest Raspbian installation on my Pi 3B+ and installed MM2 again.
    However, during installation I got a lot of notifications about vulnerabilities and that I had to run: npm i npm@latest -g.
    But is that normal?? I just did a fresh installation on a new SD card and already I have an outdated something???



  • @mwel1977 Experienced the same. npm is doing audits now. Don’t know since when. However they are not errors, only vulnerabilities.
    Do a

    npm audit
    

    and find out more about them.


  • Module Developer

    Perhaps worth mentioning

    Recently, I wiped a laptop and installed the newest Ubuntu (18.04?), the latest stable node and then MM. The MM installation reported way too many vulnerabilities. I didn’t like that at all. I wiped the laptop again but this time I installed Ubuntu 16.04 LTS, the latest stable node and MM. Not one vulnerability reported. Odd.



  • @mykle1 So what were the respective versions of node? Maybe the older Ubuntu version uses an older node version?
    I had the feeling that it was purely node-related but I may be wrong.


  • Module Developer

    In both cases, I installed node 10.13.0 LTS. Ubuntu 16.04 LTS had no complaints and issued no warnings. It’s the newer/latest LTS version of Ubuntu where node issued all those warnings. Go figure.