@lavolp3 thank you for your suggestion. I’ve used the npm audit and fix: https://forum.magicmirror.builders/topic/9015/outdated-npm-packages-occur-several-vulnerabilities
A New Chapter for MagicMirror: The Community Takes the Lead
Read the statement by Michael Teeuw here.
Read the statement by Michael Teeuw here.
A
Offline
Best posts made by awsoo
-
RE: NPM security warnings on fresh install
Latest posts made by awsoo
-
RE: NPM security warnings on fresh install
Ok, works after installing desktop environment :D o_O
Thank you! -
RE: NPM security warnings on fresh install
@lavolp3 No, I didn’t know it :D Really?
Why do I need a desktop environment? Is it possible that this is the reason why I coulnd’t get electron to work?
Okay, as I see there is a tutorial how to install it on Jessie Lite :)
I will try it tomorrow. -
RE: NPM security warnings on fresh install
@lavolp3 thank you for your suggestion. I’ve used the npm audit and fix: https://forum.magicmirror.builders/topic/9015/outdated-npm-packages-occur-several-vulnerabilities
-
RE: NPM security warnings on fresh install
@macko76 Did you have resolved all NPM issues on Linux?
I’m using Raspbian Jessie Lite on RP3 and getting the same issues which I could get fixed with npm audit fix and manual fix but I can not start the Magic Mirror. -
Outdated npm packages occur several vulnerabilities
Hello,
a lot of packages are outdated and there are several vulnerabilities which I get after the installation.
I am not getting run the magic mirror.
Any suggestions?pi@raspberrypi:~/MagicMirror $ node -v v10.13.0 pi@raspberrypi:~/MagicMirror $ npm -v 6.4.1Output after installation on RaspBerry Pi 3, Raspbian Jessie Lite:
added 945 packages from 964 contributors and audited 2510 packages in 493.451s found 79 vulnerabilities (31 low, 32 moderate, 15 high, 1 critical) run `npm audit fix` to fix them, or `npm audit` for detailsOutdated packages:
pi@raspberrypi:~/MagicMirror $ npm outdated Package Current Wanted Latest Location body-parser 1.18.2 1.18.3 1.18.3 magicmirror chai 4.1.2 4.2.0 4.2.0 magicmirror colors 1.1.2 1.3.2 1.3.2 magicmirror danger 3.1.3 3.9.0 6.0.2 magicmirror electron 2.0.0 2.0.13 3.0.7 magicmirror express 4.16.2 4.16.4 4.16.4 magicmirror grunt-markdownlint 1.0.43 1.1.6 2.1.0 magicmirror helmet 3.9.0 3.14.0 3.14.0 magicmirror jsdom 11.6.2 11.12.0 13.0.0 magicmirror jshint 2.9.5 2.9.6 2.9.6 magicmirror mocha 4.1.0 4.1.0 5.2.0 magicmirror mocha-logger 1.0.5 1.0.6 1.0.6 magicmirror request 2.83.0 2.88.0 2.88.0 magicmirror rrule-alt 2.2.7 2.2.8 2.2.8 magicmirror simple-git 1.85.0 1.106.0 1.106.0 magicmirror socket.io 2.0.4 2.1.1 2.1.1 magicmirror spectron 3.7.2 3.7.3 5.0.0 magicmirror stylelint 8.4.0 8.4.0 9.7.1 magicmirrornpm audit fix:
> phantomjs-prebuilt@2.1.16 install /home/pi/MagicMirror/node_modules/phantomjs-prebuilt > node install.js PhantomJS not found on PATH Unexpected platform or architecture: linux/arm It seems there is no binary available for your platform/architecture Try to install PhantomJS globally npm WARN acorn-jsx@5.0.0 requires a peer of acorn@^6.0.0 but none is installed. You must install peer dependencies yourself. npm WARN grunt-stylelint@0.10.1 requires a peer of stylelint@^9.0.0 but none is installed. You must install peer dependencies yourself. npm WARN optional SKIPPING OPTIONAL DEPENDENCY: phantomjs-prebuilt@2.1.16 (node_modules/phantomjs-prebuilt): npm WARN optional SKIPPING OPTIONAL DEPENDENCY: phantomjs-prebuilt@2.1.16 install: `node install.js` npm WARN optional SKIPPING OPTIONAL DEPENDENCY: Exit status 1 + socket.io@2.1.1 + jshint@2.9.6 + request@2.88.0 + mocha-logger@1.0.6 added 30 packages from 33 contributors, removed 32 packages, updated 37 packages and moved 1 package in 65.581s fixed 37 of 79 vulnerabilities in 2510 scanned packages 1 vulnerability required manual review and could not be updated 3 package updates for 41 vulns involved breaking changes (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)after npm update list of outdated packages:
Package Current Wanted Latest Location danger 3.9.0 3.9.0 6.0.2 magicmirror electron 2.0.13 2.0.13 3.0.7 magicmirror grunt-markdownlint 1.1.6 1.1.6 2.1.0 magicmirror jsdom 11.12.0 11.12.0 13.0.0 magicmirror mocha 4.1.0 4.1.0 5.2.0 magicmirror spectron 3.7.3 3.8.0 5.0.0 magicmirror stylelint 8.4.0 8.4.0 9.7.1 magicmirrorAfter all updates and upgrades the list of npm audit:
pi@raspberrypi:~/MagicMirror $ npm audit === npm audit security report === # Run npm install spectron@5.0.0 to resolve 3 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ spectron │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ spectron > electron-chromedriver > electron-download > │ │ │ nugget > request > http-signature > sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/606 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ spectron │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ spectron > request > http-signature > sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/606 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ spectron │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ spectron > webdriverio > request > http-signature > sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/606 │ └───────────────┴──────────────────────────────────────────────────────────────┘ # Run npm install --save-dev stylelint@9.7.1 to resolve 4 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Low │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ stylelint [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ stylelint > lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/577 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Low │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ stylelint [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ stylelint > postcss-reporter > lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/577 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Low │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ stylelint [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ stylelint > table > lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/577 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Low │ Cryptographically Weak PRNG │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ randomatic │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ stylelint [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ stylelint > micromatch > braces > expand-range > fill-range │ │ │ > randomatic │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/157 │ └───────────────┴──────────────────────────────────────────────────────────────┘ # Run npm update sshpk --depth 6 to resolve 5 vulnerabilities ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ electron │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ electron > electron-download > nugget > request > │ │ │ http-signature > sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/606 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ request │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ request > http-signature > sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/606 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ jsdom │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ jsdom > request > http-signature > sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/606 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ jshint │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ jshint > phantom > phantomjs-prebuilt > request > │ │ │ http-signature > sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/606 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ jshint │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ jshint > phantomjs-prebuilt > request > http-signature > │ │ │ sshpk │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/606 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │ Manual Review │ │ Some vulnerabilities require your attention to resolve │ │ │ │ Visit https://go.npm.me/audit-guide for additional guidance │ └──────────────────────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Low │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=4.17.5 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ express-ipfilter │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ express-ipfilter > lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/577 │One of the suggestions is occurs this:
pi@raspberrypi:~/MagicMirror $ npm install --save-dev stylelint@9.7.1 npm WARN checkPermissions Missing write access to /home/pi/MagicMirror/node_modules/sshpk npm WARN acorn-jsx@5.0.0 requires a peer of acorn@^6.0.0 but none is installed. You must install peer dependencies yourself. npm ERR! path /home/pi/MagicMirror/node_modules/sshpk npm ERR! code EACCES npm ERR! errno -13 npm ERR! syscall access npm ERR! Error: EACCES: permission denied, access '/home/pi/MagicMirror/node_modules/sshpk' npm ERR! { [Error: EACCES: permission denied, access '/home/pi/MagicMirror/node_modules/sshpk'] npm ERR! stack: npm ERR! 'Error: EACCES: permission denied, access \'/home/pi/MagicMirror/node_modules/sshpk\'', npm ERR! errno: -13, npm ERR! code: 'EACCES', npm ERR! syscall: 'access', npm ERR! path: '/home/pi/MagicMirror/node_modules/sshpk' } npm ERR! npm ERR! The operation was rejected by your operating system. npm ERR! It is likely you do not have the permissions to access this file as the current user npm ERR! npm ERR! If you believe this might be a permissions issue, please double-check the npm ERR! permissions of the file and its containing directories, or try running npm ERR! the command again as root/Administrator (though this is not recommended). npm ERR! A complete log of this run can be found in: npm ERR! /home/pi/.npm/_logs/2018-11-01T21_58_27_349Z-debug.logSome of the packages need sudo to get updated successfully o_O
Alter all :
sudo npm install --save-dev spectron@5.0.0 mocha@5.2.0 jsdom@13.0.0 grunt-markdownlint@2.1.0 electron@3.0.7 danger@6.0.2output:
pi@raspberrypi:~/MagicMirror $ npm outdated Package Current Wanted Latest Location electron MISSING 3.0.7 3.0.7 magicmirrorso I tried to install electron again:
pi@raspberrypi:~/MagicMirror $ npm install electron@latest -g npm WARN checkPermissions Missing write access to /usr/lib/node_modules npm ERR! path /usr/lib/node_modules npm ERR! code EACCES npm ERR! errno -13 npm ERR! syscall access npm ERR! Error: EACCES: permission denied, access '/usr/lib/node_modules' npm ERR! { [Error: EACCES: permission denied, access '/usr/lib/node_modules'] npm ERR! stack: npm ERR! 'Error: EACCES: permission denied, access \'/usr/lib/node_modules\'', npm ERR! errno: -13, npm ERR! code: 'EACCES', npm ERR! syscall: 'access', npm ERR! path: '/usr/lib/node_modules' } npm ERR! npm ERR! The operation was rejected by your operating system. npm ERR! It is likely you do not have the permissions to access this file as the current user npm ERR! npm ERR! If you believe this might be a permissions issue, please double-check the npm ERR! permissions of the file and its containing directories, or try running npm ERR! the command again as root/Administrator (though this is not recommended). npm ERR! A complete log of this run can be found in: npm ERR! /home/pi/.npm/_logs/2018-11-01T22_32_58_797Z-debug.logseems to be a bad idea to install electron as sudo.
npm install electron@latestAfter all the installation and upgrades as you can see the audit:
pi@raspberrypi:~/MagicMirror $ npm outdated pi@raspberrypi:~/MagicMirror $ npm audit npm ERR! code ELOCKVERIFY npm ERR! Errors were found in your package-lock.json, run npm install to fix them. npm ERR! Missing: danger@^6.0.2 npm ERR! Missing: grunt-markdownlint@^2.1.0 npm ERR! Missing: jsdom@^13.0.0 npm ERR! Missing: mocha@^5.2.0 npm ERR! Missing: spectron@^5.0.0now i tried to start:
pi@raspberrypi:~/MagicMirror $ DISPLAY=:0 nohup npm start & [1] 3939 pi@raspberrypi:~/MagicMirror $ nohup: ignoring input and appending output to 'nohup.out'content of the file nohup.out:
> magicmirror@2.5.0 start /home/pi/MagicMirror > sh run-start.sh /home/pi/MagicMirror/node_modules/electron/dist/electron: error while loading shared libraries: libgtk-3.so.0: cannot open shared object file: No such file or directory npm ERR! file sh npm ERR! code ELIFECYCLE npm ERR! errno ENOENT npm ERR! syscall spawn npm ERR! magicmirror@2.5.0 start: `sh run-start.sh` npm ERR! spawn ENOENT npm ERR! npm ERR! Failed at the magicmirror@2.5.0 start script. npm ERR! This is probably not a problem with npm. There is likely additional logging output above. npm ERR! A complete log of this run can be found in: npm ERR! /home/pi/.npm/_logs/2018-11-01T22_49_36_884Z-debug.loglog file 2018-11-01T22_49_36_884Z-debug.log
0 info it worked if it ends with ok 1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'start' ] 2 info using npm@6.4.1 3 info using node@v10.13.0 4 verbose run-script [ 'prestart', 'start', 'poststart' ] 5 info lifecycle magicmirror@2.5.0~prestart: magicmirror@2.5.0 6 info lifecycle magicmirror@2.5.0~start: magicmirror@2.5.0 7 verbose lifecycle magicmirror@2.5.0~start: unsafe-perm in lifecycle true 8 verbose lifecycle magicmirror@2.5.0~start: PATH: /usr/lib/node_modules/npm/node_modules/npm-lifecycle/node-gyp-bin:/home/pi/MagicMirror/node_modules/.bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games 9 verbose lifecycle magicmirror@2.5.0~start: CWD: /home/pi/MagicMirror 10 silly lifecycle magicmirror@2.5.0~start: Args: [ '-c', 'sh run-start.sh' ] 11 info lifecycle magicmirror@2.5.0~start: Failed to exec start script 12 verbose stack Error: magicmirror@2.5.0 start: `sh run-start.sh` 12 verbose stack spawn ENOENT 12 verbose stack at ChildProcess.<anonymous> (/usr/lib/node_modules/npm/node_modules/npm-lifecycle/lib/spawn.js:48:18) 12 verbose stack at ChildProcess.emit (events.js:182:13) 12 verbose stack at maybeClose (internal/child_process.js:962:16) 12 verbose stack at Process.ChildProcess._handle.onexit (internal/child_process.js:251:5) 13 verbose pkgid magicmirror@2.5.0 14 verbose cwd /home/pi/MagicMirror 15 verbose Linux 4.14.71-v7+ 16 verbose argv "/usr/bin/node" "/usr/bin/npm" "start" 17 verbose node v10.13.0 18 verbose npm v6.4.1 19 error file sh 20 error code ELIFECYCLE 21 error errno ENOENT 22 error syscall spawn 23 error magicmirror@2.5.0 start: `sh run-start.sh` 23 error spawn ENOENT 24 error Failed at the magicmirror@2.5.0 start script. 24 error This is probably not a problem with npm. There is likely additional logging output above. 25 verbose exit [ 1, true ]There are no Permission errors.
sudo chown -R $(whoami) ~/../../usr/lib/node_modules/ sudo chown -R $(whoami) ~/.npm/Any suggestions?
I had to install the desktop environment to get it work.
Best way is to follow the constructions here:
https://github.com/MichMich/MagicMirror/wiki/Jessie-Lite-Installation-GuideThanks to @lavolp3 https://forum.magicmirror.builders/post/46231
After the installation of desktop enviroenment I could run the magic mirror without errors. “Launched application.” But nothing could be seen. I removed all began a fresh installation but ended with the same problems and new issiues.
I think this project is out of the date and needs a lot of time and work to get worked.