Seems to need an update..
-
hundred+ vulnerabilities via npm, various errors and warnings in logs
Dec 05 10:03:41 > dtrace-provider@0.8.8 install /app/code/node_modules/ep_cloudron/node_modules/dtrace-provider
Dec 05 10:03:41 > node-gyp rebuild || node suppress-error.js
Dec 05 10:03:41
Dec 05 10:03:42 gyp WARN install got an error, rolling back install
Dec 05 10:03:42 gyp ERR! configure error
Dec 05 10:03:42 gyp ERR! stack Error: EROFS: read-only file system, mkdir '/home/cloudron/.cache'
Dec 05 10:03:42 gyp ERR! System Linux 4.15.0-118-generic
Dec 05 10:03:42 gyp ERR! command "/usr/local/node-12.16.2/bin/node" "/app/code/src/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
Dec 05 10:03:42 gyp ERR! cwd /app/data/node_modules/ep_cloudron/node_modules/dtrace-provider
Dec 05 10:03:42 gyp ERR! node -v v12.16.2
Dec 05 10:03:42 gyp ERR! node-gyp -v v5.1.0
Dec 05 10:03:42 gyp ERR! not ok
Dec 05 10:03:43 npm WARN saveError ENOENT: no such file or directory, open '/app/code/package.json'
Dec 05 10:03:43 npm WARN saveError EROFS: read-only file system, open '/app/code/package-lock.json.4184476571'
Dec 05 10:03:43 npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.1.1 (node_modules/ep_etherpad-lite/node_modules/chokidar/node_modules/fsevents):
Dec 05 10:03:43 npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
Dec 05 10:03:43 npm WARN enoent ENOENT: no such file or directory, open '/app/code/package.json'
Dec 05 10:03:43 npm WARN code No description
Dec 05 10:03:43 npm WARN code No repository field.
Dec 05 10:03:43 npm WARN code No README data
Dec 05 10:03:43 npm WARN code No license field.
Dec 05 10:03:43 [2020-12-05 18:03:43.486] [ERROR] console - ...
Dec 05 10:03:44 [2020-12-05 18:03:44.684] [INFO] console - found 135 vulnerabilities (68 low, 21 moderate, 44 high, 2 critical)
Dec 05 10:03:44 run `npm audit fix` to fix them, or `npm audit` for details
Dec 05 10:03:46 [2020-12-05 18:03:46.985] [INFO] console - Restarting express server
Dec 05 10:06:43 [2020-12-05 18:06:43.647] [INFO] access - [LEAVE] Pad "B2C4jivs3N": Author "a.bGF8CxTK613yvhbl" on client 4s_HRv2qBt0E1n82AAAA with IP "172.18.0.1" left the pad
Dec 05 10:06:45 [2020-12-05 18:06:45.449] [INFO] access - [ENTER] Pad "B2C4jivs3N": Client -zB3_2yuV2iQAem1AAAC with IP "172.18.0.1" entered the pad
Dec 05 10:06:45 [2020-12-05 18:06:45.450] [WARN] console - ep_themes: a default theme can be set in settings.json
Dec 05 10:06:46 [2020-12-05 18:06:46.976] [WARN] message - Dropped message, unknown Message Type STATS
Dec 05 10:07:16 npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
Dec 05 10:07:17 npm WARN deprecated phantomjs-prebuilt@2.1.16: this package is now deprecated
Dec 05 10:07:18 npm WARN deprecated har-validator@5.1.5: this library is no longer supported
-
@jdaviescoates it's not the app it's the stack.. and npm dependencies
-
Since I just looked into this, the errors (or rather warnings) from npm are for one thing, that etherpad does not have a package.json file in the root folder, but relies on the node_modules folder for listing. Also npm by default attempts to check for updates of itself, which fails and it should not update on its own, since we only test against specific versions.

The vulnerabilities are indeed an issue, however as @girish mentioned we cannot blindly update them, so all those have to be ideally reported upstream with all the relevant plugins even.
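
One way to turn the audit total from the log into per-upstream reports, as the last post suggests, is to group findings by the top-level package that pulls each vulnerable module in. This is an added example, not code from the thread or from Cloudron or Etherpad; it assumes the npm 6 `npm audit --json` layout (`advisories` → `findings` → `paths` joined with `>`), and the report and the `example-*` module names are constructed.

```javascript
// Added example: group npm 6 audit advisories by the top-level dependency
// (e.g. an Etherpad plugin) so each group can be reported to its upstream.
const SEVERITIES = ['critical', 'high', 'moderate', 'low', 'info'];
const rank = (sev) => {
  const i = SEVERITIES.indexOf(sev);
  return i < 0 ? SEVERITIES.length : i; // unknown severities sort last
};

function groupByUpstream(report) {
  const groups = new Map(); // root package -> Map("module@version" -> severity)
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const root = path.split('>')[0]; // first hop is the direct dependency
        if (!groups.has(root)) groups.set(root, new Map());
        // Keyed by module@version so one module reached via several paths counts once.
        groups.get(root).set(`${adv.module_name}@${finding.version}`, adv.severity);
      }
    }
  }
  return [...groups]
    .map(([root, mods]) => {
      const counts = {};
      for (const sev of mods.values()) counts[sev] = (counts[sev] || 0) + 1;
      const worst = Object.keys(counts).sort((a, b) => rank(a) - rank(b))[0];
      return { root, worst, counts, modules: [...mods.keys()].sort() };
    })
    .sort((a, b) => rank(a.worst) - rank(b.worst) || a.root.localeCompare(b.root));
}

// Constructed sample report; only ep_etherpad-lite and ep_cloudron appear in the log above.
const SAMPLE_REPORT = {
  advisories: {
    1001: { module_name: 'example-parser', severity: 'high', findings: [
      { version: '1.2.0', paths: ['ep_etherpad-lite>example-http>example-parser',
                                  'ep_cloudron>example-parser'] }] },
    1002: { module_name: 'example-template', severity: 'critical', findings: [
      { version: '0.4.1', paths: ['ep_etherpad-lite>example-template'] }] },
    1003: { module_name: 'example-glob', severity: 'low', findings: [
      { version: '2.0.0', paths: ['ep_cloudron>example-log>example-glob'] },
      { version: '2.0.0', paths: ['ep_cloudron>example-glob'] }] },
  },
};

for (const g of groupByUpstream(SAMPLE_REPORT)) {
  console.log(`${g.root}: worst=${g.worst} ${JSON.stringify(g.counts)} ${g.modules.join(', ')}`);
}
```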