Seems to need an update..
-
hundred+ vulnerabilities via npm, various errors and warnings in logs
Dec 05 10:03:41 > dtrace-provider@0.8.8 install /app/code/node_modules/ep_cloudron/node_modules/dtrace-provider
Dec 05 10:03:41 > node-gyp rebuild || node suppress-error.js
Dec 05 10:03:41
Dec 05 10:03:42 gyp WARN install got an error, rolling back install
Dec 05 10:03:42 gyp ERR! configure error
Dec 05 10:03:42 gyp ERR! stack Error: EROFS: read-only file system, mkdir '/home/cloudron/.cache'
Dec 05 10:03:42 gyp ERR! System Linux 4.15.0-118-generic
Dec 05 10:03:42 gyp ERR! command "/usr/local/node-12.16.2/bin/node" "/app/code/src/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
Dec 05 10:03:42 gyp ERR! cwd /app/data/node_modules/ep_cloudron/node_modules/dtrace-provider
Dec 05 10:03:42 gyp ERR! node -v v12.16.2
Dec 05 10:03:42 gyp ERR! node-gyp -v v5.1.0
Dec 05 10:03:42 gyp ERR! not ok
Dec 05 10:03:43 npm WARN saveError ENOENT: no such file or directory, open '/app/code/package.json'
Dec 05 10:03:43 npm WARN saveError EROFS: read-only file system, open '/app/code/package-lock.json.4184476571'
Dec 05 10:03:43 npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.1.1 (node_modules/ep_etherpad-lite/node_modules/chokidar/node_modules/fsevents):
Dec 05 10:03:43 npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
Dec 05 10:03:43 npm WARN enoent ENOENT: no such file or directory, open '/app/code/package.json'
Dec 05 10:03:43 npm WARN code No description
Dec 05 10:03:43 npm WARN code No repository field.
Dec 05 10:03:43 npm WARN code No README data
Dec 05 10:03:43 npm WARN code No license field.
Dec 05 10:03:43 [2020-12-05 18:03:43.486] [ERROR] console - ...
Dec 05 10:03:44 [2020-12-05 18:03:44.684] [INFO] console - found 135 vulnerabilities (68 low, 21 moderate, 44 high, 2 critical)
Dec 05 10:03:44 run `npm audit fix` to fix them, or `npm audit` for details
Dec 05 10:03:46 [2020-12-05 18:03:46.985] [INFO] console - Restarting express server
Dec 05 10:06:43 [2020-12-05 18:06:43.647] [INFO] access - [LEAVE] Pad "B2C4jivs3N": Author "a.bGF8CxTK613yvhbl" on client 4s_HRv2qBt0E1n82AAAA with IP "172.18.0.1" left the pad
Dec 05 10:06:45 [2020-12-05 18:06:45.449] [INFO] access - [ENTER] Pad "B2C4jivs3N": Client -zB3_2yuV2iQAem1AAAC with IP "172.18.0.1" entered the pad
Dec 05 10:06:45 [2020-12-05 18:06:45.450] [WARN] console - ep_themes: a default theme can be set in settings.json
Dec 05 10:06:46 [2020-12-05 18:06:46.976] [WARN] message - Dropped message, unknown Message Type STATS
Dec 05 10:07:16 npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
Dec 05 10:07:17 npm WARN deprecated phantomjs-prebuilt@2.1.16: this package is now deprecated
Dec 05 10:07:18 npm WARN deprecated har-validator@5.1.5: this library is no longer supported
-
@robi looks like 1.8.6 which is on Cloudron is still the latest release though
-
@jdaviescoates it's not the app it's the stack.. and npm dependencies
-
@robi I guess this needs to be reported upstream. Not sure what we can do, we can't update packages without knowing what they might break.
-
@girish not sure that's true, it's only an issue because of the RO FS as npm can't update
-
@robi Should be down to two major vulnerabilities now hopefully with the latest update. Those two are in the latest release of ep as well. I checked what they are and they are those "prototype pollution" issues.