    Seems to need an update..

    Etherpad Lite
    • robi
      robi last edited by

      Hundred+ vulnerabilities via npm, various errors and warnings in logs

      Dec 05 10:03:41 > dtrace-provider@0.8.8 install /app/code/node_modules/ep_cloudron/node_modules/dtrace-provider
      Dec 05 10:03:41 > node-gyp rebuild || node suppress-error.js
      Dec 05 10:03:41
      Dec 05 10:03:42 gyp WARN install got an error, rolling back install
      Dec 05 10:03:42 gyp ERR! configure error
      Dec 05 10:03:42 gyp ERR! stack Error: EROFS: read-only file system, mkdir '/home/cloudron/.cache'
      Dec 05 10:03:42 gyp ERR! System Linux 4.15.0-118-generic
      Dec 05 10:03:42 gyp ERR! command "/usr/local/node-12.16.2/bin/node" "/app/code/src/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
      Dec 05 10:03:42 gyp ERR! cwd /app/data/node_modules/ep_cloudron/node_modules/dtrace-provider
      Dec 05 10:03:42 gyp ERR! node -v v12.16.2
      Dec 05 10:03:42 gyp ERR! node-gyp -v v5.1.0
      Dec 05 10:03:42 gyp ERR! not ok
      Dec 05 10:03:43 npm WARN saveError ENOENT: no such file or directory, open '/app/code/package.json'
      Dec 05 10:03:43 npm WARN saveError EROFS: read-only file system, open '/app/code/package-lock.json.4184476571'
      Dec 05 10:03:43 npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.1.1 (node_modules/ep_etherpad-lite/node_modules/chokidar/node_modules/fsevents):
      Dec 05 10:03:43 npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
      Dec 05 10:03:43 npm WARN enoent ENOENT: no such file or directory, open '/app/code/package.json'
      Dec 05 10:03:43 npm WARN code No description
      Dec 05 10:03:43 npm WARN code No repository field.
      Dec 05 10:03:43 npm WARN code No README data
      Dec 05 10:03:43 npm WARN code No license field.
      Dec 05 10:03:43 [2020-12-05 18:03:43.486] [ERROR] console -
      ...
      Dec 05 10:03:44 [2020-12-05 18:03:44.684] [INFO] console - found 135 vulnerabilities (68 low, 21 moderate, 44 high, 2 critical)
      Dec 05 10:03:44 run `npm audit fix` to fix them, or `npm audit` for details
      Dec 05 10:03:46 [2020-12-05 18:03:46.985] [INFO] console - Restarting express server
      Dec 05 10:06:43 [2020-12-05 18:06:43.647] [INFO] access - [LEAVE] Pad "B2C4jivs3N": Author "a.bGF8CxTK613yvhbl" on client 4s_HRv2qBt0E1n82AAAA with IP "172.18.0.1" left the pad
      Dec 05 10:06:45 [2020-12-05 18:06:45.449] [INFO] access - [ENTER] Pad "B2C4jivs3N": Client -zB3_2yuV2iQAem1AAAC with IP "172.18.0.1" entered the pad
      Dec 05 10:06:45 [2020-12-05 18:06:45.450] [WARN] console - ep_themes: a default theme can be set in settings.json
      Dec 05 10:06:46 [2020-12-05 18:06:46.976] [WARN] message - Dropped message, unknown Message Type STATS
      Dec 05 10:07:16 npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
      Dec 05 10:07:17 npm WARN deprecated phantomjs-prebuilt@2.1.16: this package is now deprecated
      Dec 05 10:07:18 npm WARN deprecated har-validator@5.1.5: this library is no longer supported
      
      • jdaviescoates
        jdaviescoates @robi last edited by

        @robi looks like 1.8.6 which is on Cloudron is still the latest release though

        • robi
          robi @jdaviescoates last edited by

          @jdaviescoates it's not the app it's the stack.. and npm dependencies

          • girish
            girish Staff @robi last edited by

            @robi I guess this needs to be reported upstream. Not sure what we can do, we can't update packages without knowing what they might break.

            • robi
              robi @girish last edited by

              @girish not sure that's true, it's only an issue because of the RO FS as npm can't update

              • girish
                girish Staff @robi last edited by

                @robi Should be down to two major vulnerabilities now hopefully with the latest update. Those two are in the latest release of ep as well. I checked what they are and they are those "prototype pollution" issues.

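The log in the first post mixes three separate signals: the `npm audit` summary, the `EROFS` write failures caused by the read-only filesystem, and package deprecation warnings. As an added example (not part of the thread and not Cloudron or Etherpad code), this Node.js script separates them so each can be tracked on its own; the function names and the high/critical policy are assumptions, and the sample lines are copied from the log in the first post.

```javascript
// Added example: triage of an app-container log for npm findings.
// SAMPLE_LOG lines are copied from the log in the first post of this thread.
const SAMPLE_LOG = `
Dec 05 10:03:42 gyp ERR! stack Error: EROFS: read-only file system, mkdir '/home/cloudron/.cache'
Dec 05 10:03:43 npm WARN saveError EROFS: read-only file system, open '/app/code/package-lock.json.4184476571'
Dec 05 10:03:44 [2020-12-05 18:03:44.684] [INFO] console - found 135 vulnerabilities (68 low, 21 moderate, 44 high, 2 critical)
Dec 05 10:07:16 npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
Dec 05 10:07:17 npm WARN deprecated phantomjs-prebuilt@2.1.16: this package is now deprecated
Dec 05 10:07:18 npm WARN deprecated har-validator@5.1.5: this library is no longer supported
`;

const AUDIT_RE = /found (\d+) vulnerabilit(?:y|ies) \(([^)]*)\)/;
const EROFS_RE = /EROFS: read-only file system, (\w+) '([^']+)'/;
const DEPRECATED_RE = /npm WARN deprecated (\S+?)@([^:\s]+):/;

// Hypothetical helper: split one log into audit, read-only-write and deprecation findings.
function triageNpmLog(text) {
  const report = { audit: null, readOnlyWrites: [], deprecated: [] };
  for (const line of text.split('\n')) {
    let m;
    if ((m = AUDIT_RE.exec(line))) {
      const bySeverity = {};
      for (const part of m[2].split(',')) {
        const [count, severity] = part.trim().split(/\s+/);
        bySeverity[severity] = Number(count);
      }
      // Cross-check: per-severity counts should add up to the reported total.
      const sum = Object.values(bySeverity).reduce((a, b) => a + b, 0);
      report.audit = { total: Number(m[1]), bySeverity, consistent: sum === Number(m[1]) };
    } else if ((m = EROFS_RE.exec(line))) {
      // A write npm or node-gyp attempted at runtime and the read-only filesystem refused.
      report.readOnlyWrites.push({ op: m[1], path: m[2] });
    } else if ((m = DEPRECATED_RE.exec(line))) {
      report.deprecated.push({ name: m[1], version: m[2] });
    }
  }
  return report;
}

// Hypothetical policy: needs attention when any high or critical finding is reported.
function needsAttention(report) {
  const s = (report.audit && report.audit.bySeverity) || {};
  return (s.high || 0) + (s.critical || 0) > 0;
}

console.log(JSON.stringify(triageNpmLog(SAMPLE_LOG), null, 2));
```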