Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Navigation

    Cloudron Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Seems to need an update..

    Etherpad Lite
    4
    7
    2671
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • robi
      robi last edited by

      hundred+ vulnerabilities via npm, various errors and warning in logs

      Dec 05 10:03:41 > dtrace-provider@0.8.8 install /app/code/node_modules/ep_cloudron/node_modules/dtrace-provider
Dec 05 10:03:41 > node-gyp rebuild || node suppress-error.js
Dec 05 10:03:41
Dec 05 10:03:42 gyp WARN install got an error, rolling back install
Dec 05 10:03:42 gyp ERR! configure error
Dec 05 10:03:42 gyp ERR! stack Error: EROFS: read-only file system, mkdir '/home/cloudron/.cache'
Dec 05 10:03:42 gyp ERR! System Linux 4.15.0-118-generic
Dec 05 10:03:42 gyp ERR! command "/usr/local/node-12.16.2/bin/node" "/app/code/src/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
Dec 05 10:03:42 gyp ERR! cwd /app/data/node_modules/ep_cloudron/node_modules/dtrace-provider
Dec 05 10:03:42 gyp ERR! node -v v12.16.2
Dec 05 10:03:42 gyp ERR! node-gyp -v v5.1.0
Dec 05 10:03:42 gyp ERR! not ok
Dec 05 10:03:43 npm WARN saveError ENOENT: no such file or directory, open '/app/code/package.json'
Dec 05 10:03:43 npm WARN saveError EROFS: read-only file system, open '/app/code/package-lock.json.4184476571'
Dec 05 10:03:43 npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.1.1 (node_modules/ep_etherpad-lite/node_modules/chokidar/node_modules/fsevents):
Dec 05 10:03:43 npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
Dec 05 10:03:43 npm WARN enoent ENOENT: no such file or directory, open '/app/code/package.json'
Dec 05 10:03:43 npm WARN code No description
Dec 05 10:03:43 npm WARN code No repository field.
Dec 05 10:03:43 npm WARN code No README data
Dec 05 10:03:43 npm WARN code No license field.
Dec 05 10:03:43 [2020-12-05 18:03:43.486] [ERROR] console -
...
Dec 05 10:03:44 [2020-12-05 18:03:44.684] [INFO] console - found 135 vulnerabilities (68 low, 21 moderate, 44 high, 2 critical)
Dec 05 10:03:44 run `npm audit fix` to fix them, or `npm audit` for details
Dec 05 10:03:46 [2020-12-05 18:03:46.985] [INFO] console - Restarting express server
Dec 05 10:06:43 [2020-12-05 18:06:43.647] [INFO] access - [LEAVE] Pad "B2C4jivs3N": Author "a.bGF8CxTK613yvhbl" on client 4s_HRv2qBt0E1n82AAAA with IP "172.18.0.1" left the pad
Dec 05 10:06:45 [2020-12-05 18:06:45.449] [INFO] access - [ENTER] Pad "B2C4jivs3N": Client -zB3_2yuV2iQAem1AAAC with IP "172.18.0.1" entered the pad
Dec 05 10:06:45 [2020-12-05 18:06:45.450] [WARN] console - ep_themes: a default theme can be set in settings.json
Dec 05 10:06:46 [2020-12-05 18:06:46.976] [WARN] message - Dropped message, unknown Message Type STATS
Dec 05 10:07:16 npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
Dec 05 10:07:17 npm WARN deprecated phantomjs-prebuilt@2.1.16: this package is now deprecated
Dec 05 10:07:18 npm WARN deprecated har-validator@5.1.5: this library is no longer supported
      jdaviescoates 1 Reply Last reply Reply Quote 0
      • jdaviescoates
        jdaviescoates @robi last edited by

        @robi looks like 1.8.6 which is on Cloudron is still the latest release though

        robi 1 Reply Last reply Reply Quote 0
        • robi
          robi @jdaviescoates last edited by

          @jdaviescoates it's not the app it's the stack.. and npm dependencies

          girish 1 Reply Last reply Reply Quote 1
          • girish
            girish Staff @robi last edited by

            @robi I guess this needs to be reported upstream. Not sure what we can do, we can't update packages without knowing what they might break.

            robi 1 Reply Last reply Reply Quote 0
            • robi
              robi @girish last edited by

              @girish not sure that's true, it's only an issue because of the RO FS as npm can't update

              girish 1 Reply Last reply Reply Quote 0
              • girish
                girish Staff @robi last edited by

                @robi Should be down to two major vulnerabilities now hopefully with the latest update. Those two are in the latest release of ep as well. I checked what they are and they are those "protoype pollution" issues.

                1 Reply Last reply Reply Quote 2
                • nebulon
                  nebulon Staff last edited by

                  Since I just looked into this, the errors (or rather warnings) from npm are for one thing, that etherpad does not have a package.json file in the root folder, but relies on the node_modules folder for listing. Also npm by default attempts to check for update of itself, which fails and it should not update on its own, since we only test against specific versions.

                  The vulnerabilities are indeed an issue, however as @girish mentioned we cannot blindly update them, so all those have to be ideally reported upstream with all the relevant plugins even.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post