Seems to need an update..

robi

hundred+ vulnerabilities via npm, various errors and warning in logs

Dec 05 10:03:41 > dtrace-provider@0.8.8 install /app/code/node_modules/ep_cloudron/node_modules/dtrace-provider
Dec 05 10:03:41 > node-gyp rebuild || node suppress-error.js
Dec 05 10:03:41
Dec 05 10:03:42 gyp WARN install got an error, rolling back install
Dec 05 10:03:42 gyp ERR! configure error
Dec 05 10:03:42 gyp ERR! stack Error: EROFS: read-only file system, mkdir '/home/cloudron/.cache'
Dec 05 10:03:42 gyp ERR! System Linux 4.15.0-118-generic
Dec 05 10:03:42 gyp ERR! command "/usr/local/node-12.16.2/bin/node" "/app/code/src/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
Dec 05 10:03:42 gyp ERR! cwd /app/data/node_modules/ep_cloudron/node_modules/dtrace-provider
Dec 05 10:03:42 gyp ERR! node -v v12.16.2
Dec 05 10:03:42 gyp ERR! node-gyp -v v5.1.0
Dec 05 10:03:42 gyp ERR! not ok
Dec 05 10:03:43 npm WARN saveError ENOENT: no such file or directory, open '/app/code/package.json'
Dec 05 10:03:43 npm WARN saveError EROFS: read-only file system, open '/app/code/package-lock.json.4184476571'
Dec 05 10:03:43 npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.1.1 (node_modules/ep_etherpad-lite/node_modules/chokidar/node_modules/fsevents):
Dec 05 10:03:43 npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
Dec 05 10:03:43 npm WARN enoent ENOENT: no such file or directory, open '/app/code/package.json'
Dec 05 10:03:43 npm WARN code No description
Dec 05 10:03:43 npm WARN code No repository field.
Dec 05 10:03:43 npm WARN code No README data
Dec 05 10:03:43 npm WARN code No license field.
Dec 05 10:03:43 [2020-12-05 18:03:43.486] [ERROR] console -
...
Dec 05 10:03:44 [2020-12-05 18:03:44.684] [INFO] console - found 135 vulnerabilities (68 low, 21 moderate, 44 high, 2 critical)
Dec 05 10:03:44 run `npm audit fix` to fix them, or `npm audit` for details
Dec 05 10:03:46 [2020-12-05 18:03:46.985] [INFO] console - Restarting express server
Dec 05 10:06:43 [2020-12-05 18:06:43.647] [INFO] access - [LEAVE] Pad "B2C4jivs3N": Author "a.bGF8CxTK613yvhbl" on client 4s_HRv2qBt0E1n82AAAA with IP "172.18.0.1" left the pad
Dec 05 10:06:45 [2020-12-05 18:06:45.449] [INFO] access - [ENTER] Pad "B2C4jivs3N": Client -zB3_2yuV2iQAem1AAAC with IP "172.18.0.1" entered the pad
Dec 05 10:06:45 [2020-12-05 18:06:45.450] [WARN] console - ep_themes: a default theme can be set in settings.json
Dec 05 10:06:46 [2020-12-05 18:06:46.976] [WARN] message - Dropped message, unknown Message Type STATS
Dec 05 10:07:16 npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
Dec 05 10:07:17 npm WARN deprecated phantomjs-prebuilt@2.1.16: this package is now deprecated
Dec 05 10:07:18 npm WARN deprecated har-validator@5.1.5: this library is no longer supported

jdaviescoates

@robi looks like 1.8.6 which is on Cloudron is still the latest release though

robi

@jdaviescoates it's not the app it's the stack.. and npm dependencies

girish

@robi I guess this needs to be reported upstream. Not sure what we can do, we can't update packages without knowing what they might break.

robi

@girish not sure that's true, it's only an issue because of the RO FS as npm can't update

girish

@robi Should be down to two major vulnerabilities now hopefully with the latest update. Those two are in the latest release of ep as well. I checked what they are and they are those "protoype pollution" issues.