Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Support
  3. Security Issue in cloudron CLI's dependency

Security Issue in cloudron CLI's dependency

Scheduled Pinned Locked Moved Solved Support
cli
2 Posts 2 Posters 439 Views 1 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • njN Offline
      njN Offline
      nj
      wrote on last edited by girish
      #1

      @girish @nebulon While installing the cloudron cli, I got this message. Is this something that we should worry about? Please confirm and fix if required. Thanks!

      nj@mac% npm install cloudron 
      
      up to date, audited 114 packages in 583ms
      
      15 packages are looking for funding
        run `npm fund` for details
      
      2 high severity vulnerabilities
      
      To address all issues (including breaking changes), run:
        npm audit fix --force
      
      Run `npm audit` for details.
      
      nj@mac% npm audit
      # npm audit report
      
      tar-fs  <1.16.2
      Severity: high
      Improper Input Validation in tar-fs - 
      
      https://github.com/advisories/GHSA-x2mc-8fgj-3wmr
      
      fix available via `npm audit fix --force`
      Will install cloudron@0.9.4, which is a breaking change
      node_modules/tar-fs
        cloudron  >=0.9.5
        Depends on vulnerable versions of tar-fs
        node_modules/cloudron
      
      2 high severity vulnerabilities
      
      To address all issues (including breaking changes), run:
        npm audit fix --force
      
      

      Founder / Coder • My Apps

      1 Reply Last reply
      1
      • mehdiM Offline
        mehdiM Offline
        mehdi
        App Dev
        wrote on last edited by
        #2

        Hardened node developer here : long story short, nothing to worry about.

        NPM security warnings are completely broken, they have a near 100% false positive rate (technically, the "vulnerable" dependency is here, but the flaw is, in literally all instances I have seen, not exploitable). An interesting read about this if you want : https://overreacted.io/npm-audit-broken-by-design/

        1 Reply Last reply
        4
        • girishG girish marked this topic as a question on
        • girishG girish has marked this topic as solved on
        Reply
        • Reply as topic
        Log in to reply
        • Oldest to Newest
        • Newest to Oldest
        • Most Votes


          • Login

          • Don't have an account? Register

          • Login or register to search.
          • First post
            Last post
          0
          • Categories
          • Recent
          • Tags
          • Popular
          • Bookmarks
          • Search