`npm install --no-save --omit dev` gives vulnerability warning (node-fetch)
-
The `node-fetch` package, which is used by Reactor for several purposes, was reported to have a security vulnerability, and when you update packages (as is required for the recent 22021 release), you get a warning about it.

NIST currently reports that all versions of `node-fetch` prior to 3.1.1 are vulnerable, but since the 2.x and 3.x release paths are incompatible, I cannot easily or quickly update Reactor to use 3.1.1. Further, the author of the package now reports that version 2.6.7 is patched against the vulnerability. It may take some time before NIST lists this fact on their web site and `npm`'s audit info is also updated. His patch was made a week ago, so it's clearly not an instantaneous process.

If you do `npm ls` in your Reactor install directory (bare metal users only), you will see what version you currently have installed.

DO NOT run `npm audit fix` as recommended by `npm`. This will just break your Reactor installation by installing the incompatible 3.1.1 version. If you do this, you can undo it by running `npm install --no-save --omit dev` again. If that doesn't do it, delete your entire `node_modules` subdirectory and any `package-lock.json` file in the Reactor install directory, and run the command again.
-
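The check the post describes (look at the installed `node-fetch` version, stay on the patched 2.x line, and never let `npm audit fix` pull in the incompatible 3.x line) can be done directly from what is on disk, without waiting for npm's audit database to catch up. The script below is an added example, not code from the post or from Reactor. It assumes the dependency lives at `node_modules/node-fetch/package.json` under the install directory given as its first argument, takes the 2.6.7 patched floor and the 3.x incompatibility boundary from the post, and the script name `check-node-fetch.sh` is just a placeholder.

```shell
#!/bin/sh
# Added example: classify the node-fetch installed under a Reactor install
# directory against the constraints stated in the post. Not Reactor's code;
# the node_modules path, script name and argument convention are assumptions.

PATCHED_MIN="2.6.7"   # release the node-fetch author reports as patched (per the post)
BREAKING_MAJOR=3      # 3.x is API-incompatible with Reactor and must not be installed

# is_numeric_version V: succeed if V (minus any -pre/+build suffix) is digits and dots.
is_numeric_version() {
    case ${1%%[-+]*} in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# vercmp A B: print lt, eq or gt comparing numeric major.minor.patch.
# -pre/+build suffixes are ignored; missing fields count as 0 ("2.6" == "2.6.0").
vercmp() {
    a=${1%%[-+]*}
    b=${2%%[-+]*}
    i=1
    while [ "$i" -le 3 ]; do
        # pad with ".0.0" so a short version still yields three numeric fields
        x=$(printf '%s.0.0\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s.0.0\n' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then echo lt; return 0; fi
        if [ "$x" -gt "$y" ]; then echo gt; return 0; fi
        i=$((i + 1))
    done
    echo eq
}

# node_fetch_status V: print one of
#   incompatible : 3.x or later (what npm audit fix installs; breaks Reactor)
#   vulnerable   : below 2.6.7 (the author's patched release)
#   ok           : 2.6.7 <= V < 3.0.0
#   unknown      : not a parseable version
# and exit non-zero for anything other than ok.
node_fetch_status() {
    is_numeric_version "$1" || { echo unknown; return 1; }
    major=$(printf '%s.0.0\n' "${1%%[-+]*}" | cut -d. -f1)
    if [ "$major" -ge "$BREAKING_MAJOR" ]; then echo incompatible; return 1; fi
    if [ "$(vercmp "$1" "$PATCHED_MIN")" = lt ]; then echo vulnerable; return 1; fi
    echo ok
}

# installed_node_fetch_version DIR: print the version field from
# DIR/node_modules/node-fetch/package.json (assumed location), or fail if absent.
installed_node_fetch_version() {
    pkg="$1/node_modules/node-fetch/package.json"
    [ -f "$pkg" ] || return 1
    v=$(sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# check_install_dir DIR: combined check; prints the status word, exits non-zero unless ok.
check_install_dir() {
    v=$(installed_node_fetch_version "$1") || { echo "no node-fetch under $1/node_modules" >&2; return 2; }
    node_fetch_status "$v"
}

# Usage (assumed): sh check-node-fetch.sh /path/to/reactor
if [ -n "${1:-}" ]; then
    v=$(installed_node_fetch_version "$1") || { echo "no node-fetch under $1/node_modules" >&2; exit 2; }
    s=$(node_fetch_status "$v"); rc=$?
    echo "node-fetch $v: $s"
    exit "$rc"
fi
```

Reading `package.json` out of `node_modules` reports what is actually installed, which is the same fact `npm ls` shows but independent of whether npm's audit data has caught up with the upstream patch, the lag the post describes. A non-zero exit means the installed copy is either unpatched 2.x (re-run `npm install --no-save --omit dev`) or the incompatible 3.x line (the state `npm audit fix` leaves you in).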
Good news. Following instructions when installing 22022 no longer gives a vulnerability warning for me, Ubuntu bare metal.

```text
npm i --no-save --omit dev

up to date, audited 90 packages in 566ms

12 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
---
npm ls

reactor-multi-system@1.0.3-22022
├── @influxdata/influxdb-client@1.22.0
├── @mdi/font@5.9.55
├── body-parser@1.19.1
├── bootstrap-icons@1.5.0
├── bootstrap@4.6.0
├── cookie@0.4.1
├── digest-fetch@1.2.1
├── diskusage-ng@1.0.2
├── express@4.17.2
├── feather-icons@4.28.0
├── font-awesome@4.7.0
├── gridstack@5.0.0
├── jquery-ui-dist@1.12.1
├── jquery@3.6.0
├── js-yaml@3.14.1
├── node-fetch@2.6.7
├── nodemailer@6.7.2
├── qs@6.10.3
├── serve-static@1.14.2
├── uuid@8.3.2
└── ws@7.5.6
```