`npm install --no-save --omit dev` gives vulnerability warning (node-fetch)
- 
The `node-fetch` package, which is used by Reactor for several purposes, was reported to have a security vulnerability, and when you update packages (as is required for the recent 22021 release), you get a warning about it.

NIST currently reports that all versions of `node-fetch` prior to 3.1.1 are vulnerable, but since the 2.x and 3.x release paths are incompatible, I cannot easily or quickly update Reactor to use 3.1.1. Further, the author of the package now reports that version 2.6.7 is patched against the vulnerability. It may take some time before NIST lists this fact on their web site and `npm`'s audit info is also updated. His patch was made a week ago, so it's clearly not an instantaneous process.

If you do `npm ls` in your Reactor install directory (bare metal users only), you will see what version you currently have installed.

DO NOT run `npm audit fix` as recommended by `npm`. This will just break your Reactor installation by installing the incompatible 3.1.1 version. If you do this, you can undo it by running `npm install --no-save --omit dev` again. If that doesn't do it, delete your entire `node_modules` subdirectory and any `package-lock.json` file in the Reactor install directory, and run the command again.
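One way to check which release line of `node-fetch` an install actually has, using the thresholds the post gives (2.6.7 on the 2.x line, 3.1.1 on the 3.x line) and reading the package's own `package.json` rather than running anything that could trigger `npm audit fix`. This is an added example, not Reactor project code; the function names and the constructed `package.json` in `demo` are assumptions.

```shell
#!/bin/sh
# Added example, not Reactor project code: report whether an installed
# node-fetch sits on a patched line using the thresholds from the thread
# (2.6.7 for 2.x, 3.1.1 for 3.x). Reads the package's own package.json,
# so it never invokes npm and cannot trigger "npm audit fix".

# ver_ge A B: exit 0 if dotted version A >= B, comparing numeric components.
ver_ge() {
    a=$1; b=$2; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# node_fetch_status VERSION: prints "patched" (exit 0) or "vulnerable" (exit 1).
node_fetch_status() {
    v=${1%%-*}            # drop any pre-release suffix such as -beta.1
    major=${v%%.*}
    ok=1
    case "$major" in
        2) ver_ge "$v" 2.6.7 && ok=0 ;;
        3) ver_ge "$v" 3.1.1 && ok=0 ;;
    esac
    [ "$ok" -eq 0 ] && echo patched || echo vulnerable
    return "$ok"
}

# installed_node_fetch DIR: version string from DIR/node_modules/node-fetch/package.json
# (the same value `npm ls` shows), or exit 1 if node-fetch is not installed there.
installed_node_fetch() {
    pj=$1/node_modules/node-fetch/package.json
    [ -f "$pj" ] || return 1
    sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1
}

# demo VERSION: build a constructed install tree in a temp dir and classify it.
# Against a real install, call: node_fetch_status "$(installed_node_fetch /path/to/reactor)"
demo() {
    d=$(mktemp -d); mkdir -p "$d/node_modules/node-fetch"
    printf '{\n  "name": "node-fetch",\n  "version": "%s"\n}\n' "$1" > "$d/node_modules/node-fetch/package.json"
    node_fetch_status "$(installed_node_fetch "$d")" && rc=0 || rc=1
    rm -rf "$d"; return "$rc"
}
```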
- 
Good news. Following instructions when installing 22022 no longer gives a vulnerability warning for me, Ubuntu bare metal.

```
npm i --no-save --omit dev

up to date, audited 90 packages in 566ms

12 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```

---

```
npm ls
reactor-multi-system@1.0.3-22022
├── @influxdata/influxdb-client@1.22.0
├── @mdi/font@5.9.55
├── body-parser@1.19.1
├── bootstrap-icons@1.5.0
├── bootstrap@4.6.0
├── cookie@0.4.1
├── digest-fetch@1.2.1
├── diskusage-ng@1.0.2
├── express@4.17.2
├── feather-icons@4.28.0
├── font-awesome@4.7.0
├── gridstack@5.0.0
├── jquery-ui-dist@1.12.1
├── jquery@3.6.0
├── js-yaml@3.14.1
├── node-fetch@2.6.7
├── nodemailer@6.7.2
├── qs@6.10.3
├── serve-static@1.14.2
├── uuid@8.3.2
└── ws@7.5.6
```