When upgrading my Tutanota e-mail Linux client, I've found some errors, possible vulnerabilities.
added 912 packages from 511 contributors and audited 985 packages in 26.881s
16 packages are looking for funding
run `npm fund` for details
found 81 vulnerabilities (79 low, 2 high)
run `npm audit fix` to fix them, or `npm audit` for details
I'm not very familiar with Node.js, so I just tried to use the above commands
npm audit
npm ERR! code EAUDITNOPJSON
npm ERR! audit No package.json found: Cannot audit a project without a package.json
npm ERR! A complete log of this run can be found in:
npm ERR! /home/zbyszek/.npm/_logs/2020-07-01T06_05_55_221Z-debug.log
npm audit fix
npm ERR! code EAUDITNOPJSON
npm ERR! audit No package.json found: Cannot audit a project without a package.json
npm ERR! A complete log of this run can be found in:
npm ERR! /home/zbyszek/.npm/_logs/2020-07-01T06_00_14_635Z-debug.log
The above-mentioned debug log contains this:
0 info it worked if it ends with ok
1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'audit', 'fix' ]
2 info using npm@6.14.5
3 info using node@v14.5.0
4 verbose config Skipping project config: /home/zbyszek/.npmrc. (matches userconfig)
5 verbose npm-session ea92819d9b8544c0
6 verbose stack Error: No package.json found: Cannot audit a project without a package.json
6 verbose stack at /usr/lib/node_modules/npm/lib/audit.js:164:19
6 verbose stack at tryCatcher (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
6 verbose stack at Promise._settlePromiseFromHandler (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:514:35)
6 verbose stack at Promise._settlePromise (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:574:18)
6 verbose stack at Promise._settlePromise0 (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:619:10)
6 verbose stack at Promise._settlePromises (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:699:18)
6 verbose stack at Promise._fulfill (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:643:18)
6 verbose stack at PromiseArray._resolve (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise_array.js:126:19)
6 verbose stack at PromiseArray._promiseFulfilled (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise_array.js:144:14)
6 verbose stack at PromiseArray._iterate (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise_array.js:114:31)
6 verbose stack at PromiseArray.init [as _init] (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise_array.js:78:10)
6 verbose stack at Promise._settlePromise (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:571:21)
6 verbose stack at Promise._settlePromise0 (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:619:10)
6 verbose stack at Promise._settlePromises (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:699:18)
6 verbose stack at Promise._fulfill (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:643:18)
6 verbose stack at PromiseArray._resolve (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise_array.js:126:19)
7 verbose cwd /home/zbyszek
8 verbose Linux 5.7.6-arch1-1
9 verbose argv "/usr/bin/node" "/usr/bin/npm" "audit" "fix"
10 verbose node v14.5.0
11 verbose npm v6.14.5
12 error code EAUDITNOPJSON
13 error audit No package.json found: Cannot audit a project without a package.json
14 verbose exit [ 1, true ]
Is it something I should be worried about, or just skip it?
Last edited by Zibi1981 (2020-07-01 06:10:58)
"... being a Linux user is sort of like living in a house inhabited by a large family of carpenters and architects. Every morning when you wake up, the house is a little different. Maybe there is a new turret, or some walls have moved. Or perhaps someone has temporarily removed the floor under your bed."
MSI Raider GE78HX 13VI-032PL
The error message is quite clear on what the issue is. And so no, you probably can't do much here: if Tutanota depends on vulnerable libs, they depend on vulnerable libs; they have to bump accordingly and test again themselves.
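The failure discussed in this thread, as an added example that is not part of any forum post and is not npm's own code: it extracts the error code, working directory and command from an npm 6 debug log, then checks whether a directory has the files `npm audit` needs. The function names are hypothetical, and the lockfile requirement with its `EAUDITNOLOCK` code is stated from npm 6 behaviour as an assumption, not from the thread.

```javascript
// Added example: diagnose why `npm audit` refused to run (npm 6 log format).
const fs = require('fs');
const path = require('path');

// Excerpt of the debug log posted in the thread (stack frames left out).
const SAMPLE_LOG = `2 info using npm@6.14.5
7 verbose cwd /home/zbyszek
9 verbose argv "/usr/bin/node" "/usr/bin/npm" "audit" "fix"
12 error code EAUDITNOPJSON
13 error audit No package.json found: Cannot audit a project without a package.json`;

// Pull out the three fields that explain the failure: code, cwd, command.
function parseNpmDebugLog(text) {
  const out = { code: null, cwd: null, command: null };
  for (const line of text.split('\n')) {
    let m;
    if ((m = line.match(/^\d+ error code (\S+)/))) {
      out.code = m[1];
    } else if ((m = line.match(/^\d+ verbose cwd (.+)$/))) {
      out.cwd = m[1].trim();
    } else if ((m = line.match(/^\d+ verbose argv (.+)$/))) {
      const argv = [...m[1].matchAll(/"([^"]*)"/g)].map((x) => x[1]);
      out.command = argv.slice(2).join(' '); // drop the node and npm paths
    }
  }
  return out;
}

// `npm audit` works on the project in the current directory: it needs a
// package.json and (assumption from npm 6 behaviour) a lockfile beside it.
function auditPreflight(dir) {
  const has = (f) => fs.existsSync(path.join(dir, f));
  if (!has('package.json')) return { ok: false, reason: 'EAUDITNOPJSON' };
  if (!has('package-lock.json') && !has('npm-shrinkwrap.json')) {
    return { ok: false, reason: 'EAUDITNOLOCK' };
  }
  return { ok: true, reason: null };
}

const parsed = parseNpmDebugLog(SAMPLE_LOG);
console.log(parsed, auditPreflight(parsed.cwd));
```

The log shows the command ran with the home directory as `cwd`, which is not a project root, so there was nothing for npm to audit there regardless of what the installed client depends on.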
OK, thanks for clarification.