You are not logged in.

#1 2020-07-01 06:10:28

Zibi1981
Member
From: Poland
Registered: 2008-01-31
Posts: 628

Node.js vulnerabilities that cannot be automatically fixed?

When up-grading my Tutanota e-mail Linux client, I've found some errors, possible vulneralbilities.

added 912 packages from 511 contributors and audited 985 packages in 26.881s

16 packages are looking for funding
  run `npm fund` for details

found 81 vulnerabilities (79 low, 2 high)
  run `npm audit fix` to fix them, or `npm audit` for details

I'm not very familiar with Node.js, so I just tried to use the above commands

npm audit
npm ERR! code EAUDITNOPJSON
npm ERR! audit No package.json found: Cannot audit a project without a package.json

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/zbyszek/.npm/_logs/2020-07-01T06_05_55_221Z-debug.log
npm audit fix
npm ERR! code EAUDITNOPJSON
npm ERR! audit No package.json found: Cannot audit a project without a package.json

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/zbyszek/.npm/_logs/2020-07-01T06_00_14_635Z-debug.log

The above mentioned debug log contains this

0 info it worked if it ends with ok
1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'audit', 'fix' ]
2 info using npm@6.14.5
3 info using node@v14.5.0
4 verbose config Skipping project config: /home/zbyszek/.npmrc. (matches userconfig)
5 verbose npm-session ea92819d9b8544c0
6 verbose stack Error: No package.json found: Cannot audit a project without a package.json
6 verbose stack     at /usr/lib/node_modules/npm/lib/audit.js:164:19
6 verbose stack     at tryCatcher (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
6 verbose stack     at Promise._settlePromiseFromHandler (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:514:35)
6 verbose stack     at Promise._settlePromise (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:574:18)
6 verbose stack     at Promise._settlePromise0 (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:619:10)
6 verbose stack     at Promise._settlePromises (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:699:18)
6 verbose stack     at Promise._fulfill (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:643:18)
6 verbose stack     at PromiseArray._resolve (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise_array.js:126:19)
6 verbose stack     at PromiseArray._promiseFulfilled (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise_array.js:144:14)
6 verbose stack     at PromiseArray._iterate (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise_array.js:114:31)
6 verbose stack     at PromiseArray.init [as _init] (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise_array.js:78:10)
6 verbose stack     at Promise._settlePromise (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:571:21)
6 verbose stack     at Promise._settlePromise0 (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:619:10)
6 verbose stack     at Promise._settlePromises (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:699:18)
6 verbose stack     at Promise._fulfill (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:643:18)
6 verbose stack     at PromiseArray._resolve (/usr/lib/node_modules/npm/node_modules/bluebird/js/release/promise_array.js:126:19)
7 verbose cwd /home/zbyszek
8 verbose Linux 5.7.6-arch1-1
9 verbose argv "/usr/bin/node" "/usr/bin/npm" "audit" "fix"
10 verbose node v14.5.0
11 verbose npm  v6.14.5
12 error code EAUDITNOPJSON
13 error audit No package.json found: Cannot audit a project without a package.json
14 verbose exit [ 1, true ]

Is it something I should be worried with oraz just skip it?

Last edited by Zibi1981 (2020-07-01 06:10:58)


"... being a Linux user is sort of like living in a house inhabited by a large family of carpenters and architects. Every morning when you wake up, the house is a little different. Maybe there is a new turret, or some walls have moved. Or perhaps someone has temporarily removed the floor under your bed."

MSI Raider GE78HX 13VI-032PL

Offline

#2 2020-07-01 09:37:20

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,425

Re: Node.js vulnerabilities that cannot be automatically fixed?

The error message is quite clear on what the issue is. And so no you probably can't do much here, if the Tutanota depend on vulnerable libs they depend on vulnerable libs, they have to bump accordingly and test again themselves.

Offline

#3 2020-07-08 20:53:43

Zibi1981
Member
From: Poland
Registered: 2008-01-31
Posts: 628

Re: Node.js vulnerabilities that cannot be automatically fixed?

OK, thanks for clarification.


"... being a Linux user is sort of like living in a house inhabited by a large family of carpenters and architects. Every morning when you wake up, the house is a little different. Maybe there is a new turret, or some walls have moved. Or perhaps someone has temporarily removed the floor under your bed."

MSI Raider GE78HX 13VI-032PL

Offline

Board footer

Powered by FluxBB