Installing dependencies
Security issue and error when installing dependencies for the developer version on Linux: I get warnings saying that some of the dependencies are deprecated.
The reason this is a problem is that using deprecated dependencies is bad and could lead to bugs or to it not working at all. This is also a big security issue because it uses outdated software. Some of the dependencies have been renamed and, as you will see later, it will be easy to fix.
Min Version:
- The latest version (I think). I downloaded it from the main GitHub page and downloaded/extracted the zip.
Operating system:
- I'm on a Raspberry Pi 4, with the Raspberry Pi Bookworm release at the latest version (it is a Debian-based Linux distro, 64-bit).
Expected Behavior
The expected behavior is for it to show no errors and install the needed dependencies.
Actual Behavior
It shows many warnings.
When I run npm install (while in the main directory of min) it installs all of the things I need, but some of them are no longer being maintained.
Output:
npm WARN deprecated @npmcli/[email protected]: This functionality has been moved to @npmcli/fs
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: Please use @electron/asar moving forward. There is no API change, just a package name change
npm WARN deprecated [email protected]: Please use @electron/notarize moving forward. There is no API change, just a package name change
npm WARN deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm WARN deprecated [email protected]: Please use @electron/osx-sign moving forward. Be aware the API is slightly different
npm WARN deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: Please use @electron/packager moving forward. There is no API change, just a package name change
npm WARN deprecated [email protected]: Please use @electron/rebuild moving forward. There is no API change, just a package name change
To Reproduce
The steps I took to show this: download the GitHub "Min" zip, extract it to a folder (in my case min-master) and use npm install to install the needed packages for the development of min (I would like to help with min, so I followed the development instructions).
The error is in the npm install output.
Full Output
username@hostname:~/Downloads/min-master $ npm install
npm WARN deprecated @npmcli/[email protected]: This functionality has been moved to @npmcli/fs
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: Please use @electron/asar moving forward. There is no API change, just a package name change
npm WARN deprecated [email protected]: Please use @electron/notarize moving forward. There is no API change, just a package name change
npm WARN deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm WARN deprecated [email protected]: Please use @electron/osx-sign moving forward. Be aware the API is slightly different
npm WARN deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm WARN deprecated [email protected]: This package is no longer supported.
npm WARN deprecated [email protected]: Please use @electron/packager moving forward. There is no API change, just a package name change
npm WARN deprecated [email protected]: Please use @electron/rebuild moving forward. There is no API change, just a package name change
> [email protected] postinstall
> node ./scripts/setupDevEnv.js
added 952 packages, and audited 953 packages in 8m
133 packages are looking for funding
run `npm fund` for details
12 vulnerabilities (6 moderate, 6 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
I will also be making a security issue, because this is also a big security issue.
npm audit report
# npm audit report
app-builder-lib <=24.13.1
Severity: high
Depends on vulnerable versions of @electron/universal
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only) - https://github.com/advisories/GHSA-r4pf-3v7r-hh55
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/app-builder-lib
dmg-builder 5.0.0 - 24.13.1
Depends on vulnerable versions of app-builder-lib
node_modules/dmg-builder
electron-builder 5.6.1 - 24.13.1
Depends on vulnerable versions of app-builder-lib
Depends on vulnerable versions of dmg-builder
Depends on vulnerable versions of update-notifier
node_modules/electron-builder
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/electron-packager/node_modules/got
node_modules/package-json/node_modules/got
@electron/get <=1.14.1
Depends on vulnerable versions of got
node_modules/electron-packager/node_modules/@electron/get
electron-packager 14.0.0 - 15.5.2
Depends on vulnerable versions of @electron/get
node_modules/electron-packager
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dir-compare/node_modules/minimatch
dir-compare <=2.4.0
Depends on vulnerable versions of minimatch
node_modules/dir-compare
@electron/universal 1.0.1 - 1.3.3
Depends on vulnerable versions of dir-compare
node_modules/@electron/universal
12 vulnerabilities (6 moderate, 6 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Hello,
I do agree that it makes sense to update dependencies more regularly. The existence of a vulnerability in a dependency does not necessarily mean that we are affected - for example, many of our dependencies are used only in development to build the code. The first vulnerability in the audit report looks potentially applicable, but since we do not use electron-builder to generate the Windows installer, I believe we are not affected (source).
I have upgraded some of the dependencies here, which addresses the top things in the list: b2c6cd7e5fda271e7f388d0cd1398fc791d9a1a5. The remaining issues identified by NPM are issues for which there doesn't seem to be an update to the top-level package available, and I don't believe we're affected by them also.
Thanks for opening the security report; it's always best to open a report if there is a potential concern, since those go to the top of my inbox. Since a) you've already posted this issue publicly with the same information, and b) I don't believe there's a specific vulnerability to address, I'm going to close it and leave further discussion in this issue.
Thanks, I'm new to npm and just started working with Min yesterday. I didn't know that some of them were only used for building in dev mode, so I posted a security concern because it's (like you said) always good to update dependencies. Some of the dependencies have just been renamed, and I think it would be good to use the newer versions if possible. I'm not super sure how to do any of that, though.
Yup, I don't want to discourage opening security reports, it's good to do if there's any possibility of an issue.
"Some of the dependencies have just been renamed and i think it wold be good to use the newer versions if possible"
After my change in b2c6cd7e5fda271e7f388d0cd1398fc791d9a1a5; I don't think this is the case anymore - do you still see any where this is the case on the main branch?