"1 high severity vulnerability" related to npm during installation
Installing MagicMirror per https://docs.magicmirror.builders/getting-started/installation.html#manual-installation , I received the security warning below regarding npm.
What changes are needed in the installation procedure?
> [email protected] prepare
> [ -f node_modules/.bin/husky ] && husky install || echo no husky installed.
no husky installed.
added 265 packages, and audited 266 packages in 1m
20 packages are looking for funding
run `npm fund` for details
1 high severity vulnerability
To address all issues, run:
npm audit fix
Run `npm audit` for details.
npm notice
npm notice New minor version of npm available! 8.5.5 -> 8.11.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v8.11.0
npm notice Run npm install -g npm@8.11.0 to update!
npm notice
pi@raspberrypi:~/MagicMirror $
please ignore the messages. nothing we can do about them. the audit fix causes more trouble than it fixes.
we haven't tested with npm 8.
next mm release July 1
also mm is not an incoming web server where almost all the vulnerabilities live
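One way to see what `npm audit fix` would have to change before deciding whether to run it, as an added example that is not part of the thread or of MagicMirror's code: it reads a report in the `npm audit --json` format (auditReportVersion 2, npm 7 and later) and separates findings fixable within the declared ranges from those that need a forced upgrade or have no fix. The sample report and its package names are constructed.

```javascript
// Constructed sample in the `npm audit --json` format (auditReportVersion 2).
// Package names are hypothetical, not taken from the MagicMirror install.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser", severity: "high", isDirect: false,
      via: [{ title: "Constructed advisory: ReDoS", severity: "high" }],
      fixAvailable: { name: "example-build-tool", version: "5.0.0", isSemVerMajor: true },
    },
    "example-build-tool": {
      name: "example-build-tool", severity: "high", isDirect: true,
      via: ["example-parser"], // a string names another vulnerable package
      fixAvailable: { name: "example-build-tool", version: "5.0.0", isSemVerMajor: true },
    },
    "example-util": {
      name: "example-util", severity: "moderate", isDirect: false,
      via: [{ title: "Constructed advisory: prototype pollution", severity: "moderate" }],
      fixAvailable: true,
    },
    "example-legacy": {
      name: "example-legacy", severity: "high", isDirect: false,
      via: [{ title: "Constructed advisory: path traversal", severity: "high" }],
      fixAvailable: false,
    },
  },
};

const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Sort findings by what `npm audit fix` would have to do to resolve them.
function triageAudit(report, minSeverity = "high") {
  if (report.auditReportVersion !== 2) throw new Error("expected auditReportVersion 2");
  const floor = SEVERITIES.indexOf(minSeverity);
  if (floor < 0) throw new Error(`unknown severity: ${minSeverity}`);
  const out = { inRange: [], forced: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    if (SEVERITIES.indexOf(v.severity) < floor) continue;
    // Objects in `via` are the advisories themselves (root causes).
    const advisories = (v.via || []).filter((x) => typeof x === "object").map((x) => x.title);
    const entry = { name: v.name, severity: v.severity, direct: v.isDirect, advisories };
    const fix = v.fixAvailable;
    if (fix === true) out.inRange.push(entry); // fixable within declared ranges
    else if (!fix) out.noFix.push(entry); // no patched version to move to
    // An object means a top-level dependency must leave its declared range (--force).
    else out.forced.push({ ...entry, install: `${fix.name}@${fix.version}`, major: !!fix.isSemVerMajor });
  }
  return out;
}

console.log(JSON.stringify(triageAudit(sampleReport), null, 2));
```

To run it on a real install, save the output of `npm audit --json` and pass the parsed object to `triageAudit`; `npm audit fix --dry-run` shows the resulting tree changes without writing them.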
I request an update to the documentation to ignore the message, as most will apply the security fix.
You are welcome to open a PR for this. "Requesting" stuff from an open-source project just like this is (in my opinion at least) not very polite.
See the note on the pull request asking why the site does not reflect the merge: https://github.com/MichMich/MagicMirror-Documentation/pull/116#issuecomment-1146006095
I don't know, maybe @MichMich has to trigger a deployment?
The automated build process seems to give an error. Not sure what causes this. Need to take a look at it after this weekend:
Wed Jun 1 12:45:01 CEST 2022
[Laravel Forge] Your server is running an older version of Ubuntu (16.04).
We recommend that you provision a new server and manually migrate your sites and resources.
You should not attempt to upgrade a server as this may have unintended side effects.
From github.com:MichMich/MagicMirror-Documentation
* branch master -> FETCH_HEAD
Already up-to-date.
yarn install v1.21.1
warning package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to avoid resolution inconsistencies caused by unsynchronized lock files. To clear this warning, remove package-lock.json.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 4.93s.
wait Extracting site metadata...
tip Apply local theme at /home/forge/docs.magicmirror.builders/.vuepress/theme...
tip Apply theme local (extends @vuepress/theme-default) ...
tip Apply plugin container (i.e. "vuepress-plugin-container") ...
tip Apply plugin @vuepress/last-updated (i.e. "@vuepress/plugin-last-updated") ...
tip Apply plugin @vuepress/register-components (i.e. "@vuepress/plugin-register-components") ...
tip Apply plugin @vuepress/active-header-links (i.e. "@vuepress/plugin-active-header-links") ...
tip Apply plugin @vuepress/search (i.e. "@vuepress/plugin-search") ...
tip Apply plugin @vuepress/nprogress (i.e. "@vuepress/plugin-nprogress") ...
tip Apply plugin @vuepress/back-to-top (i.e. "@vuepress/plugin-back-to-top") ...
tip Apply plugin @vuepress/google-analytics (i.e. "@vuepress/plugin-google-analytics") ...
ℹ Compiling Client
ℹ Compiling Server
node:internal/crypto/hash:67
this[kHandle] = new _Hash(algorithm, xofLen);
^
Error: error:0308010C:digital envelope routines::unsupported
at new Hash (node:internal/crypto/hash:67:19)
at Object.createHash (node:crypto:135:10)
at module.exports (/usr/local/lib/node_modules/vuepress/node_modules/webpack/lib/util/createHash.js:135:53)
at NormalModule._initBuildHash (/usr/local/lib/node_modules/vuepress/node_modules/webpack/lib/NormalModule.js:417:16)
at handleParseError (/usr/local/lib/node_modules/vuepress/node_modules/webpack/lib/NormalModule.js:471:10)
at /usr/local/lib/node_modules/vuepress/node_modules/webpack/lib/NormalModule.js:503:5
at /usr/local/lib/node_modules/vuepress/node_modules/webpack/lib/NormalModule.js:358:12
at /usr/local/lib/node_modules/vuepress/node_modules/loader-runner/lib/LoaderRunner.js:373:3
at iterateNormalLoaders (/usr/local/lib/node_modules/vuepress/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
at Array.<anonymous> (/usr/local/lib/node_modules/vuepress/node_modules/loader-runner/lib/LoaderRunner.js:205:4)
at Storage.finished (/usr/local/lib/node_modules/vuepress/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:55:16)
at /usr/local/lib/node_modules/vuepress/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:91:9
at /usr/local/lib/node_modules/vuepress/node_modules/graceful-fs/graceful-fs.js:115:16
at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/fs/read_file_context:68:3) {
opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
Node.js v17.7.2
HEAD is now at 7e775cf Merge pull request #116 from paulsp/patch-1
maybe this is helpful ...
[Laravel Forge] Your server is running an older version of Ubuntu (16.04).
need to migrate the base test platform
2.21.0 adds new parms to install to turn off audit messages
there is new documentation with new release v2.21.0, should be closed @paulsp @MichMich