Outdated frontend dependencies
The dependency graph for the project is quite the mess right now. There's a lot of conflicting dependencies (mostly on react) and a few dependencies that are either unmaintained or deprecated.
I'll add install and audit logs in comments below.
I suggest removing one-off and unnecessary dependencies first, migrating to the latest React + NextJS versions, and then re-reviewing the audit results.
npm i gives:
ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react
npm WARN react@"17.0.2" from the root project
npm WARN 98 more (@ant-design/icons, @ant-design/react-slick, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"^16.8.6" from [email protected]
npm WARN node_modules/react-toggle-component
npm WARN react-toggle-component@"^3.0.8" from [email protected]
npm WARN node_modules/addon-screen-reader
npm WARN
npm WARN Conflicting peer dependency: [email protected]
npm WARN node_modules/react
npm WARN peer react@"^16.8.6" from [email protected]
npm WARN node_modules/react-toggle-component
npm WARN react-toggle-component@"^3.0.8" from [email protected]
npm WARN node_modules/addon-screen-reader
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react-dom
npm WARN react-dom@"17.0.2" from the root project
npm WARN 80 more (@ant-design/icons, @design-systems/utils, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react-dom@"^16.8.6" from [email protected]
npm WARN node_modules/react-toggle-component
npm WARN react-toggle-component@"^3.0.8" from [email protected]
npm WARN node_modules/addon-screen-reader
npm WARN
npm WARN Conflicting peer dependency: [email protected]
npm WARN node_modules/react-dom
npm WARN peer react-dom@"^16.8.6" from [email protected]
npm WARN node_modules/react-toggle-component
npm WARN react-toggle-component@"^3.0.8" from [email protected]
npm WARN node_modules/addon-screen-reader
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react
npm WARN react@"17.0.2" from the root project
npm WARN 98 more (@ant-design/icons, @ant-design/react-slick, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"^16.8.0" from [email protected]
npm WARN node_modules/react-toggle-component/node_modules/react-use
npm WARN react-use@"^13.2.1" from [email protected]
npm WARN node_modules/react-toggle-component
npm WARN
npm WARN Conflicting peer dependency: [email protected]
npm WARN node_modules/react
npm WARN peer react@"^16.8.0" from [email protected]
npm WARN node_modules/react-toggle-component/node_modules/react-use
npm WARN react-use@"^13.2.1" from [email protected]
npm WARN node_modules/react-toggle-component
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react-dom
npm WARN react-dom@"17.0.2" from the root project
npm WARN 80 more (@ant-design/icons, @design-systems/utils, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react-dom@"^16.8.0" from [email protected]
npm WARN node_modules/react-toggle-component/node_modules/react-use
npm WARN react-use@"^13.2.1" from [email protected]
npm WARN node_modules/react-toggle-component
npm WARN
npm WARN Conflicting peer dependency: [email protected]
npm WARN node_modules/react-dom
npm WARN peer react-dom@"^16.8.0" from [email protected]
npm WARN node_modules/react-toggle-component/node_modules/react-use
npm WARN react-use@"^13.2.1" from [email protected]
npm WARN node_modules/react-toggle-component
npm audit gives:
# npm audit report
glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @storybook/[email protected], which is a breaking change
node_modules/cpy/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/@storybook/builder-webpack4/node_modules/watchpack
node_modules/@storybook/core-common/node_modules/watchpack
node_modules/@storybook/core-server/node_modules/webpack/node_modules/watchpack
node_modules/@storybook/manager-webpack4/node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/@storybook/builder-webpack4/node_modules/webpack
node_modules/@storybook/core-common/node_modules/webpack
node_modules/@storybook/core-server/node_modules/webpack
node_modules/@storybook/manager-webpack4/node_modules/webpack
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/cpy/node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/cpy/node_modules/globby
cpy 7.0.0 - 8.1.2
Depends on vulnerable versions of globby
node_modules/cpy
@storybook/core-server <=7.0.0-alpha.6
Depends on vulnerable versions of @storybook/csf-tools
Depends on vulnerable versions of cpy
node_modules/@storybook/core-server
@storybook/core >=6.2.0-alpha.0
Depends on vulnerable versions of @storybook/core-server
node_modules/@storybook/core
@storybook/react 6.2.0-alpha.0 - 6.5.11-alpha.1
Depends on vulnerable versions of @storybook/core
node_modules/@storybook/react
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
@storybook/cli *
Depends on vulnerable versions of @storybook/codemod
Depends on vulnerable versions of @storybook/csf-tools
Depends on vulnerable versions of update-notifier
node_modules/@storybook/cli
sb >=5.1.11
Depends on vulnerable versions of @storybook/cli
node_modules/sb
trim <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/trim
remark-parse <=8.0.3
Depends on vulnerable versions of trim
node_modules/remark-parse
@mdx-js/mdx <=1.6.22
Depends on vulnerable versions of remark-mdx
Depends on vulnerable versions of remark-parse
node_modules/@mdx-js/mdx
@storybook/codemod >=5.2.0-alpha.0
Depends on vulnerable versions of @mdx-js/mdx
Depends on vulnerable versions of @storybook/csf-tools
node_modules/@storybook/codemod
@storybook/mdx1-csf *
Depends on vulnerable versions of @mdx-js/mdx
node_modules/@storybook/mdx1-csf
@storybook/addon-docs >=6.5.0-alpha.1
Depends on vulnerable versions of @storybook/mdx1-csf
node_modules/@storybook/addon-docs
@storybook/addon-essentials >=6.5.0-alpha.1
Depends on vulnerable versions of @storybook/addon-docs
node_modules/@storybook/addon-essentials
@storybook/csf-tools 6.5.0-alpha.1 - 6.5.11-alpha.1
Depends on vulnerable versions of @storybook/mdx1-csf
node_modules/@storybook/csf-tools
remark-mdx <=1.6.22
Depends on vulnerable versions of remark-parse
node_modules/remark-mdx
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
28 vulnerabilities (5 moderate, 23 high)
Thank you!
As a first step I'll force updates to all the packages in the webv2 branch that are pending in the Dependency Dashboard:
https://github.com/owncast/owncast/issues/1761
Unfortunately I wasn't able to figure out what's to blame. We already keep the packages more or less up to date (except huge breaking changes such as #2077), so I wasn't able to find anything that stood out that is causing problems.
Good First Issue
This item was marked as a good first issue because of the following:
- It's self contained as a single feature or change.
- Is clear when it's complete.
- You do not need deep knowledge of Owncast to accomplish it.
Next Steps
- Comment on this issue before starting work so it can be assigned to you. Also, this issue may have been filed with limited detail or changes may have occurred that are worth sharing with you before you start work.
- Drop by our community chat if you'd like to be involved in more real-time discussion around Owncast to talk about this change.
- Make sure you can build and run the project from source.
Notes
- Current web work is taking place in the `webv2` branch and it is very much work in progress. Read the README for this branch to get the web project running. But it's mostly just a `npm install` and `npm run dev`.
- We use Storybook for testing and developing React components: `npm run storybook`.
- If you need to install the Go programming language to run the Owncast backend it's simple from here.
As I was trying to pick at dependencies in #2198, I came across the idea that vulnerabilities in devDependencies won't be shipped to a production build. We can exclude those using npm audit --omit=dev. The storybook stuff is really for development use only, so we bumped @storybook/react over to devDependencies.
Currently it's looking much better, but as far as my npm-newbie self can tell, there's no version of video.js that doesn't have (or depend on something that has) a vulnerability. 🙃
% npm audit --omit=dev
# npm audit report
@xmldom/xmldom <0.8.3
Severity: moderate
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom - https://github.com/advisories/GHSA-9pgh-qqpf-7wqj
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@xmldom/xmldom
mpd-parser >=0.19.0
Depends on vulnerable versions of @xmldom/xmldom
node_modules/mpd-parser
@videojs/http-streaming >=2.10.2
Depends on vulnerable versions of mpd-parser
node_modules/@videojs/http-streaming
video.js >=7.15.3
Depends on vulnerable versions of @videojs/http-streaming
Depends on vulnerable versions of mpd-parser
node_modules/video.js
4 moderate severity vulnerabilities
There still is a lot of the original output from npm install, though.
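Reading the audit tree above by hand gets tedious once chains get long. The following added example (not Owncast's own code) walks the JSON form of the same report, as produced by `npm audit --omit=dev --json` (auditReportVersion 2), from each root advisory up its `effects` edges to the direct dependencies that pull it in, so the maintainer sees which `package.json` entry actually needs bumping. The report object is constructed here to mirror the video.js chain shown above, not taken from a real audit run.

```javascript
// Constructed audit report modelled on the `npm audit --omit=dev` output in this
// thread. In a real run you would do: JSON.parse(execSync("npm audit --json")).
const constructedReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "@xmldom/xmldom": {
      name: "@xmldom/xmldom", severity: "moderate", isDirect: false, range: "<0.8.3",
      // Root advisories carry advisory objects in `via`; transitive entries carry package names.
      via: [{ name: "@xmldom/xmldom", title: "Prototype Pollution in @xmldom/xmldom",
              range: "<0.8.3", url: "https://github.com/advisories/GHSA-9pgh-qqpf-7wqj" }],
      effects: ["mpd-parser"], nodes: ["node_modules/@xmldom/xmldom"],
    },
    "mpd-parser": { name: "mpd-parser", severity: "moderate", isDirect: false, range: ">=0.19.0",
      via: ["@xmldom/xmldom"], effects: ["@videojs/http-streaming", "video.js"] },
    "@videojs/http-streaming": { name: "@videojs/http-streaming", severity: "moderate",
      isDirect: false, range: ">=2.10.2", via: ["mpd-parser"], effects: ["video.js"] },
    "video.js": { name: "video.js", severity: "moderate", isDirect: true, range: ">=7.15.3",
      via: ["@videojs/http-streaming", "mpd-parser"], effects: [] },
  },
};

// Entries whose `via` contains at least one advisory object are the actual findings;
// every other entry is flagged only because it depends on one of these.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"));
}

// Follow `effects` edges from `name` until a direct dependency (isDirect) is reached.
// Returns every path as an array of package names; `seen` guards against cycles.
function chainsToDirect(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return [];
  if (v.isDirect) return [[name]];
  const next = new Set(seen).add(name);
  return v.effects.flatMap((e) =>
    chainsToDirect(report, e, next).map((chain) => [name, ...chain]));
}

// One summary row per root advisory: severity, advisory URLs, the direct dependencies
// that must change to clear it, and the full dependency chains for the report.
function summarize(report) {
  return rootAdvisories(report).map((v) => {
    const chains = chainsToDirect(report, v.name);
    return {
      advisory: v.name, severity: v.severity,
      urls: v.via.filter((x) => typeof x === "object").map((x) => x.url),
      directDeps: [...new Set(chains.map((c) => c[c.length - 1]))],
      chains: chains.map((c) => c.join(" -> ")),
    };
  });
}
```

For the constructed report this yields a single row pointing at `video.js` as the only direct dependency to act on, which matches the thread's conclusion that no fix is available short of a video.js change.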
Closing this in favor of future specific actionable items. As packages require upgrading they can be filed.