
Vulnerabilities Warning then npm install

Open ChristianWieden opened this issue 11 months ago • 2 comments

Describe the bug Tried installing a spacebar instance for the first time, and followed the https://docs.spacebar.chat/setup/server/#setup guide. In the npm i step I get a ton of security vulnerabilities, so I didn't proceed further with the guide.

To Reproduce Steps to reproduce the behavior:

  1. Installed a fresh Ubuntu 24.04 LTS Server
  2. Installed nodejs v20 LTS (via curl -fsSL https://deb.nodesource.com/setup_20.x, inspected the script and then executed it)
  3. Added a user spacebar with home directory
  4. Forbade ssh login for the spacebar user
  5. su to the spacebar user
  6. Then followed the setup guide up to npm i

Expected behavior No Security Vulnerabilities if possible

Console Logs

~/server$ npm i
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: Please upgrade to consolidate v1.0.0+ as it has been modernized with several long-awaited fixes implemented. Maintenance is supported by Forward Email at https://forwardemail.net ; follow/watch https://github.com/ladjs/consolidate for updates and release changelog
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.
npm warn deprecated [email protected]: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net
npm warn deprecated @npmcli/[email protected]: This functionality has been moved to @npmcli/fs
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This package is no longer supported.
npm warn deprecated [email protected]: This package is no longer supported.

[email protected] postinstall npx patch-package

Need to install the following packages: [email protected] Ok to proceed? (y) y

npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
patch-package 8.0.0
Applying patches...
[email protected][email protected][email protected][email protected]

[email protected] prepare husky install

install command is DEPRECATED

added 919 packages, and audited 920 packages in 39s

118 packages are looking for funding run npm fund for details

14 vulnerabilities (5 moderate, 6 high, 3 critical)

To address issues that do not require attention, run: npm audit fix

Some issues need review, and may require choosing a different dependency.

Run npm audit for details.
npm notice
npm notice New major version of npm available! 10.8.2 -> 11.0.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.0.0
npm notice To update run: npm install -g [email protected]
npm notice

System Information (please complete the following information):

  • OS: Ubuntu
  • Version: Ubuntu 24.04 LTS
  • Node Version: 20.18.1
  • Python 3 Version: 3.12.e

Env and Software info

  • Release: [e.g. 0.1.0]
  • Branch (if release is not applicable): [e.g Staging]
  • Commit Hash (if release is not applicable): [e.g 401eda069a3ced17f1c43294d19765663cb8dcb7]
  • Database: [e.g Postgres 14]
  • Reverse Proxy: nginx
  • Thread Count: [e.g 1]

Additional context Add any other context about the problem here.

ChristianWieden avatar Jan 19 '25 13:01 ChristianWieden

Same, I've used the dockerfile from https://github.com/spacebarchat/docker to build my own docker container, but get the following output in the git-runner log.

#16 39.01 npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
#16 42.54 npm warn deprecated [email protected]: This package is no longer supported.
#16 47.07 npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
#16 47.75 npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
#16 52.00 npm warn deprecated [email protected]: Please upgrade to consolidate v1.0.0+ as it has been modernized with several long-awaited fixes implemented. Maintenance is supported by Forward Email at https://forwardemail.net ; follow/watch https://github.com/ladjs/consolidate for updates and release changelog
#16 52.40 npm warn deprecated [email protected]: This package is no longer supported.
#16 52.85 npm warn deprecated [email protected]: This package is no longer supported.
#16 61.56 npm warn deprecated @npmcli/[email protected]: This functionality has been moved to @npmcli/fs
#16 61.93 npm warn deprecated [email protected]: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.
#16 68.03 npm warn deprecated [email protected]: Please upgrade to v9.0.0+ as we have fixed a public vulnerability with formidable dependency. Note that v9.0.0+ requires Node.js v14.18.0+. See https://github.com/ladjs/superagent/pull/1800 for insight. This project is supported and maintained by the team at Forward Email @ https://forwardemail.net
#16 68.22 npm warn deprecated [email protected]: This package is no longer supported.
#16 68.22 npm warn deprecated [email protected]: This package is no longer supported.
#16 71.24 npm warn deprecated [email protected]: This package is no longer supported.
#16 166.5 npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
#16 166.8 npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
#16 166.9 npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported

liamthexpl0rer avatar Mar 11 '25 20:03 liamthexpl0rer

These are transitive dependencies, I don't think we can fix anything here ourselves?

TheArcaneBrony avatar Apr 09 '25 13:04 TheArcaneBrony
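Added example, not code from the Spacebar project or from anyone in this thread: a Python triage of `npm audit --json` output (auditReportVersion 2 layout) that keeps only the packages carrying their own advisory, traces each transitive finding back through `effects` to the direct dependency that pulls it in, and classifies whether npm offers a fix, which is the information needed to decide what a downstream project can and cannot address itself. The sample report is constructed; apart from formidable and superagent, which the thread's log names, the package names and advisories are made up.

```python
import json

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2), trimmed to
# the fields used below. Names and advisories are illustrative, not Spacebar's real tree.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "formidable": {"severity": "high", "isDirect": False, "effects": ["superagent"],
                   "via": [{"title": "constructed advisory", "severity": "high"}],
                   "fixAvailable": {"name": "superagent", "version": "9.0.0", "isSemVerMajor": True}},
    "superagent": {"severity": "high", "isDirect": True, "effects": [],
                   "via": ["formidable"], "fixAvailable": True},
    "vm-sandbox-x": {"severity": "critical", "isDirect": False, "effects": ["template-lib-x"],
                     "via": [{"title": "constructed advisory", "severity": "critical"}],
                     "fixAvailable": False},
    "template-lib-x": {"severity": "critical", "isDirect": True, "effects": [],
                       "via": ["vm-sandbox-x"], "fixAvailable": False},
}})


def direct_roots(vulns, name, seen=None):
    """Walk `effects` upward to the direct dependencies that pull `name` into the tree."""
    seen = set() if seen is None else seen
    if name in seen or name not in vulns:
        return set()
    seen.add(name)
    if vulns[name].get("isDirect"):
        return {name}
    return set().union(*(direct_roots(vulns, p, seen) for p in vulns[name].get("effects", [])))


def fix_kind(fix_available):
    """Classify npm's fixAvailable: False (none), True (plain fix) or a dict (major bump)."""
    if not fix_available:
        return "none"
    if isinstance(fix_available, dict) and fix_available.get("isSemVerMajor"):
        return "semver-major"
    return "npm audit fix"


def triage(audit_json):
    """One finding per package with its own advisory (a dict in `via`), with its root causes."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    findings = []
    for name, entry in vulns.items():
        if not any(isinstance(v, dict) for v in entry["via"]):
            continue  # only vulnerable through a child package; reported under that one
        findings.append({"package": name, "severity": entry["severity"],
                         "direct": bool(entry.get("isDirect")),
                         "pulled_in_by": sorted(direct_roots(vulns, name)),
                         "fix": fix_kind(entry.get("fixAvailable"))})
    return sorted(findings, key=lambda f: f["package"])
```

Against a real tree, save `npm audit --json > audit.json` and pass the file contents to `triage`. Findings whose fix is a semver-major bump of a direct dependency are the ones a project can address only by upgrading that dependency or by pinning the transitive package with package.json `overrides` (npm 8.3+) in the meantime.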