Bug #3810

pad.april.org: vulnerability logs

Added by Christian P. Momon 3 months ago. Updated about 1 month ago.

Status: Rejected
Priority: High
Assignee: -
Category: -
Target version:
Start date: 07/14/2019
Due date:
% Done: 0%
Difficulty: 2 Easy

Description

In etherpad-lite, after installing plugins (delete_empty_pad and spellcheck), the following appears in the logs:

> juil. 13 09:58:08 pad run.sh[576]: npm WARN saveError ENOENT: no such file or directory, open '/srv/etherpad-lite/package.json'
> juil. 13 09:58:08 pad run.sh[576]: npm notice created a lockfile as package-lock.json. You should commit this file.
> juil. 13 09:58:08 pad run.sh[576]: npm WARN enoent ENOENT: no such file or directory, open '/srv/etherpad-lite/package.json'
> juil. 13 09:58:08 pad run.sh[576]: npm WARN etherpad-lite No description
> juil. 13 09:58:08 pad run.sh[576]: npm WARN etherpad-lite No repository field.
> juil. 13 09:58:08 pad run.sh[576]: npm WARN etherpad-lite No README data
> juil. 13 09:58:08 pad run.sh[576]: npm WARN etherpad-lite No license field.
> juil. 13 09:58:08 pad run.sh[576]: [2019-07-13 09:58:08.761] [ERROR] console -
> juil. 13 09:58:08 pad run.sh[576]: [2019-07-13 09:58:08.763] [INFO] console - + ep_delete_empty_pads@0.0.4
> juil. 13 09:58:08 pad run.sh[576]: added 1 package from 1 contributor and audited 7814 packages in 12.007s
> juil. 13 09:58:08 pad run.sh[576]: [2019-07-13 09:58:08.764] [INFO] console - found 196 vulnerabilities (35 low, 85 moderate, 76 high)
> juil. 13 09:58:08 pad run.sh[576]:   run `npm audit fix` to fix them, or `npm audit` for details

The worrying line:

"found 196 vulnerabilities (35 low, 85 moderate, 76 high)".

Unfortunately:

(April) root@pad:/srv/etherpad-lite[live-1.7.0$%]# npm audit -h

Usage: npm <command>

where <command> is one of:
    access, adduser, bin, bugs, c, cache, completion, config,
    ddp, dedupe, deprecate, dist-tag, docs, edit, explore, get,
    help, help-search, i, init, install, install-test, it, link,
    list, ln, login, logout, ls, outdated, owner, pack, ping,
    prefix, prune, publish, rb, rebuild, repo, restart, root,
    run, run-script, s, se, search, set, shrinkwrap, star,
    stars, start, stop, t, tag, team, test, tst, un, uninstall,
    unpublish, unstar, up, update, v, version, view, whoami

npm <cmd> -h     quick help on <cmd>
npm -l           display full usage info
npm help <term>  search for help on <term>
npm help npm     involved overview

Specify configs in the ini-formatted file:
    /root/.npmrc
or on the command line via: npm <command> --key value
Config info can be viewed via: npm help config

npm@3.10.10 /usr/lib/node_modules/npm

Questions:
  • is there really a vulnerability problem?
  • is it related to NodeJS not having been updated (see #3809)?
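
An added example, not part of the ticket or of etherpad-lite: a small Python parser that pulls the npm audit summary out of journal lines like those quoted above, so the counts can be tracked even when the npm CLI on the host has no `audit` subcommand. The function names are hypothetical, the sample lines are taken from the log excerpt, and the single-severity wording (`found 1 high severity vulnerability`) is an assumption about npm's output.

```python
import re

# Sample input: three journal lines taken from the log excerpt in this ticket.
SAMPLE_LOG = """\
juil. 13 09:58:08 pad run.sh[576]: [2019-07-13 09:58:08.763] [INFO] console - + ep_delete_empty_pads@0.0.4
juil. 13 09:58:08 pad run.sh[576]: added 1 package from 1 contributor and audited 7814 packages in 12.007s
juil. 13 09:58:08 pad run.sh[576]: [2019-07-13 09:58:08.764] [INFO] console - found 196 vulnerabilities (35 low, 85 moderate, 76 high)
"""

# Matches "found N vulnerabilities (a low, b high)"; the optional
# "found N high severity vulnerability" form is an assumption (see lead-in).
SUMMARY_RE = re.compile(
    r"found (\d+) (?:(low|moderate|high|critical) severity )?"
    r"vulnerabilit(?:y|ies)(?: \(([^)]*)\))?")
AUDITED_RE = re.compile(r"audited (\d+) packages")
COUNT_RE = re.compile(r"(\d+) (low|moderate|high|critical)")

def parse_audit_summaries(log_text):
    """Return one dict per npm audit summary line found in log_text."""
    results, audited = [], None
    for line in log_text.splitlines():
        m = AUDITED_RE.search(line)
        if m:
            audited = int(m.group(1))  # belongs to the next summary line
        m = SUMMARY_RE.search(line)
        if not m:
            continue
        total = int(m.group(1))
        if m.group(2):  # single-severity wording
            by_sev = {m.group(2): total}
        else:
            by_sev = {s: int(n) for n, s in COUNT_RE.findall(m.group(3) or "")}
        results.append({
            "total": total,
            "by_severity": by_sev,
            "audited_packages": audited,
            # Per-severity counts must add up to the total; a mismatch means
            # the line was truncated or the output format changed.
            "consistent": (not by_sev) or sum(by_sev.values()) == total,
        })
        audited = None
    return results

def needs_attention(summary, blocking=("high", "critical")):
    """True when the summary reports a finding at a blocking severity."""
    return any(summary["by_severity"].get(s, 0) > 0 for s in blocking)

if __name__ == "__main__":
    for s in parse_audit_summaries(SAMPLE_LOG):
        print(s, "needs attention:", needs_attention(s))
```
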

Related issues

Duplicates Admins - Request #3812: pad.april.org: migrate nodejs from 6.x to 10.x Closed 07/14/2019

History

#1 Updated by Loïc Dachary about 1 month ago

  • Status changed from New to Rejected

#2 Updated by Loïc Dachary about 1 month ago

  • Duplicates Request #3812: pad.april.org: migrate nodejs from 6.x to 10.x added

#3 Updated by Loïc Dachary about 1 month ago

The nodejs and/or etherpad vulnerabilities are fixed by updating one or the other.
