Installation and Startup Error in MagicMirror Due to Security Vulnerabilities and Configuration Syntax Error

[Hunter00712]

Description: While attempting to install and configure MagicMirror for university purposes, I encountered two issues. Firstly, during the installation process, I faced security vulnerabilities. Secondly, a syntax error in the configuration file prevented MagicMirror from starting properly.

Steps to Reproduce:

1. Tried to install MagicMirror for university use, encountering the following issue:

   # npm audit report
   
   request  *
   Severity: moderate
   Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
   Depends on vulnerable versions of tough-cookie
   No fix available
   node_modules/request
   
   tough-cookie  <4.1.3
   Severity: moderate
   tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
   No fix available
   node_modules/tough-cookie
   
   2 moderate severity vulnerabilities
   
   Some issues need review, and may require choosing
   a different dependency.

2. Despite the listed security vulnerabilities, attempted to proceed with the installation.

3. After installation, MagicMirror failed to start. The following error message was displayed:

   [2024-04-08 09:31:29.894] [INFO]  Checking file...  /home/tom/MagicMirror/config/config.js
   [2024-04-08 09:31:30.004] [ERROR] Your configuration file contains syntax errors :(
   [2024-04-08 09:31:30.007] [ERROR] Line 100 column 5: Parsing error: Unexpected token advertisePlayerTheme

Expected Behavior: I expected MagicMirror to install and start successfully without encountering security vulnerabilities or failing due to syntax errors in the configuration file.

Additional Information:

• Operating System: Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
• Node.js Version: v20.8.0
• MagicMirror Version: v2.27.0

• Configuration File (config.js):

  
  /* Config Sample
  *
  * For more information on how you can configure this file
  * see https://docs.magicmirror.builders/configuration/introduction.html
  * and https://docs.magicmirror.builders/modules/configuration.html
  *
  * You can use environment variables using a `config.js.template` file instead of `config.js`
  * which will be converted to `config.js` while starting. For more information
  * see https://docs.magicmirror.builders/configuration/introduction.html#enviromnent-variables
  */
  let config = {
      address: "localhost",   // Address to listen on, can be:
                                                      // - "localhost", "127.0.0.1", "::1" to listen on loopback in>
                                                      // - another specific IPv4/6 to listen on a specific interface
                                                      // - "0.0.0.0", "::" to listen on any interface
                                                      // Default, when address config is left out or empty, is "loc>
      port: 8080,
      basePath: "/",  // The URL path where MagicMirror² is hosted. If you are using a Reverse proxy
                                                                      // you must set the sub path here. basePath m>
      ipWhitelist: ["127.0.0.1", "::ffff:127.0.0.1", "::1"],  // Set [] to allow all IP addresses
                                                                      // or add a specific IPv4 of 192.168.1.5 :
                                                                      // ["127.0.0.1", "::ffff:127.0.0.1", "::1", ">
                                                                      // or IPv4 range of 192.168.3.0 --> 192.168.3>
                                                                      // ["127.0.0.1", "::ffff:127.0.0.1", "::1", ">
  
      useHttps: false,                        // Support HTTPS or not, default "false" will use HTTP
      httpsPrivateKey: "",    // HTTPS private key path, only require when useHttps is true
      httpsCertificate: "",   // HTTPS Certificate path, only require when useHttps is true
  
      language: "de",
      locale: "de-DE",
      logLevel: ["INFO", "LOG", "WARN", "ERROR"], // Add "DEBUG" for even more logging
      timeFormat: 24,
      units: "metric",
  
      modules: [
              {
                      module: "alert",
              },
              {
                      module: "updatenotification",
                      position: "top_bar"
              },
              {
                      module: "clock",
                      position: "top_left"
              },
              {
                      module: "calendar",
                      header: "Feiertage",
                      position: "top_left",
                      config: {
                              calendars: [
                                      {
                                              fetchInterval: 7 * 24 * 60 * 60 * 1000,
                                              symbol: "calendar-check",
                                              url: "https://www.feiertage-deutschland.de/kalender-download/ics/feie>
                                      }
                              ]
                      }
              },
              {
                      module: "compliments",
                      position: "lower_third"
              },
              {
                      module: "weather",
                      position: "top_right",
                      config: {
                              weatherProvider: "openweathermap",
                              type: "current",
                              location: "Hannover",
                              locationID: "2910831", //ID from http://bulk.openweathermap.org/sample/city.list.json>
                              apiKey: "b0ddb0920c7a43057ba96f34f58d3101"
                      }
              },
              {
                      module: "weather",
                      position: "top_right",
                      header: "Wetter Vorraussage",
                      config: {
                              weatherProvider: "openweathermap",
                              type: "forecast",
                              location: "Hannover",
                              locationID: "2910831",
                              apiKey: "b0ddb0920c7a43057ba96f34f58d3101"
                      }
              },
              {
                       /* Don't share your credentials! */
                       module: "MMM-OnSpotify",
                       position: "bottom_right", /* bottom_left, bottom_center */
                               config: {
                               clientID: "key"
                               clientSecret: "key"
                               accessToken: "key"
                               refreshToken: "key"
  
                              /* Add here your theming and behaviour configurations */
                                      // General module options [SEE BELOW]
                              advertisePlayerTheme: true,
                              displayWhenEmpty: "both",
                              userAffinityUseTracks: false,
                              prefersLargeImageSize: false,
                              hideTrackLengthAndAnimateProgress: false,
                              showDebugPalette: false,
                              userDataMaxAge: 14400,
                              userAffinityMaxAge: 36000,
                              deviceFilter: [],
                              deviceFilterExclude: false,
                              filterNoticeSubtitle: true,
                              language: config.language,
                              // Update intervals [SEE BELOW]
                              isPlaying: 1,
                              isEmpty: 2,
                              isPlayingHidden: 2,
                              isEmptyHidden: 4,
                              onReconnecting: 4,
                              onError: 8,
                              // Animations [SEE BELOW]
                              mediaAnimations: false,
                              fadeAnimations: false,
                              scrollAnimations: false,
                              textAnimations: false,
                              transitionAnimations: false,
                              spotifyVectorAnimations: false,
                              // Spotify Code (EXPERMIENTAL)
                              spotifyCodeExperimentalShow: true,
                              spotifyCodeExperimentalUseColor: true,
                              spotifyCodeExperimentalSeparateItem: true,
                              // Theming General
                              roundMediaCorners: true,
                              roundProgressBar: true,
                              showVerticalPipe: true,
                              useColorInProgressBar: true,
                              useColorInTitle: true,
                              useColorInUserData: true,
                              showBlurBackground: true,
                              blurCorrectionInFrameSide: false,
                              blurCorrectionInAllSides: false,
                              alwaysUseDefaultDeviceIcon: false,
                              experimentalCSSOverridesForMM2: false, // [SEE BELOW]
                      },
              },
      ]
  };

/ DO NOT EDIT THE LINE BELOW / if (typeof module !== "undefined") { module.exports = config; }

- What could I do to make this work

[Fabrizz]

Hi,

1 Serverside packages with issues

The vulnerabilities are on packages used on the service that you use to generate the base config, as its just a thing that you turn on once to get the access_token, and its not a pubic server its a non-issue, still, I will change the version (pr dep) to another version.

2 Configuration error

I do not recommend just copying and pasting the entire default config, as everything listed there is just default, you should use the Auth Service (as described here) to create the base config with your spotify credentials, then if you want to change a setting you just add that entry

                {
                         /* Don't share your credentials! */
                         module: "MMM-OnSpotify",
                         position: "bottom_right", /* bottom_left, bottom_center */
                                 config: {
                                 clientID: "key" /* <------------------- Missing comma here */
                                 clientSecret: "key" /* <------------------- Missing comma here */
                                 accessToken: "key" /*<------------------- Missing comma here */
                                 refreshToken: "key" /* <------------------- Missing comma here */

                                /* Add here your theming and behaviour configurations */
                                        // General module options [SEE BELOW]
                                advertisePlayerTheme: true,