TimboKZ / discord-spoiler-bot

🗣️🛑 Spoiler support for Discord
https://www.npmjs.com/package/discord-spoiler-bot
MIT License
61 stars, 19 forks

update package versions to fix windows-hosted instances #31

Closed XenHat closed 1 year ago

XenHat commented 5 years ago

Fixes #30. See https://github.com/Automattic/node-canvas/issues/997 for details on the canvas constructor change.

XenHat commented 5 years ago

I'm not too sure what Snyk is on about, and I don't have access to it.

TimboKZ commented 5 years ago

Snyk is complaining about a vulnerable package in the dependency tree, try running npm audit locally to see what's up. I'll sort that out and merge this PR at some point soon.

XenHat commented 5 years ago

Interesting!

>npm audit

Usage: npm <command>

where <command> is one of:
    access, adduser, bin, bugs, c, cache, completion, config,
    ddp, dedupe, deprecate, dist-tag, docs, doctor, edit,
    explore, get, help, help-search, i, init, install,
    install-test, it, link, list, ln, login, logout, ls,
    outdated, owner, pack, ping, prefix, profile, prune,
    publish, rb, rebuild, repo, restart, root, run, run-script,
    s, se, search, set, shrinkwrap, star, stars, start, stop, t,
    team, test, token, tst, un, uninstall, unpublish, unstar,
    up, update, v, version, view, whoami

npm <command> -h     quick help on <command>
npm -l           display full usage info
npm help <term>  search for help on <term>
npm help npm     involved overview

Specify configs in the ini-formatted file:
    C:\Users\xenhat\.npmrc
or on the command line via: npm <command> --key value
Config info can be viewed via: npm help config

npm@5.6.0 c:\Program Files\nodejs\node_modules\npm

Did you mean this?
    edit

D:\code\discord\bots\discord-spoiler-bot>npm install npm@latest -g
C:\Users\xenhat\AppData\Roaming\npm\npm -> C:\Users\xenhat\AppData\Roaming\npm\node_modules\npm\bin\npm-cli.js
C:\Users\xenhat\AppData\Roaming\npm\npx -> C:\Users\xenhat\AppData\Roaming\npm\node_modules\npm\bin\npx-cli.js
+ npm@6.4.1
added 387 packages in 10.534s

D:\code\discord\bots\discord-spoiler-bot>npm audit
npm ERR! Invalid Version: github:woor/discord.io#2d3bcc80d1a835740b2e8c8563a7db519bb28720

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\xenhat\AppData\Roaming\npm-cache\_logs\2018-11-06T16_41_23_766Z-debug.log

D:\code\discord\bots\discord-spoiler-bot>npm install discord.io@latest
npm WARN discord.js@11.4.2 requires a peer of bufferutil@^3.0.3 but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of erlpack@discordapp/erlpack but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of node-opus@^0.2.7 but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of opusscript@^0.0.6 but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of sodium@^2.0.3 but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of libsodium-wrappers@^0.7.3 but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of uws@^9.14.0 but none is installed. You must install peer dependencies yourself.

+ discord.io@2.5.3
removed 1 package, updated 1 package and audited 548 packages in 4.476s
found 2 vulnerabilities (1 low, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

D:\code\discord\bots\discord-spoiler-bot>npm audit fix
npm WARN discord.js@11.4.2 requires a peer of bufferutil@^3.0.3 but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of erlpack@discordapp/erlpack but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of node-opus@^0.2.7 but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of opusscript@^0.0.6 but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of sodium@^2.0.3 but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of libsodium-wrappers@^0.7.3 but none is installed. You must install peer dependencies yourself.
npm WARN discord.js@11.4.2 requires a peer of uws@^9.14.0 but none is installed. You must install peer dependencies yourself.

up to date in 0.833s
fixed 0 of 2 vulnerabilities in 548 scanned packages
  1 package update for 2 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

D:\code\discord\bots\discord-spoiler-bot>npm audit

                       === npm audit security report ===

# Run  npm install --save-dev mocha@5.2.0  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   mocha [dev]

  Path            mocha > debug

  More info       https://nodesecurity.io/advisories/534

  Critical        Command Injection

  Package         growl

  Dependency of   mocha [dev]

  Path            mocha > growl

  More info       https://nodesecurity.io/advisories/146

found 2 vulnerabilities (1 low, 1 critical) in 548 scanned packages
  2 vulnerabilities require semver-major dependency updates.
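
The report above flags two advisories, but both are reached only through `mocha`, a devDependency, which is why `npm audit fix` refused to touch them without `--force` (the only fix is a semver-major bump of mocha). The following is an added example, not code from the discord-spoiler-bot project: a small Python triage script that reads `npm audit --json` output (npm 6 layout, where each advisory carries a `findings` list with `paths` and a `dev` flag) and splits findings into production versus dev-only, so a merge gate can treat "critical in a test-runner dependency" differently from "critical in code that ships". The embedded report is constructed by hand to mirror the text report in this thread; the installed versions, the `patched_versions` ranges, the threshold defaults and the function names are assumptions, not values from the page.

```python
"""Triage an `npm audit --json` (npm 6 format) report into production and
dev-only findings and decide whether a merge should be blocked.

Added example; not part of discord-spoiler-bot. SAMPLE_REPORT is a
hand-constructed stand-in for the output of `npm audit --json`.
"""
import json

# Ordering used by npm's own severity labels.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the npm 6 JSON layout. Advisory ids, modules,
# severities and paths mirror the thread's text report; versions are assumed.
SAMPLE_REPORT = json.dumps({
    "advisories": {
        "146": {
            "id": 146, "module_name": "growl", "severity": "critical",
            "title": "Command Injection",
            "vulnerable_versions": "<1.10.0", "patched_versions": ">=1.10.0",
            "url": "https://nodesecurity.io/advisories/146",
            # dev=True: every path to the module passes through a devDependency.
            "findings": [{"version": "1.9.2", "paths": ["mocha>growl"], "dev": True}],
        },
        "534": {
            "id": 534, "module_name": "debug", "severity": "low",
            "title": "Regular Expression Denial of Service",
            "vulnerable_versions": "<2.6.9", "patched_versions": ">=2.6.9",
            "url": "https://nodesecurity.io/advisories/534",
            "findings": [{"version": "2.6.8", "paths": ["mocha>debug"], "dev": True}],
        },
    },
    "metadata": {"vulnerabilities": {"low": 1, "critical": 1}, "dependencies": 548},
})


def triage(report_json):
    """Return (prod_findings, dev_findings), each sorted worst severity first."""
    report = json.loads(report_json)
    prod, dev = [], []
    for adv in report.get("advisories", {}).values():
        for finding in adv.get("findings", []):
            entry = {
                "id": int(adv["id"]),
                "module": adv["module_name"],
                "installed": finding.get("version"),
                "patched": adv.get("patched_versions", "?"),
                "severity": adv["severity"],
                "title": adv["title"],
                "paths": list(finding.get("paths", [])),
            }
            # npm 6 sets dev=True on a finding when it is reachable only via
            # devDependencies; that code is never installed on the bot host.
            (dev if finding.get("dev") else prod).append(entry)
    by_severity = lambda e: -SEVERITY_RANK.get(e["severity"], 0)
    return sorted(prod, key=by_severity), sorted(dev, key=by_severity)


def worst_severity(entries):
    """Highest severity label among the entries, or None if there are none."""
    if not entries:
        return None
    return max((e["severity"] for e in entries), key=lambda s: SEVERITY_RANK.get(s, 0))


def should_block(report_json, prod_threshold="low", dev_threshold="critical"):
    """Gate policy (assumed defaults): block on any production finding at or
    above prod_threshold, or any dev-only finding at or above dev_threshold."""
    prod, dev = triage(report_json)

    def at_least(severity, threshold):
        return severity is not None and SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold]

    return at_least(worst_severity(prod), prod_threshold) or at_least(worst_severity(dev), dev_threshold)


def summarize(report_json):
    """One human-readable line per finding, production findings first."""
    prod, dev = triage(report_json)
    lines = []
    for label, entries in (("production", prod), ("dev-only", dev)):
        for e in entries:
            lines.append(
                f"[{label}] {e['severity']:<8} {e['module']}@{e['installed']} "
                f"({e['title']}) via {', '.join(e['paths'])}; patched in {e['patched']}"
            )
    return lines


if __name__ == "__main__":
    # Real use: `npm audit --json > audit.json` and pass that file's contents.
    for line in summarize(SAMPLE_REPORT):
        print(line)
    print("block merge:", should_block(SAMPLE_REPORT))
```

With the sample report, both findings land in the dev-only bucket; the growl command-injection advisory still trips the default gate because it is critical, which matches the judgement a reviewer would make here: fix by bumping mocha rather than ignoring it, but don't treat it as an exposure of the running bot. Note that npm 7 and later changed the JSON layout (findings are keyed under `vulnerabilities`), so the parser above is specific to the npm 6 output shown in this thread.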

XenHat commented 5 years ago

Snyk please?

npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 541 scanned packages

I even tried this, lol.

npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 541 scanned packages

D:\code\discord\bots\discord-spoiler-bot>cd ..

D:\code\discord\bots>git clone discord-spoiler-bot spoiler-bot-reclone
Cloning into 'spoiler-bot-reclone'...
done.

D:\code\discord\bots>cd spoiler-bot-reclone\

D:\code\discord\bots\spoiler-bot-reclone>npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 541 scanned packages

D:\code\discord\bots\spoiler-bot-reclone>npm install

> canvas@2.0.1 install D:\code\discord\bots\spoiler-bot-reclone\node_modules\canvas
> node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using needle for node-pre-gyp https download
[canvas] Success: "D:\code\discord\bots\spoiler-bot-reclone\node_modules\canvas\build\Release\canvas-prebuilt.node" is installed via remote
added 211 packages from 604 contributors and audited 541 packages in 9.261s
found 0 vulnerabilities

D:\code\discord\bots\spoiler-bot-reclone>npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 541 scanned packages

XenHat commented 5 years ago

Attachments don't appear to have gone through the github notification system

TimboKZ commented 5 years ago

See below.

[image attachment fe03a7b4-5ad7-45c1-a3b8-e817351f7ac3]

XenHat commented 5 years ago

Okay. I'll do some research.

XenHat commented 5 years ago

https://github.com/isaacs/chownr/issues/14#issuecomment-421662375 Somewhat concerning, and no real fix besides running containerized or with hardened permissions.