hydra-synth / atom-hydra


Add step to installation & remove 2 critical vulnerabilities #55

Closed jordan-gillard closed 1 year ago

jordan-gillard commented 1 year ago

Summary

Users who set up atom-hydra via npm link need to manually install package.json dependencies since they are no longer handled by the Atom IDE. This PR adds the npm install step to the root-level README file to improve accessibility.

Resolves: #51, #50

Also, I ran npm audit fix to remove 2 critical vulnerabilities. Here are the results. Before audit:

❯ npm install
npm WARN deprecated dgram@1.0.1: npm is holding this package for security reasons. As it's a core Node module, we will not transfer it over to other users. You may safely remove the package from your dependencies.

added 63 packages, and audited 64 packages in 3s

6 vulnerabilities (4 moderate, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Auditing:

❯ npm audit fix

changed 6 packages, and audited 64 packages in 5s

# npm audit report

jquery  <=3.4.1
Severity: moderate
Cross-Site Scripting (XSS) in jquery - https://github.com/advisories/GHSA-rmxg-73gg-4p98
XSS in jQuery as used in Drupal, Backdrop CMS, and other products - https://github.com/advisories/GHSA-6c3j-c64m-qhgq
Potential XSS vulnerability in jQuery - https://github.com/advisories/GHSA-gxr4-xjj5-5px2
Potential XSS vulnerability in jQuery - https://github.com/advisories/GHSA-jpcq-cgw6-v4j6
fix available via `npm audit fix --force`
Will install atom-message-panel@1.2.4, which is a breaking change
node_modules/jquery
  space-pen  >=5.1.0
  Depends on vulnerable versions of jquery
  node_modules/space-pen
    atom-space-pen-views  >=2.1.1
    Depends on vulnerable versions of space-pen
    node_modules/atom-space-pen-views
      atom-message-panel  >=1.2.5
      Depends on vulnerable versions of atom-space-pen-views
      node_modules/atom-message-panel

4 moderate severity vulnerabilities

Installing after:

❯ npm install
npm WARN deprecated dgram@1.0.1: npm is holding this package for security reasons. As it's a core Node module, we will not transfer it over to other users. You may safely remove the package from your dependencies.

added 63 packages, and audited 64 packages in 2s

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

P.S. lmk if you'd like to rebuild this plugin for VSCode or WebStorm. I'd be happy to lend a hand :)
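The audit output above leaves four moderate advisories whose only fix is a semver-major change to atom-message-panel. As an added example (not code from the atom-hydra project or the PR author), the script below evaluates an `npm audit --json` report against a severity threshold and separates findings that `npm audit fix` can clear from those that need `--force`; the JSON shape is assumed to be the npm 7+ `auditReportVersion: 2` format, and the sample report is constructed to mirror the jquery dependency chain shown in the PR.

```javascript
// Added example (not from the atom-hydra project): gate on an `npm audit --json` report.
// Shape assumed: npm 7+ "auditReportVersion: 2", where each entry under `vulnerabilities`
// carries `severity`, `via` (advisory objects for direct hits, package-name strings for
// transitive ones) and `fixAvailable` (true, false, or an object whose `isSemVerMajor`
// means the fix needs `npm audit fix --force`).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the chain left after the PR's `npm audit fix`:
// jquery -> space-pen -> atom-space-pen-views -> atom-message-panel.
const BREAKING_FIX = { name: 'atom-message-panel', version: '1.2.4', isSemVerMajor: true };
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    jquery: {
      severity: 'moderate', range: '<=3.4.1', fixAvailable: BREAKING_FIX,
      via: [
        { title: 'Cross-Site Scripting (XSS) in jquery', severity: 'moderate',
          url: 'https://github.com/advisories/GHSA-rmxg-73gg-4p98' },
        { title: 'Potential XSS vulnerability in jQuery', severity: 'moderate',
          url: 'https://github.com/advisories/GHSA-gxr4-xjj5-5px2' },
      ],
    },
    'space-pen': { severity: 'moderate', range: '>=5.1.0', via: ['jquery'], fixAvailable: BREAKING_FIX },
    'atom-space-pen-views': { severity: 'moderate', range: '>=2.1.1', via: ['space-pen'], fixAvailable: BREAKING_FIX },
    'atom-message-panel': { severity: 'moderate', range: '>=1.2.5', via: ['atom-space-pen-views'], fixAvailable: BREAKING_FIX },
  },
};

// Returns per-severity counts, the findings whose only fix is semver-major, and the
// findings at or above `threshold` with no non-breaking fix. Those last ones are what a
// CI gate should fail on, because `npm audit fix` without `--force` cannot clear them.
function summarizeAudit(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const needsForce = [];
  const blocking = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    counts[vuln.severity] = (counts[vuln.severity] || 0) + 1;
    const fix = vuln.fixAvailable;
    const breaking = typeof fix === 'object' && fix !== null && fix.isSemVerMajor === true;
    if (breaking) needsForce.push({ name, fixPackage: fix.name, fixVersion: fix.version });
    if (SEVERITY_RANK[vuln.severity] >= min && (fix === false || breaking)) {
      // Direct advisories are objects in `via`; transitive entries are just package names.
      const urls = (vuln.via || []).filter((v) => typeof v === 'object').map((v) => v.url);
      blocking.push({ name, severity: vuln.severity, advisories: urls });
    }
  }
  return { counts, needsForce, blocking, pass: blocking.length === 0 };
}
```

In CI, run `npm audit --json > audit.json` and pass the parsed file to `summarizeAudit`; with threshold `'moderate'` the sample fails and with `'high'` it passes, which is the state the PR left the project in.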

jordan-gillard commented 1 year ago

P.P.S. I joined the Discord but can't comment or see channels?

ojack commented 1 year ago

not sure about the discord thing!!! will look into it?