minbrowser / min

A fast, minimal browser that protects your privacy
https://minbrowser.org/
Apache License 2.0

Installing dependencies #2466

Open Tedd-Codes opened 1 month ago

Tedd-Codes commented 1 month ago

Security issue and error when installing dependencies for the developer version on Linux: I get warnings saying that some of the dependencies are deprecated.

The reason this is a problem is that using deprecated dependencies is bad and could lead to bugs or to things not working at all. This is also a big security issue because it uses outdated software. Some of the dependencies have been renamed, and as you will see later it will be easy to fix.

Min Version:

In the npm install output is where the error was.

Full Output

username@hostname:~/Downloads/min-master $ npm install
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm WARN deprecated are-we-there-yet@3.0.1: This package is no longer supported.
npm WARN deprecated npmlog@6.0.2: This package is no longer supported.
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated gauge@4.0.4: This package is no longer supported.
npm WARN deprecated asar@3.2.0: Please use @electron/asar moving forward.  There is no API change, just a package name change
npm WARN deprecated electron-notarize@1.2.2: Please use @electron/notarize moving forward.  There is no API change, just a package name change
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated electron-osx-sign@0.5.0: Please use @electron/osx-sign moving forward. Be aware the API is slightly different
npm WARN deprecated rimraf@2.6.3: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated npmlog@5.0.1: This package is no longer supported.
npm WARN deprecated are-we-there-yet@2.0.0: This package is no longer supported.
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated gauge@3.0.2: This package is no longer supported.
npm WARN deprecated electron-packager@15.5.2: Please use @electron/packager moving forward. There is no API change, just a package name change
npm WARN deprecated electron-rebuild@3.2.9: Please use @electron/rebuild moving forward.  There is no API change, just a package name change

> min@1.32.1 postinstall
> node ./scripts/setupDevEnv.js

added 952 packages, and audited 953 packages in 8m

133 packages are looking for funding
  run `npm fund` for details

12 vulnerabilities (6 moderate, 6 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

I will also be making a security issue because this is also a big security issue.

Npm Audit report

# npm audit report

app-builder-lib  <=24.13.1
Severity: high
Depends on vulnerable versions of @electron/universal
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only) - https://github.com/advisories/GHSA-r4pf-3v7r-hh55
fix available via `npm audit fix --force`
Will install electron-builder@24.13.3, which is a breaking change
node_modules/app-builder-lib
  dmg-builder  5.0.0 - 24.13.1
  Depends on vulnerable versions of app-builder-lib
  node_modules/dmg-builder
    electron-builder  5.6.1 - 24.13.1
    Depends on vulnerable versions of app-builder-lib
    Depends on vulnerable versions of dmg-builder
    Depends on vulnerable versions of update-notifier
    node_modules/electron-builder

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install electron-packager@17.1.2, which is a breaking change
node_modules/electron-packager/node_modules/got
node_modules/package-json/node_modules/got
  @electron/get  <=1.14.1
  Depends on vulnerable versions of got
  node_modules/electron-packager/node_modules/@electron/get
    electron-packager  14.0.0 - 15.5.2
    Depends on vulnerable versions of @electron/get
    node_modules/electron-packager
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install electron-builder@24.13.3, which is a breaking change
node_modules/dir-compare/node_modules/minimatch
  dir-compare  <=2.4.0
  Depends on vulnerable versions of minimatch
  node_modules/dir-compare
    @electron/universal  1.0.1 - 1.3.3
    Depends on vulnerable versions of dir-compare
    node_modules/@electron/universal

12 vulnerabilities (6 moderate, 6 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

PalmerAL commented 1 month ago

Hello,

I do agree that it makes sense to update dependencies more regularly. The existence of a vulnerability in a dependency does not necessarily mean that we are affected - for example, many of our dependencies are used only in development to build the code. The first vulnerability in the audit report looks potentially applicable, but since we do not use electron-builder to generate the Windows installer, I believe we are not affected (source).

I have upgraded some of the dependencies here, which addresses the top things in the list: b2c6cd7e5fda271e7f388d0cd1398fc791d9a1a5. The remaining issues identified by NPM are issues for which there doesn't seem to be an update to the top-level package available, and I don't believe we're affected by them also.

Thanks for opening the security report; it's always best to open a report if there is a potential concern, since those go to the top of my inbox. Since a) you've already posted this issue publicly with the same information, and b) I don't believe there's a specific vulnerability to address, I'm going to close it and leave further discussion in this issue.
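One way to apply the reachability point made above in practice, as an added example that is not Min's code and not part of this issue: it splits `npm audit --json` findings by whether the vulnerable package also appears in the production-only tree from `npm ls --omit=dev --all --json`. It assumes npm's audit report v2 JSON shape and the nested `npm ls --json` tree; all inputs below are constructed, and the production tree is hypothetical rather than Min's real one.

```javascript
// Added triage helper, not part of Min: splits `npm audit --json` (report v2)
// findings by whether the package also appears in the production tree from
// `npm ls --omit=dev --all --json`. All sample inputs below are constructed.

function collectPackages(tree, acc = new Set()) {
  // `npm ls --json` nests transitive deps under each node's `dependencies`.
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    if (!acc.has(name)) {
      acc.add(name);
      collectPackages(node, acc);
    }
  }
  return acc;
}

function triageAudit(audit, prodTree) {
  const prod = collectPackages(prodTree);
  const out = { runtime: [], devOnly: [] };
  for (const [name, v] of Object.entries(audit.vulnerabilities || {})) {
    // In report v2, object entries in `via` are advisories; string entries
    // only name another vulnerable package this one depends on.
    const advisories = (v.via || []).filter((x) => typeof x === 'object').map((x) => x.url);
    const entry = { name, severity: v.severity, range: v.range, advisories,
      breakingFix: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor) };
    (prod.has(name) ? out.runtime : out.devOnly).push(entry);
  }
  return out;
}

// Constructed sample mirroring three findings from the report in this issue.
const breaking = (name, version) => ({ name, version, isSemVerMajor: true });
const sampleAudit = { auditReportVersion: 2, vulnerabilities: {
  minimatch: { severity: 'high', range: '<3.0.5', fixAvailable: breaking('electron-builder', '24.13.3'),
    via: [{ url: 'https://github.com/advisories/GHSA-f8q6-p94x-37v3', severity: 'high' }] },
  'dir-compare': { severity: 'high', range: '<=2.4.0', via: ['minimatch'],
    fixAvailable: breaking('electron-builder', '24.13.3') },
  got: { severity: 'moderate', range: '<11.8.5', fixAvailable: breaking('electron-packager', '17.1.2'),
    via: [{ url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97', severity: 'moderate' }] },
} };
// Hypothetical production tree (not Min's real one): one runtime package that
// happens to pull in `got`, so both branches of the triage are exercised.
const sampleProdTree = { name: 'min', version: '1.32.1', dependencies: {
  'example-runtime-lib': { version: '1.0.0', dependencies: { got: { version: '11.8.0' } } },
} };

const triage = triageAudit(sampleAudit, sampleProdTree);
console.log(JSON.stringify(triage, null, 2));
```

Findings in `devOnly` still deserve an update when one is available, but they do not ship in the built application; findings in `runtime` are the ones to treat as potentially exploitable.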

Tedd-Codes commented 1 month ago

Thanks, I'm new to npm and just started working with Min yesterday. I didn't know that some of them were only used for building in dev mode, so I posted a security concern because it's (like you said) always good to update dependencies. Some of the dependencies have just been renamed, and I think it would be good to use the newer versions if possible. I'm not super sure how to do any of that though.

PalmerAL commented 1 month ago

Yup, I don't want to discourage opening security reports, it's good to do if there's any possibility of an issue.

> Some of the dependencies have just been renamed, and I think it would be good to use the newer versions if possible

After my change in b2c6cd7e5fda271e7f388d0cd1398fc791d9a1a5, I don't think this is the case anymore. Do you still see any where this is the case on the main branch?