mrafiqk / html-pdf-node


Can't fix severe vulnerabilities #71

Open welehman opened 2 years ago

welehman commented 2 years ago

Fresh install results in 10 high-severity (and unfixable) vulnerabilities, due to dependency on vulnerable version of puppeteer. Would really appreciate if someone could give instructions to update the dependency locally (and hope it still works!) while waiting for an official fix. :)

GrassPelt commented 1 year ago

I found two methods that worked for me at least. You can do whichever one works better for your situation.

  1. With the dependency installed, go to your node modules folder in your working project directory and find the folder called "html-pdf-node." Open the package.json file in that folder, and update your packages to the latest version manually (an npm update will only upgrade minor versions, such as 10.4.1 to 10.5.2 for example). As of writing this, these versions were the latest, and I haven't run into any problems yet.

     "dependencies": {
       "bluebird": "^3.7.2",
       "handlebars": "^4.7.7",
       "inline-css": "^4.0.1",
       "puppeteer": "^15.5.0"
     },
     "devDependencies": {
       "chai": "^4.3.6",
       "mocha": "^10.0.0"
     },

     Then, while still in the "html-pdf-node" folder, in your command prompt/terminal, run "npm update." This will install the latest versioned dependencies in your project. With that done, you should now be able to run/develop your project and this dependency will still work. The only downside with this method is, if you update your project's base dependencies with "npm update," this will undo this fix because it's fetching the latest version from this repository, which has the old dependency versions. So you can use this method and just not update this package when you do package updates, or you can try the other method:

  2. Fork this project to your own GitHub repository. I created another branch for the package updates above, and created a commit with those updates. Then in your project, remove the original "html-pdf-node" dependency. Go to your package.json and add the html-pdf-node version for your forked GitHub repository. It'll look something like this: "html-pdf-node": "github:Username/html-pdf-node#branch" Username is your GitHub username, html-pdf-node is the repository name (you can rename it if you want to), and branch represents the branch name (the main one is often called "master" or "main," but use the one you put the package updates in). If you renamed the repository, you can also rename the package name in your package.json, but you don't have to. Then run an "npm install" in your command prompt/terminal, and it should show all vulnerabilities resolved upon successfully installing.

Hopefully this helps.

theooog commented 1 year ago

Thanks @GrassPelt, that helped me!