
Node Module Security Updates needed #8

Open
intrepidsilence opened this issue Jan 7, 2025 · 5 comments

@intrepidsilence

When installing the required npm modules, you get:

root@roon-volume:~/roon-extension-denon# npm install
npm WARN skipping integrity check for git dependency ssh://[email protected]/roonlabs/node-roon-api-volume-control.git
npm WARN skipping integrity check for git dependency ssh://[email protected]/roonlabs/node-roon-api-status.git
npm WARN skipping integrity check for git dependency ssh://[email protected]/roonlabs/node-roon-api-source-control.git
npm WARN skipping integrity check for git dependency ssh://[email protected]/roonlabs/node-roon-api-settings.git
npm WARN skipping integrity check for git dependency ssh://[email protected]/roonlabs/node-roon-api.git
npm WARN deprecated [email protected]: Use uuid module instead

added 21 packages, and audited 22 packages in 1s

1 package is looking for funding
  run `npm fund` for details

3 vulnerabilities (1 moderate, 2 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

Then when running the audit fix:

root@roon-volume:~/roon-extension-denon# npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating fast-xml-parser to 4.5.1, which is a SemVer major change.
npm WARN audit No fix available for node-roon-api@

changed 1 package, and audited 22 packages in 4s

1 package is looking for funding
  run `npm fund` for details

# npm audit report

ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
No fix available
node_modules/ip
  node-roon-api
  Depends on vulnerable versions of ip
  node_modules/node-roon-api

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.
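The audit output above mixes two very different situations: fast-xml-parser has a fix, but only as a semver-major bump, while ip has no fix in any version and is only reached through node-roon-api. As an added example that is not part of the issue or the project, the script below triages an `npm audit --json` report (auditReportVersion 2 shape, as produced by current npm) into "auto-fixable", "major bump, test first" and "no fix, decide". The sample report is constructed to mirror the output quoted in the issue; the fast-xml-parser advisory title, URL and range are placeholders because the issue does not name them.

```javascript
// Triage an `npm audit --json` report (auditReportVersion 2). Assumed shape:
// vulnerabilities[name] = { severity, isDirect, via, effects, nodes, fixAvailable }
// where fixAvailable is true, false, or { name, version, isSemVerMajor }.
function triageAudit(report) {
  const findings = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    // `via` entries that are plain strings mean "flagged only because it depends on
    // a vulnerable package" (node-roon-api -> ip); root advisories are objects.
    const advisories = vuln.via.filter((v) => typeof v === 'object');
    if (advisories.length === 0) continue;
    const fix = vuln.fixAvailable;
    let action;
    if (fix === true) action = 'npm audit fix';
    else if (fix && fix.isSemVerMajor) action = `semver-major bump of ${fix.name} to ${fix.version}: test before merging`;
    else if (fix) action = `bump ${fix.name} to ${fix.version}`;
    else action = 'no fix available: override, replace the dependency, or accept the risk';
    findings.push({
      package: name,
      severity: vuln.severity,
      direct: vuln.isDirect,
      reachedVia: vuln.effects, // dependents that pull this package in
      advisories: advisories.map((a) => a.url),
      action,
    });
  }
  // Highest severity first so the report leads with what matters most.
  const rank = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };
  return findings.sort((a, b) => rank[b.severity] - rank[a.severity]);
}

// Constructed sample modelled on the audit report quoted in the issue (not real npm output).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    ip: { name: 'ip', severity: 'high', isDirect: false, range: '*', effects: ['node-roon-api'],
      nodes: ['node_modules/ip'], fixAvailable: false,
      via: [{ name: 'ip', title: 'ip SSRF improper categorization in isPublic', severity: 'high',
        range: '*', url: 'https://github.com/advisories/GHSA-2p57-rm9w-gvfp' }] },
    'node-roon-api': { name: 'node-roon-api', severity: 'high', isDirect: true, range: '*',
      via: ['ip'], effects: [], nodes: ['node_modules/node-roon-api'], fixAvailable: false },
    'fast-xml-parser': { name: 'fast-xml-parser', severity: 'moderate', isDirect: true,
      range: '<4.5.1' /* placeholder */, effects: [], nodes: ['node_modules/fast-xml-parser'],
      via: [{ name: 'fast-xml-parser', title: '<placeholder: advisory not named in the issue>',
        severity: 'moderate', range: '<4.5.1', url: 'https://github.com/advisories/GHSA-placeholder' }],
      fixAvailable: { name: 'fast-xml-parser', version: '4.5.1', isSemVerMajor: true } },
  },
};

for (const f of triageAudit(sampleReport)) console.log(`${f.severity}\t${f.package}\t${f.action}`);
```

Pipe a real report in with `npm audit --json > audit.json` and replace `sampleReport` with `JSON.parse(fs.readFileSync('audit.json'))`; the `reachedVia` field tells you which direct dependency (here node-roon-api) would need an `overrides` entry or an upstream fix.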
@docbobo
Owner

docbobo commented Jan 17, 2025

Actually, I don't believe this is fixed by #10. There is no newer version of node-roon-api available that fixes the vulnerability. Maybe that needs to be reported over there.

@docbobo
Owner

docbobo commented Jan 17, 2025

The only thing that we can fix here is the fast-xml-parser change.

@jcharr1 is there any chance you can give that a try on your end? According to the version number, it could be breaking and I don't have any means to verify this. I could also prepare the change in a separate branch if that helps. LMK.

@jcharr1
Collaborator

jcharr1 commented Jan 17, 2025

I bumped fast-xml-parser and it seems to be working fine. You can test it out with my fork or my docker image: ghcr.io/jcharr1/roon-extension-denon:master

I also tried forking the node-roon-api and bumping ip to the most recent version but npm install still gives the same warning. So apparently it's not fixed on their end yet.

@docbobo
Owner

docbobo commented Jan 17, 2025

Bumping fast-xml-parser would at least be sufficient to get rid of the one security alert we have on the project - do you want to create a PR for this?

@docbobo
Owner

docbobo commented Jan 17, 2025

Okay, the fast-xml-parser issue should be fixed by #12.
