Actions
Anomalie #3810
fermépad.april.org : logs de vulnérabilités
Début:
14/07/2019
Echéance:
% réalisé:
0%
Temps estimé:
Difficulté:
2 Facile
Description
Dans etherpad-lite, suite à l'installation de plugins (delete_empty_pad et spellcheck), on peut lire dans les logs :
> juil. 13 09:58:08 pad run.sh[576]: npm WARN saveError ENOENT: no such file or directory, open '/srv/etherpad-lite/package.json' > juil. 13 09:58:08 pad run.sh[576]: npm notice created a lockfile as package-lock.json. You should commit this file. > juil. 13 09:58:08 pad run.sh[576]: npm WARN enoent ENOENT: no such file or directory, open '/srv/etherpad-lite/package.json' > juil. 13 09:58:08 pad run.sh[576]: npm WARN etherpad-lite No description > juil. 13 09:58:08 pad run.sh[576]: npm WARN etherpad-lite No repository field. > juil. 13 09:58:08 pad run.sh[576]: npm WARN etherpad-lite No README data > juil. 13 09:58:08 pad run.sh[576]: npm WARN etherpad-lite No license field. > juil. 13 09:58:08 pad run.sh[576]: [2019-07-13 09:58:08.761] [ERROR] console - > juil. 13 09:58:08 pad run.sh[576]: [2019-07-13 09:58:08.763] [INFO] console - + ep_delete_empty_pads@0.0.4 > juil. 13 09:58:08 pad run.sh[576]: added 1 package from 1 contributor and audited 7814 packages in 12.007s > juil. 13 09:58:08 pad run.sh[576]: [2019-07-13 09:58:08.764] [INFO] console - found 196 vulnerabilities (35 low, 85 moderate, 76 high) > juil. 13 09:58:08 pad run.sh[576]: run `npm audit fix` to fix them, or `npm audit` for details
La ligne inquiétante :
found 196 vulnerabilities (35 low, 85 moderate, 76 high) ».
Malheureusement :
(April) root@pad:/srv/etherpad-lite[live-1.7.0$%]# npm audit -h
Usage: npm <command>
where <command> is one of:
access, adduser, bin, bugs, c, cache, completion, config,
ddp, dedupe, deprecate, dist-tag, docs, edit, explore, get,
help, help-search, i, init, install, install-test, it, link,
list, ln, login, logout, ls, outdated, owner, pack, ping,
prefix, prune, publish, rb, rebuild, repo, restart, root,
run, run-script, s, se, search, set, shrinkwrap, star,
stars, start, stop, t, tag, team, test, tst, un, uninstall,
unpublish, unstar, up, update, v, version, view, whoami
npm <cmd> -h quick help on <cmd>
npm -l display full usage info
npm help <term> search for help on <term>
npm help npm involved overview
Specify configs in the ini-formatted file:
/root/.npmrc
or on the command line via: npm <command> --key value
Config info can be viewed via: npm help config
npm@3.10.10 /usr/lib/node_modules/npm
Questions :
- y-a-t-il véritablement un problème de vulnérabilité ?
- est-ce lié à la non mise à jour de NodeJS (voir #3809) ?
Actions