general question about node_modules and security - npm

Can't find anything on this online and might be a non-issue, but I figured I'd ask here to make sure.
We run the Wordfence security plugin on a bunch of WordPress sites and have recently seen this "critical issue" reported:
Filename: wp-content/themes/theme-name/node_modules/webpack-assets-manifest/test/fixtures/client.js
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity.
If you know about this file you can choose to ignore it to exclude it from future scans.
The matched text in this file is: require('./Ginger.jpg');
The issue type is: Backdoor:PHP/req_img.3645
Description: A backdoor known as req_img
Now first of all that doesn't look like a backdoor to me, especially since node_modules contents aren't executed unless I run npm (or yarn), as far as I understand. Is this more serious than I think?
Secondly, when running npm/yarn on the server, the node_modules folder has chmod 775 (drwxrwxr-x) by default. Is it okay to leave it like that or should we take any action?
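The two concerns in the post, a web-served node_modules tree and the 775 default, can be audited from the server with a short check. The script below is an added example, not from the thread or from Wordfence: it walks a web root, lists every node_modules directory with its mode string, and flags the ones whose mode grants group write (as drwxrwxr-x does). The path /var/www/html in the usage line is an assumed web root.

```shell
#!/bin/sh
# Added example (not from the thread): audit node_modules directories under a web root.
# Each node_modules directory found produces one line:
#   <status> <mode> <path>
# status is "group-writable" when the directory mode grants group write
# (chmod 775, the default described in the question) and "ok" otherwise.
# Anything under a web root is served to remote clients unless the web server
# denies it, so the list is also the set of build-time files that are reachable over HTTP.

audit_node_modules() {
    root="$1"
    # -prune stops find descending into nested node_modules trees, which can be huge
    find "$root" -type d -name node_modules -prune -print | while IFS= read -r dir; do
        # portable mode string, e.g. drwxrwxr-x
        mode=$(ls -ld "$dir" | cut -c1-10)
        # -perm -g+w is true when the group-write bit is set
        if [ -n "$(find "$dir" -prune -perm -g+w -print)" ]; then
            echo "group-writable $mode $dir"
        else
            echo "ok $mode $dir"
        fi
    done
}

# Number of group-writable node_modules directories; convenient for a scheduled check.
count_group_writable() {
    audit_node_modules "$1" | grep -c '^group-writable' || true
}

# usage (assumed web root):
#   audit_node_modules /var/www/html
#   count_group_writable /var/www/html
```

The count function is the one to wire into monitoring: a non-zero result means a directory in the served tree is writable by every member of the web server's group, which is wider than the owner-only write that a deployed theme needs. A common way to avoid the exposure question entirely is to run the build outside the document root and deploy only the built assets, so no node_modules directory is served at all.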

Related

React Native Xcode 13.2 Error no such file or directory for NativeVibration.js

After creating the project with react-native init, I found this issue in the terminal as well as in Xcode. After digging deep, I found that this particular file is showing as missing in the project's node_modules.
Here are examples of the error codes showing in Xcode & terminal:
Error: ENOENT: no such file or directory,
/ios/Pods/../../node_modules/react-native/React/FBReactNativeSpec/../../Libraries/Vibration/NativeVibration.js
I've learned the hard way when programming in react native (for cross platform/hybrid application development), many unknown issues will be caused if you deviate from native OS clustering. Make sure you don't make the same mistakes as I have.
I have more specific help for you, apart from the Obi-Wan style in my previous semi-answer.
Another guy had an issue with this a few years back; he asked and was answered: "delete your node_modules and app from simulator. Then re-install everything back, clear cache and see if it starts the bundler from the root directory.
Before doing that, you can try 'react-native start' from your root directory."
I have seen that error message a lot, specifically with jest. But that's a different fix. I realize you are not using jest to test your reactjs, but it is the jest test runner that is the problem that causes the same outcome as you have come to. The solution there is to disable the jest runner from running in the background while installing new packages.
I wonder if there isn't a similar solution here - only applicable to xcode - although you see it in terminal, that's probably just the cmdline not recognizing the path to the directory or at least that file.
Should be easy to figure out with terminal--
Go to $HOME~ type dir or ls, to see your directory folders, if you see the project listed, cd into it or, just search for the directory apt-get search [package] or apt, pkg, pip, pacman, snap etc etc whatever your flavor if OS terminal is, or search for the file-- $find / -iname [query] or even search for all paths containing the phrase: $locate [query]... If you created it, it exists. Just because xcode can't find it, and initial attempts in term produced nada, don't believe it is not in your system. just a matter of where, what, and why a process or dependancy is missing or malfunctioning in attempt to retrieve the file & open it.
You can definitely find it - i don't know jack about xcode, but terminal -- I can get anything from anywhere on cmdline-- you can too. I have to go, but I'm curious if you have figured it out. Let us know yeah? Best of luck to you. Cheers QwaziRidwanhasib.
-Cujo

npm run script invoking Rollup does nothing but open config file

We have a script "build": "rollup -c rollup.js --environment production", which when called by some of our team (who use Windows) will on occasion spontaneously not run as normal, but instead just open up the rollup.js config file in an editor. Unfortunately I don't really know where to start with this because I've never been able to replicate it. No logfile is being produced and as far as I've been told ignore-scripts is not set, which are the only other things I've seen related to this behaviour on SO.
Is this a known thing that there's a simple fix for? Or if not, where should I go to find more info about this? Would this be an issue with npm, or with rollup?
I encountered the same situation on Windows.
I bypassed it by using WSL.
Through some investigating I've tracked this down to what I believe to be a rollup bug with regards to how they're processing their config files. I feel as though I should open a ticket with them regarding this but I've been acting on behalf of a team member and don't have the ability to replicate it on my own, so... I suppose I'll try and coerce them into doing it.
But anyways, so from what I can tell looking at rollup's source, if a rollup config file has a plain .js extension, then it looks as though rollup is running itself on the config to convert it into a CommonJS format, which it will then import and use on the actual build step. Somewhere in this process on Windows something goes awry and the result is that the config file just ends up getting opened with whatever the default handler is for JS files. So basically the solution is to change the file extension.
Our original config was set up using ES6 import/export, and I'm unclear at this point whether changing the extension to .mjs will skip or otherwise change this conversion step, it seems to have worked as such when people have tried it but I can't vouch for it. What I did was to instead go through the config and manually convert all the ES6 import/exports to CommonJS require() and then change the file extension to .cjs (hence our config changed from rollup.js to rollup.cjs) and now it appears to be working consistently across the board.

VQmod not working for open cart admin

I am having the most frustrating issue with VQmod. I moved my OpenCart store from a Godaddy VPS to Rackspace's Cloud Sites. The move went fine and everything works properly except the VQmod's on the admin panel. None of them load. No errors in the log files, no admin cache files in the cache dir, no php errors.
Things I have tried:
Cleared all cache
Changed admin folder to 755
Reinstalled VQmod, tried both manually and using the installer with fresh index.php files
Removed all XML files and tried to load only one at a time
Cursed loudly at my computer repeatedly.
Please Help! OC version 1.5.6 VQmod 2.5.1
For those that want the solution to this, the issue was that the config.php files were both using relative paths instead of the full paths for OpenCart's various directories. They should always be full paths, or resolved with realpath() in the config.php files themselves.
My case was a bit different. I checked the permissions, paths, all the regular stuff that comes to mind first. I even walked step by step through the manual installation guide.
The Opencart copy in question is shared across several environments using git. Long story short, the mods.cache and checked.cache were not added to .gitignore right away, and when I finally did that, I emptied both of them just to make sure Opencart will write new content based on my current environment. Turns out, since mods.cache was empty, Opencart believed there are no mods available.
Solution: delete both vqmod/mods.cache and vqmod/checked.cache.
Update: here are some similar issues:
https://github.com/vqmod/vqmod/issues/32
https://github.com/vqmod/vqmod/issues/3
The vqmod/vqmod/wiki/Troubleshooting guide, as of now, does not make it obvious the files should've been deleted, neither does the vqmod/vqmod/wiki/Installing-vQmod-on-OpenCart page, and there doesn't seem to be any way to contribute. vQmod fails silently, without producing any notifications, warnings, or simply detecting the issue and rebuilding the cache files. I've spent a few hours trying to figure out what's wrong.

What is stored in Packages/User directory?

How to save/restore Sublime Text 2 configs/plugins to migrate to another computer? states that, to backup a Sublime Text 2 installation, a user should preserve the ~/Packages/User directory (from the user's local data folder on whatever OS they're using).
However, http://andrew.hedges.name/blog/2012/01/19/sublime-text-2-more-sublime-with-a-drop-of-dropbox and most other walkthroughs for using Dropbox to sync Sublime's settings specify three directories: ~/Packages, ~/Installed Packages and ~/Pristine Packages.
What is the functional difference between backing up just ~/Packages/User, and the other 3 directories?
I think that Packages/User is the one in which you are supposed to put settings (according to Sublime's official and unofficial documentation). However, some people put them in the other folders from time to time.
The Dropbox advice may be a hedge against poor practice.
From here:
Installed Packages is:
You will find this directory in the data directory. It contains a copy of every sublime-package installed. Used to restore Packages.
These are the packages installed as sublime-packages. I don't think package control uses this, but if you install something as a sublime-package maybe you want to keep it?
Pristine Packages is:
You will find this directory in the data directory. It contains a copy of every shipped and core package. Used to restore Packages.
So essentially a list of .sublime-package files used to restore if you break something.
Packages is:
The packages used by Sublime Text, either installed as part of sublime, or the plugins.
User is:
The user directory is your personal directory, containing configurations, additional snippets, etc.
Below are my personal views on what to save, so feel free to ignore it if you would like.
I would have to agree with the post saying just save the User directory, as Package Control will grab all of the plugins in the list if they aren't already installed. I didn't see this mentioned in that post, but you can also add repositories (by specifying a URL) to Package Control, which allows you to install Packages outside of those submitted to Package Control, but still hosted somewhere. One of the arguments I can see to saving the Packages directory completely is if you are using plugins that aren't hosted anywhere (though these could probably be moved to the Packages directory without any problems).
The Installed Packages and Pristine Packages are used to restore packages, so I wouldn't think these would be needed, but I'm sure there is some use case where it is.
Anyway, I realize I got off topic a bit at the end there, but I hope everything before that helps clarify.

WIX: Saving off user data files during major upgrade

My application runs as a Windows service. During normal execution, some data files are generated in a "data" directory that I create with my WIX install. During an upgrade, I would like to move/migrate those files to the same data dir in the upgraded installation. However, I am running into issues. I am using the "MajorUpgrade" tag as follows:
I tried scheduling later in the process (afterInstallFinalize), but that runs into issues with the service having locks on files during the upgrade. I have combed Stack Overflow and Google, and it seems that no one else is describing my scenario. Others have default *.ini files that the user can potentially edit. However, in my case, it should always be safe to migrate the files, as there are no defaults. They are simply data files that need to be migrated.
I thought I could possibly do this via a custom action, but was not sure how to do it.
Any suggestions would be very much appreciated.
Edit: Apparently using "afterInstallFinalize" works fine for me, i.e. data files are migrated, as long as the user does not change the path during upgrade. If I change the path during upgrade, I get warnings about files being locked, and asking to stop the app using the files. However, it ends up not migrating the files in that case.
Ultimately, I solved my own issue by simply overriding the default dialog behavior, and changing the flow such that on upgrade, I skip over the "InstallDirDlg".