Understanding NPM vulnerability - tunnel-agent - npm

So I have a vulnerability in a package named tunnel-agent. After running npm audit the packages which depend on this package are listed:
gatsby-plugin-sharp
OK great, I update this and everything is fine? NO... Still listed as vulnerable, so now I start down the rabbit hole of seeing where this leads.
Running npm list tunnel-agent I get to find out who's depending on this package.
So now the vulnerability is fixed in tunnel-agent#0.6.0, but I've got one thing saying it's using tunnel-agent#0.4.3. But this is in the same package, gatsby-plugin-sharp, so why's it not fixed?
I head off to GitHub issues and find that because gatsby-plugin-sharp uses imagemin-mozjpeg > caw#1.2.0 > tunnel-agent#0.4.3, I'm still stuck, right?
So what I'm asking is, without relying on plugin authors to update their dependencies, how would you go about using caw#2.0.1 which then uses tunnel-agent#0.6.0 to remove this vulnerability once and for all?

This is all environment variables.
But you could fork the open pull requests that have not been merged or published, then create your own npm packages that have the fixes.
https://github.com/request/tunnel-agent/pull/45
yarn negates these errors.
And yarn doesn't have this issue, since it is designed for local scope.

Related

How to run Odoo with OCA repositories' modules in Odoo.sh?

I am testing Odoo.sh, trying to run Odoo 15 Enterprise. I read all the documentation and watched several webinars about it, but I am not able to run an instance with any OCA module.
To do that, I followed these steps:
In the Odoo.sh interface, I created a new branch in the Development category, forking from main branch (the one in the Production category). Note: the main branch is the one created by default by Odoo.sh, I didn't make any modification on it and in fact it works OK, I can connect to it.
Also in the Odoo.sh interface, I clicked on the button Submodule and then on Run on Odoo.sh. In the opened pop-up, I added the OCA repository l10n-spain (version 15.0, of course). The repository works perfectly on a local server. In fact you can try with any other OCA repository; the result is going to be the same.
After doing that, Odoo.sh adds the repo to the project with a new [ADD] commit, and tries to make a build of it. However, the tests always fail.
If I go to the log, first, in the install.log section, I can see errors with pip libraries, so I open a shell and try to fix them with pip3 check and then adjusting the versions of the libraries it complains about.
After that, when I try to connect to the new build, the odoo.log starts filling up, but also with errors, particularly this one:
WARNING xxx odoo.addons.base.models.ir_cron: Tried to poll an undefined table on database xxx.
ERROR xxx odoo.sql_db: bad query:
SELECT latest_version
FROM ir_module_module
WHERE name='base'
ERROR: relation "ir_module_module" does not exist
LINE 3: FROM ir_module_module
^
This error usually appears when Odoo has been installed incorrectly, but the installation is done by Odoo.sh, so... how can I fix this?
Has anyone experienced the same? Any ideas? Maybe the Python libraries are the problem?
One problem can be that the requirements file breaks the installation. Odoo.sh tries to install it automatically, and because Odoo.sh is using outdated Python modules, the installation usually breaks.
https://github.com/OCA/l10n-spain/blob/15.0/requirements.txt
You can try to copy the required modules directly to your repository.
Well, in the end I managed to connect to the build after opening a shell and running these commands:
odoosh-restart http
odoo-update all
I still haven't checked which of them did the trick.

How do I keep azure devops from treating infos and warnings as errors?

I am working on an Azure DevOps pipeline created without YAML. In the pipeline, Node.js and npm are used to build some web interfaces. mkdocs is used to build web documentation.
My problem is that Azure DevOps treats some infos and warnings as errors:
While the build does not fail it is marked as only partially successful. I prefer to have a clean build.
How do I keep Azure DevOps from treating infos and warnings as errors? Or is it some setting I have to configure on the side of mkdocs and npm?
1. For the info that is treated as an error, you can uncheck the Fail on Standard Error option and then add 2>&1 | Write-Host to your mkdocs command; see PS About Redirection. You should run the command via a PowerShell task.
2. And for the error about fsevents, it seems to be an issue starting from npm v3.10.8. Use the Node.js Tool Installer task to install the latest npm version and run the pipeline again. If the issue persists, you can try joefiorini's workaround:
Add this script to your package.json file.
"optionalDependencies": {
"fsevents": "*"
},
It seems that the company firewall prevented npm from making SSL connections because of missing certificates or something. I added
npm set strict-ssl false
to the build pipeline, which, ironically, makes the connection less secure, but it makes all the errors go away, which I prefer to suppressing the errors/warnings/info.
I don't know if Don't Fail on Standard Error would even do anything since the build did not fail, it was partially successful. I prefer to have it checked in case a real error occurs.
After looking at it some more I am not exactly sure the highlighting and specification of errors is correct in the pipeline results. Why would an info output be marked as error anyway?

dbt deps command results in "Unable to connect to registry hub"

When running dbt deps, I get back this error message:
Running with dbt=0.17.0
Error sending message, disabling tracking
Encountered an error:
Unable to connect to registry hub
What's happening here, and how can I work around it?
First of all, it's worth understanding what's going on here. It looks like you're trying to install a package from the dbt hub site (hub.getdbt.com) — if you open up your packages.yml file, you'll find something like this:
packages:
- hub: package-owner/package-name
version: 0.1.0
When you run dbt deps (at a high level):
dbt sends a request to hub.getdbt.com
From hub.getdbt.com, a request is sent to GitHub to download the package.
The package is copied into your project
This error occurs if dbt cannot connect to the hub site after sending a network request repeatedly. First off, we recommend you retry the dbt deps command — sometimes it's just a blip in connectivity that goes away on the second try.
If the error persists, there may be a few different reasons for it:
hub.getdbt.com might be unavailable. This happens but is relatively rare. You can navigate to hub.getdbt.com to check if this is the case. Also check the Netlify status page to see if there are any issues.
GitHub might be down — you can check this by going to the GitHub status page.
Finally, it may be that a firewall rule or antivirus software on your computer is rejecting the request. Talk to your IT team to find out if this is the case and whether that restriction can be removed.
We generally recommend using the hub syntax for packages; however, if you need to work around it, you can consider using the git syntax (docs) or installing the package from a local directory (docs).

Is it possible to ignore the dependency hash validation of just one module (or registry)?

The yarn.lock file saves all the dependencies versions and the hashes of the modules. I know that I can globally disable this hash checking with the option --skip-integrity-check.
We have an internal module that is continually developed. The dependency is really a snapshot package. When it is updated, it fails in our continuous integration environment because the updated package hash is different from the hash saved in yarn.lock.
Is it possible to disable the integrity check just for a specific module?
I'll accept the answer even if it tells how to disable the check for all the modules of a specific registry.
Update: My problem is that my continuous integration server job is breaking when the dependency is updated, even if there's no modification in my code. These are spurious failures and I want to stop them.
Update 2: The accepted solution is really a hack to solve a problem in a usual development workflow. There is an issue open for Yarn in GitHub to fix this problem.
Instead of running
yarn install
You should run it like below:
yarn add <specificpackage>#^<versions> --update-checksums
yarn install
This will make sure that the yarn.lock is updated with the latest hash for that package, and then yarn install will install the rest of the packages with the integrity check.
Update-1: 20-April
Another possible option is to use the preinstall hook. There are a few things you can try here. You can try updating the package, but be aware that launching the yarn command again in preinstall can cause infinite loops.
So a better way may be to run a grep, awk or sed command and get rid of the package entry in the yarn.lock file. This will make sure the yarn install command has no information on the hash, and a mismatch can't occur.
If you don't want to use awk, sed or grep because of Windows compatibility, then you should just write a simple Node.js script to get rid of the package from the yarn.lock file. This will be cross-OS compatible. The code below shows how to do the same:
yarn_remove_hash.js
const fs = require("fs");

// Remove one package's entry (its header line plus the indented body that
// follows) from a yarn.lock v1 file, so `yarn install` has no recorded
// integrity hash to compare against for that package.
const content = fs.readFileSync("yarn.lock", "utf-8");
const packageToDelete = "yallist";
// yarn.lock headers look like `yallist@^3.0.0:` or `"yallist@^3.0.0", "yallist@^3.0.2":`,
// so match the name followed by `@`, optionally quoted.
const header = new RegExp('^"?' + packageToDelete.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") + "@");

let lines = content.split("\n");
for (let i = 0; i < lines.length; i++) {
  if (header.test(lines[i])) {
    lines[i] = "";
    // the entry body is the run of indented lines after the header
    let y = i + 1;
    while (y < lines.length && lines[y].startsWith(" ")) {
      lines[y] = "";
      y++;
    }
  }
}
fs.writeFileSync("yarn.lock", lines.join("\n"));
And you will update your scripts section in package.json like below:
...
"preinstall": "node yarn_remove_hash.js"
...
If you want to make Tarun Lalwani's --update-checksums more of a transparent process for you and others, you can add the following to .yarnrc:
--install.update-checksums true
Now when a user runs yarn install it will also update checksums implicitly. This was needed for me because one of my dependencies is linked to a snapshot .tar.gz that changes and NPM/Yarn would assume that it wouldn't, obviously leading us to this integrity issue. I had to move away from NPM because of this and also tried the preinstall hook (I thought I was clever but I guess you guys did the same).
At least Yarn has an option around this. Tarun's updated answer did not work for me either, because yarn.lock is checked before any hooks are run.

Gulp error - EISDIR: illegal operation on a directory

I would like to expose my problem here because I have been struggling for several weeks to configure Gulp stably on my Raspberry server.
When I run Gulp within my project, I always have the following error lines that appear :
The research I conducted on this problem did not lead me to anything. I was confronted with this problem three times: the first two times, I completely reinstalled the NPM modules, having to use the --unsafe-perm flag. This solution worked at the time, but when I had to restart Gulp, the problem reappeared. Today, even after reinstalling Gulp and the NPM modules I use, I still get these error lines; no matter what solutions I try, nothing is conclusive: changing permissions, etc.
Do you have any leads to tell me?
Thanks in advance (and sorry for my English, I'm French!)