
What is the current status for dependencies? #1210

Closed
E3V3A opened this issue Mar 14, 2018 · 16 comments

Comments

@E3V3A
Contributor

E3V3A commented Mar 14, 2018

The README states:

Known issues
Electron seems to have some issues on certain Raspberry Pi 2's. See #145.
MagicMirror² (Electron) sometimes quits without an error after an extended period of use. See #150.

However, a current MM installation is using:

# nvers
v9.8.0
5.7.1

# npm-check-updates
[INFO]: You can also use ncu as an alias
Using /home/pi/MagicMirror/package.json
[..................] - :
 electron   1.4.15  →   1.8.3
 mocha      ^4.1.0  →  ^5.0.4
 spectron    3.7.x  →   3.8.x
 stylelint  ^8.4.0  →  ^9.1.2

The following dependencies are satisfied by their declared version range, but the installed versions are behind. You can install the latest versions without modifying your package file by using npm update. If you want to update the dependencies in your package file anyway, run ncu -a.

 colors               ^1.1.2  →   ^1.2.1
 express             ^4.16.2  →  ^4.16.3
 helmet               ^3.9.0  →  ^3.12.0
 request             ^2.83.0  →  ^2.85.0
 rrule-alt            ^2.2.7  →   ^2.2.8
 simple-git          ^1.85.0  →  ^1.92.0
 grunt-markdownlint  ^1.0.43  →   ^1.1.0

Run ncu with -u to upgrade package.json
  • What is the current dependency and compatibility status for MM?
  • Can we safely update these?
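The ncu output above draws a line between two kinds of lag: ranges that still admit the latest release (npm update suffices) and ranges that do not (package.json itself must change). As an added example, not code from this issue or from the MagicMirror project, the following Node snippet reproduces that classification for the range forms that appear in the output (exact pins, caret ranges and x-ranges); the dependency table is constructed from the figures quoted in the issue, and the x-range "3.8.x" is taken as "3.8.0". The point for a defender is that a pinned dependency such as electron 1.4.15 can never pick up a fix through npm update.

```javascript
// Added example (not part of the MagicMirror project): classify dependencies
// the way the ncu output in the issue does. Supports exact pins ("1.4.15"),
// caret ranges ("^4.16.2") and x-ranges ("3.7.x"); other forms are not handled.

// "1.4.15" -> [1, 4, 15]; a wildcard component becomes null
function parse(v) {
  return v.replace(/^\^/, '').split('.').map(p => (p === 'x' ? null : Number(p)));
}

// Lexicographic compare of two [major, minor, patch] triples
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does the declared range accept the given concrete version?
function satisfies(range, version) {
  const r = parse(range), v = parse(version);
  if (range.startsWith('^')) {
    // caret: the left-most non-zero component is fixed, the rest may grow
    if (r[0] !== 0) return v[0] === r[0] && cmp(v, r) >= 0;
    if (r[1] !== 0) return v[0] === 0 && v[1] === r[1] && cmp(v, r) >= 0;
    return cmp(v, r) === 0;
  }
  if (r.includes(null)) {
    // x-range: fixed components must match, the wildcard is free
    return r.every((part, i) => part === null || part === v[i]);
  }
  return cmp(r, v) === 0; // exact pin: only that one version is allowed
}

// 'update'  = npm update can install the latest within the declared range
// 'upgrade' = the range excludes the latest; package.json must be edited (ncu -u)
function classify(deps) {
  const out = {};
  for (const [name, { range, latest }] of Object.entries(deps)) {
    out[name] = satisfies(range, latest) ? 'update' : 'upgrade';
  }
  return out;
}

// Constructed from the ncu output quoted in the issue
const DEPS = {
  electron: { range: '1.4.15',  latest: '1.8.3'  },
  mocha:    { range: '^4.1.0',  latest: '5.0.4'  },
  spectron: { range: '3.7.x',   latest: '3.8.0'  },
  express:  { range: '^4.16.2', latest: '4.16.3' },
  helmet:   { range: '^3.9.0',  latest: '3.12.0' },
};
console.log(classify(DEPS));
```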
@E3V3A
Contributor Author

E3V3A commented Mar 15, 2018

This is also related to closed issues #145 and #150. If all is OK, we need to update the README, and perhaps:

#1211

@MichMich
Collaborator

We could update them, but we need to do some testing. Since I'll be releasing the next version within a few days, it's better to postpone this.

@justjim1220

Will the next version be able to update the current version we already have installed without having to replace all our changes with modules added and such?

@MichMich
Collaborator

Yes. One simple command without breaking changes. I release a new version every three months.

@Kiina
Contributor

Kiina commented Mar 25, 2018

Will the update to electron 1.7 be included? The downgrade broke my module but on the dev channel the changelog lists it as change in 2.2.2 which was released without this change on the master branch.

@E3V3A
Contributor Author

E3V3A commented Mar 26, 2018

I think the biggest (and most risky) change is with electron from: 1.4.15 → 1.8.3. However, because of the very wide use of electron, I'd also be surprised if it broke something serious. I'd guess we'd have heard of it already. But then, perhaps other deps are requiring lower versions?

So if someone is running MM on an RPi and has successfully (or not) updated this already, please let us know!

@E3V3A
Contributor Author

E3V3A commented Mar 27, 2018

I think this should be a high priority issue, now that I see that electron has a Remote Code Execution vulnerability in it. What this means is that we risk turning every single MM into a bot-net, or worse, a root leverage point in the local network of anyone using it.

Basically you can gain a command shell from something like this:

<!doctype html>
<script>
  window.location = 'exodus://aaaaaaaaa" --gpu-launcher="cmd" --aaaaa='
</script>

In view of this, we should consider adding one or both of the following dependency tags, in the top README.

https://gemnasium.com/github.com/MichMich/MagicMirror
https://david-dm.org/MichMich/MagicMirror

@MichMich
Collaborator

I’m aware of that. But keep in mind that electron (in this case) isn’t used as a browser. The only way external code could enter Electron is by a third party module. But modules can already execute commands using the node helper.

Btw, in the dev branch Electron is already (more) up to date.

@E3V3A
Contributor Author

E3V3A commented Mar 27, 2018

Fantastic. Good to hear. But perhaps still good to know for other users?

@Kiina
Contributor

Kiina commented Mar 27, 2018

Well, the one on the dev branch is affected too, but I don't really see much reason why shipping the next version with 1.7.13 instead of 1.7.10 would cause any problems. Some modules use it as a browser, so theoretically it could happen, but it's a rather small attack vector.

@MichMich
Collaborator

Feel free to send a PR with an updated version. 👍🏻

@MichMich
Collaborator

Merged: #1232

@MichMich MichMich reopened this Apr 1, 2018
@MichMich
Collaborator

MichMich commented Apr 1, 2018

So ... that was "fun": #1243

@MichMich
Collaborator

MichMich commented Apr 2, 2018

I think we need to investigate how we get the new version of Electron to work on a Pi.

@Kiina
Contributor

Kiina commented Apr 2, 2018 via email

@MichMich
Collaborator

MichMich commented Apr 6, 2018

The dev branch is now updated to Electron 2 beta. Hopefully Electron 2 is out of beta before the next release.

@MichMich MichMich closed this as completed Apr 6, 2018