povdocs / webvr-starter-kit Goto Github PK

What do you guys think about having the rotate operations accept degrees instead of radians? This could break existing content but would be much easier for people to use.

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

path: /tmp/git/webvr-starter-kit/node_modules/anymatch/node_modules/braces/package.json

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Dependency Hierarchy:

• main-bower-files-2.13.1.tgz (Root Library)
  • vinyl-fs-2.4.4.tgz
    • glob-stream-5.3.5.tgz
      • micromatch-2.3.11.tgz
        • ❌ braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Publish Date: 2019-03-25

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

Step up your Open Source Security Game with WhiteSource here

Hi Brian!
Trying to make an object 'flutter in the wind' by rotating it back and forth along x-axis. Right now I count amount of calls to rotateX and swap direction of the rotation based on that. But I noticed it is not consistent and will instead need to use the actual rotation of the object as deciding factor for when to swap direction. So my question is how I read out the current rotation of the object.

Thanks
Simon

This library is really great, thank you so much!

I'm wondering if you have an example of loading an object (.obj) file and material with it. There doesn't seem to be any out of the box functionality to do that, so would you still need to use Three's OBJLoader?

It'd be really useful to be able to do something like:

VR.load({
  path: 'path-to-obj-file'
});

WS-2017-0330 - Medium Severity Vulnerability

Vulnerable Library - mime-1.3.6.tgz

A comprehensive library for mime-type mapping

path: /tmp/git/webvr-starter-kit/node_modules/mime/package.json

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.6.tgz

Dependency Hierarchy:

• url-loader-0.5.9.tgz (Root Library)
  • ❌ mime-1.3.6.tgz (Vulnerable Library)

Vulnerability Details

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-2.4.2.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: /tmp/git/webvr-starter-kit/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

path: /tmp/git/webvr-starter-kit/node_modules/rcloader/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

• jshint-loader-0.8.4.tgz (Root Library)
  • rcloader-0.1.2.tgz
    • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Step up your Open Source Security Game with WhiteSource here

Console message on IE11/Windows 8.1
SourceMap http://povdocs.github.io/webvr-starter-kit/build/vr.js.map read failed: Error reading string. Unexpected token: StartObject. Path 'names[1191]', line 1, position 18677.'iexplore.exe' (Script): Unloaded 'http://povdocs.github.io/webvr-starter-kit/build/vr.js'

    //make a box, using brick-tiles material. Move it up and over.
    VR.box()
      .setMaterial('brick-tiles')
      .moveTo(-2, 1, 0.5);

    //make a sphere, using shiny, metal material. make it a bit bigger and move it up
    VR.sphere()
      .setMaterial('metal')
      .setScale(1.4)
      .moveTo(0, 1, 0);

    //make a torus, using wood material. Move it up and over
    VR.torus()
      .setMaterial('wood')
      .moveTo(2, 1, 0.5);
</script>

When I try to open panorama example with my mi4i the whole screen is show only black color.

I am developing a webpage which utilizes a User Interface(HUDs, divs, spans, paragrpahs, text menus, drop downs, etc...) as an overlay on the scene, which are written in HTML. When interacting with the UI elements, the scene is being effected. (IE: mousedown on a menu/moving a dialog window(jquery), results in teh scene's camera being manipulated as well!)
How can seperate the scene/canvas from the UI/overlay??

thank you in advance! :D

Console message reads:

"main.min.js:15 THREE.WebGLRenderer 72dev
main.min.js:15 Uncaught TypeError: Failed to execute 'setPosition' on 'AudioListener': The provided float value is non-finite."

Chrome: Version 45.0.2454.93 (64-bit)
Mac OSX: 10.8.5

hi, im trying to make a game that supports physics and collision without needing any other external libraries, and im stuck on getting the objects position... heres some example code so you can see what im trying to do...

    var sphere = VR.sphere()
      .setMaterial('metal')
      .setScale(1.4)
      .moveTo(1, 9, 2);

    var spherePosX = sphere.x //get X position of sphere 
    var spherePosY = sphere.y //get Y position of sphere
    var spherePosZ = sphere.z //get Z position of sphere

i know the above code is wrong, but idk what to put in place of 'sphere.x', 'sphere.y', and 'sphere.z' please help me!

WS-2018-0210 - Low Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-2.4.2.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: /tmp/git/webvr-starter-kit/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

path: /tmp/git/webvr-starter-kit/node_modules/rcloader/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

• jshint-loader-0.8.4.tgz (Root Library)
  • rcloader-0.1.2.tgz
    • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Vulnerability Details

In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Publish Date: 2018-11-25

URL: WS-2018-0210

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: lodash/lodash@90e6199

Release Date: 2018-08-31

Fix Resolution: Replace or update the following files: lodash.js, test.js

Step up your Open Source Security Game with WhiteSource here

Mute all sounds

Hi,
I'm having a problem that some of the transparent images that I add to the scene are "flickering" between transparency and opaque when I look around in the scene.

Its visible on the print icon and the speach bubbles in this scene:
http://www.migrantjourneys.com/Intro/

Any advice would be appreciated!

Thanks.

Closed

Guessing something is wrong here, since this conditional is never entered:

http://jsbin.com/vafiyaniga/edit?js,output

lookat and lookaway events are useful but only fire when looking directly at object (or not). @simonhultgren requested events that fire whether an object is in view at all. This is a good idea.

I added text in the panoramic scene, it renders the text with a black background. an png image with alpha channel also renders black.
https://output.jsbin.com/hugubez

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Library - mime-1.3.6.tgz

A comprehensive library for mime-type mapping

path: /tmp/git/webvr-starter-kit/node_modules/mime/package.json

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.6.tgz

Dependency Hierarchy:

• url-loader-0.5.9.tgz (Root Library)
  • ❌ mime-1.3.6.tgz (Vulnerable Library)

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Tried to run the sound.html example file on an iPhone (via a web connection). The audio does not play.

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-2.4.2.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

path: /tmp/git/webvr-starter-kit/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ lodash-1.0.2.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

path: /tmp/git/webvr-starter-kit/node_modules/rcloader/node_modules/lodash/package.json

Library home page: http://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Dependency Hierarchy:

• jshint-loader-0.8.4.tgz (Root Library)
  • rcloader-0.1.2.tgz
    • ❌ lodash-2.4.2.tgz (Vulnerable Library)

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

Step up your Open Source Security Game with WhiteSource here

Is it possible in the current framework to project an image/video on to a hemisphere for 180 footage?

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-0.2.14.tgz, minimatch-2.0.10.tgz

minimatch-0.2.14.tgz

a glob matcher in javascript

path: /tmp/git/webvr-starter-kit/node_modules/globule/node_modules/minimatch/package.json

Library home page: http://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-watcher-0.0.6.tgz
      • gaze-0.5.2.tgz
        • globule-0.1.0.tgz
          • ❌ minimatch-0.2.14.tgz (Vulnerable Library)

minimatch-2.0.10.tgz

a glob matcher in javascript

path: /tmp/git/webvr-starter-kit/node_modules/minimatch/package.json

Library home page: http://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Dependency Hierarchy:

• gulp-3.9.1.tgz (Root Library)
  • vinyl-fs-0.3.14.tgz
    • glob-stream-3.1.18.tgz
      • ❌ minimatch-2.0.10.tgz (Vulnerable Library)

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Step up your Open Source Security Game with WhiteSource here

Hello,
I use webVR to play video 360 but I also wan't use it for normal video.
How can I disable movement (head and finger) ?
There is a vr.video mode to display flat video ?
Best regards,

http://webaudioapi.com/samples/audio-tag/

WS-2019-0032 - Medium Severity Vulnerability

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

path: /tmp/git/webvr-starter-kit/node_modules/js-yaml/package.json

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Dependency Hierarchy:

• css-loader-0.22.0.tgz (Root Library)
  • cssnano-3.10.0.tgz
    • postcss-svgo-2.1.6.tgz
      • svgo-0.7.2.tgz
        • ❌ js-yaml-3.7.0.tgz (Vulnerable Library)

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-26

URL: WS-2019-0032

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-26

Fix Resolution: 3.13.0

Step up your Open Source Security Game with WhiteSource here

Hi,
First of all, thanks for this project, it is amazing!

I want to contribute to the project so I cloned the repo, npm and bower installed dependencies and run gulp. It throws lots of errors and warnings. For example

ERROR in ./src/objects/video.js
jshint results in errors
  Incompatible values for the 'strict' and 'globalstrict' linting options. (7% scanned). @ line 20 char 54
    undefined

How can I sort this out? Is it a problem on my environment or is something you didn't push yet.

Thanks again!

Even thought textAlign is set to left, a string if shorter than 1 full line, is rendered center-aligned.

The attached image is how you get if declared as below:

var tempRender = container.text({ wrap: textWrapFactor, font: fontSize + 'pt Roboto', textAlign: 'left', fillStyle : '#333333', text : str });

https://community.renderman.pixar.com/article/114/library-pixar-one-twenty-eight.html

So I'm trying to get the camera towards where I am looking at. There is a method that easily allows me to do this, built into three.js:

VR.camera.object.translateZ(delta);

This works fine when I put it in the animate function, but obviously I am going backwards. When I try to make delta negative the frames start to go strange and the whole thing breaks.

VR.camera.object.translateZ(-delta);

I know that the camera object isn't really meant to be manipulated but this is really strange.

WS-2018-0107 - High Severity Vulnerability

Vulnerable Library - open-0.0.5.tgz

open a file or url in the user's preferred application

path: /tmp/git/webvr-starter-kit/node_modules/open/package.json

Library home page: http://registry.npmjs.org/open/-/open-0.0.5.tgz

Dependency Hierarchy:

• webpack-dev-server-1.16.5.tgz (Root Library)
  • ❌ open-0.0.5.tgz (Vulnerable Library)

Vulnerability Details

All versions of open are vulnerable to command injection when unsanitized user input is passed in.

Publish Date: 2018-05-16

URL: WS-2018-0107

CVSS 2 Score Details (10.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/663

Release Date: 2018-05-16

Fix Resolution: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.

Step up your Open Source Security Game with WhiteSource here

Should break it down into more usable/configurable methods for looking around.

• VR mode:
  • Always full screen
  • Render two eyes
  • Disable mouse/touch control
  • Automatically pick HMD or devicemotion
  • Disable if neither HMD or devicemotion is available
• Non-VR mode (default)
  • single camera view only
  • mouse/touch control always on (set mouse pointer)
  • manually toggle full-screen if available
  • manually toggle devicemotion if available (in case HDD MacBook has it)

Whenever we're in full-screen (VR or not), need a button to exit. Normally invisible, but revealed for a few seconds by any mousemove or touch event.

Hi ,
I try to add own "< div >" in your example , but I think your VR object z-axis is max , can I know how to set the z-index in this example?

Hi,
I'm trying to figure out the best way to add a link on one of the objects in the scene. Should I be using document.createElement, or is there a better way? And in case createElement is the way to go, how do I tie it to an object that I have created using the webvr-engine?

Best Regards
Simon

Get a low-poly model of a person that people can place in.

• What do about gender? color?
• Solve all problems of diversity in society.

could you provide an example code for using jsBin to pull an image from the internet and use it in a VR.image object or a VR.video object