themaximalist / thinkmachine Goto Github PK
View Code? Open in Web Editor NEWMultidimensional mind mapper on the web and desktop
Home Page: https://thinkmachine.com
License: MIT License
thinkmachine's People
Contributors
Stargazers
Watchers
thinkmachine's Issues
Security vulnerabilities (debug <4.3.0) (phin <3.7.1) (got <11.8.5)
Local npm install of electron on Linux mint came up with these warnings that are pretty serious, and "npm audit fix" doesn't help:
10 vulnerabilities (6 moderate, 4 high)
# npm audit report
debug <=2.6.8
**Severity: high**
debug Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-9vvw-cc9w-f27h
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
No fix available
node_modules/aframe/node_modules/debug
aframe >=0.6.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of three-bmfont-text
node_modules/aframe
3d-force-graph-vr >=1.4.3
Depends on vulnerable versions of aframe
node_modules/3d-force-graph-vr
react-force-graph *
Depends on vulnerable versions of 3d-force-graph-vr
node_modules/react-force-graph
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/nice-color-palettes/node_modules/got
nice-color-palettes >=3.0.0
Depends on vulnerable versions of got
node_modules/nice-color-palettes
three-bmfont-text >=3.0.0
Depends on vulnerable versions of nice-color-palettes
node_modules/three-bmfont-text
phin <3.7.1
Severity: moderate
phin may include sensitive headers in subsequent requests after redirect - https://github.com/advisories/GHSA-x565-32qp-m3vf
fix available via `npm audit fix`
node_modules/phin
load-bmfont >=1.4.0
Depends on vulnerable versions of phin
node_modules/load-bmfont
I've edited the lock file and made all the references to the debug package to be version 4.3.4
thinkmachine/electron/package-lock.json
It seemed to install ok after that but I haven't had time to address the other two issues yet. I only ran it briefly in dev mode and saw a few debug errors being reported. Still unsure if the version dependencies were immaterial or legit.
FYI, the worst one was really old, and pointing to repository that has not been updated in 7 years.
Line 2295 when viewed in github (strangely line 2275 when viewed in my vscode copy):
"node_modules/aframe/node_modules/debug": {
"version": "2.2.0",
"resolved": "git+ssh://[email protected]/ngokevin/debug.git#ef5f8e66d49ce8bc64c6f282c15f8b7164409e3a"
},
Anything lower than 4.3.1 still gets reported.
debug 4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - GHSA-gxpj-cx7g-858c
I've attached the edited file. It only contains a fix for debug.
package-lock.json
Summary:
- The debug dependencies looks fixable (just forcing all instances to use at least 4.3.4 in the lock file)
- The phin package has been deprecated. Not sure if you can chose an equivalent alternative package maybe?
- The got package i haven't looked in to yet
PS. Thank you for creating this tool. The world needs it! :)
It makes the usual 2d hierarchical mind maps and knowledge graphs look like children's toys ;)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.