Update your meteor-node-stubs dependency!

A Galaxy client complained about a severe issue with our meteor-node-stubs packages.

Inside meteor-node-stubs, we had a package called crypto-browserify, which had a dependency called browserify-sign with a big vulnerability.

The problem was this crypto-browserify didn’t have an update in 6 years!

To fix this, I forked its repository into our meteor-compat organization and published a new updated version of the crypto-browserify in our meteorjs npm organization, now called @meteorjs/crypto-browserify.

So, just for the sake of it, make sure to update your meteor-node-stub dependency by running:

meteor npm i meteor-node-stubs@1.2.8

I’m getting errors importing node modules on the client that worked with the old version – e.g.:

import path from 'path';

used to work in the browser but now throws an error.

Are you getting this locally? Can you reproduce this consistently?

I’m not sure what could cause this. And I didn’t get anything like this on my tests…

If you’re able to create a reproduction, it would be great.


I’m also getting error: No route for path: /

This is with flowrouter.

Building info is at Emoji · wekan/wekan Wiki · GitHub

Then I just installed this new npm package version, and got that error.

No problem – I am able to reproduce by creating a new app with meteor create (selecting the “minimal” option) and then adding this to the top of main.js:

import path from 'path';

Then I get this error in the console when running the app:


I would appreciate a lot, if some could help with upgrades to newest Meteor 3.0 and newest dependencies.

There is some PR about some updates at wekan repo, but it’s incomplete. I’m not even able to upgrade to newest Meteor 2 without breaking creating new board.

1 Like

Hi, just to throw our vote in the hat here too, our CI pipeline updated to the latest version of meteor-node-stubs too on the weekend because of our “flexiple” pinning to the major version, and it also brakes our build…


For our pipeline we’ll roll back now as it’s unlikely that it’s exploitable, but a fix would be required for us to release again then.

Thank you for trying to prevent the security issue though @denyhs !

1 Like

Getting Uncaught Error: Cannot find module 'os' with this update and Meteor can’t start on client with React.

Can you guys try again, but now with version 1.2.9? It looks like it was a package-lock issue. cc @brianlukoff @storyteller @DanielDornhardt @xet7

Can you create a post listing these packages?

I can, of course, try to help as much as I’m able to, but the community can also give a hand!

Thanks – looks good now!


LGTM too! Thank you @denyhs !

I’ve tried it locally & will put it into our pipeline now, if you hear nothing it probably works :slight_smile:



Thanks! Released WeKan 7.42 to Snap Candidate, Docker, Kubernetes, Source Bundle. Snap Candidate has automatic updates.


Hey @xet7, I think it’ll be better if you create a post in the help category describing what you need and how people can help.

It will be easier for people to jump in and try to help, and it will have more exposure than here.

1 Like