Update your meteor-node-stubs dependency!

A Galaxy client complained about a severe issue with our meteor-node-stubs packages.

Inside meteor-node-stubs, we had a package called crypto-browserify, which had a dependency called browserify-sign with a big vulnerability.

The problem was that crypto-browserify hadn’t had an update in 6 years!

To fix this, I forked its repository into our meteor-compat organization and published a new updated version of the crypto-browserify in our meteorjs npm organization, now called @meteorjs/crypto-browserify.

So, just for the sake of it, make sure to update your meteor-node-stubs dependency by running:

meteor npm i meteor-node-stubs@1.2.8

9 Likes

I’m getting errors importing node modules on the client that worked with the old version – e.g.:

import path from 'path';

used to work in the browser but now throws an error.

Are you getting this locally? Can you reproduce this consistently?

I’m not sure what could cause this. And I didn’t get anything like this on my tests…

If you’re able to create a reproduction, it would be great.

@denyhs

I’m also getting error: No route for path: /

This is with flowrouter.

Building info is at Emoji · wekan/wekan Wiki · GitHub

Then I just installed this new npm package version, and got that error.

No problem – I am able to reproduce by creating a new app with meteor create (selecting the “minimal” option) and then adding this to the top of main.js:

import path from 'path';

Then I get this error in the console when running the app:

@denyhs

I would appreciate it a lot if someone could help with upgrades to the newest Meteor 3.0 and newest dependencies.

There is a PR with some updates at the wekan repo, but it’s incomplete. I’m not even able to upgrade to the newest Meteor 2 without breaking the creation of a new board.

1 Like

Hi, just to throw our vote in the hat here too, our CI pipeline updated to the latest version of meteor-node-stubs too on the weekend because of our “flexiple” pinning to the major version, and it also breaks our build…

:cry:

For our pipeline we’ll roll back now as it’s unlikely that it’s exploitable, but a fix would be required for us to release again then.

Thank you for trying to prevent the security issue though @denyhs !

1 Like

Getting Uncaught Error: Cannot find module 'os' with this update and Meteor can’t start on client with React.

Can you guys try again, but now with version 1.2.9? It looks like it was a package-lock issue. cc @brianlukoff @storyteller @DanielDornhardt @xet7

Can you create a post listing these packages?

I can, of course, try to help as much as I’m able to, but the community can also give a hand!

Thanks – looks good now!

2 Likes

LGTM too! Thank you @denyhs !

I’ve tried it locally & will put it into our pipeline now, if you hear nothing it probably works :slight_smile:

2 Likes

@denyhs

Thanks! Released WeKan 7.42 to Snap Candidate, Docker, Kubernetes, Source Bundle. Snap Candidate has automatic updates.

2 Likes

Hey @xet7, I think it’ll be better if you create a post in the help category describing what you need and how people can help.

It will be easier for people to jump in and try to help, and it will have more exposure than here.

1 Like
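
A lockfile check for the dependency chain discussed in this thread (meteor-node-stubs, crypto-browserify, browserify-sign), added here as an example and not code from any poster or from the Meteor project. It assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3), treats 1.2.9 as the minimum meteor-node-stubs release because that is the version the thread settles on, and flags any unscoped crypto-browserify for review; the function names and sample lockfiles are constructed.

```javascript
// Added example: audits a parsed package-lock.json ("packages" map keyed by
// install path). Names and sample data are constructed, not from the thread.
const FIXED_STUBS = [1, 2, 9]; // release the thread asks people to retry with

function parseVersion(v) {
  // Numeric major.minor.patch only; pre-release tags are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isOlder(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

function auditLock(lock) {
  const findings = []; // items the thread says were replaced or need updating
  const review = [];   // browserify-sign copies to compare with its advisory
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // The text after the last "node_modules/" is the package name.
    const name = path.split('node_modules/').pop();
    if (name === 'meteor-node-stubs') {
      const v = parseVersion(meta.version);
      if (!v || isOlder(v, FIXED_STUBS)) {
        findings.push(`${path}: meteor-node-stubs ${meta.version} is older than 1.2.9`);
      }
    } else if (name === 'crypto-browserify') {
      // The scoped @meteorjs/crypto-browserify does not match this branch.
      findings.push(`${path}: unscoped crypto-browserify ${meta.version}`);
    } else if (name === 'browserify-sign') {
      review.push(`${path}: browserify-sign ${meta.version}`);
    }
  }
  return { findings, review };
}

// Constructed lockfile fragments; version strings are illustrative only.
const STUBS = 'node_modules/meteor-node-stubs';
const OLD_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'constructed-app' },
  [STUBS]: { version: '1.2.7' },
  [`${STUBS}/node_modules/crypto-browserify`]: { version: '0.0.0-constructed', inBundle: true },
  [`${STUBS}/node_modules/browserify-sign`]: { version: '0.0.0-constructed', inBundle: true },
} };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'constructed-app' },
  [STUBS]: { version: '1.2.9' },
  [`${STUBS}/node_modules/@meteorjs/crypto-browserify`]: { version: '0.0.0-constructed', inBundle: true },
  [`${STUBS}/node_modules/browserify-sign`]: { version: '0.0.0-constructed', inBundle: true },
} };
console.log(auditLock(OLD_LOCK), auditLock(NEW_LOCK));
```

To run it against a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `auditLock`; a CI job can fail the build when `findings` is non-empty.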