js-controller 4.0.x jetzt für alle User im STABLE!

Feinfinger

root@ioBroker:~# npm i iobroker.js-controller@4.0.18 --production

added 150 packages, removed 169 packages, changed 46 packages, and audited 311 packages in 1m

16 packages are looking for funding
  run `npm fund` for details

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
root@ioBroker:~# npm fund
root
+-- https://opencollective.com/ioredis
|   `-- ioredis@4.28.5
+-- https://github.com/sindresorhus/execa?sponsor=1
| | `-- execa@5.1.1
| `-- https://github.com/sponsors/sindresorhus
|     `-- get-stream@6.0.1, is-stream@2.0.1, onetime@5.1.2
+-- https://github.com/sponsors/RubenVerborgh
|   `-- follow-redirects@1.14.9
+-- https://paulmillr.com/funding/
| | `-- chokidar@3.5.3
| `-- https://github.com/sponsors/jonschlinkert
|     `-- picomatch@2.3.1
+-- https://github.com/sponsors/feross
|   `-- safe-buffer@5.2.1
+-- https://github.com/sponsors/ljharb
|   `-- is-nan@1.3.2, call-bind@1.0.2, get-intrinsic@1.1.1, has-symbols@1.0.3
+-- https://github.com/sponsors/epoberezkin
|   `-- ajv@6.12.6
`-- https://github.com/chalk/wrap-ansi?sponsor=1
  | `-- wrap-ansi@7.0.0
  `-- https://github.com/chalk/ansi-styles?sponsor=1
      `-- ansi-styles@4.3.0

root@ioBroker:~# npm audit
# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    node_modules/cliui
      yargs  8.0.0-candidate.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of yargs-parser
      node_modules/yargs
        iobroker.js-controller  <=2.1.1
        Depends on vulnerable versions of redis
        Depends on vulnerable versions of socket.io
        Depends on vulnerable versions of socket.io-client
        Depends on vulnerable versions of winston-daily-rotate-file
        Depends on vulnerable versions of yargs
        node_modules/iobroker.js-controller
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/string-width

debug  <2.6.9
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix`
node_modules/engine.io-client/node_modules/debug
node_modules/engine.io/node_modules/debug
node_modules/socket.io-adapter/node_modules/debug
node_modules/socket.io-client/node_modules/debug
node_modules/socket.io-parser/node_modules/debug
node_modules/socket.io/node_modules/debug
  engine.io  <=4.0.0-alpha.1
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of ws
  node_modules/engine.io
    socket.io  <=2.4.1
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of engine.io
    Depends on vulnerable versions of socket.io-parser
    node_modules/socket.io
      iobroker.js-controller  <=2.1.1
      Depends on vulnerable versions of redis
      Depends on vulnerable versions of socket.io
      Depends on vulnerable versions of socket.io-client
      Depends on vulnerable versions of winston-daily-rotate-file
      Depends on vulnerable versions of yargs
      node_modules/iobroker.js-controller
  engine.io-client  <=3.3.2 || 3.4.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  Depends on vulnerable versions of ws
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client
    socket.io-client  1.0.0-pre - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of engine.io-client
    Depends on vulnerable versions of socket.io-parser
    node_modules/socket.io-client
  socket.io-adapter  <=1.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of socket.io-parser
  node_modules/socket.io-adapter
  socket.io-parser  <=3.3.1
  Depends on vulnerable versions of debug
  node_modules/socket.io-parser

engine.io  <=4.0.0-alpha.1
Severity: high
Resource exhaustion in engine.io  - https://github.com/advisories/GHSA-j4f2-536g-r55m
Depends on vulnerable versions of debug
Depends on vulnerable versions of ws
fix available via `npm audit fix`
node_modules/engine.io
  socket.io  <=2.4.1
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of engine.io
  Depends on vulnerable versions of socket.io-parser
  node_modules/socket.io
    iobroker.js-controller  <=2.1.1
    Depends on vulnerable versions of redis
    Depends on vulnerable versions of socket.io
    Depends on vulnerable versions of socket.io-client
    Depends on vulnerable versions of winston-daily-rotate-file
    Depends on vulnerable versions of yargs
    node_modules/iobroker.js-controller

iobroker.js-controller  <=2.1.1
Severity: high
Arbitrary File Write in iobroker.js-controller - https://github.com/advisories/GHSA-cmch-296j-wfvw
Depends on vulnerable versions of redis
Depends on vulnerable versions of socket.io
Depends on vulnerable versions of socket.io-client
Depends on vulnerable versions of winston-daily-rotate-file
Depends on vulnerable versions of yargs
fix available via `npm audit fix`
node_modules/iobroker.js-controller

minimist  <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/winston-daily-rotate-file/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/winston-daily-rotate-file/node_modules/mkdirp
    winston-daily-rotate-file  1.7.0 - 1.7.2
    Depends on vulnerable versions of mkdirp
    node_modules/winston-daily-rotate-file
      iobroker.js-controller  <=2.1.1
      Depends on vulnerable versions of redis
      Depends on vulnerable versions of socket.io
      Depends on vulnerable versions of socket.io-client
      Depends on vulnerable versions of winston-daily-rotate-file
      Depends on vulnerable versions of yargs
      node_modules/iobroker.js-controller

parsejson  *
Severity: high
Regular Expression Denial of Service in parsejson - https://github.com/advisories/GHSA-q75g-2496-mxpp
fix available via `npm audit fix`
node_modules/parsejson
  engine.io-client  <=3.3.2 || 3.4.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  Depends on vulnerable versions of ws
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client
    socket.io-client  1.0.0-pre - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of engine.io-client
    Depends on vulnerable versions of socket.io-parser
    node_modules/socket.io-client
      iobroker.js-controller  <=2.1.1
      Depends on vulnerable versions of redis
      Depends on vulnerable versions of socket.io
      Depends on vulnerable versions of socket.io-client
      Depends on vulnerable versions of winston-daily-rotate-file
      Depends on vulnerable versions of yargs
      node_modules/iobroker.js-controller

redis  2.6.0 - 3.1.0
Potential exponential regex in monitor mode - https://github.com/advisories/GHSA-35q2-47q7-3pc3
fix available via `npm audit fix`
node_modules/redis
  iobroker.js-controller  <=2.1.1
  Depends on vulnerable versions of redis
  Depends on vulnerable versions of socket.io
  Depends on vulnerable versions of socket.io-client
  Depends on vulnerable versions of winston-daily-rotate-file
  Depends on vulnerable versions of yargs
  node_modules/iobroker.js-controller

socket.io  <=2.4.1
Severity: high
Insecure defaults due to CORS misconfiguration in socket.io - https://github.com/advisories/GHSA-fxwf-4rqh-v8g3
Depends on vulnerable versions of debug
Depends on vulnerable versions of engine.io
Depends on vulnerable versions of socket.io-parser
fix available via `npm audit fix`
node_modules/socket.io
  iobroker.js-controller  <=2.1.1
  Depends on vulnerable versions of redis
  Depends on vulnerable versions of socket.io
  Depends on vulnerable versions of socket.io-client
  Depends on vulnerable versions of winston-daily-rotate-file
  Depends on vulnerable versions of yargs
  node_modules/iobroker.js-controller

socket.io-parser  <=3.3.1
Severity: high
Resource exhaustion in socket.io-parser - https://github.com/advisories/GHSA-xfhh-g9f5-x4m4
Depends on vulnerable versions of debug
fix available via `npm audit fix`
node_modules/socket.io-parser
  socket.io  <=2.4.1
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of engine.io
  Depends on vulnerable versions of socket.io-parser
  node_modules/socket.io
    iobroker.js-controller  <=2.1.1
    Depends on vulnerable versions of redis
    Depends on vulnerable versions of socket.io
    Depends on vulnerable versions of socket.io-client
    Depends on vulnerable versions of winston-daily-rotate-file
    Depends on vulnerable versions of yargs
    node_modules/iobroker.js-controller
  socket.io-adapter  <=1.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of socket.io-parser
  node_modules/socket.io-adapter
  socket.io-client  1.0.0-pre - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of engine.io-client
  Depends on vulnerable versions of socket.io-parser
  node_modules/socket.io-client

ws  <=1.1.4
Severity: high
Denial of Service in ws - https://github.com/advisories/GHSA-5v72-xg48-5rpm
fix available via `npm audit fix`
node_modules/engine.io-client/node_modules/ws
node_modules/engine.io/node_modules/ws
  engine.io  <=4.0.0-alpha.1
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of ws
  node_modules/engine.io
    socket.io  <=2.4.1
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of engine.io
    Depends on vulnerable versions of socket.io-parser
    node_modules/socket.io
      iobroker.js-controller  <=2.1.1
      Depends on vulnerable versions of redis
      Depends on vulnerable versions of socket.io
      Depends on vulnerable versions of socket.io-client
      Depends on vulnerable versions of winston-daily-rotate-file
      Depends on vulnerable versions of yargs
      node_modules/iobroker.js-controller
  engine.io-client  <=3.3.2 || 3.4.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  Depends on vulnerable versions of ws
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client
    socket.io-client  1.0.0-pre - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of engine.io-client
    Depends on vulnerable versions of socket.io-parser
    node_modules/socket.io-client

xmlhttprequest-ssl  <=1.6.1
Severity: critical
Improper Certificate Validation in xmlhttprequest-ssl - https://github.com/advisories/GHSA-72mh-269x-7mh5
Arbitrary Code Injection - https://github.com/advisories/GHSA-h4j5-c7cj-74xg
fix available via `npm audit fix`
node_modules/xmlhttprequest-ssl
  engine.io-client  <=3.3.2 || 3.4.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  Depends on vulnerable versions of ws
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client
    socket.io-client  1.0.0-pre - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of engine.io-client
    Depends on vulnerable versions of socket.io-parser
    node_modules/socket.io-client
      iobroker.js-controller  <=2.1.1
      Depends on vulnerable versions of redis
      Depends on vulnerable versions of socket.io
      Depends on vulnerable versions of socket.io-client
      Depends on vulnerable versions of winston-daily-rotate-file
      Depends on vulnerable versions of yargs
      node_modules/iobroker.js-controller

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix`
node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 15.0.0
  Depends on vulnerable versions of cliui
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    iobroker.js-controller  <=2.1.1
    Depends on vulnerable versions of redis
    Depends on vulnerable versions of socket.io
    Depends on vulnerable versions of socket.io-client
    Depends on vulnerable versions of winston-daily-rotate-file
    Depends on vulnerable versions of yargs
    node_modules/iobroker.js-controller

21 vulnerabilities (2 low, 9 moderate, 7 high, 3 critical)

To address all issues, run:
  npm audit fix

bedeutet das ein npm audit fix ausführen?

arteck

@feinfinger sagte in js-controller 4.0.x jetzt für alle User im STABLE!:

bedeutet das ein npm audit fix ausführen?

NEIN..

und stell dich mal richtig hin

cd /opt/iobroker
npm i iobroker.js-controller@4.0.18 --production

und erst dann

wobei mach direkt die .19 drauf

npm i iobroker.js-controller@4.0.19 --production

Thomas Braun

@feinfinger sagte in js-controller 4.0.x jetzt für alle User im STABLE!:

root@ioBroker

Und hüpf da nicht als root rum.

Feinfinger

@arteck

Danke für die Hilfe, aber da ist wohl mehr im Busch.

Frage mich, warum updates bisher immer geklappt haben?

root@ioBroker:/opt/iobroker# npm i iobroker.js-controller@4.0.19 --production
npm ERR! code ENOTEMPTY
npm ERR! syscall rename
npm ERR! path /opt/iobroker/node_modules/abab
npm ERR! dest /opt/iobroker/node_modules/.abab-bvmibCm3
npm ERR! errno -39
npm ERR! ENOTEMPTY: directory not empty, rename '/opt/iobroker/node_modules/abab' -> '/opt/iobroker/node_modules/.abab-bvmibCm3'

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/iobroker/.npm/_logs/2022-03-07T08_39_26_200Z-debug-0.log

Thomas Braun

@feinfinger sagte in js-controller 4.0.x jetzt für alle User im STABLE!:

directory not empty, rename '/opt/iobroker/node_modules/abab' -> '/opt/iobroker/node_modules/.abab-bvmibCm3'

Dann mach das doch mal.

Feinfinger

@thomas-braun

Dann kommt der nächste Fehler...

root@ioBroker:/opt/iobroker# npm i iobroker.js-controller@4.0.19 --production
npm ERR! code ENOTEMPTY
npm ERR! syscall rename
npm ERR! path /opt/iobroker/node_modules/abbrev
npm ERR! dest /opt/iobroker/node_modules/.abbrev-5eNud0FY
npm ERR! errno -39
npm ERR! ENOTEMPTY: directory not empty, rename '/opt/iobroker/node_modules/abbrev' -> '/opt/iobroker/node_modules/.abbrev-5eNud0FY'

Was mich wundert ist, das diese Ordner alle vorhanden sind...

Thomas Braun

@feinfinger
Dann mache es nochmal...
Und wie gesagt, hampel da nicht als root rum.

Rene55

@thomas-braun Und hüpf da nicht als root rum.
Ich habe eben meine Installation (Docker-Image von Buanet) meinen js-Controller auf 4.0.18 hochgezogen. In der Console hab ich dazu 'root@iobroker:/opt/iobroker# iob upgrade self' ausgeführt. Dieser root ist ja so vorgegeben! Ist das ein anderer root, so dass ich den benutzen darf ?

Thomas Braun

@rene55 sagte in js-controller 4.0.x jetzt für alle User im STABLE!:

Dieser root ist ja so vorgegeben!

Auch im Docker kann man user anlegen, wenn es nicht gerade auf sowas wie einer Synology läuft. Da geht's wohl aus irgendwelchen Gründen nicht.

Als standard user zu agieren ist absolut 'best practice' und so in modernen Linux-Distributionen vorgesehen.

Rene55

@thomas-braun Wenn ich eine eigene Linux-Installation mache gibt's immer einen User - root benutz ich gar nicht. Ich werd den Teufel tun, und im Container von Buanet irgendeinen Benutzer anzulegen. Da Frage ich mich doch allen ernstes, warum der Container nicht direkt mit einem separaten Benutzer z.B. iobroker kommt. Hierdrauf brauchst du nicht zu antworten - das weiß nur @buanet.

Ben1983

@rene55 ich habe heute im Docker auf der Synology auch das update auf die 4.0.18 gemacht.
habe bis dato keine Probleme bemerkt, außer:
Vorher zeigte der host im iobroker admin 4% CPU (und im Synology der Container auch ca. 4-5% CPU an).
Nach dem Update zeigt der host im iobroker admin immer noch ca. 4% an, der container im synology allerdings ca. 10%.

Mr English

@apollon77
Hallo zusammen ich habe gerade meinen iobroker updatet und leider läuft er nicht mehr…

Die console sagt bei jeden Command das (siehe Bild)

Was ist der Fehler ??

Lg
English

Thomas Braun

@mr-english

Screenshots sind schon Mist. Bilder von Monitoren sind Megamist.
Per ssh einloggen und Konsolentext in CodeTags posten.

Magnus 0

Hallo Zusammen,

ich habe auch vor ein paar Tagen das Update auf 4.x.x durchgeführt.

Im ersten Moment eigentlich alles gut, nur gerade ist mir Folgendes aufgefallen:

https://forum.iobroker.net/topic/53166/fehler-ein-aus-zustand-switch-active-skript

Kann das ein Fehler in der Version 4.0.0 bzw. der neuen Datenbank sein?

Gruß

Mr English

@thomas-braun
Ok das nächste Mal werde ich es besser machen.

Aber was ist das Problem vom ioBroker ?

Thomas Braun

@mr-english sagte in js-controller 4.0.x jetzt für alle User im STABLE!:

Aber was ist das Problem vom ioBroker ?

Da man das nicht entziffern kann...
Keine Ahnung.

wendy2702

@mr-english

cd /opt/iobroker/

npm install iobroker.js-controller@4.0.19

Ich gehe zumindest davon aus das du diese Version haben willst, oder?

Mr English

@thomas-braun

Hier ist es alles noch einmal ordentlich

pi@raspberrypi4-iob:~ $ iob start
pi@raspberrypi4-iob:~ $ iob backup
internal/modules/cjs/loader.js:818
  throw err;
  ^

Error: Cannot find module '/opt/iobroker/node_modules/iobroker.js-controller/iobroker.js'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:815:15)
    at Function.Module._load (internal/modules/cjs/loader.js:667:27)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12)
    at internal/main/run_main_module.js:17:47 {
  code: 'MODULE_NOT_FOUND',
  requireStack: []
}
pi@raspberrypi4-iob:~ $ iob -v
internal/modules/cjs/loader.js:818
  throw err;
  ^

Error: Cannot find module '/opt/iobroker/node_modules/iobroker.js-controller/iobroker.js'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:815:15)
    at Function.Module._load (internal/modules/cjs/loader.js:667:27)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12)
    at internal/main/run_main_module.js:17:47 {
  code: 'MODULE_NOT_FOUND',
  requireStack: []
}
pi@raspberrypi4-iob:~ $ iob status 
internal/modules/cjs/loader.js:818
  throw err;
  ^

Error: Cannot find module '/opt/iobroker/node_modules/iobroker.js-controller/iobroker.js'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:815:15)
    at Function.Module._load (internal/modules/cjs/loader.js:667:27)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12)
    at internal/main/run_main_module.js:17:47 {
  code: 'MODULE_NOT_FOUND',
  requireStack: []
}
pi@raspberrypi4-iob:~ $

Thomas Braun

@mr-english

Geht doch.

cd /opt/iobroker 
sudo -H -u iobroker npm install iobroker.js-controller

wendy2702

@thomas-braun sagte in js-controller 4.0.x jetzt für alle User im STABLE!:

sudo -H -u iobroker npm install iobroker.js-controller

Tztztz… Direkt immer der Holzhammer

NEWS

js-controller 4.0.x jetzt für alle User im STABLE!

Support us

876
Online

31.9k
Users

80.2k
Topics

1.3m
Posts

NEWS

js-controller 4.0.x jetzt für alle User im STABLE!

Support us

876Online

31.9kUsers

80.2kTopics

1.3mPosts

876
Online

31.9k
Users

80.2k
Topics

1.3m
Posts