SAO vulnerabilities - Cause for concern?

I have been working on installing Tryton and have not been able to fix the following errors:

ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - Inefficient Regular Expression Complexity in chalk/ansi-regex · CVE-2021-3807 · GitHub Advisory Database · GitHub
fix available via npm audit fix
node_modules/grunt-shell/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/grunt-shell/node_modules/strip-ansi
grunt-shell >=3.0.1
Depends on vulnerable versions of strip-ansi
node_modules/grunt-shell

underscore 1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - Arbitrary Code Execution in underscore · CVE-2021-23358 · GitHub Advisory Database · GitHub
fix available via npm audit fix
node_modules/underscore
nomnom >=1.6.0
Depends on vulnerable versions of underscore
node_modules/nomnom
po2json 0.3.1 - 0.4.5
Depends on vulnerable versions of nomnom
node_modules/po2json

I have tried many different installations over the week with different versions of Tryton and each one produces the same result. All installations are done in a VM running a clean install of OpenSuse 15.3 Leap.

The sequence of events that I follow is:

  1. Install trytond from OpenSuse repository - version 6.2
  2. Install nodejs from OpenSuse repository - npm version 8.5.5
  3. Install postgresql from OpenSuse repository - version 14
  4. Configure postgresql with user tryton
  5. Create OS user tryton
  6. Perform database initialization with trytond-admin

At this point all works well and I can connect with the desktop app.

Installation of Web Client

  1. Download tryton-sao-last.tgz from the website - Version 6.2
  2. Create directory /srv/www/tryton-sao
  3. Unzip tryton-sao-last.tgz to /srv/www/tryton-sao
  4. Change owner/group to tryton on /srv/www/tryton-sao and all sub-directories
  5. Modify trytond.conf and set root=/srv/www/tryton-sao/package
  6. Switch user to tryton
  7. Run ‘npm install --production --legacy-peer-deps’
  8. Run ‘npm audit fix’
  9. Run ‘npm audit fix --force’
  10. Run ‘npx grunt’

At this point I can login and use the web interface.

I just want to make sure that all is well. Having errors/vulnerabilities is not something I like to see, especially when the severity is listed as high.

I am very excited and looking forward to running Tryton in our business.

Thanks,
Steve

Those vulnerabilities are only in build tools, not in the code running in sao.
The main problem is that the Javascript tools we chose to build with when starting sao are not deprecated, as is too often the case in the Javascript world. That's why we plan to reduce them, with State of the dependencies of the web client.
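One way to check that distinction against your own tree, as an added example that is not from either post: parse the text `npm audit` prints (an abridged copy of the report above is embedded), find the package at the top of each "Depends on vulnerable versions of" chain, and look it up in the manifest. The package.json here is constructed for illustration and is not sao's.

```javascript
// Added example, not from the thread: which top-level packages do the audit
// findings hang off, and are those devDependencies (build tooling) or not?
const AUDIT_TEXT = `
ansi-regex >2.1.1 <5.0.1
Severity: moderate
node_modules/grunt-shell/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/grunt-shell/node_modules/strip-ansi
grunt-shell >=3.0.1
Depends on vulnerable versions of strip-ansi
node_modules/grunt-shell

underscore 1.3.2 - 1.12.0
Severity: high
node_modules/underscore
nomnom >=1.6.0
Depends on vulnerable versions of underscore
node_modules/nomnom
po2json 0.3.1 - 0.4.5
Depends on vulnerable versions of nomnom
node_modules/po2json
`;
// Constructed manifest for illustration; sao's real package.json is not on this page.
const PACKAGE_JSON = { dependencies: { jquery: "^3.0" },
  devDependencies: { grunt: "^1.0", "grunt-shell": "^3.0.1", po2json: "^0.4.5" } };

function parseAudit(text) {
  const findings = [], dependedOn = new Set();
  let current = null, severity = null;
  for (const line of text.split("\n").map((l) => l.trim())) {
    let m;
    if (!line) severity = null;                       // blank line ends a group
    else if ((m = line.match(/^Depends on vulnerable versions of (\S+)$/))) dependedOn.add(m[1]);
    else if ((m = line.match(/^Severity: (\w+)$/))) severity = m[1];
    else if ((m = line.match(/^node_modules\/(.+)$/))) { findings.push({ ...current, severity, path: m[1] }); current = null; }
    else if ((m = line.match(/^(\S+) ([<>=\d].*)$/))) current = { name: m[1], range: m[2] };
  }
  // Chain roots: reported packages that nothing else in the report depends on.
  return { findings, roots: findings.filter((f) => !dependedOn.has(f.name)) };
}

// Label each chain root by where it sits in the manifest.
function classifyRoots(pkg, text = AUDIT_TEXT) {
  const prod = pkg.dependencies || {}, dev = pkg.devDependencies || {};
  return parseAudit(text).roots.map((f) => ({
    name: f.name, severity: f.severity,
    scope: f.name in prod ? "runtime" : f.name in dev ? "build-only" : "not a direct dependency",
  }));
}
```

A root labelled "build-only" never reaches the browser unless the build copies it into the served directory, so check the built output as well as the manifest.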