I have been working on installing Tryton and have not been able to fix the following errors:
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex · CVE-2021-3807 · GitHub Advisory Database
fix available via npm audit fix
node_modules/grunt-shell/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/grunt-shell/node_modules/strip-ansi
grunt-shell >=3.0.1
Depends on vulnerable versions of strip-ansi
node_modules/grunt-shell
underscore 1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore · CVE-2021-23358 · GitHub Advisory Database
fix available via npm audit fix
node_modules/underscore
nomnom >=1.6.0
Depends on vulnerable versions of underscore
node_modules/nomnom
po2json 0.3.1 - 0.4.5
Depends on vulnerable versions of nomnom
node_modules/po2json
I have tried many different installations over the week with different versions of Tryton and each one produces the same result. All installations are done in a VM running a clean install of OpenSuse 15.3 Leap.
The sequence of events that I follow is:
- Install trytond from OpenSuse repository - version 6.2
- Install nodejs from OpenSuse repository - npm version 8.5.5
- Install postgresql from OpenSuse repository - version 14
- Configure postgresql with user tryton
- Create OS user tryton
- Perform database initialization with trytond-admin
At this point all works well and I can connect with the desktop app.
Installation of Web Client
- Download from website tryton-sao-last.tgz - Version 6.2
- Create directory /srv/www/tryton-sao
- Unzip tryton-sao-last.tgz to /srv/www/tryton-sao
- Change owner/group to tryton on /srv/www/tryton-sao and all sub-directories
- Modify trytond.conf and set root=/srv/www/tryton-sao/package
- Switch user to tryton
- Run ‘npm install --production --legacy-peer-deps’
- Run ‘npm audit fix’
- Run ‘npm audit fix --force’
- Run ‘npx grunt’
At this point I can log in and use the web interface.
I just want to make sure that all is well. Having errors/vulnerabilities is not something I like to see, especially when the severity is listed as high.
I am very excited and looking forward to running Tryton in our business.
Thanks,
Steve
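As an added example (not part of Steve's post or of the sao project), here is a Node script that triages an `npm audit --json` report (npm 7+ format) by walking each finding's `effects` chain up to the direct dependency that pulls it in and checking whether that dependency is a production or build-only (devDependencies) entry in package.json. The report and package.json are constructed to mirror the advisories above; treating grunt-shell and po2json as devDependencies is an assumption.

```javascript
// Triage of `npm audit --json` output ("auditReportVersion": 2, npm 7+).
// Each entry in report.vulnerabilities lists its dependents in `effects`;
// following that chain to a direct dependency shows whether the vulnerable
// package is reachable from production code or only from a build tool.
// Sample report and package.json are constructed to mirror the post; not real sao files.

const packageJson = { // assumption: the grunt/po2json build tools are devDependencies
  dependencies: { jquery: "^3.6.0" },
  devDependencies: { "grunt-shell": "^3.0.1", po2json: "^0.4.5" },
};

const vuln = (name, severity, isDirect, via, effects, nodes) =>
  ({ name, severity, isDirect, via, effects, nodes, fixAvailable: true });
const auditReport = { auditReportVersion: 2, vulnerabilities: {
  "ansi-regex": vuln("ansi-regex", "moderate", false,
    [{ title: "Inefficient Regular Expression Complexity in chalk/ansi-regex", range: ">2.1.1 <5.0.1" }],
    ["strip-ansi"], ["node_modules/grunt-shell/node_modules/ansi-regex"]),
  "strip-ansi": vuln("strip-ansi", "moderate", false, ["ansi-regex"], ["grunt-shell"],
    ["node_modules/grunt-shell/node_modules/strip-ansi"]),
  "grunt-shell": vuln("grunt-shell", "moderate", true, ["strip-ansi"], [], ["node_modules/grunt-shell"]),
  underscore: vuln("underscore", "high", false,
    [{ title: "Arbitrary Code Execution in underscore", range: "1.3.2 - 1.12.0" }],
    ["nomnom"], ["node_modules/underscore"]),
  nomnom: vuln("nomnom", "high", false, ["underscore"], ["po2json"], ["node_modules/nomnom"]),
  po2json: vuln("po2json", "high", true, ["nomnom"], [], ["node_modules/po2json"]),
} };

// Walk `effects` upward until a direct dependency is reached; `seen` guards against cycles.
function directRoots(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return [];
  seen.add(name);
  if (v.isDirect || v.effects.length === 0) return [name];
  return [...new Set(v.effects.flatMap((e) => directRoots(report, e, seen)))];
}

function scopeOf(pkg, root) {
  if (pkg.dependencies && root in pkg.dependencies) return "production";
  if (pkg.devDependencies && root in pkg.devDependencies) return "dev";
  return "unknown";
}

// One row per advisory: only entries whose `via` carries an advisory object, not a package name.
function triage(report, pkg) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => {
      const roots = directRoots(report, v.name);
      const scopes = new Set(roots.map((r) => scopeOf(pkg, r)));
      return { name: v.name, severity: v.severity, roots,
        advisory: v.via.find((x) => typeof x === "object").title,
        scope: scopes.has("production") ? "production" : scopes.has("unknown") ? "unknown" : "dev" };
    });
}

// Findings reaching a production dependency are the ones that ship to the browser.
const productionFindings = (rows) => rows.filter((r) => r.scope === "production");
console.table(triage(auditReport, packageJson));
```

A "dev" scope means the vulnerable code only runs on the build host under the `npx grunt` step, which changes the exposure but is still worth fixing by upgrading the build tool.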