UE4Launcher

Doesn't install as expected

Open murkeh217 opened this issue 4 years ago • 1 comments

OS : Ubuntu 20.04 LTS

UE4 : 4.27

                       === npm audit security report ===                        
                                                                                
# Run  npm install --save-dev [email protected]  to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Moderate        IPC messages delivered to the wrong frame in Electron         
                                                                                
  Package         electron                                                      
                                                                                
  Dependency of   electron [dev]                                                
                                                                                
  Path            electron                                                      
                                                                                
  More info       https://github.com/advisories/GHSA-hvf8-h2qh-37m9             
                                                                                


                                                                                
  Low             Context isolation bypass in Electron                          
                                                                                
  Package         electron                                                      
                                                                                
  Dependency of   electron [dev]                                                
                                                                                
  Path            electron                                                      
                                                                                
  More info       https://github.com/advisories/GHSA-56pc-6jqp-xqj8             
                                                                                


                                                                                
  High            Unpreventable top-level navigation                            
                                                                                
  Package         electron                                                      
                                                                                
  Dependency of   electron [dev]                                                
                                                                                
  Path            electron                                                      
                                                                                
  More info       https://github.com/advisories/GHSA-2q4g-w47c-4674             
                                                                                


                                                                                
  Moderate        Sandboxed renderers can obtain thumbnails of arbitrary files  
                  through the nativeImage API                                   
                                                                                
  Package         electron                                                      
                                                                                
  Dependency of   electron [dev]                                                
                                                                                
  Path            electron                                                      
                                                                                
  More info       https://github.com/advisories/GHSA-mpjm-v997-c4h4             
                                                                                


# Run  npm update normalize-url --depth 5  to resolve 1 vulnerability
                                                                                
  High            ReDoS in normalize-url                                        
                                                                                
  Package         normalize-url                                                 
                                                                                
  Dependency of   electron [dev]                                                
                                                                                
  Path            electron > @electron/get > got > cacheable-request >          
                  normalize-url                                                 
                                                                                
  More info       https://github.com/advisories/GHSA-px4h-xg32-q955             
                                                                                


# Run  npm update lodash --depth 4  to resolve 2 vulnerabilities
                                                                                
  High            Command Injection in lodash                                   
                                                                                
  Package         lodash                                                        
                                                                                
  Dependency of   electron [dev]                                                
                                                                                
  Path            electron > @electron/get > global-tunnel-ng > lodash          
                                                                                
  More info       https://github.com/advisories/GHSA-35jh-r3h4-6jhm             
                                                                                


                                                                                
  High            Prototype Pollution in lodash                                 
                                                                                
  Package         lodash                                                        
                                                                                
  Dependency of   electron [dev]                                                
                                                                                
  Path            electron > @electron/get > global-tunnel-ng > lodash          
                                                                                
  More info       https://github.com/advisories/GHSA-p6mc-m468-83gw             
                                                                                


# Run  npm update ini --depth 6  to resolve 1 vulnerability
                                                                                
  High            Prototype Pollution                                           
                                                                                
  Package         ini                                                           
                                                                                
  Dependency of   electron [dev]                                                
                                                                                
  Path            electron > @electron/get > global-tunnel-ng > npm-conf >      
                  config-chain > ini                                            
                                                                                
  More info       https://github.com/advisories/GHSA-qqgx-2p2h-9c37             
                                                                                


found 8 vulnerabilities (1 low, 2 moderate, 5 high) in 132 scanned packages
  run `npm audit fix` to fix 4 of them.
  4 vulnerabilities require semver-major dependency updates.

I can do npm audit fix, but it will only fix 4 out of the 8 vulnerabilities.

I tried doing npm audit fix --force, but that broke the launcher and nothing worked on it: UE4 engine was not detected, Marketplace or Learn couldn't be accessed (was getting ERR_BLOCKED_BY_RESPONSE by electron in console), and everything else just showed a no-entry mouse cursor on hovering above them.

murkeh217, Oct 20 '21 12:10

I am able to download assets, but I didn't try any fixes. Do you think any of these vulnerabilities can make it insecure to use my password when accessing the linked Google account? Or could it expose my google<->unrealenginemarket key (or w/e is used as a key after I log in on Google and it handshakes with Unreal Engine Market)?

AquariusPower, Oct 25 '21 00:10