Added dev shell support on nix #776
…es would work properly. And tar cause some dependencies break without it.
Well, now I tested and it seems to work. Although for some reason "minecraft-protocol-dependency" in node-modules is using the default version of minecraft "1.12.*", not the one that I set, "1.18.2", in settings in mindcraft. I just changed the default version in the version file of that dependency for now, but I think it needs to be pasted here; I just don't have time for this, so I'll just leave this for those who would review this. Tested on nixpkgs/master branch (linux), on x86_64-linux system.
| "minecraft-data": "3.97.0", | ||
| "minecraft-assets": "^1.16.0", | ||
| "mineflayer": "^4.33.0", | ||
| "mineflayer": "4.33.0", |
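Review bot: the second `mineflayer` line drops the caret, turning the `^4.33.0` range into an exact `4.33.0` pin, and nothing in the hunk or the description says why. If the pin exists only so the patch-package patch keeps matching the installed version, state that in the PR description; otherwise keep the `^` range and let the lockfile fix the resolved version.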
There was a problem hiding this comment.
Why are you locking this package to 4.33.0?
There was a problem hiding this comment.
Okay, I just need to run "npx patch-package mineflayer" and it would work without changing package.json, although it would change the patch name for "mineflayer", so this change of package.json maybe would be unnecessary. So that just patches the version mismatch. But without the override of tar I get an error.
npm audit report
tar <=7.5.10
Severity: high
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal - https://github.com/advisories/GHSA-34x7-hfp2-rc4v
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction - https://github.com/advisories/GHSA-83g3-92jg-28cx
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
node-tar Symlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-9ppj-qmqm-q256
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - https://github.com/advisories/GHSA-r6q2-hw4h-h46w
No fix available
node_modules/tar
cacache 14.0.0 - 18.0.4
Depends on vulnerable versions of tar
node_modules/cacache
make-fetch-happen 7.1.1 - 14.0.0
Depends on vulnerable versions of cacache
node_modules/make-fetch-happen
node-gyp <=10.3.1
Depends on vulnerable versions of make-fetch-happen
Depends on vulnerable versions of tar
node_modules/node-gyp
gl 0.0.5 - 8.1.6
Depends on vulnerable versions of node-gyp
node_modules/gl
node-canvas-webgl *
Depends on vulnerable versions of gl
node_modules/node-canvas-webgl
6 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
So this one is probably necessary.
There was a problem hiding this comment.
Audit report doesn't look like an error to me. Do you get any actual error?
There was a problem hiding this comment.
So... What is the purpose exactly of this PR?
There was a problem hiding this comment.
To add a flake file so it can be built on NixOS.
There was a problem hiding this comment.
So you can undo the changes to package.json then?
There was a problem hiding this comment.
Yeah, the flake is not correlated to package.json, I just wanted to point out that I also have a problem building it. I'm just not good at JS, so I think what I get is an error.
There was a problem hiding this comment.
So are you going to undo the changes?
Added a flake to easily build the project on a nix system using the "nix develop .#devShell" command.
Also changed versions of packages so patches would apply properly without errors, and tar is overridden because some dependencies break without it.