Are there known vulnerabilities in the source code?

I downloaded the source code from the Git repository at GitHub (4ian/GDevelop: 🎮 Open-source, cross-platform game engine designed to be used by everyone) and opened it in JetBrains IntelliJ IDEA.

Then I looked into a couple of folders containing package.json files. There, I issued the command npm audit, and got a number of vulnerabilities reported.

Is this to be expected? Should I run npm install or a similar command, to update the dependencies and fix the vulnerabilities? My feeling is that it will not help. Actually, I tried in GDJS, and nothing happened, at least not with any file tracked by Git.

Running npm audit fix fixed the vulnerabilities and modified the package-lock.json file. Shouldn’t that file be updated to a vulnerability-free state in the Git repository?

Disclaimer: My knowledge of the npm environment is getting rusty; I haven’t worked with it for a while, and I’m starting to forget.

Generally, npm audit is pretty much just false positives.
See: npm audit: Broken by Design — overreacted

Most of the npm dependencies are build tools, only used by the devs on the GDevelop source code (which obviously will not contain code that deliberately triggers a vulnerability), and they don’t run in the actual final product.

Generally, vulnerabilities don’t mean anything for GDevelop anyway, since there’s nothing to protect/no attack surface to exploit them… GDevelop isn’t a server, so people cannot send commands to it remotely to hack your computer; GDevelop JSON files are just data that are parsed against a strict schema in the browser’s sandbox, so they cannot trigger malicious code just by opening them even if there’s a bug in the JSON parser; and if people are going to send malicious game JSON files, they can just use events with, for example, file system actions to do the nefarious stuff instead of relying on a bug…

The article you linked is definitely interesting. Thanks for the link!

I issued npm audit --omit=dev in the GDJS folder, and there were no vulnerabilities reported. In the sub-folder GDJS/test, there were, but I can’t say if they are false positives or not. Judging from that article, they probably are.
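As an added example (not code from this thread or from GDevelop), here is a small Python triage of an `npm audit --json` report in the npm 7+ format: for each finding it follows the `effects` chain up to the direct dependencies and checks whether any of them sits in `dependencies` rather than `devDependencies`, which is the dev-only/runtime split that the answer above relies on and that `npm audit --omit=dev` applies. Package names and advisories are constructed; `isDirect`, `via` and `effects` are the real report fields, but the manifest is read from package.json rather than the lockfile, so `npm audit --omit=dev` remains the authoritative check.

```python
import json

# Constructed sample manifest (not GDevelop's real package.json).
PACKAGE_JSON = json.loads("""{
  "dependencies":    {"runtime-lib": "^1.0.0"},
  "devDependencies": {"build-tool": "^4.0.0", "test-runner": "^2.0.0"}
}""")

# Constructed sample report shaped like `npm audit --json` from npm 7+: `leaf-a`
# is reached only through dev dependency `build-tool`; `leaf-b` also via `runtime-lib`.
AUDIT_JSON = json.loads("""{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "leaf-a": {"name": "leaf-a", "severity": "high", "isDirect": false,
               "via": [{"title": "constructed advisory A"}],
               "effects": ["build-tool"]},
    "build-tool": {"name": "build-tool", "severity": "high", "isDirect": true,
                   "via": ["leaf-a"], "effects": []},
    "leaf-b": {"name": "leaf-b", "severity": "moderate", "isDirect": false,
               "via": [{"title": "constructed advisory B"}],
               "effects": ["test-runner", "runtime-lib"]},
    "test-runner": {"name": "test-runner", "severity": "moderate",
                    "isDirect": true, "via": ["leaf-b"], "effects": []},
    "runtime-lib": {"name": "runtime-lib", "severity": "moderate",
                    "isDirect": true, "via": ["leaf-b"], "effects": []}
  }
}""")

def direct_roots(name, vulns, seen=None):
    """Follow `effects` edges upward to the direct (top-level) dependencies."""
    seen = set() if seen is None else seen
    entry = vulns.get(name)
    if entry is None or name in seen:
        return set()
    seen.add(name)
    roots = {name} if entry.get("isDirect") else set()
    for dependent in entry.get("effects", []):
        roots |= direct_roots(dependent, vulns, seen)
    return roots

def triage(report, manifest):
    """Map each advisory-bearing package to 'runtime' or 'dev-only'."""
    vulns = report["vulnerabilities"]
    prod = set(manifest.get("dependencies", {}))
    result = {}
    for name, entry in vulns.items():
        # Entries with advisory objects in `via` hold the actual flaw; a
        # string-only `via` just marks a dependent that is affected by it.
        if not any(isinstance(v, dict) for v in entry.get("via", [])):
            continue
        result[name] = "runtime" if direct_roots(name, vulns) & prod else "dev-only"
    return result
```

Running `triage(AUDIT_JSON, PACKAGE_JSON)` on the constructed data marks `leaf-a` as dev-only and `leaf-b` as runtime, the latter because one of its roots ships with the product.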