
Audit report

The npm (Node Package Manager) modules integrated into A.V.A.T.A.R or added by contributors in their plugins are reusable components that allow the integration of ready-to-use features.

Despite the regular checks performed by npm, packages can still contain security vulnerabilities, whether introduced inadvertently, because the package is no longer maintained, or through deliberate tampering. A vulnerable module can become an entry point for attacks that compromise A.V.A.T.A.R and your user data.

You have two commands to perform an npm package check:

  • The Information command: Accessible from the main menu, it allows you to check the npm packages of the A.V.A.T.A.R server and client.
  • The Audit command: Accessible from Plugin Studio, it allows you to check the npm packages of your own plugins and those of contributors.

Information command

The npm packages used by A.V.A.T.A.R are updated with each new release. If a long time passes between releases and you notice vulnerable or outdated packages, open an issue on the GitHub repository of the server or the client so that a corrected version can be published quickly.

  1. Open the A.V.A.T.A.R menu.
  2. Click on Information.
  3. The application searches for vulnerabilities and deprecations in all A.V.A.T.A.R npm packages, then the Information page appears:

Note: Refer to the next chapters of the Vulnerability Report and Deprecation Report tabs for the description of the tables.

Tip

The "Vulnerability Report" and "Deprecation Report" tabs of the Information command only display the results for the server and client packages. No fix or update action is available there; report the problem on GitHub as described above.

Audit command

A.V.A.T.A.R has no direct control over the security or quality of the npm packages pulled in by contributors' plugins. This command helps you decide whether a plugin is trustworthy.

  1. Open the A.V.A.T.A.R menu.
  2. Open Edition -> Plugin Studio.
  3. Open the plugin tab and click on the Audit button.
  4. Click on the Start Analysis button.
  5. The command searches for vulnerabilities and outdated dependencies in every plugin that declares npm packages, then displays the reports:

Note: Refer to the next chapters of the Vulnerability Report and Deprecation Report tabs for the description of the tables.

Reports

Vulnerability Report

The vulnerability report displays the issues found in all npm packages of the plugins in the following format:

  • Plugin: This column only appears for plugin audit reports.
  • Package: The package affected by the vulnerability.
  • Used By: The element that depends on the package: either the plugin itself (a direct dependency) or another package inside the plugin that pulls it in (a transitive dependency).
  • Severity: One of the following levels:

    - Info: Information or warnings that are not vulnerabilities in themselves. May include recommendations or points to monitor for improving security.
      Examples: changes in a dependency's security policy; general guidance on better security practices.
    - Low: Vulnerabilities with minor impact, or requiring specific and hard-to-meet conditions to exploit.
      Examples: non-critical misconfiguration; flaws in rarely used functionality.
    - Moderate: Vulnerabilities exploitable under certain conditions, requiring heightened attention.
      Examples: partial data leaks; exploits requiring user interaction.
    - High: Vulnerabilities exploitable under common conditions, with significant impact on security, confidentiality, or integrity.
      Examples: unauthorized access to sensitive data; remote code execution under specific conditions.
    - Critical: Vulnerabilities that are easy to exploit, with severe impact, often requiring no user interaction.
      Examples: unrestricted remote code execution; massive sensitive data leaks.
  • Fix Available: Depending on the package analysis, one of the following values appears:

    - Yes: An update is available that fixes the vulnerability without a breaking change.
      Note: A Fix button appears at the bottom of the window, allowing A.V.A.T.A.R to attempt automatic resolution.
    - No: No update is available that fixes the vulnerability.
      A possible solution is to extract this package from the plugin and address its vulnerabilities manually.
    - Possible with version X.X.X: An update is available that fixes the vulnerability, BUT it is a major release that may break compatibility with the plugin (or with A.V.A.T.A.R), so it requires functional validation.
      You must perform the update manually, from the plugin's directory (where its package.json lives), with: npm install package@version
    - No new version: Same as No. No update is available that fixes the vulnerability.
      A possible solution is to extract this package from the plugin and address its vulnerabilities manually.
  • Description: A description of the vulnerability and possibly a solution to resolve the issue.
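The columns above map directly onto the JSON that npm's own audit produces (npm 7 and later, `npm audit --json`). The page does not say which command the Audit button runs behind the scenes, so the following is an added example rather than A.V.A.T.A.R code: it takes a constructed sample of that JSON and turns it into rows shaped like the Vulnerability Report, deriving "Used By" from npm's `isDirect`/`effects` fields and "Fix Available" from its `fixAvailable` field (`true`, `false`, or an object naming the top-level package to change and whether that change crosses a major version). Package names and advisory titles in the sample are invented; the plugin name `my-plugin` is an assumption.

```javascript
// Added example, not code from A.V.A.T.A.R: turn `npm audit --json` output
// (npm 7+ format) into rows shaped like the Vulnerability Report.
// Run with: node audit-report.js

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample of the `npm audit --json` structure. Package names and
// advisory titles are invented for this example; they are not real advisories.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'widget-parser': {
      name: 'widget-parser', severity: 'high', isDirect: true,
      via: [{ title: 'Constructed: prototype pollution in parse()', severity: 'high', range: '<2.1.0' }],
      effects: [], range: '<2.1.0',
      fixAvailable: true, // non-breaking fix: "Yes"
    },
    'tiny-cookie': {
      name: 'tiny-cookie', severity: 'moderate', isDirect: false,
      via: [{ title: 'Constructed: cookie attribute injection', severity: 'moderate', range: '<0.5.0' }],
      effects: ['http-helper'], range: '<0.5.0', // pulled in by http-helper
      fixAvailable: { name: 'http-helper', version: '3.0.0', isSemVerMajor: true },
    },
    'http-helper': {
      name: 'http-helper', severity: 'moderate', isDirect: true,
      via: ['tiny-cookie'], // string entries: vulnerable only through tiny-cookie
      effects: [], range: '<=2.4.1',
      fixAvailable: { name: 'http-helper', version: '3.0.0', isSemVerMajor: true },
    },
    'legacy-md5': {
      name: 'legacy-md5', severity: 'low', isDirect: true,
      via: [{ title: 'Constructed: timing side channel', severity: 'low', range: '*' }],
      effects: [], range: '*',
      fixAvailable: false, // nothing to upgrade to: "No"
    },
  },
};

// Map npm's fixAvailable value onto the report's "Fix Available" column.
function classifyFix(fixAvailable) {
  if (fixAvailable === true) return 'Yes';
  if (!fixAvailable) return 'No';
  // Object form: npm names the top-level package to change and flags
  // whether the change crosses a major version (a breaking update).
  if (fixAvailable.isSemVerMajor) return `Possible with version ${fixAvailable.version}`;
  return 'Yes';
}

// Build report rows for one plugin. `pluginName` fills the "Plugin" column
// and stands in as "Used By" for direct dependencies.
function buildVulnerabilityReport(audit, pluginName) {
  return Object.values(audit.vulnerabilities)
    .map((v) => {
      const advisories = v.via.filter((entry) => typeof entry === 'object');
      return {
        plugin: pluginName,
        package: v.name,
        usedBy: v.isDirect ? pluginName : v.effects.join(', '),
        severity: v.severity,
        fixAvailable: classifyFix(v.fixAvailable),
        description: advisories.length
          ? advisories.map((a) => a.title).join('; ')
          : `via ${v.via.join(', ')}`,
      };
    })
    // Most severe first; Array.prototype.sort is stable, so ties keep npm's order.
    .sort((a, b) => SEVERITY_ORDER.indexOf(b.severity) - SEVERITY_ORDER.indexOf(a.severity));
}

// Gate for scripting: true if any row is at or above the given severity.
function hasSeverityAtLeast(rows, threshold) {
  const min = SEVERITY_ORDER.indexOf(threshold);
  return rows.some((row) => SEVERITY_ORDER.indexOf(row.severity) >= min);
}

console.table(buildVulnerabilityReport(SAMPLE_AUDIT, 'my-plugin'));
```

Two things the sample makes visible that the table alone does not: a transitive vulnerability (`tiny-cookie`) is reported once for itself, with "Used By" pointing at the package that pulls it in, and once for that package (`http-helper`) with the same "Possible with version 3.0.0" verdict, because the only way to remove it is a major upgrade of the direct dependency. In npm's own terms, "Yes" is what `npm audit fix` applies on its own, while the "Possible with version" case is what `npm audit fix --force` would do, which is exactly why the page asks you to do it by hand and validate the plugin afterwards.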

Fix Button

The Fix button appears only when the issue can be resolved (see the table above, Fix Available column with Yes).

Tip

The Fix command only modifies the plugin's node_modules directory and its package.json file. If you want to be able to roll back, back up the plugin directory (including package.json) before clicking the Fix button.

Deprecation Report

An outdated package is not critical in itself as long as its security is not affected. It is still useful to know whether the packages in use are up to date.

Important:

When installing A.V.A.T.A.R or a plugin via the Plugin Library, a package is automatically updated to the latest version allowed by its range if its version in package.json is written with a caret:
"package": "^X.Y.Z"
A caret range accepts any version greater than or equal to X.Y.Z and below the next major version, (X+1).0.0.

For example:
If package.json declares axios as:
- "axios": "^1.6.8",
and the latest published version of axios is 1.7.9, then version 1.7.9 is installed and the entry becomes:
- "axios": "^1.7.9".
A hypothetical 2.0.0 release would not be installed by this mechanism, because it lies outside the caret range; it would still show up in the deprecation report.

Because a caret range lets a fresh install pick a newer version than the one you audited, the set of packages actually running can differ between two installations of the same plugin. For a reproducible install, pin exact versions or keep a package-lock.json.
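To make the caret rule concrete, here is an added example (not A.V.A.T.A.R's own code) that resolves a "^X.Y.Z" range the way npm's semver does, including the 0.x special cases (^0.2.3 only allows patch updates, ^0.0.3 allows nothing but 0.0.3), and then builds rows in the shape of the Deprecation Report. The registry contents and package names are constructed for the example; real registry lookups and pre-release versions are out of scope. It goes slightly beyond the page's single case by also reporting which version a lockfile-free reinstall would actually pick when "Latest" is outside the range.

```javascript
// Added example, not code from A.V.A.T.A.R: caret-range resolution and a
// Deprecation Report built from a constructed registry snapshot.
// Run with: node caret-report.js

// Parse "X.Y.Z" into a numeric tuple. Pre-release tags are not handled here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareTuples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: the left-most non-zero component must not change.
// ^1.6.8 => >=1.6.8 <2.0.0, ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => >=0.0.3 <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(range, candidate) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lower = parseVersion(range.slice(1));
  const upper = caretUpperBound(lower);
  const c = parseVersion(candidate);
  return compareTuples(c, lower) >= 0 && compareTuples(c, upper) < 0;
}

// Highest version in a list, or null for an empty list.
function highestVersion(versions) {
  if (versions.length === 0) return null;
  return versions
    .slice()
    .sort((a, b) => compareTuples(parseVersion(a), parseVersion(b)))
    .pop();
}

// The version a fresh install would choose for a caret range.
function resolveCaret(range, versions) {
  return highestVersion(versions.filter((v) => satisfiesCaret(range, v)));
}

// Constructed registry snapshot: package names and versions are invented.
const SAMPLE_REGISTRY = {
  'example-lib': ['0.9.4', '1.6.8', '1.7.9', '2.0.0'],
  'zero-major': ['0.2.3', '0.2.9', '0.3.0'],
};

// Rows in the shape of the Deprecation Report (Package / Current / Latest),
// plus the version the caret range would resolve to on reinstall.
function deprecationReport(deps, installed, registry) {
  return Object.entries(deps)
    .map(([name, range]) => {
      const versions = registry[name] || [];
      return {
        package: name,
        current: installed[name],
        latest: highestVersion(versions),
        resolvedByRange: resolveCaret(range, versions),
      };
    })
    // Only packages with a newer version than the one in use appear.
    .filter((row) => row.current !== row.latest);
}

console.table(
  deprecationReport(
    { 'example-lib': '^1.6.8', 'zero-major': '^0.2.3' }, // package.json ranges
    { 'example-lib': '1.6.8', 'zero-major': '0.3.0' },   // versions installed
    SAMPLE_REGISTRY,
  ),
);
```

In the sample, example-lib is installed at 1.6.8 while the registry has 2.0.0: the report lists it with Latest 2.0.0, but a reinstall under "^1.6.8" would stop at 1.7.9. Clicking Update to move to 2.0.0 therefore rewrites the range, which is why the page recommends a backup first and a functional check afterwards.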

The deprecation report displays npm packages with a new version available across all plugins in the following format:

  • Plugin: This column only appears for plugin audit reports.
  • Package: The package with a new version available.
  • Current: The version currently used by the plugin.
  • Latest: The latest version of the package available in npm.

Update Button

The Update button appears only when a new version is available for a package.

  1. Click the checkboxes in the left column to select the packages to update.
  2. Click the Update button.

Tip

The Update command only modifies the plugin's node_modules directory and its package.json file. If you want to be able to roll back, back up the plugin directory (including package.json) before clicking the Update button.