This repository has been archived by the owner on Jan 6, 2024. It is now read-only.

Installation Did Not Go Well - Probably Due to Errors on My End #6

Open
danallendotcom opened this issue Aug 5, 2022 · 6 comments

Comments

@danallendotcom

I tried installing accownt on Debian 11. Steps

  1. Cloned to a local debian server
  2. git clone https://github.com/xyfir/accownt.git acct
  3. cd acct/web
  4. npm install
  5. cd ../web
  6. npm install

Both the npm installs produced:

added 1135 packages from 687 contributors and audited 1206 packages in 35.217s
found 675 vulnerabilities (3 low, 242 moderate, 360 high, 70 critical)
run `npm audit fix` to fix them, or `npm audit` for details

  7. `npm audit` produced in web:

SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nodemon > chokidar > fsevents > node-pre-gyp > mkdirp > │
│ │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-xvch-5gv4-984h
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nodemon > chokidar > fsevents > node-pre-gyp > tar > mkdirp │
│ │ > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-xvch-5gv4-984h
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nodemon > chokidar > fsevents > node-pre-gyp > rc > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-xvch-5gv4-984h
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nodemon > chokidar > fsevents > node-pre-gyp > rc > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-vh95-rmgr-6w4m
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nodemon > chokidar > fsevents > node-pre-gyp > mkdirp > │
│ │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-vh95-rmgr-6w4m
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nodemon > chokidar > fsevents > node-pre-gyp > tar > mkdirp │
│ │ > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-vh95-rmgr-6w4m
└───────────────┴──────────────────────────────────────────────────────────────┘

There is a ton more from the npm audit. I am pretty clueless about what to do at this point.

I love the description of accownt, would be great to get it running if possible
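
An added example, not part of the original thread or the Accownt code base: the tables quoted above repeat the same two advisories along different dependency paths, all under `nodemon [dev]`. This Node.js script parses that table format and collapses it to one row per advisory with a dev-only flag; the function names and the embedded sample are constructed for illustration.

```javascript
// Constructed sample: three of the tables quoted above, border rows trimmed.
const SAMPLE = `
│ Critical      │ Prototype Pollution in minimist │
│ Package       │ minimist │
│ Dependency of │ nodemon [dev] │
│ Path          │ nodemon > chokidar > fsevents > node-pre-gyp > mkdirp > │
│               │ minimist │
│ More info     │ GHSA-xvch-5gv4-984h
│ Critical      │ Prototype Pollution in minimist │
│ Package       │ minimist │
│ Dependency of │ nodemon [dev] │
│ Path          │ nodemon > chokidar > fsevents > node-pre-gyp > rc > minimist │
│ More info     │ GHSA-xvch-5gv4-984h
│ Moderate      │ Prototype Pollution in minimist │
│ Package       │ minimist │
│ Dependency of │ nodemon [dev] │
│ Path          │ nodemon > chokidar > fsevents > node-pre-gyp > rc > minimist │
│ More info     │ GHSA-vh95-rmgr-6w4m
`;
const SEVERITIES = ['low', 'moderate', 'high', 'critical'];
// One record per table; a severity row starts a new finding.
function parseAudit(text) {
  const findings = [];
  let field = null; // name of the cell a wrapped row continues
  for (const line of text.split('\n')) {
    if (!line.startsWith('│')) continue; // borders, blanks, banner text
    const [, key = '', value = ''] = line.split('│').map((c) => c.trim());
    const cur = findings[findings.length - 1];
    if (SEVERITIES.includes(key.toLowerCase())) {
      findings.push({ severity: key.toLowerCase(), title: value });
      field = 'title';
    } else if (cur && key === '') cur[field] += ' ' + value; // wrapped cell
    else if (cur) { field = key; cur[key] = value; }
  }
  return findings;
}
// One row per advisory: distinct paths, and whether every finding is under a [dev] dependency.
function triage(findings) {
  const rows = new Map();
  for (const f of findings) {
    const id = f['More info'];
    const row = rows.get(id) ||
      { id, package: f.Package, severity: f.severity, paths: new Set(), devOnly: true };
    row.paths.add(f.Path);
    if (!/\[dev\]$/.test(f['Dependency of'] || '')) row.devOnly = false;
    rows.set(id, row);
  }
  return [...rows.values()];
}
```

Calling `triage(parseAudit(text))` on saved audit output gives a short list to review; rows with `devOnly: false` are the ones that reach the deployed server or client bundle.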

@MrXyfir
Member

MrXyfir commented Aug 5, 2022

Hey, unfortunately I've stopped maintaining Accownt and it hasn't been updated in a few years.

That being said, the audit step was not necessary. I think essentially what it's doing is attempting to upgrade dependencies that may have breaking changes.

So there are a few options:

  1. Do not do the audit and it should work with the original dependencies.
  2. Audit it and apply the recommended fixes, although there may be breaking changes that cause it not to work.
  3. If you really want to use Accownt, I'd recommend you fork it and then in server/ and web/ run npm run upgrade, and then afterwards npm outdated, and make sure to check the breaking changes of each remaining package and apply those changes to the code in order to get Accownt to run on the latest dependencies. I'm happy to accept a PR afterwards if you'd like to do that.

I apologize for the inconvenience!

@danallendotcom
Author

Thank you for responding. Your suggestions make complete sense, I will give them a shot. I have never had to deal with the level of troubleshooting involved here with this particular technology. To be honest, I am not sure I know what this is working with here. Is this node.js? I know that question must seem extremely stupid. I have done some work with react, which involved running npm command line steps. A key step with react the way I did things was to run create-react-app, which created App.js and other react structures. With accownt, we are running npm install that adds node_modules to the directories where npm install runs, so I guess that is node.js. I have run node only for supporting react until now.

I hope I am not too garbled in my grasp.

I am going to see if I can get the updates applied as you have suggested.

The reason I am interested in accownt is I went through my own efforts to develop the simplest possible login/security scheme a few years ago. I like what I came up with, but I was struck by the minimum complexity that seemed to be required. As your notes indicate, the real name of the game is integrating the security/login with an app. Overall a kinda big tricky nut. What I like about accownt is it seems to be streamlined compared to what I came up with, and my solution is not isolated as much as accownt. By not isolated, I mean my solution is bundled with more functions than it needs. I never separated it out because I always needed the more elaborate package than only login/security.

If I can get accownt running, I will see if I can isolate the comparable functionality I developed and you can take a look if you want.

I have a feeling you appreciate in a way similar to my perspective, the whole login/security thing is a real thing, not minor.

In the end, I cannot stand depending on Google, Facebook, OWA, or anyone else for a system I am making. More than any other part of the framework I put together, the security/login elements are what make it mine. Those other security services ALWAYS create agony.

@MrXyfir
Member

MrXyfir commented Aug 5, 2022

Yes, I totally understand what you mean! Having your own login system you can fully control is a rarity these days, but building your own really is quite a mess. It seems so straightforward on the surface but you quickly realize how much goes into it.

There are no stupid questions :) Yes, this is Node.js on the server and React with Node.js development tools on the web client. Accownt is really two separate codebases in one repository, with server/ and web/ being the two separate projects.

Unfortunately though if you're not familiar with Node then debugging and making changes will be a bit tricky. The idea was for Accownt to be a standalone application that 'just works' and which anyone could configure out of the box, but unfortunately my lack of attention to it means it has failed at that goal.

@danallendotcom
Author

danallendotcom commented Aug 8, 2022

Ah! I did not spot React in the client. Thanks for the sanity check. I think I will be alright debugging react. I just did an in depth mini project with it..... uh oh.. famous last words. I just looked again... those file extensions, .ts and .tsx TypeScript....for react, I was looking for App.js... I found App.tsx, so that is react with TypeScript. I have never laid eyes on TypeScript before.

Your note made me feel great. We are in a bit of a rare club. I don't get the feeling too many people make their own site security. I am glad to know the only other person I have encountered who has ventured this road corroborates my experience.

As far as your goal goes, it is pretty damned hard to make something idiot proof without an idiot helping out. I am happy to be the idiot. I have not had a chance to get into it, but when I do, with you being responsive the way you are, there is no doubt I will be able to get it going and come to understand it in the process. Then with four eyes on this, I am looking forward to seeing what we can figure out about this.

There is no way we are the only two who wanted their own security. I see an article and video coming out of this, and a repo people will want because it will give the control we all crave, especially with all that has come to light in Big Tech over the last few years.

Lots coming to mind, but first things first, I have to get it running.

BTW, I did try npm run upgrade, and then afterwards npm outdated, and that looked a billion percent better. I just had to stop at that point, due to time constraints.

p.s. How did you make npm run, /server, /web, etc. look like buttons in your note?

@danallendotcom
Author

Are you running anything forked off accownt for your security on projects where you can?

@MrXyfir
Member

MrXyfir commented Aug 9, 2022

TypeScript might be a bit of a head-scratcher at first but I assure you you'll be glad it's there soon enough!

I ran a few different projects based on Accownt, primarily in the privacy/security space, hence why I built my own system. Unfortunately with my day job I just didn't have time to maintain the unreasonably large network of projects I'd built for myself so I had to shut them down. I'd still like to return to them at some point but I'm unable to at this point. If I was able to I'd build this kind of stuff all day long =)

You can wrap your text in the ` character:

`like this`

But yes I'm happy to help out however I can!

2 participants