itman, posted April 20 (edited)

Has anyone tried this pointing to Eset root CA cert.?

> I just found a solution, in the terminal when you are starting up the server I just had to include the directory of the rootCA.pem file:
>
>     HTTPS=true NODE_EXTRA_CA_CERTS="$(mkcert -CAROOT)/rootCA.pem" npm run dev

https://github.com/FiloSottile/mkcert/issues/563

I also believe the Eset cert. needs to be exported and converted to .pem format and then stored somewhere.

Also, NODE_EXTRA_CA_CERTS can be deployed via environment variable as shown in this example: https://doc.sitecore.com/xp/en/developers/hd/19/sitecore-headless-development/walkthrough--configuring-sitecore-ca-certificates-for-node-js.html
Guest Christopher Boisvert, posted April 21

I have the same version of Eset Nod 32 as all of you and I have the same error. What is the recommended solution for this with the minimal security surface area that is opened? I saw multiple answers but can't see exactly the one that would just fix those two commands for me:

    yarn install
    yarn upgrade

The default behavior of yarn was modified by Eset Nod 32 without informing any customer. I think this is a bad move by Eset because it blocked me from working.
Guest ratrakone, posted April 21

Same problem here. I'm using ESET Endpoint Security v. 11.0.2044.0. It's been 3 days, that's thousands of euro, this is not a joke request.
Guest Alexx, posted April 21

I have read all the articles on the web related with this error. I have also paid for Medium membership to read some premium posts. Disabling the antivirus did not solve this issue, so I thought the problem was on my pc. I ended up reinstalling windows from 0 thinking it was a virus or some bad internal bug, reinstalling all the apps. Suddenly I realized it was eset fault. I have lost money and the whole weekend trying to figure out this issue. This is not acceptable. I have removed the antivirus from my pc and will wait for a response on your side. Hope it solves soon.
Guest The Last Byte, posted April 21

This is a massive issue, c'mon ESET - you cannot leave this unsolved for so long. For individuals who wasted their day who are on Windows 10 or similar, here is what I did: https://github.com/the-last-byte/ESET-NPM-Breakage-Fix

For those managing dozens, hundreds, more computers, this could be a disaster. I really hope an official solution is not far away - as this doesn't build customer trust.
Guest An angry customer, posted April 21

This IS a massive issue. It cost me 2 days of work to find this thread and see that ESET is causing this issue! I'm a long time user but this is unacceptable. I also raised a support ticket. Please fix it ASAP.
Guest Joseph, posted April 21

> On 4/19/2024 at 1:45 PM, Marcos said:
> It is not actually a bug, we merely started to scan nodejs communication in order to detect nodejs malware payload.

👋 Hi Marcos! New ESET customer here. I really appreciate the focus on supply chain malware protection. That said, making npm inoperative is a pretty serious goof. We can disagree on whether this is a bug, but I hope you'll agree it's at least unacceptably disruptive.

Could you let me know what the plans are for addressing this issue? Any timeline details would be especially helpful. I ask because we've got a software release scheduled for tomorrow and I'm pretty sure this issue will cause our build process to fail.

Just a heads-up, a lot of us who rely on npm working seamlessly also have a say in our companies' cybersecurity budgets. 😁 Looking forward to your swift response!
Guest Szabi, posted April 21

I thought I'd leave a comment here as well, since many people find this thread. The fix detailed by @The Last Byte seems to work, but it needs a bit more work in some cases.

Original fix here: https://github.com/the-last-byte/ESET-NPM-Breakage-Fix
Notes and minor fixes: https://github.com/the-last-byte/ESET-NPM-Breakage-Fix/issues/1
Guest Pachomar, posted April 21

> 6 hours ago, Guest Alexx said:
> I have read all the articles on the web related with this error. I have also paid for Medium membership to read some premium posts. Disabling the antivirus did not solve this issue, so I thought the problem was on my pc. I ended up reinstalling windows from 0 thinking it was a virus or some bad internal bug, reinstalling all the apps. Suddenly I realized it was eset fault. I have lost money and the whole weekend trying to figure out this issue. This is not acceptable. I have removed the antivirus from my pc and will wait for a response on your side. Hope it solves soon.

This exactly, I had a release on Friday that had to be postponed because I wasn't able to properly build our app. And since this was a stealth "feature" I wasn't able to figure out what the issue was until I formatted my pc and started installing stuff one by one again. You can't have this kind of behavior towards your paying customers. Now I'm seriously thinking of switching to another antivirus.
Guest Annoyed customer, posted April 22

We've lost many hours of development time due to this bug. Turning off HTTPS scanning as mentioned by "Guest Siemer" solved the issue. The whole dev team has lost trust in ESET due to this and it will be hard to regain that trust. I hope ESET realizes that.
Guest Chris, posted April 22

Setting an environment variable or passing an extra flag to node is not a solution, as it is not always possible to change them (e.g. in applications that use node). ESET should fix this in a way that will not require any user intervention.
Guest Former Customer, posted April 22

Having lost more than 3 days of work, all I have to say is that I'll start searching for a new antivirus after this. Sad, I never had any complaints for ESET, but 3+ days of work translated to money is a LOT of years of subscription they won't have from me again after this.
Marcos (Administrators), posted April 22

This Quick questions forum is for guests and does not require registration as it serves only for quick questions. It was not meant for reporting issues according to this forum's rules:

> 4, Ask only simple questions. If you want to report an issue, inquire about your license, etc., create a forum account first. This forum is not intended for lengthy discussions.

A correct procedure for reporting issues is by raising a support ticket. Should you want to report an issue in this forum in the future, please sign up first and make a post in the appropriate product forum.

As for the issue, the whole problem is that Nodejs does not use the system trusted root CA certificate store while there is a bunch of Nodejs malware that our and other AV users want to be protected against at the network level. We hope that Nodejs will use the system TRCA cert. store in the future to allow that.

We have provided possible workarounds in this topic. We have reported the issue to developers on Friday, i.e. today is the first work day since the report. We are already testing Internet protection module 1475.1 with a fix which will be available on the pre-release update channel shortly, with release on the regular update channel to follow soon.
Guest Anon, posted April 22

Please, just let us know when it is fixed so we can reinstall the AV. Thanks!
Marcos (Administrators), posted April 22

You can update from the pre-release update channel to get Internet protection module 1475.1 or wait until it's updated automatically from the regular update channel.
Guest kevin morizur, posted April 22

I confirm that pre update 1475 is fixing certificate problem. Do you have any idea about when it will be officially released?
Marcos (Administrators), posted April 22

We expect it to be released gradually in the following days.
itman, posted April 22

> 2 hours ago, Marcos said:
> You can update from the pre-release update channel to get Internet protection module 1475.1 or wait until it's updated automatically from the regular update channel.

And what is the fix? To not SSL/TLS scan node.js apps?
Guest Warren, posted April 22

> 4, Ask only simple questions. If you want to report an issue, inquire about your license, etc., create a forum account first. This forum is not intended for lengthy discussions. A correct procedure for reporting issues is by raising a support ticket. Should you want to report an issue in this forum in the future, please sign up first and make a post in the appropriate product forum.

The OP isn't even a customer of yours and took the time to carefully explain the issue your software has created, probably in the hopes that you'd go "oh ****, that's bad, let's get it sorted pronto"

> As for the issue, the whole problem is that Nodejs does not use the system trusted root CA certificate store while there is a bunch of Nodejs malware that our and other AV users want to be protected against at the network level. We hope that Nodejs will use the system TRCA cert. store in the future to allow that.

You have to work with the software that's released, not some imaginary version that has the behaviour you want it to.

> We have provided possible workarounds in this topic.

The workarounds provided are not practical in many use cases (Github actions for instance) or reduce security from what was available prior to this new feature being implemented.

> We have reported the issue to developers on Friday, ie. today is the first work day since the report. We are already testing Internet protection module 1475.1 with a fix which will be available on the pre-release update channel shortly, with release on the regular update channel to follow soon.

Thread opened: "Posted Thursday at 08:14 AM". We began experiencing this issue on Wednesday 17th, so today is the fourth business day and sixth day and we still don't have a satisfactory fix with assurances that the same mistake won't be made again.

Overall I have to say that I am very concerned about the attitude presented to the disruption caused by the implementation of this stealth feature. Many of the people posting here are developers and we all know that mistakes happen and that things can get missed. But this is leaving us anxious that ESET considers it everyone else's responsibility to correct it when they implement changes that take business critical systems down.
Guest Anon, posted April 23

Thanks Warren. I agree with everything you have said.
Guest MaxPog, posted April 23

Good luck to everyone. There was the same error:

    $ npx express-generator
    npm ERR! code UNABLE_TO_VERIFY_LEAF_SIGNATURE
    npm ERR! errno UNABLE_TO_VERIFY_LEAF_SIGNATURE
    npm ERR! request to https://registry.npmjs.org/express-generator failed, reason: unable to verify the first certificate
    npm ERR! A complete log of this run can be found in: C:\Users\*****\AppData\Local\npm-cache\_logs\2024-04-23T11_02_57_824Z-debug-0.log

After updating from the test servers, another error appeared:

    $ npx express-generator
    npm ERR! code ENOENT
    npm ERR! syscall lstat
    npm ERR! path C:\Users\*****\AppData\Roaming\npm
    npm ERR! errno -4058
    npm ERR! enoent ENOENT: no such file or directory, lstat 'C:\Users\*****\AppData\Roaming\npm'
    npm ERR! enoent This is related to npm not being able to find a file.
    npm ERR! enoent
    npm ERR! A complete log of this run can be found in: C:\Users\*****\AppData\Local\npm-cache\_logs\2024-04-23T11_22_27_353Z-debug-0.log

Reinstalling NodeJs didn't fix anything. What to do?
Marcos (Administrators), posted April 23

> Just now, Guest MaxPog said:
> Reinstalling NodeJs didn't fix anything. What to do?

If disabling SSL/TLS filtering doesn't make any difference, then it should be unrelated to ESET.
itman, posted April 23

> 2 hours ago, Guest MaxPog said:
> Good luck to everyone. There was the same error:

Did you receive these errors when running Eset Endpoint pre-release ver. which includes the Internet module fix?
itman, posted April 23

> On 4/22/2024 at 7:08 AM, Marcos said:
> We hope that Nodejs will use the system TRCA cert. store in the future to allow that.

Per the following, appears this is in-progress. However, it will require user intervention to implement;

> In OpenSSL 3.2, support was added to use the Windows cert store as OpenSSL's CA store. While node currently doesn't use 3.2, when it eventually makes the move I would suggest defaulting the cert store to org.openssl.winstore:// - allowing any CA root certs to be picked up from the system.

https://github.com/nodejs/node/issues/51537
Guest Kyle, posted April 23

I'm also experiencing this issue and it has disrupted some client work. When can we expect a fix? I updated ESET as of today and still this is a problem. Also, your captcha is hilariously bad.