Are Package-Lock Vulnerabilities an Issue When Using No Packages? - package.json

Apologies if this is really simple, I really don't understand the fundamentals involved here.
I recently got a string of emails from GitHub letting me know that there were security vulnerabilities in my package-lock.json files, but since I do not actually have any packages in my package.json files (except parcel bundler, which was auto-generated?), I wasn't sure if that was an issue. The only reason either file exists is because I used the Webstorm HTML5-Boilerplate template for the project, which auto-generated them.
This is the entirety of my package.json file.
{
  "name": " ",
  "version": "0.0.1",
  "description": "",
  "keywords": "",
  "license": "",
  "author": "",
  "scripts": {
    "build": "parcel build index.html",
    "dev": "parcel index.html --open",
    "start": "npm run build && npm run dev",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "parcel-bundler": "^1.12.4"
  }
}
To the best of my knowledge the only other external code used is jsdelivr and two research scripts, jquery and proliferate; none of these are raising any flags on GitHub.
Are there vulnerabilities simply by virtue of having outdated packages in package-lock.json even if they are never used? Should I just delete the files or is there a better solution?
The only real bug fix I've tried so far is generating a new HTML5-Boilerplate template using Webstorm to see if it had updated the package-lock, but that didn't do anything.
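The question above is really about what a lockfile entry means. Every top-level entry in the "dependencies" map of a package-lock.json is installed by npm install, and its "requires" edges show why it is there: almost all of them are transitive dependencies of the one thing that is declared (here, parcel-bundler in devDependencies). The added script below, which is not part of the original post, walks those edges from the declared dependencies, separates entries that are actually pulled in from stale leftovers, and checks both against an advisory table. The package.json, lockfile and advisory data are constructed for the illustration; the transitive package names are placeholders, and the lookup follows npm's nearest-enclosing rule only two levels deep.

```python
"""Which package-lock.json entries are really installed, and why?

Constructed example data (not the question author's real files); the
advisory table is made up too. Real advisory data comes from `npm audit`
or the GitHub Advisory Database, which is what the GitHub emails are based on.
"""

PACKAGE_JSON = {
    "name": "boilerplate-site",
    "version": "0.0.1",
    "devDependencies": {"parcel-bundler": "^1.12.4"},
}

# Cut-down lockfileVersion 1 shape (what npm 6 writes). "dev": true marks
# packages present only because of a devDependency; "stale-d" is listed but
# required by nothing, as happens when a lockfile outlives package.json edits.
PACKAGE_LOCK = {
    "lockfileVersion": 1,
    "dependencies": {
        "parcel-bundler": {"version": "1.12.4", "dev": True,
                           "requires": {"transitive-a": "^1.0.0", "transitive-b": "^2.0.0"}},
        "transitive-a": {"version": "1.0.3", "dev": True, "requires": {"leaf-c": "^4.0.0"}},
        "transitive-b": {"version": "2.1.0", "dev": True},
        "leaf-c": {"version": "4.0.0", "dev": True},
        "stale-d": {"version": "1.0.0", "dev": True},
    },
}

# Constructed advisory table: package -> versions an advisory covers.
ADVISORIES = {"leaf-c": {"4.0.0"}, "stale-d": {"1.0.0"}}


def declared_dependencies(package_json):
    """Names the project itself asks for, whatever section they sit in."""
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(package_json.get(section, {}))
    return names


def _resolve(name, requirer_entry, top_level):
    """Simplified nearest-enclosing lookup: a 'dependencies' map nested under
    the requiring entry wins over the flat top-level map."""
    nested = requirer_entry.get("dependencies", {})
    return nested[name] if name in nested else top_level.get(name)


def reachable_packages(lock, roots):
    """Follow 'requires' edges from the declared roots; return {name: version}."""
    top_level = lock.get("dependencies", {})
    seen = {}
    stack = [(root, top_level.get(root)) for root in roots]
    while stack:
        name, entry = stack.pop()
        if name in seen or entry is None:
            continue
        seen[name] = entry["version"]
        for dep in entry.get("requires", {}):
            stack.append((dep, _resolve(dep, entry, top_level)))
    return seen


def audit_lockfile(package_json, lock, advisories):
    """Split the lockfile into in-use and stale entries and flag advisories in each."""
    top_level = lock.get("dependencies", {})
    installed = {name: entry["version"] for name, entry in top_level.items()}
    in_use = reachable_packages(lock, declared_dependencies(package_json))
    stale = {name: ver for name, ver in installed.items() if name not in in_use}

    def flagged(packages):
        return sorted(f"{name}@{ver}" for name, ver in packages.items()
                      if ver in advisories.get(name, set()))

    return {
        "installed": sorted(installed),
        "reachable": sorted(in_use),
        "stale": sorted(stale),
        "vulnerable_in_use": flagged(in_use),
        "vulnerable_stale": flagged(stale),
    }


if __name__ == "__main__":
    for key, value in audit_lockfile(PACKAGE_JSON, PACKAGE_LOCK, ADVISORIES).items():
        print(f"{key}: {value}")
```

The two flagged lists call for different fixes: an entry under vulnerable_in_use is code that runs on every developer machine and CI runner that executes the build script, so it needs a newer version (npm update, or npm audit fix, and then commit the regenerated lockfile); an entry under vulnerable_stale is never installed by a fresh npm install of the current package.json, and npm prune or deleting and regenerating the lockfile removes it. Deleting package.json and the lockfile outright only makes sense if the parcel build scripts are never used.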

Related

Write a custom plugin for a bundler like parcel in a web app

I have my own nodejs web application which is using Parcel 2 to bundle the resources.
{
  "name": "acme-web-app",
  "version": "0.0.1",
  "description": "",
  "keywords": [],
  "license": "",
  "author": "",
  "scripts": {
    "build": "parcel build index.html",
    "dev": "parcel index.html --open",
    "start": "npm run build && npm run dev",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "@parcel/packager-raw-url": "^2.6.0",
    "@parcel/transformer-sass": "^2.6.0",
    "@parcel/transformer-webmanifest": "^2.6.0",
    "parcel": "^2.6.0",
    "sass": "^1.52.2"
  }
}
All works fine - the js bundles end up in a dist folder.
I am contemplating whether it is possible to write a parcel plug-in within this project that is executed when the build script is run.
Is it possible, or does every reference need to go through npm channels via devDependencies?
I haven't figured out a starting point for this, and have not been able to find what I am looking for on Google, so hopefully the question makes sense.
NOTE: I have only really built web applications with nodejs.

Find unused modules in nodeJS outside package.json

I have to document and resume code from another developer who has been fired because of a lot of disciplinary trouble inside the team.
The application uses nodeJS and mongoDB and I'm a beginner at nodeJS, but WebStorm helps me a lot to understand how the application works.
(I should mention that the former dev did not leave me much documentation, so I'm doing reverse engineering and cleaning here.)
My question today is:
the node_modules folder looks really huge to me, with 243 subdirectories. I suspect that some of these are not useful to the project, but the package.json is not really helping here:
{
  "name": "my_rotting_project",
  "version": "1.0.0",
  "description": "",
  "main": "main.js",
  "bin": "main.js",
  "scripts": {
    "start": "node --no-deprecation core/server",
    "server": "nodemon --no-deprecation core/server",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "luna": "file:./core"
  },
  "pkg": {
    "scripts": "plugins/**/*.js",
    "assets": [
      "static/**/*",
      "core/static/**/*"
    ]
  },
  "nodemonConfig": {
    "ext": "js,mjs,json,html,css,ejs"
  }
}
I have launched the npx check and npx npm_check commands, but they show me no unused library, which seems unlikely (though both of them reported that some dependencies were missing from package.json).
Does anyone know if these plugins are reliable enough, or should I try other methods? (And what should I do in this case?)
Thank you!
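The post above conflates two things: node_modules holds transitive dependencies of everything in package.json, so 243 folders says nothing about what the project's own code imports. What the unused-dependency checkers actually do is compare the packages referenced from source files against the ones declared in package.json. The script below, added here as an illustration and not part of the original post, implements that comparison from scratch so the result can be checked by hand: it extracts require(), static import and dynamic import() specifiers, maps each to its npm package (dropping relative paths, node: core modules and subpaths such as lodash/fp), and reports declared-but-unused and used-but-undeclared packages. Tools that only appear in "scripts" (nodemon in the package.json above) are counted as used from the script command. The sources and package.json are constructed; the NODE_BUILTINS set is a subset of Node's core modules; scan_tree() reads a real project directory.

```python
"""Compare packages imported by source files against package.json.

Constructed example: SOURCES and PACKAGE_JSON below are made up for the
illustration; call dependency_report(pkg, scan_tree("path/to/project"))
on a real checkout.
"""
import re
from pathlib import Path

# Subset of Node core modules (anything with a 'node:' prefix is core as well).
NODE_BUILTINS = {"fs", "path", "os", "http", "https", "crypto", "util",
                 "events", "stream", "url", "child_process", "assert"}

# require('x'), dynamic import('x'), import ... from 'x', and bare import 'x'.
IMPORT_RE = re.compile(
    r"""require\(\s*['"]([^'"]+)['"]"""
    r"""|\bimport\s*\(\s*['"]([^'"]+)['"]"""
    r"""|\bimport\b[^'";]*?\bfrom\s+['"]([^'"]+)['"]"""
    r"""|\bimport\s+['"]([^'"]+)['"]""")


def package_name(spec):
    """Map an import specifier to the npm package it belongs to, or None for
    relative paths and Node core modules. Scoped packages keep '@scope/name'."""
    if spec.startswith((".", "/", "node:")):
        return None
    parts = spec.split("/")
    name = "/".join(parts[:2]) if spec.startswith("@") else parts[0]
    return None if name in NODE_BUILTINS else name


def packages_used(sources):
    """sources: {relative_path: file_text}. Returns the set of package names imported."""
    used = set()
    for text in sources.values():
        for match in IMPORT_RE.finditer(text):
            spec = next(group for group in match.groups() if group is not None)
            name = package_name(spec)
            if name:
                used.add(name)
    return used


def dependency_report(package_json, sources):
    """Declared-but-unused and used-but-undeclared packages."""
    declared = set()
    for section in ("dependencies", "devDependencies"):
        declared.update(package_json.get(section, {}))
    used = packages_used(sources)
    # CLI tools run only from "scripts" never show up in source files, so the
    # first word of each script command counts as a use of that package.
    script_bins = {cmd.split()[0] for cmd in package_json.get("scripts", {}).values()
                   if cmd.strip()}
    return {
        "unused": sorted(declared - used - script_bins),
        "missing": sorted(used - declared),
    }


def scan_tree(root):
    """Read every .js/.mjs/.cjs file under root, skipping node_modules."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
            for p in root.rglob("*")
            if p.suffix in {".js", ".mjs", ".cjs"} and "node_modules" not in p.parts}


# Constructed project: three source files and a package.json.
SOURCES = {
    "core/server.js": (
        "const express = require('express');\n"
        "const fs = require('node:fs');\n"
        "const { pick } = require('lodash/fp');\n"
        "const cfg = require('./config');\n"),
    "core/lazy.js": "async function go() { return await import('mongoose'); }\n",
    "plugins/report.mjs": (
        "import dayjs from 'dayjs';\n"
        "import '@scope/polyfill';\n"
        "import { load } from '../core/loader.js';\n"),
}
PACKAGE_JSON = {
    "scripts": {"start": "node --no-deprecation core/server",
                "server": "nodemon --no-deprecation core/server"},
    "dependencies": {"express": "^4.18.2", "lodash": "^4.17.21", "moment": "^2.29.4"},
    "devDependencies": {"nodemon": "^2.0.22"},
}

if __name__ == "__main__":
    print(dependency_report(PACKAGE_JSON, SOURCES))
```

A "missing" package that still resolves at runtime is being satisfied by a transitive dependency of something else, which is exactly the situation the question describes: it works until that other package changes its own dependencies. The "unused" list is the one to trim, and a dependency such as "luna": "file:./core" has to be scanned as part of the project rather than treated as an external package, since its own requires are what pull most of the tree in.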

Electron NPM ERR! Missing Script: Start

I know this has been asked before, but that question did not help me at all! So I am trying to make an Electron app using its tutorial, and whenever I try to run my code, this error pops up:
npm ERR! missing script: start
Here is my package.json:
{
  "name": "my-electron-app",
  "version": "1.0.0",
  "description": "",
  "main": "main.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "electron ."
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}
So what am I doing wrong?
Strange. I can't think of many reasons why this is happening. I have a few ideas that may help.
Check you are in the correct folder to run the command
Attempt npm run start instead
If neither of these works, there may be something else that is missing.
Ok for those of you who had a similar problem, try using a different shell! I was using WSL and when I tried Windows command prompt everything worked just fine.

Lerna publish adds gitHead key to package.jsons

I've got the following scripts in my root package.json in my lerna repo:
"scripts": {
  "lerna:changed": "npx lerna changed",
  "lerna:diff": "npx lerna diff",
  "lerna:publish": "npx lerna publish"
}
After running npm run lerna:publish I see a gitHead key in my package.json file of all packages (not the root.json). This becomes a big problem when it comes to versioning because all packages will get bumped when this change is added. Why is this happening and how can I stop it?
I used to have a publish command in my root package.json file and I know this could have caused this problem originally but I've since removed it. Now, the package.json files for my sub packages look basically like this:
{
  "name": "@myProject/appOne",
  "version": "0.0.15-alpha.0",
  "description": "",
  "main": "index.js",
  "directories": {
    "lib": "lib"
  },
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}
UPDATE: It seems like gitHead is added as a temporary key during the publish phase. My publish creates tags and commits them to Git, but my deployment to my registry is failing, and that's probably why the cleanup isn't happening.

When npm installing GULP in local project - I get a ton of folders in node_modules - why?

I've been following this Gulp install by CSS-Tricks - https://css-tricks.com/gulp-for-beginners/ I noticed that when I get to their folder shot of what should be in the node_modules folder... they only have bin and gulp. I have 40+ folders that get added. Is this supposed to happen? Does Gulp need these dependencies? If not, why is it happening? Here is my package.json with certain info omitted and a screenshot of 1/2 the folders made on install. I started the project clean (no folders or crazy installs/uninstalls were done).
{
  "name": "---",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "repository": {
    "type": "git",
    "url": "git+-----.git"
  },
  "keywords": [
    "---",
    "---'",
    "---",
    "---"
  ],
  "author": "-----",
  "license": "ISC",
  "homepage": "------",
  "devDependencies": {
    "gulp": "^3.9.0"
  }
}
This is due to changes in the new npm 3, which I assume you're using here (you can check by doing npm -v if you want to make sure). All modules and their dependencies are now in /node_modules instead of being nested in sub-folders of the module that depended on them (like it used to be).
Your dependencies will now be installed maximally flat. Insofar as is possible, all of your dependencies, and their dependencies, and THEIR dependencies will be installed in your project's node_modules folder with no nesting.
Source: http://dailyjs.com/2015/06/26/npm-3/
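The flattening the answer describes can be modelled in a few lines, which makes it easier to see why one devDependency produces dozens of top-level folders and where nesting still happens. The script below is an added illustration, not npm's code and not part of the original answer: it models npm 3's hoisting rule with exact versions instead of semver ranges, placing each required package at the shallowest node_modules directory (walking from the project root down to the requiring package's own node_modules) that does not already hold a different version of it. The package graph (gulp plus the placeholder packages lib-a, lib-b and lib-c) is constructed; npm's real algorithm also resolves ranges, handles peer and optional dependencies, and has ordering rules that are left out here.

```python
"""Toy model of npm 3's flat install layout.

Constructed package graph (gulp's real dependencies are not used):
each package maps version -> {required package: exact version}.
"""
from collections import deque

REGISTRY = {
    "gulp":  {"3.9.0": {"lib-a": "1.0.0", "lib-b": "2.0.0"}},
    "lib-a": {"1.0.0": {"lib-c": "1.0.0"}},
    "lib-b": {"2.0.0": {"lib-c": "2.0.0"}},   # wants a different lib-c than lib-a
    "lib-c": {"1.0.0": {}, "2.0.0": {}},
}


def hoist(root_deps, registry):
    """Return {level: {name: version}} where level () is the project's
    node_modules and ("lib-b",) is node_modules/lib-b/node_modules."""
    layout = {(): {}}
    # (owner, name, version): owner is the node_modules of the package that
    # requires `name`, i.e. the deepest directory where it may be placed.
    queue = deque(((), name, version) for name, version in root_deps.items())
    while queue:
        owner, name, version = queue.popleft()
        for depth in range(len(owner) + 1):
            level = owner[:depth]                 # walk from the root downwards
            folder = layout.setdefault(level, {})
            existing = folder.get(name)
            if existing == version:
                break                             # already installed here: dedupe
            if existing is None:
                folder[name] = version            # shallowest conflict-free slot
                # Its own requirements may sit anywhere from the root down to
                # this package's physical node_modules directory.
                for dep, dep_version in registry[name][version].items():
                    queue.append((level + (name,), dep, dep_version))
                break
            # a different version lives at this level: try one level deeper
    return layout


def folder_paths(layout):
    """Flatten the layout into sorted 'node_modules/...' paths for display."""
    paths = []
    for level, folder in layout.items():
        prefix = "".join(f"node_modules/{parent}/" for parent in level)
        for name, version in folder.items():
            paths.append(f"{prefix}node_modules/{name}@{version}")
    return sorted(paths)


def top_level_count(layout):
    """How many folders appear directly under node_modules."""
    return len(layout[()])


if __name__ == "__main__":
    declared = {"gulp": "3.9.0"}
    result = hoist(declared, REGISTRY)
    print(f"declared: {len(declared)}, top-level folders: {top_level_count(result)}")
    for path in folder_paths(result):
        print(path)
```

With this graph, one declared package yields four top-level folders, and only the conflicting lib-c@2.0.0 ends up nested under lib-b. The security consequence of hoisting is that every flattened package is resolvable by require() from anywhere in the project, not just from the package that asked for it, so the set to review and audit is the whole lockfile, not the handful of names in package.json.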
