I am working on a login/registration form using MongoDB, Express, Passport, Bcrypt.js, among other things.
When I run 'npm i' it tells me I have vulnerabilities, I cloned the file and ran 'npm audit fix', it worked! But it didn't fix all the vulnerabilities, so I ran 'npm audit fix --force' on the cloned file and it broke. How can I fix these vulnerabilities without breaking my code?
If "npm audit fix" didn't fix all the issues, it probably means the vulnerabilities were fixed in a major version. You'll need to see if the remaining packages with vulnerabilities have migration guides, as major versions mean there are breaking changes.
Although if they're all dev dependencies, you might be able to get away with ignoring the warnings.
up to date, audited 1446 packages in 7s
194 packages are looking for funding
run npm fund for details
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run npm audit for details.
Ideally, we should address these vulnerabilities, especially in stages like production, sensible workplaces, etc. However, often, you will have to address these vulnerabilities manually.
npm audit fix will try to "fix" what it can by performing some updates.
npm audit fix --force will try to go further, considering upgrades even between major semantic versions (2 to 3, for instance, instead of 2 to 2.1, if necessary).
It may not be enough. To be on the safer side, look through every single module declared vulnerable to ponder eventual risks and how any issues can affect your project(s).
Keep in mind:
"npm" can find vulnerabilities absolutely at any time.
Therefore, if the developer has not sent a new version correcting the identified problem, you will have to:
Decide whether to use a new library.
Decide to downgrade or upgrade their libraries with the most negligible effect on your code.
Decide to fix the vulnerability yourself
Decide to wait for the author to fix the issue
Decide to implement your solution.
Decide to live with these vulnerabilities and likely address them before production.
npm audit monitors modules over time, so some vulnerabilities can still happen on perfectly thought-safe modules. Therefore, there is no 100% permanent fixing.
A way to have the list of problematic modules:
$> npm audit fix --dry-run --json
https://docs.npmjs.com/cli/v8/commands/npm-audit
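The two answers above boil down to three questions per finding: which direct dependency pulls the vulnerable module in, is that dependency dev-only, and is the offered fix a semver-major bump that needs a migration guide before `--force`. The following Node script, added here as an example and not code from any of the posts, answers those questions from the machine-readable report (`npm audit --json`, npm 7+ format) and your package.json. The sample report and package.json embedded in it are constructed to mirror the gulp / glob-parent chain quoted in the Understrap question further down this page; the `effects` edge from vinyl-fs to gulp is assumed for the sample.

```javascript
// Added example for this page (not code from any of the posts): triage an
// `npm audit --json` report (npm 7+ format) against package.json, labelling
// each finding with its severity, the direct dependencies that pull it in,
// whether those are devDependencies only, and whether the offered fix is a
// semver-major bump (the case `npm audit fix` leaves for `--force`).
//
// Usage: npm audit --json > audit.json && node audit-triage.js audit.json package.json
// With no arguments it runs on the constructed sample data below.

// Constructed sample package.json: gulp is a dev-only tool, express is runtime.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: '^4.17.1' },
  devDependencies: { gulp: '^4.0.2' },
};

// Constructed sample mirroring the gulp / glob-parent chain quoted on this page.
// Field names follow the real npm 7+ `npm audit --json` schema; the `effects`
// edge from vinyl-fs to gulp is assumed for the sample.
const MAJOR_FIX = { name: 'gulp', version: '3.9.1', isSemVerMajor: true };
const SAMPLE_AUDIT = {
  vulnerabilities: {
    'glob-parent': {
      name: 'glob-parent', severity: 'high', isDirect: false, range: '<5.1.2',
      via: [{ title: 'Regular expression denial of service',
              url: 'https://github.com/advisories/GHSA-ww39-953v-wcq6', severity: 'high' }],
      effects: ['chokidar', 'glob-stream'], fixAvailable: MAJOR_FIX,
    },
    chokidar: { name: 'chokidar', severity: 'high', isDirect: false, range: '1.0.0-rc1 - 2.1.8',
      via: ['glob-parent'], effects: ['glob-watcher'], fixAvailable: MAJOR_FIX },
    'glob-watcher': { name: 'glob-watcher', severity: 'high', isDirect: false, range: '>=3.0.0',
      via: ['chokidar'], effects: ['gulp'], fixAvailable: MAJOR_FIX },
    'glob-stream': { name: 'glob-stream', severity: 'high', isDirect: false, range: '5.3.0 - 6.1.0',
      via: ['glob-parent'], effects: ['vinyl-fs'], fixAvailable: MAJOR_FIX },
    'vinyl-fs': { name: 'vinyl-fs', severity: 'high', isDirect: false, range: '>=2.4.2',
      via: ['glob-stream'], effects: ['gulp'], fixAvailable: MAJOR_FIX },
    gulp: { name: 'gulp', severity: 'high', isDirect: true, range: '>=4.0.0',
      via: ['glob-watcher', 'vinyl-fs'], effects: [], fixAvailable: MAJOR_FIX },
  },
};

// Walk the `effects` edges from a finding up to the direct dependencies that
// pull it in. `seen` guards against cycles in the dependency graph.
function findRoots(vulns, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const v = vulns[name];
  // No entry, a direct dependency, or nothing above it: this is as far up as we can go.
  if (!v || v.isDirect || !v.effects || v.effects.length === 0) return [name];
  const roots = v.effects.flatMap((e) => findRoots(vulns, e, seen));
  return [...new Set(roots)].sort();
}

// Translate the `fixAvailable` field into the action a maintainer must take.
function describeFix(fix) {
  if (!fix) return { needsMajorBump: false, action: 'no fix published: wait, replace the package, or patch locally' };
  if (fix === true) return { needsMajorBump: false, action: 'npm audit fix' };
  if (fix.isSemVerMajor) {
    return { needsMajorBump: true,
      action: `major bump of ${fix.name} to ${fix.version}: read its migration guide before using --force` };
  }
  return { needsMajorBump: false, action: `npm audit fix (updates ${fix.name} to ${fix.version})` };
}

function triage(audit, pkg) {
  const vulns = audit.vulnerabilities || {};
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  return Object.values(vulns).map((v) => {
    const roots = findRoots(vulns, v.name);
    // Dev-only means every root is a devDependency and none is also a runtime dependency.
    const devOnly = roots.length > 0 && roots.every((r) => dev.has(r) && !prod.has(r));
    return { name: v.name, severity: v.severity, roots, devOnly, ...describeFix(v.fixAvailable) };
  });
}

// Counts per severity plus how many findings are dev-only or need a major bump.
function summarize(findings) {
  const out = { total: findings.length, devOnly: 0, needsMajorBump: 0 };
  for (const f of findings) {
    out[f.severity] = (out[f.severity] || 0) + 1;
    if (f.devOnly) out.devOnly += 1;
    if (f.needsMajorBump) out.needsMajorBump += 1;
  }
  return out;
}

if (typeof require === 'function' && require.main === module) {
  const fs = require('node:fs');
  const [auditPath, pkgPath] = process.argv.slice(2);
  const audit = auditPath ? JSON.parse(fs.readFileSync(auditPath, 'utf8')) : SAMPLE_AUDIT;
  const pkg = pkgPath ? JSON.parse(fs.readFileSync(pkgPath, 'utf8')) : SAMPLE_PACKAGE_JSON;
  const findings = triage(audit, pkg);
  for (const f of findings) {
    console.log(`${f.severity.padEnd(8)} ${f.name.padEnd(14)} via ${f.roots.join(', ')}` +
                `${f.devOnly ? ' [dev only]' : ' [RUNTIME]'} -> ${f.action}`);
  }
  console.log(summarize(findings));
}
```

On the sample all six findings resolve to the single devDependency gulp and to one semver-major fix, which is exactly the situation where `npm audit fix` stops and only `--force` (or a manual migration) would proceed; a finding rooted in a runtime dependency instead prints `[RUNTIME]`, the one that should be fixed before deploying.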
I am trying to teach myself web development and so far it's making my head hurt, but I'm not giving up. At the moment, I am trying to learn WordPress theme development using the Understrap framework. This is what I have done so far to try and get it all working:
Install Node using Homebrew on my Mac
Created a project folder on my Desktop
Ran the following git command to install Understrap in my project folder: git clone https://github.com/understrap/understrap.git
Then ran npm install within the directory in a terminal window
After doing all of this, I keep getting the following errors, but not being a seasoned web dev expert, this has me a bit boggled:
72 packages are looking for funding
run `npm fund` for details
6 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Then I ran "npm audit" to get a better idea of the issue and this is where I am completely lost and hoping one of you fantastic folks on here can provide some assistance:
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
node_modules/glob-watcher/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/glob-watcher/node_modules/chokidar
glob-watcher >=3.0.0
Depends on vulnerable versions of chokidar
node_modules/glob-watcher
gulp >=4.0.0
Depends on vulnerable versions of glob-watcher
node_modules/gulp
glob-stream 5.3.0 - 6.1.0
Depends on vulnerable versions of glob-parent
node_modules/glob-stream
vinyl-fs >=2.4.2
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
6 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
BTW, I ran "npm audit fix --force", but it did not resolve this issue.
Thank you all so much for your help on this, I really appreciate it!
So basically, every time I run create-react-app with npx, npm or yarn (have tried them all), with both NodeJS 12 and NodeJS 16.3.0 and npm 7.15 (or something like this), it gives me multiple dependency vulnerabilities. With the newest versions of npm and nodeJS, I get 24 (11 moderate and 13 high). How do I resolve these dependencies? Or is it okay to just ignore them? I want to use the proposed app in production mode eventually, however I just can not for the life of me figure out how to resolve these dependencies.
All the vulnerabilities seem to be related to react-scripts and denial of service. In the fixes, it suggests that an npx audit fix --force will fix it, by changing the react-scripts module to 1.1.5, however when I do this, even more vulnerabilities arise, suggesting the same solution but to revert back to react-scripts 4.0.3. Any advice would be great as I am driving myself mad here and finding next to 0 answers.
I posted my solution getting vulnerabilities down to one moderate risk due to the browserslist package here:
https://stackoverflow.com/a/68046680/1669123
Ultimately I think we'll need to wait on the CRA team to update react-scripts.
I have been following codelab instructions to implement Real-time communication with WebRTC and while trying to run npm-install I am getting the following warnings.
npm WARN webrtc-codelab@0.0.1 No repository field.
npm WARN webrtc-codelab@0.0.1 No license field.
audited 52 packages in 0.81s
found 16 vulnerabilities (11 low, 1 moderate, 3 high, 1 critical)
run npm audit fix to fix them, or npm audit for details
Can someone help me with fixing this?
The first ones are because of the licence and repository fields of the package.json being empty, you can fill them using docs for licence and repository.
The latter ones are due to outdated dependencies used by the code sample. It is ok to ignore this warning for an educational project, because the vulnerabilities often are not important if you are not planning to use the project on a production server. But if it is bothering you, you can use npm audit fix as suggested by npm; it'll try to update dependencies if there are no breaking changes in the upgrade. It might not succeed in doing so for some or all of those packages, in which case you'll need to manually install the newer version of those packages, but beware, because doing so COULD break the code sample to the point that it'll no longer work.
I'm making a website with a node express backend, which serves a react app from the public directory. Everything was working fine on my computer, I put all of this on an AWS server, ran npm install for my server, and for my app in the public directory, that's where I got that message:
/public$ npm audit fix
up to date, audited 1960 packages in 5s
# npm audit report
public *
Severity: high
Cross-Site Scripting - https://npmjs.com/advisories/1000
Path Traversal - https://npmjs.com/advisories/571
Cross-Site Scripting - https://npmjs.com/advisories/609
fix available via `npm audit fix`
1 high severity vulnerability
To address all issues, run:
npm audit fix
Everything was fine on my computer. I tried starting over again, emptying the node_modules directory and then reinstalling, but the same thing happened again. I guess I must have not copied/deleted some files, but I have no idea where to start, and I don't get what the "public *" is; is that a module? You're welcome if you have some ideas!
By default, when you run npm install, another command, called npm audit is also executed. It's a tool to check if your project's dependencies have some known vulnerabilities.
It has nothing to do with your environment, local or AWS, it's all about dependencies.
Auditing package dependencies for security vulnerabilities
The npm audit --fix can automatically fix vulnerabilities, however, documentation says that in some cases manual intervention might be required.
npm audit command
You need to closely look at the output of the command, maybe, if interested, read about the vulnerability and fix it.