Unable to fix npm vulnerabilities - node.js

I am getting 6 vulnerabilities after running npm audit report:
I tried a solution and overridden the vulnerable versions of a particular package with their latest versions in package.json file like this:
"overrides": {
"nth-check": "2.1.1",
"@svgr/webpack": "6.5.1",
"@svgr/plugin-svgo": "6.5.1",
"svgo": "3.0.1",
"css-select": "5.1.0"
}
Then I updated the npm packages with npm update. But it did not change the result.
Tried another solution by making a resolution object in package.json and specified specific versions of a particular package, and ran it using npx i npm-force-resolutions but it gives this error:
npm ERR! could not determine executable to run.
But I am still unable to fix the npm vulnerabilities. Please help!

You should delete both node_modules and package-lock.json before launching npm install again; this will require more time to install all dependencies, but it will override all the versions that are currently installed (it will also bring in minor updates of dependencies).
Also, for this vulnerability, you only need to override nth-check. You can see the changes by executing npm list nth-check with and without the override (remember to delete both node_modules and package-lock.json).

How to resolve dependencies in a nodejs package

I've downloaded a nodejs project from Github, edited the source to add missing functionality and now I'm trying to compile it into an executable or run it uncompiled (node main.js). In both cases I get messages that it can't find its dependencies.
This is not my normal programming language, so I'm unfamiliar with how node dependencies work.
The dependencies in question are other node packages. I installed them with npm install -g but that didn't help.
In the package.json file they are described as follows:
"dependencies": {
"@castlelemongrab/ioh": "^0.0.4",
"@castlelemongrab/strr": "^0.0.1",
"bent": "^7.3.6",
"jsDump": "^1.1.0",
"yargs": "^15.3.1"
},
The warning messages specify the dependencies beginning with @ as the ones that are missing. Although it's just a warning, the program fails to function and issues the same message when you attempt to use it, so it's effectively an error. I found this Stack Overflow post mentioning that you could define dependencies like this:
"dependencies": {
"public": "git://github.com/user/repo.git#ref",
"private": "git+ssh://git@github.com:user/repo.git#ref"
}
But that didn't seem to have any effect:
Error: Cannot find module '@castlelemongrab/ioh'
How should I resolve it? I tried going into the node_modules directory and git clone-ing the ioh library into the @castlelemongrab folder but that also led to some errors:
npm ERR! code EISGIT
npm ERR! path C:\...\node_modules\@castlelemongrab\ioh
npm ERR! git C:\...\node_modules\@castlelemongrab\ioh: Appears to be a git repo or submodule.
npm ERR! git C:\...\node_modules\@castlelemongrab\ioh
npm ERR! git Refusing to remove it. Update manually,
npm ERR! git or move it out of the way first.
Additionally, since I have the production version of this package installed on my system and I don't want to overwrite it, if I change the "name" field in package.json is that an effective and safe way to avoid conflicts?
The solution was to git clone the missing modules into node_modules and then to rm -rf the .git and .gitignore.
Figured this out by trial and error. If anyone has a more complete and informed answer, please feel free to add it.

npm audit Arbitrary File Overwrite

I recently updated my version of angular using ng update
and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests upgrading a package from package.json like "angular-devkit/build-angular", but I am already using their latest version.
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > node-sass > node-gyp > tar
More info https://npmjs.com/advisories/803
found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
I thought of installing npm i tar but I am not sure.
The following worked for me:
Go to node_modules > node-gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.
Then run:
npm i
npm audit
npm audit fix
npm audit
you should see 0 vulnerabilities.
I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.
angular-cli relies on node-gyp, which has an open issue for this: https://github.com/nodejs/node-gyp/issues/1714
To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.
You should search in your package-lock.json for this:
"tar": {
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
And replace it with this:
"tar": {
"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
That worked for me.

Is there any point in adding 'npm' in the 'dependencies' field in 'package.json'?

I saw this somewhere, inside package.json:
"dependencies": {
...,
"npm": "^6.1.0",
...
}
Is there any point in this?
Will npm update itself as a result of this?
If yes, will it be able to do so if its current version is lower than 6?
This is not the normal practice for packages. This will not affect your global installation of npm.
If you wish to specify which version of npm your package requires to be installed, the engines field in the package.json is the proper place to put it. From the npm docs:
You can also use the “engines” field to specify which versions of npm are capable of properly installing your program. For example:
{ "engines" : { "npm" : "~1.0.20" } }
Unless the user has set the engine-strict config flag, this field is advisory only and will only produce warnings when your package is installed as a dependency.
npm will not prevent installation of packages with a different version of npm listed in engines, but it will warn in the console that it's requesting a different version of npm than what you're using.
The only purpose of installing npm as a dependency would be if it's a package that somehow needs to use npm's API directly (like a node_modules/ analyzer, or something like that).

EINTEGRITY: npm 5.0 integrity check and modernizr.com dependency

I've encountered this error when installing deps of my package:
$ npm i
npm ERR! code EINTEGRITY
npm ERR! sha1-tU7jWojzuU8MIY2VLAx+BwluNo0= integrity checksum failed when using sha1: wanted sha1-tU7jWojzuU8MIY2VLAx+BwluNo0= but got sha1-oXYP0kzpbhku0KU+phy353lbBhQ=. (26624 bytes)
npm ERR! A complete log of this run can be found in:
npm ERR! /home/tlenex/.npm/_logs/2017-06-22T10_18_19_773Z-debug.log
The problem is with my Modernizr dependency:
"dependencies": {
"Modernizr": "https://modernizr.com/download?setclasses-flash"
}
is there any way to solve this or ignore this integrity check?
Currently I have to run
npm i https://modernizr.com/download?setclasses-flash
again to get things working, which overrides the "integrity" field for "Modernizr" in my package-lock.json.
This may happen every time there is a change in Modernizr package fetched from this link and my package dependencies need to be reinstalled (for example, each time on CI build)
Is there no other way of solving this? I hope I won't have to place package-lock.json in my .gitignore file :(
More data about my environment:
$ npm -v
5.0.3
$ node -v
v6.11.0
Edit package-lock.json, find the one you want to skip, in this case the one that is failing:
sha1-tU7jWojzuU8MIY2VLAx+BwluNo0
and remove the integrity parameter from it, i.e.
},
"range-parser": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz",
"integrity": "sha1-9JvmtIeJTdxA3MlKMi9hEJLgDV4=",
"dev": true
},
to...
},
"range-parser": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz",
"dev": true
},
After that, run npm install; it will check the rest and skip this integrity check.
The point of the integrity field is to alert you when something has changed, so if you do not want it to exist, you can disable package-lock.json files in your npmrc. Just set package-lock=false
Note: I am the developer of Modernizr, and spoke with the npm-cli team about this issue. The root cause appears to be the change of the SHA type between npm5 and earlier versions. Nuking the node_modules folder will fix it
1. Find all outdated packages and update them:
npm outdated -g
sudo npm i -g outDatedPKG
2. Upgrade npm to the latest version with:
sudo npm i -g npm
3. Delete the package-lock.json file.
4. Delete the _cacache directory in ~/.npm:
npm cache verify
4.1. Every time I get that error, do steps 2 & 3.
5. If you still get the error, clear npm's cache:
npm cache clean --force
I had this same error and I solved it by:
Deleting package-lock.json
Running "npm install"
I finally resolved this issue.
Our team moved away from URL dependency without SEMVER notation, in this case https://modernizr.com/download?setclasses-flash and used modernizr-loader with webpack. There are also equivalents for gulp and grunt tools available on npm, pick and use one you like the most.
After using them, we finally got rid of the recurring EINTEGRITY npm error without nuking package-lock.json or node_modules.
Just do two things for the solution.
First:
npm cache clean --force
Second:
npm i -g npm
and then install what you want.
$ rm -rf package-lock.json node_modules
$ npm install --cache /tmp/empty-npm-cache
If this fixes it, clear your global npm cache to fix the corruption.

"npm install" installs all dependencies in node_modules directory, instead of having them nested

I need to know if the following behavior is normal.
When I npm install, each package from my package.json and the dependencies, don't get installed nested anymore, but each dependency is installed in the node_modules directory. That makes my node_modules directory blown and look like this:
This happened since I updated npm and node.
Now I run:
npm -v 3.3.6
node -v 4.2.1
python 2.7
windows 7
wamp
My package.json file looks like this:
{
"private": true,
"devDependencies": {
"gulp": "^3.8.8"
},
"dependencies": {
"laravel-elixir": "^3.0.0",
"bootstrap-sass": "^3.0.0"
}
}
It's the standard laravel package.json file.
Is there a way to have nested directories again, because I don't like such a blown-up directory with over 100 subdirectories.
Update: As Erik Pukinskis mentioned in the comments:
As of npm 3.5, support for --legacy-bundling has been dropped.
Yes, there is a way to have nested directories again by changing npm's (version 3 as of this writing) default behaviour:
Delete the currently present node_modules folder.
Tell npm to install with legacy bundling for this one install:
npm install --legacy-bundling
A "permanent" alternative:
Set your npm config to always use legacy bundling...
npm set legacy-bundling=true
.. and run as usual:
npm install
Note: fetching dependencies with legacy bundling will take a lot more time because many different versions of the same dependencies will be installed.
Disclaimer: As a non-Windows user I have no need for flat dependencies and want to find self-declared dependencies with ease in favour of automatic deduping. Since installing npm dependencies without legacy bundling already takes an incredible amount of time, I'm usually willing to spend those extra minutes of install time. It gets back down to 5 directories from previously 700+ (...) in a Laravel Elixir setup with bootstrap (non-sass), font-awesome and jquery added.
That's the new behavior of npm 3 as per this npm blog.