As part of a security vulnerability fix, I need to update one of the transitive dependencies.
The vulnerability is in the minimist package, which needs to be updated to 0.2.1.
minimist :: 0.0.8 >> Mypackage >> node:npm:artifactory/npm-dcloud:less:3.9.0 >> node:npm:artifactory/npm-dcloud:mkdirp:0.5.1
This is how the vulnerable package is reported in my system. So I need to tell less:3.9.0 that it should use a specific version of minimist when it is fetched by one of its dependencies, mkdirp.
As of now my package.json looks like:
"dependencies": {
  .......
  .......
  "less": "^3.0.4",
  .......
}
I have two queries here:
Why does package-lock.json have the less version as 3.9.0 when I have 3.0.4 in package.json? In npm list also, I see only 3.9.0.
How can I inform npm to use minimist 0.2.1 instead of 0.0.8 as reported above?
npm ls minimist
├─┬ babel-cli@6.26.0
│ └─┬ chokidar@1.7.0
│   └─┬ fsevents@1.1.3
│     └─┬ node-pre-gyp@0.6.39
│       ├─┬ mkdirp@0.5.1
│       │ └── minimist@0.0.8
│       └─┬ rc@1.2.1
│         └── minimist@1.2.0
├─┬ babel-loader@7.1.5
│ └─┬ mkdirp@0.5.1
│   └── minimist@0.0.8
├─┬ grunt@1.0.1
│ └─┬ dateformat@1.0.12
│   └─┬ meow@3.7.0
│     └── minimist@1.2.0
├─┬ karma@1.5.0
│ └─┬ optimist@0.6.1
│   └── minimist@0.0.10
├─┬ karma-mocha@1.3.0
│ └── minimist@1.2.0
├── minimist@0.2.1
├─┬ phantomjs-prebuilt@2.1.16
│ └─┬ extract-zip@1.6.6
│   └─┬ mkdirp@0.5.0
│     └── minimist@0.0.8
├─┬ UNMET PEER DEPENDENCY webpack@3.12.0
│ └─┬ watchpack@1.6.0
│   └─┬ chokidar@2.0.4
│     └─┬ fsevents@1.2.4
│       └─┬ node-pre-gyp@0.10.0
│         ├─┬ mkdirp@0.5.1
│         │ └── minimist@0.0.8
│         └─┬ rc@1.2.7
│           └── minimist@1.2.0
└─┬ webpack-dev-server@2.9.7
  └─┬ internal-ip@1.2.0
    └─┬ meow@3.7.0
      └── minimist@1.2.0
npm ERR! peer dep missing: webpack@^2.1.0-beta || ^2.2.0-rc || ^2.0.0, required by grunt-webpack@2.0.1
npm ERR! peer dep missing: webpack@^1.1.0 || ^2 || ^2.1.0-beta.0 || ^2.2.0-rc.0, required by karma-webpack@2.0.3
I have tried overrides as mentioned at
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
as follows:
"overrides": {
  "mkdirp": {
    "minimist": "0.2.1"
  }
}
but the older minimist version is still coming.
Second query:
rm -rf node_modules/
rm package-lock.json
In the package.json file it is possible to add the transitive dependency version.
"resolutions": {
"minimist": "0.2.1"
},
npm install
:)
npm install module_name@version_number
npm install less@3.0.4
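The override question above turns on two things: why `^3.0.4` in package.json resolves to less 3.9.0, and how to find every path by which minimist 0.0.8 is still reached so you can confirm an override actually removed it. (npm itself reads `overrides`, from npm 8.3 onward; `resolutions` is the Yarn equivalent.) What follows is an added example, not code from the question, the answers or npm. It walks a package-lock.json in the `lockfileVersion` 2/3 `packages` form using Node's module-resolution rule (nearest `node_modules` first, then each ancestor's, then the project root), lists every chain that ends in a minimist below the fixed version, and reports edges whose installed copy falls outside the range the requirer declared, which is exactly what a working override produces and what you should review for compatibility. The two lock files are constructed to mirror the `less > mkdirp > minimist` chain from the question; only exact and caret ranges are handled and prerelease tags are ignored, both simplifications of this example.

```javascript
// Added example: walk a package-lock.json (lockfileVersion 2/3 "packages" map)
// and list every dependency chain that ends in a vulnerable minimist.
// Both lock files are CONSTRUCTED; the less/mkdirp/minimist versions come from
// the question, the layout around them is assumed.

// Before any override: mkdirp@0.5.1 pins minimist 0.0.8, which conflicts with
// the root's minimist 0.2.1, so npm nests a second copy under mkdirp.
const LOCK_BEFORE = {
  name: 'mypackage', lockfileVersion: 2,
  packages: {
    '': { version: '1.0.0', dependencies: { less: '^3.0.4', minimist: '0.2.1' } },
    'node_modules/less': { version: '3.9.0', dependencies: { mkdirp: '^0.5.0' } },
    'node_modules/mkdirp': { version: '0.5.1', dependencies: { minimist: '0.0.8' } },
    'node_modules/minimist': { version: '0.2.1' },
    'node_modules/mkdirp/node_modules/minimist': { version: '0.0.8' },
  },
};
// After an override of minimist under mkdirp has taken effect (assumed result):
// the nested copy is gone, so mkdirp's require() falls through to the root copy.
const LOCK_AFTER = {
  name: 'mypackage', lockfileVersion: 2,
  packages: {
    '': { version: '1.0.0', dependencies: { less: '^3.0.4', minimist: '0.2.1' } },
    'node_modules/less': { version: '3.9.0', dependencies: { mkdirp: '^0.5.0' } },
    'node_modules/mkdirp': { version: '0.5.1', dependencies: { minimist: '0.0.8' } },
    'node_modules/minimist': { version: '0.2.1' },
  },
};

// Minimal semver: exact versions and caret ranges only, prerelease tags ignored
// (simplification; use the `semver` package for real lock files).
function parseVersion(v) { return v.split('-')[0].split('.').map(Number); }
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0) ? -1 : 1;
  }
  return 0;
}
// ^3.0.4 means >=3.0.4 <4.0.0, which is why the lock file holds 3.9.0.
// For 0.x the caret only widens the last non-zero part (^0.5.0 is >=0.5.0 <0.6.0).
function satisfiesRange(range, version) {
  if (!range.startsWith('^')) return compareVersions(parseVersion(range), parseVersion(version)) === 0;
  const lo = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compareVersions(v, lo) < 0) return false;
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
  return compareVersions(v, hi) < 0;
}

// Node's lookup: <from>/node_modules/<dep>, then each ancestor's node_modules,
// ending at the project root. Returns the lock-file key of the copy that wins.
function resolveDep(packages, fromKey, dep) {
  let dir = fromKey;
  for (;;) {
    const key = dir ? `${dir}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[key]) return key;
    if (!dir) return null; // unmet (e.g. optional) dependency
    const cut = dir.lastIndexOf('/node_modules/');
    dir = cut === -1 ? '' : dir.slice(0, cut);
  }
}
function pkgName(key) {
  return key === '' ? '(root)' : key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
}
function declaredDeps(key, entry) {
  const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
  if (key === '') Object.assign(deps, entry.devDependencies || {}); // root dev deps are installed too
  return deps;
}

// Every chain from the root that reaches `target`, labelled name@installed-version.
function chainsTo(lock, target) {
  const { packages } = lock;
  const found = [];
  (function walk(key, stack, labels) {
    for (const dep of Object.keys(declaredDeps(key, packages[key]))) {
      const resolved = resolveDep(packages, key, dep);
      if (resolved === null || stack.includes(resolved)) continue; // unmet, or a cycle
      const version = packages[resolved].version;
      const next = labels.concat(`${dep}@${version}`);
      if (dep === target) found.push({ version, chain: next.join(' > ') });
      walk(resolved, stack.concat(resolved), next);
    }
  })('', [''], []);
  return found;
}
function vulnerableChains(lock, target, fixedVersion) {
  const fixed = parseVersion(fixedVersion);
  return chainsTo(lock, target).filter((c) => compareVersions(parseVersion(c.version), fixed) < 0);
}

// Edges where the installed copy is outside the range its requirer declared.
// A working override shows up here (mkdirp asks for 0.0.8 and gets 0.2.1), so
// this is the list to test for compatibility after forcing a version.
function rangeViolations(lock) {
  const { packages } = lock;
  const out = [];
  for (const [key, entry] of Object.entries(packages)) {
    for (const [dep, range] of Object.entries(declaredDeps(key, entry))) {
      const resolved = resolveDep(packages, key, dep);
      if (resolved === null) continue;
      const got = packages[resolved].version;
      if (!satisfiesRange(range, got)) out.push({ from: `${pkgName(key)}@${entry.version}`, dep, range, got });
    }
  }
  return out;
}

for (const c of vulnerableChains(LOCK_BEFORE, 'minimist', '0.2.1')) console.log('VULNERABLE', c.chain);
console.log('after override:', vulnerableChains(LOCK_AFTER, 'minimist', '0.2.1').length, 'vulnerable chains');
console.log('range violations after override:', rangeViolations(LOCK_AFTER));
```

To use it on a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json'))` and run `vulnerableChains(lock, 'minimist', '0.2.1')`; an empty result plus a reviewed `rangeViolations` list is the evidence that the override did what the ticket asked.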
Going into a new directory, after typing those three commands:
npm install underscore
npm install lodash
npm install express
I get a node_modules directory with many packages:
$ ls node_modules
accepts cookie-signature encodeurl forwarded lodash mime-db parseurl send underscore
array-flatten debug escape-html fresh media-typer mime-types path-to-regexp serve-static unpipe
content-disposition depd etag http-errors merge-descriptors ms proxy-addr setprototypeof utils-merge
content-type destroy express inherits methods negotiator qs statuses vary
cookie ee-first finalhandler ipaddr.js mime on-finished range-parser type-is
While using npm list, I can get a tree structure:
$ npm list
/tmp/play/npm
├─┬ express@4.14.0
│ ├─┬ accepts@1.3.3
│ │ ├─┬ mime-types@2.1.13
│ │ │ └── mime-db@1.25.0
│ │ └── negotiator@0.6.1
│ ├── array-flatten@1.1.1
│ ├── content-disposition@0.5.1
│ ├── content-type@1.0.2
│ ├── cookie@0.3.1
│ ├── cookie-signature@1.0.6
│ ├─┬ debug@2.2.0
│ │ └── ms@0.7.1
│ ├── depd@1.1.0
│ ├── encodeurl@1.0.1
│ ├── escape-html@1.0.3
│ ├── etag@1.7.0
│ ├─┬ finalhandler@0.5.0
│ │ ├── statuses@1.3.1
│ │ └── unpipe@1.0.0
│ ├── fresh@0.3.0
│ ├── merge-descriptors@1.0.1
│ ├── methods@1.1.2
│ ├─┬ on-finished@2.3.0
│ │ └── ee-first@1.1.1
│ ├── parseurl@1.3.1
│ ├── path-to-regexp@0.1.7
│ ├─┬ proxy-addr@1.1.2
│ │ ├── forwarded@0.1.0
│ │ └── ipaddr.js@1.1.1
│ ├── qs@6.2.0
│ ├── range-parser@1.2.0
│ ├─┬ send@0.14.1
│ │ ├── destroy@1.0.4
│ │ ├─┬ http-errors@1.5.1
│ │ │ ├── inherits@2.0.3
│ │ │ └── setprototypeof@1.0.2
│ │ └── mime@1.3.4
│ ├── serve-static@1.11.1
│ ├─┬ type-is@1.6.14
│ │ └── media-typer@0.3.0
│ ├── utils-merge@1.0.0
│ └── vary@1.1.0
├── lodash@4.17.2
└── underscore@1.8.3
My question is: from all those dependencies, how does npm list know which ones are my direct dependencies, such as underscore, lodash and express?
note: I don't have a package.json file.
It builds the list on the basis of the dependencies of the modules. The dependencies of the modules are specified in the package.json of each module in the dependencies field. When you install a module npm adds some additional fields to the module's package.json and one of those is the field _requiredBy to store the dependency link in the other direction as well. If you run the npm list command it goes through all the modules and reads the _requiredBy field in package.json of each module.
If you install a module directly without saving it to your package.json, npm adds #USER to the _requiredBy field to signify that you manually installed it and it is not just a dependency of the other modules. Then npm list shows that module in the root of the tree as well.
You can use this command:
npm list --depth=0 2>/dev/null
The npm list command will print to stdout all the versions of packages that are installed, as well as their dependencies, in a tree structure.
So you have only installed three packages:
npm install underscore
npm install lodash
npm install express
All other packages are dependencies of the express package.
I'm trying to install Grunt on a local project, when running
npm install grunt-contrib-watch
results in:
sass-test username$ npm install grunt-contrib-watch --save-dev
sass-test@1.0.0 /Users/username/Documents/WEB-DEV/sass-test
└─┬ grunt-contrib-watch@1.0.0
  ├── async@1.5.2
  ├─┬ gaze@1.0.0
  │ └─┬ globule@0.2.0
  │   ├─┬ glob@3.2.11
  │   │ ├── inherits@2.0.1
  │   │ └── minimatch@0.3.0
  │   ├── lodash@2.4.2
  │   └─┬ minimatch@0.2.14
  │     ├── lru-cache@2.7.3
  │     └── sigmund@1.0.1
  ├── lodash@3.10.1
  └─┬ tiny-lr@0.2.1
    ├─┬ body-parser@1.14.2
    │ ├── bytes@2.2.0
    │ ├── content-type@1.0.2
    │ ├── depd@1.1.0
    │ ├─┬ http-errors@1.3.1
    │ │ └── statuses@1.3.0
    │ ├── iconv-lite@0.4.13
    │ ├─┬ on-finished@2.3.0
    │ │ └── ee-first@1.1.1
    │ ├── qs@5.2.0
    │ ├─┬ raw-body@2.1.6
    │ │ ├── bytes@2.3.0
    │ │ └── unpipe@1.0.0
    │ └─┬ type-is@1.6.13
    │   ├── media-typer@0.3.0
    │   └─┬ mime-types@2.1.11
    │     └── mime-db@1.23.0
    ├─┬ debug@2.2.0
    │ └── ms@0.7.1
    ├─┬ faye-websocket@0.10.0
    │ └─┬ websocket-driver@0.6.5
    │   └── websocket-extensions@0.1.1
    ├── livereload-js@2.2.2
    ├── parseurl@1.3.1
    └── qs@5.1.0
It installs all of the above packages into the node_modules folder while failing to install the grunt dependency. If these packages are dependencies of some other installed module, is there a way to find out what that is?
I'm thinking I have perhaps edited the default packages config folder, but I am not confident enough with npm to know for sure.
Does anyone have any advice?
The dependencies installed match exactly with what is shown on the NPM page. Grunt isn't listed as a dependency.
Remember that Grunt is a task runner. It could conceivably run any task that you could add to your gruntfile, but those tasks don't need to know about Grunt itself.
Just install Grunt separately and you'll be good to go.
Is it possible to install grunt.js manually in node.js?
Actually my support team downloaded grunt.js for a Windows machine and placed it on my machine.
Due to my company proxy I am not able to install it via npm install -g grunt-cli.
So I want to install it from the downloaded package.
Or can we install grunt.js without node.js?
Even though it's pretty easy to install the module manually (just put it in node_modules/grunt or reference it directly with require('./path/to/grunt/directory')), the real problem is that you also need to download grunt's dependencies and their dependencies recursively.
└─┬ grunt@0.4.5
  ├── async@0.1.22
  ├── coffee-script@1.3.3
  ├── colors@0.6.2
  ├── dateformat@1.0.2-1.2.3
  ├── eventemitter2@0.4.14
  ├── exit@0.1.2
  ├─┬ findup-sync@0.1.3
  │ ├─┬ glob@3.2.11
  │ │ ├── inherits@2.0.1
  │ │ └── minimatch@0.3.0
  │ └── lodash@2.4.2
  ├── getobject@0.1.0
  ├─┬ glob@3.1.21
  │ ├── graceful-fs@1.2.3
  │ └── inherits@1.0.2
  ├─┬ grunt-legacy-log@0.1.3
  │ ├─┬ grunt-legacy-log-utils@0.1.1
  │ │ ├── lodash@2.4.2
  │ │ └── underscore.string@2.3.3
  │ ├── lodash@2.4.2
  │ └── underscore.string@2.3.3
  ├── grunt-legacy-util@0.2.0
  ├── hooker@0.2.3
  ├── iconv-lite@0.2.11
  ├─┬ js-yaml@2.0.5
  │ ├─┬ argparse@0.1.16
  │ │ ├── underscore@1.7.0
  │ │ └── underscore.string@2.4.0
  │ └── esprima@1.0.4
  ├── lodash@0.9.2
  ├─┬ minimatch@0.2.14
  │ ├── lru-cache@2.7.3
  │ └── sigmund@1.0.1
  ├─┬ nopt@1.0.10
  │ └── abbrev@1.0.7
  ├── rimraf@2.2.8
  ├── underscore.string@2.2.1
  └── which@1.0.9
So either you have to install all these packages, or install them on another machine and copy them, or try to use a packer like browserify, webpack, or something else.
When I cd into my project and npm install express --save it not only injects express into my node_modules but also installs a lot of other dependencies that I do not need or want. I have tried to uninstall and reinstall node and npm. I am using homebrew to install node. Can someone help me understand why this is happening?
npm install express --save
└─┬ express@4.13.4
  ├─┬ accepts@1.2.13
  │ ├─┬ mime-types@2.1.9
  │ │ └── mime-db@1.21.0
  │ └── negotiator@0.5.3
  ├── array-flatten@1.1.1
  ├── content-disposition@0.5.1
  ├── content-type@1.0.1
  ├── cookie@0.1.5
  ├── cookie-signature@1.0.6
  ├─┬ debug@2.2.0
  │ └── ms@0.7.1
  ├── depd@1.1.0
  ├── escape-html@1.0.3
  ├── etag@1.7.0
  ├─┬ finalhandler@0.4.1
  │ └── unpipe@1.0.0
  ├── fresh@0.3.0
  ├── merge-descriptors@1.0.1
  ├── methods@1.1.2
  ├─┬ on-finished@2.3.0
  │ └── ee-first@1.1.1
  ├── parseurl@1.3.1
  ├── path-to-regexp@0.1.7
  ├─┬ proxy-addr@1.0.10
  │ ├── forwarded@0.1.0
  │ └── ipaddr.js@1.0.5
  ├── qs@4.0.0
  ├── range-parser@1.0.3
  ├─┬ send@0.13.1
  │ ├── destroy@1.0.4
  │ ├─┬ http-errors@1.3.1
  │ │ └── inherits@2.0.1
  │ ├── mime@1.3.4
  │ └── statuses@1.2.1
  ├── serve-static@1.10.2
  ├─┬ type-is@1.6.11
  │ └── media-typer@0.3.0
  ├── utils-merge@1.0.0
  └── vary@1.0.1
You're likely running npm version 3 or above. This version made it so all dependencies of dependencies are stored in the root node_modules folder.
See here for more info: https://github.com/npm/npm/releases/tag/v3.0.0
Your dependencies will now be installed maximally flat. Insofar as is possible, all of your dependencies, and their dependencies, and THEIR dependencies will be installed in your project's node_modules folder with no nesting. You'll only see modules nested underneath one another when two (or more) modules have conflicting dependencies.
That's normal; the module you're trying to install must have its own dependencies to work properly, so they are installed at the same time in your node_modules.
I don't have too much experience in NodeJs. I wanted to try Cyclejs. The documentation says:
Create a new directory and run this inside that directory:
npm install rx @cycle/core @cycle/dom
When I do this, I get the following warning:
➜ cycle-examples npm install rx @cycle/core @cycle/dom
/Users/mertnuhoglu/projects/js/tmp2/cycle-examples
├── @cycle/core@5.0.1
├─┬ @cycle/dom@7.1.1
│ ├─┬ es6-map@0.1.1
│ │ ├── d@0.1.1
│ │ ├─┬ es5-ext@0.10.8
│ │ │ ├── es6-iterator@2.0.0
│ │ │ └── es6-symbol@3.0.1
│ │ ├─┬ es6-iterator@0.1.3
│ │ │ └── es6-symbol@2.0.1
│ │ ├─┬ es6-set@0.1.2
│ │ │ ├── es6-iterator@2.0.0
│ │ │ └── es6-symbol@3.0.1
│ │ ├── es6-symbol@0.1.1
│ │ └── event-emitter@0.3.4
│ ├── matches-selector@1.0.0
│ ├── vdom-parser@1.2.1
│ ├─┬ vdom-to-html@2.1.1
│ │ ├── escape-html@1.0.3
│ │ ├─┬ param-case@1.1.1
│ │ │ └─┬ sentence-case@1.1.2
│ │ │   └── lower-case@1.1.2
│ │ └── xtend@4.0.0
│ ├─┬ virtual-dom@2.1.1
│ │ ├── browser-split@0.0.1
│ │ ├─┬ error@4.4.0
│ │ │ ├── camelize@1.0.0
│ │ │ └── string-template@0.2.1
│ │ ├─┬ ev-store@7.0.0
│ │ │ └── individual@3.0.0
│ │ ├─┬ global@4.3.0
│ │ │ ├─┬ min-document@2.17.0
│ │ │ │ └── dom-walk@0.1.1
│ │ │ └── process@0.5.2
│ │ ├── is-object@1.0.1
│ │ ├── next-tick@0.2.2
│ │ └── x-is-string@0.1.0
│ └── x-is-array@0.1.0
└── rx@4.0.6
npm WARN ENOENT ENOENT, open '/Users/mertnuhoglu/projects/js/tmp2/cycle-examples/package.json'
npm WARN EPACKAGEJSON cycle-examples No description
npm WARN EPACKAGEJSON cycle-examples No repository field.
npm WARN EPACKAGEJSON cycle-examples No README data
npm WARN EPACKAGEJSON cycle-examples No license field.
After that I cloned cycle-examples and ran npm start following the instructions. I get the following error:
➜ cycle-examples git clone https://github.com/cyclejs/cycle-examples
Cloning into 'cycle-examples'...
remote: Counting objects: 184, done.
remote: Total 184 (delta 0), reused 0 (delta 0), pack-reused 184
Receiving objects: 100% (184/184), 31.08 KiB | 0 bytes/s, done.
Resolving deltas: 100% (72/72), done.
Checking connectivity... done.
➜ cycle-examples npm start
npm ERR! Darwin 14.0.0
npm ERR! argv "node" "/usr/local/bin/npm" "start"
npm ERR! node v0.12.7
npm ERR! npm v3.3.8
npm ERR! path /Users/mertnuhoglu/projects/js/tmp2/cycle-examples/package.json
npm ERR! code ENOENT
npm ERR! errno -2
npm ERR! enoent ENOENT, open '/Users/mertnuhoglu/projects/js/tmp2/cycle-examples/package.json'
npm ERR! enoent This is most likely not a problem with npm itself
npm ERR! enoent and is related to npm not being able to find a file.
npm ERR! enoent
npm ERR! Please include the following file with any support request:
npm ERR! /Users/mertnuhoglu/projects/js/tmp2/cycle-examples/npm-debug.log
The error says I need to have package.json. The git repository does not have it. Should I create it on my own? If so, what should I put inside that file?
npm version is 3.3.8
I have browserify#11.2.0 and babel#5.8.23 libraries installed globally in Node.
The cycle-examples is a collection of examples. You need to enter an actual example directory, e.g., bmi-nested, and from there issue npm start.