Fixing NPM vulnerabilities - node.js

I am following a TypeScript tutorial. Unfortunately, the packages are outdated and I got a warning about vulnerabilities.
I followed a bunch of suggestions from npm check and update package if needed, namely:
npm audit fix
npm audit fix --force
npm update
npm audit says there are still 24 vulnerabilities left. But none of the above commands will fix them.
npm outdated results in no output.
The vulnerable packages are:
ansi-regex
glob-parent
node-forge
nth-check
postcss
I don't actually know why they are part of my project; I don't have them in my package.json configuration.
What are the next steps of fixing these vulnerabilities?
I have tried:
How to fix npm vulnerabilities?
which has no answers.
updating the dependencies in package.json manually to newer versions and then running npm install. It didn't have an effect.
deleting package-lock.json according to a suggestion here and then running npm install again.
adding "ansi-regex": "^6.0.1", "glob-parent": "^6.0.2", "node-forge": "^1.3.0", "nth-check": "^2.0.1", "postcss": "^8.4.12" as devDependencies and running npm install.
running npm i npm@latest as suggested in How to fix NPM vulnerabilities
How to fix npm vulnerabilities? I tried two methods, problems persist which didn't have any new suggestions
I have 5 moderate severity vulnerabilities when I checked the npm audit. How can I fix these errors given below? which also didn't suggest any new commands
running npm update glob-parent --depth 2 just to find out that --depth is deprecated and NPM always updates any depth [Github]
running npm prune
deleting the node_modules folder and running npm install again
You can reproduce my latest state with the following package.json in an empty directory and running npm install.
{
"name": "pacman",
"version": "0.0.1",
"description": "I just follow a tutorial. Nothing of interest.",
"keywords": ["game"],
"license": "MIT",
"author": "someone stupid",
"scripts": {
"build": "parcel build index.html",
"dev": "parcel index.html --open",
"start": "npm run build && npm run dev",
"test": "echo \"Error: no test specified\" && exit 1"
},
"devDependencies": {
"@typescript-eslint/eslint-plugin": "^5.16.0",
"@typescript-eslint/parser": "^5.16.0",
"ansi-regex": "^6.0.1",
"eslint": "^8.12.0",
"eslint-config-prettier": "^8.5.0",
"eslint-plugin-prettier": "^4.0.0",
"glob-parent": "^6.0.2",
"node-forge": "^1.3.0",
"nth-check": "^2.0.1",
"parcel": "^2.4.0",
"parcel-bundler": "^1.12.5",
"postcss": "^8.4.12",
"prettier": "^2.6.1",
"typescript": "^4.6.3"
},
"dependencies": {
"npm": "^8.5.5"
}
}
This should give you 24 vulnerabilities, 18 moderate and 6 high (at the time of writing, running npm 8.5.5).

As per the comments, I have already tried all commands for the general case, in which case you need to start analyzing individual packages.
So, what did I do?
Update all dependencies to the latest version.
Next, perform a binary search by removing half of the dependencies and repeating the following steps
delete the node_modules folder
run npm install
run npm audit to check for the vulnerabilities
If there are no vulnerabilities, add half of the remaining packages you want to install.
If there are vulnerabilities, remove half of the packages you are currently installing.
In my case, this process boiled it down to the following two lines:
"parcel": "^2.4.0",
"parcel-bundler": "^1.12.5",
For parcel-bundler, NPM spit out a warning:
npm WARN deprecated parcel-bundler@1.12.5: Parcel v1 is no longer maintained.
Please migrate to v2, which is published under the 'parcel' package.
So I guess I don't need parcel-bundler at all, because it has been integrated into the parcel package, which I had already updated to version 2 in an earlier step.
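The two things this answer does by hand can be scripted. The following is an added example, not code from the question or the answers above: it reads the report that `npm audit --json` produces (npm 7+, `auditReportVersion` 2) and follows each vulnerable package's `effects` chain up to the direct dependencies that pull it in, which answers the "why are these in my project at all" question without bisecting; and it implements the answer's binary search with the slow "reinstall and audit" step injected as a predicate. `sampleAudit` is constructed by hand to mirror npm's report shape; its dependency chains, versions and advisory titles are illustrative, not measured against the real packages.

```javascript
// Added example, not code from the question or answers above. It automates
// two things the answer does by hand: (1) read `npm audit --json` (npm 7+,
// auditReportVersion 2) and follow each vulnerable package's `effects`
// chain up to the direct dependencies that pull it in, and (2) the binary
// search over direct dependencies, with the slow "reinstall and audit" step
// injected as a predicate. `sampleAudit` is constructed by hand to mirror
// npm's report shape; its dependency chains and versions are illustrative.

const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "nth-check": {
      name: "nth-check", severity: "high", isDirect: false,
      // an object in `via` is an advisory against this package itself
      via: [{ source: 1, name: "nth-check", title: "(constructed advisory)", severity: "high", range: "<2.0.1" }],
      effects: ["css-select"], range: "<2.0.1", nodes: ["node_modules/nth-check"],
      fixAvailable: false,
    },
    "css-select": {
      name: "css-select", severity: "high", isDirect: false,
      // a string in `via` means "vulnerable only through this dependency"
      via: ["nth-check"], effects: ["parcel-bundler"], range: "<=3.1.0",
      nodes: ["node_modules/css-select"], fixAvailable: false,
    },
    "parcel-bundler": {
      name: "parcel-bundler", severity: "high", isDirect: true,
      via: ["css-select"], effects: [], range: "*",
      nodes: ["node_modules/parcel-bundler"], fixAvailable: false,
    },
    "node-forge": {
      name: "node-forge", severity: "high", isDirect: true,
      via: [{ source: 2, name: "node-forge", title: "(constructed advisory)", severity: "high", range: "<1.3.0" }],
      effects: [], range: "<1.3.0", nodes: ["node_modules/node-forge"],
      fixAvailable: true,
    },
  },
};

// `npm audit` exits non-zero whenever it finds something, so execSync throws;
// the JSON report is still on err.stdout.
function runAudit(cwd = process.cwd()) {
  const { execSync } = require("node:child_process");
  const opts = { cwd, encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] };
  try {
    return JSON.parse(execSync("npm audit --json", opts));
  } catch (err) {
    if (!err.stdout) throw err;
    return JSON.parse(err.stdout);
  }
}

function describeFix(fix) {
  if (fix === false) return "none";
  if (fix === true) return "semver-compatible (npm audit fix)";
  return fix.isSemVerMajor
    ? `major bump to ${fix.name}@${fix.version} (npm audit fix --force)`
    : `${fix.name}@${fix.version} (npm audit fix)`;
}

// For every package that has an advisory of its own, walk `effects` upward
// until reaching entries with isDirect: true, i.e. the lines in package.json
// that are really responsible for it being installed.
function traceToDirect(report) {
  const vulns = report.vulnerabilities;
  const out = {};
  for (const [name, v] of Object.entries(vulns)) {
    if (!v.via.some((x) => typeof x === "object")) continue;
    const roots = new Set();
    const seen = new Set();
    const stack = [name];
    while (stack.length) {
      const cur = stack.pop();
      if (seen.has(cur)) continue;
      seen.add(cur);
      const node = vulns[cur];
      if (!node) continue;           // dependent not listed in the report
      if (node.isDirect) roots.add(cur);
      stack.push(...node.effects);
    }
    out[name] = { severity: v.severity, directDeps: [...roots].sort(), fix: describeFix(v.fixAvailable) };
  }
  return out;
}

// The answer's binary search. `isBad(subset)` must answer "with only these
// direct deps in package.json, does reinstall + npm audit still report
// findings?" and is assumed monotone; returns one offending dependency.
function bisect(deps, isBad) {
  let candidates = deps.slice();
  while (candidates.length > 1) {
    const half = Math.ceil(candidates.length / 2);
    const left = candidates.slice(0, half);
    candidates = isBad(left) ? left : candidates.slice(half);
  }
  return candidates[0];
}

if (typeof require !== "undefined" && require.main === module) {
  const report = process.argv.includes("--live") ? runAudit() : sampleAudit;
  for (const [pkg, info] of Object.entries(traceToDirect(report))) {
    console.log(`${pkg} [${info.severity}] pulled in by: ${info.directDeps.join(", ")}; fix: ${info.fix}`);
  }
}
```

Run it with `node trace-audit.js --live` inside the project to use the real report instead of the constructed one. The `fix` field is the part `npm audit fix` does not explain: `isSemVerMajor: true` means the only fix is a major bump, which plain `npm audit fix` refuses and `--force` applies blindly, and `fixAvailable: false` (as for a deprecated direct dependency such as parcel-bundler) means the only remedy is removing or replacing the direct dependency, which is exactly what the answer concluded.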

Try updating npm itself with this command. It helped me:
npm install -g npm@latest

Related

Can't install node-sass@6 for node v16

This is my package.json after uninstalling sass, node-sass and sass-loader, because I changed my node version from 14 to 16:
{
"name": "our-awesome-project",
"version": "1.0.0",
"private": true,
"scripts": {
"dev": "nuxt",
"build": "nuxt build",
"start": "nuxt start",
"generate": "nuxt generate",
"static": "NUXTJS_DEPLOY_TARGET=static NUXTJS_SSR=true nuxt generate",
"build-and-start": "NUXTJS_DEPLOY_TARGET=server NUXTJS_SSR=false nuxt build && NUXTJS_DEPLOY_TARGET=server NUXTJS_SSR=false nuxt start"
},
"husky": {
"hooks": {
"pre-commit": "cross-env PRE_COMMIT=true lint-staged -r"
}
},
"dependencies": {
"core-js": "^3.19.3",
"nuxt": "^2.15.8",
"nuxt-i18n": "^6.28.1",
"nuxt-purgecss": "^1.0.0",
"vue": "^2.6.14",
"vue-server-renderer": "^2.6.14",
"vue-template-compiler": "^2.6.14",
"webpack": "^4.46"
},
"devDependencies": {
"@nuxtjs/eslint-config": "^8.0.0",
"@nuxtjs/google-fonts": "^1.3.0",
"@nuxtjs/storybook": "^4.2.0",
"@nuxtjs/style-resources": "^1.2.1",
"@vue/cli-plugin-babel": "^4.5.15",
"babel-eslint": "^10.1.0",
"eslint": "^8.7.0",
"husky": "^7.0.4",
"nuxt-svg-loader": "^1.2.0",
"postcss": "^8.4.5"
}
}
According to this I should install node-sass version 6.0
But I'm trying:
npm install --save-dev sass@1.49.0 node-sass@6.0.1 sass-loader@10.2.1
Also, I read here to add --unsafe-perm, so I tried:
npm install --save-dev --unsafe-perm sass@1.49.0 node-sass@6.0.1 sass-loader@10.2.1
But it keeps failing, the first error always being this one:
npm ERR! code 1
npm ERR! path /Users/toniweb/Proyectos/our-awesome-project/node_modules/node-sass
npm ERR! command failed
npm ERR! command sh -c node scripts/build.js
npm ERR! Building: /Users/user/.nvm/versions/node/v16.13.1/bin/node /Users/toniweb/Proyectos/our-awesome-project/node_modules/node-gyp/bin/node-gyp.js rebuild --verbose --libsass_ext= --libsass_cflags= --libsass_ldflags= --libsass_library=
I tried removing node_modules package-lock.json and the same result
Of course, this is driving me nuts... please tell me that someone has an idea to try out.
I think you are using ARM64, which is not supported by node-sass.
You should replace node-sass with sass (Dart Sass), as LibSass is deprecated.
Just replace node-sass in your package.json file with sass. Both packages expose the same JavaScript API.
npm uninstall node-sass
npm install --save-dev sass
We have a Nuxt 2.15.8 app running on Node 16, in which a couple of months ago we switched from node-sass to sass, as the former is deprecated.
I recall at the time it took some figuring out, but in the end we just needed to install some postcss parsers to get the Nuxt app fully working with sass & sass-loader.
Taking as the baseline the package.json in your post, try:
npm install --save-dev \
sass@1.49.4 \
sass-loader@10.2.1 \
postcss-html@1.3.0 \
postcss-scss@4.0.3
The error message hints at node-gyp as the culprit. On macOS, node-gyp requires the Xcode Command Line Tools to be installed (see here). So basically, in case you haven't done that yet, run
xcode-select --install
Or try any of the other methods described here. Then retry to install node-sass.
In fact, I think you have pasted the wrong error information.
There are two ways that may help you:
npm i --force: this command will ignore the error in the package.json
Use pnpm; you can install it with:
npm i -g pnpm
# then
pnpm i

ENOENT: no such file or directory when running npm install command

When I run npm install, I get the following error:
npm WARN tar ENOENT: no such file or directory, open 'D:\Live Project\insyte-mobile\insyte-mobile\node_modules.staging\core-js-c9f4d03d\library\fn\symbol\unscopables.js'
Here is a screenshot of the error:
Here is my package.json
{
"name": "tonight-mobile",
"version": "0.1.0",
"private": true,
"devDependencies": {
"jest-expo": "~27.0.0",
"react-test-renderer": "16.3.1"
},
"main": "node_modules/expo/AppEntry.js",
"scripts": {
"start": "expo start",
"eject": "expo eject",
"initial-android": "npm install && npm run android",
"initial-ios": "npm install && npm run ios",
"android": "expo start --android",
"ios": "expo start --ios",
"test": "jest",
"postinstall": "rm ./node_modules/react-native/local-cli/core/__fixtures__/files/package.json"
},
"jest": {
"preset": "jest-expo"
},
"dependencies": {
"axios": "^0.18.0",
"expo": "^32.0.0",
"expo-image-picker": "^5.0.2",
"firebase": "^5.7.1",
"firebase-admin": "^8.5.0",
"firebase-functions": "^3.2.0",
"react": "16.5.0",
"react-native": "https://github.com/expo/react-native/archive/sdk-32.0.0.tar.gz",
"react-native-firebase": "^5.1.1",
"react-native-image-crop-picker": "^0.21.3",
"react-native-image-picker-form": "^0.2.5",
"react-native-maps": "^0.21.0",
"react-native-responsive-image": "^2.3.1",
"react-native-swiper": "^1.5.14",
"react-native-vector-icons": "^5.0.0",
"react-navigation": "^2.13.0",
"react-navigation-tabs": "^1.0.2",
"react-redux": "^5.0.7",
"redux": "^4.0.0",
"redux-persist": "^5.10.0",
"redux-persist-filesystem-storage": "^1.3.2",
"redux-thunk": "^2.3.0",
"tcomb-form-native": "^0.6.20"
}
}
above is the package.json file.
I have also used another copy of this project's code, but this time I'm getting the following error:
First delete the package-lock.json and then try npm install
Delete node_modules folder and package-lock.json, then run npm install
All you need to do is:
Open a terminal in your PC's root and run this command:
killall node
Before restarting the new Metro bundler, please reinstall the dependencies with yarn or npm:
npm i OR yarn
Also the article: ENOENT: no such file
Follow these steps:
Delete the node_modules folder and the package-lock.json file
Run this command:
npm cache clean --force
Then run this command:
npm install (if the issue is not yet fixed, try the following 4th step.)
Run npm install -g npm, then npm install
Finally run this command: npm start
Please check your current working directory. If you have created the project using
npx react-native init demo
then navigate into the project from the terminal using
cd demo
npm install
will install all npm modules, and you can also check the installed packages in the directory: demo/node_modules
Also, if the project is Expo based, then
run expo eject to eject from Expo
Check the node version; if the application was built using an older node version, then you can downgrade your local environment's node version using NVM (node version manager).
My simple solution for this error:
"npm WARN tar ENOENT: no such file or directory"
Not only for ENOENT, but if all files in node modules show this kind of error.
Go to your command prompt
Check the npm version (npm -v)
If it gives a version, then type the command npm init and press Enter for whatever it asks
After completing all the steps, try again to create an Angular project. It will be created without any errors in node modules.
npm ERR! code ENOENT
npm ERR! syscall open
npm ERR! path E:\Projects\package.json
npm ERR! errno -4058
npm ERR! enoent ENOENT: no such file or directory, open 'E:\Projects\package.json'
npm ERR! enoent This is related to npm not being able to find a file.
Solution: check the root directory; you might be outside the root directory, or the wrong folder path has been opened.
I suspect you do not have git installed on your computer. This is particularly true if you are getting this error at the bottom of your log:
npm ERR! syscall spawn git
If so, then you need to install git from here: https://git-scm.com/downloads.
I had the same problem as you, and once I installed git, the problem went away.
Do you have a package.json file in the folder?
To run npm install you need to have a package.json file.

Include package json dependencies for npm install global

I only know how to npm install a particular package locally into the dependencies object in package.json. I've been doing npm install -g on many packages manually, but how do I include them in package.json?
eg. my current package:
{
"name": "mypackage",
"version": "0.0.1",
"private": true,
"scripts": {
"start": "node node_modules/react-native/local-cli/cli.js start",
"test": "jest"
},
"dependencies": {
"axios": "^0.19.0",
"lodash": "^4.17.15",
"react": "16.8.3"
}
}
To include my globally installed modules in mypackage:
├── expo-cli@3.0.8
├── npm@6.9.0
├── npm-check-updates@3.1.20
├── react-devtools@4.1.0
├── react-native-cli@2.0.1
└── typescript@3.6.3
Go to your project root directory and execute:
npm install your-package-name
Or you can put the package name manually in your package.json file and run:
npm install
But your package is already globally installed on your machine.
When you install an npm package globally, using npm install -g my-package, the package is globally available on your machine. You can use it anywhere on your machine.
But when you install a package without the global flag -g, it is only available inside the project scope.
So when a package is available globally, you do not need to install it in your project scope. It's redundant.
Just type:
$ npm install name-of-the-dependency
This is going to install the dependency into the package.json.
The package will be added to your package.json when you install it from the project directory without -g:
npm install --save package
You can also save developer dependencies with:
npm install --save-dev package
Use this option when you want to download a package for developers, such as grunt or gulp;
when you are distributing your code to production, these dependencies will not be available.
If you want to include packages like angular-cli, you can install it as a normal package and access it by referring to the path inside node_modules, like node_modules/.bin/ng build --prod
Appreciate the guidance, guys; I just updated my question. So adding my global modules to mypackage is going to look like the below?
{
"name": "mypackage",
"version": "0.0.1",
"private": true,
"scripts": {
"start": "node node_modules/react-native/local-cli/cli.js start",
"test": "jest"
},
"dependencies": {
"axios": "^0.19.0",
"lodash": "^4.17.15",
"react": "16.8.3",
"expo-cli": "3.0.8",
"npm": "6.9.0",
"npm-check-updates": "3.1.20",
"react-devtools": "4.1.0",
"react-native-cli": "2.0.1",
"typescript": "3.6.3"
}
}

Angular 2 Quick start tutorial issue

Hello everybody, so I've run into some issues as I am learning Angular. I initially watched thenewboston's Angular 2 tutorial. When I finished that, I then proceeded to follow Angular's quick start tutorial. The two are very similar, but in Bucky's it's set up to make js files out of ts files. I updated the package.json according to the errors, but when I run npm install it gives me errors that a certain package is needed. More importantly, I feel as if this is somehow affecting the behavior, because I can't nest the component as in Angular's hero list tutorial. package.json:
{
"name": "angular-2",
"version": "1.0.0",
"scripts": {
"start": "concurrently \"npm run tsc:w\" \"npm run lite\" ",
"tsc": "tsc",
"tsc:w": "tsc -w",
"lite": "lite-server",
"typings": "typings",
"postinstall": "typings install"
},
"license": "ISC",
"dependencies": {
"angular2": "2.0.0-beta.21",
"systemjs": "0.19.41",
"es6-shim": "^0.35.0",
"reflect-metadata": "0.1.9",
"rxjs": "5.0.0-rc.4",
"rxjs": "5.0.1",
"rxjs": "5.0.0-beta.6",
"zone.js": "0.6.12"
},
"devDependencies": {
"concurrently": "^3.1.0",
"lite-server": "^2.1.0",
"rxjs": "5.0.0-rc.4",
"typescript": "^2.1.4",
"typings": "^2.1.0"
}
}
npm WARN @angular/core@2.3.1 requires a peer of rxjs@5.0.0-rc.4 but none was installed.
npm WARN @angular/core@2.3.1 requires a peer of zone.js@^0.7.2 but none was installed.
npm WARN @angular/http@2.3.1 requires a peer of rxjs@5.0.0-rc.4 but none was installed.
npm WARN @angular/router@3.3.1 requires a peer of rxjs@5.0.0-rc.4 but none was installed.
npm WARN angular-in-memory-web-api@0.2.2 requires a peer of rxjs@5.0.1 but none was installed.
npm WARN angular-in-memory-web-api@0.2.2 requires a peer of zone.js@^0.7.4 but none was installed.
npm WARN angular2@2.0.0-beta.21 requires a peer of reflect-metadata@0.1.2 but none was installed.
npm WARN angular-2@1.0.0 No repository field.
Remove the extra rxjs entries in the dependencies. npm works by reading the dependencies list and semantic version numbers to determine what actual version of a particular dependency to install. I believe removing the duplicate rxjs entries will alleviate the immediate issue of the npm warnings. Regarding the nested components, it should probably be its own question, but either way one would need to see the actual source.
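The reason the duplicates cause no error, rather than a loud one, is that `JSON.parse` (and therefore npm) silently keeps only the last value of a repeated key. The following is an added example, not code from the question or the answer above: a small scanner over the raw package.json text that reports keys repeated within the same object, which a parsed object can no longer tell you. `sampleText` is a trimmed copy of the question's package.json; `effectiveVersion` shows what npm actually ends up with.

```javascript
// Added example, not code from the question or answer above. JSON.parse (and
// therefore npm) silently keeps only the last value of a repeated key, so a
// package.json with "rxjs" listed three times installs one version with no
// error at all. This scans the raw text for keys repeated within the same
// object, something a parsed object can no longer tell you. `sampleText` is
// a trimmed copy of the question's package.json.

const sampleText = `{
  "name": "angular-2",
  "dependencies": {
    "rxjs": "5.0.0-rc.4",
    "rxjs": "5.0.1",
    "rxjs": "5.0.0-beta.6",
    "zone.js": "0.6.12"
  },
  "devDependencies": {
    "rxjs": "5.0.0-rc.4"
  }
}`;

function findDuplicateKeys(text) {
  const dups = [];
  const scopes = [];       // one frame per open object: { keys, path }
  let pendingKey = null;   // key whose value is about to begin
  let i = 0;

  // read a JSON string starting at the opening quote; leave i past the close
  const readString = () => {
    let s = "";
    i++;
    while (i < text.length && text[i] !== '"') {
      if (text[i] === "\\") { s += text[i + 1]; i += 2; } else { s += text[i++]; }
    }
    i++;
    return s;
  };

  while (i < text.length) {
    const c = text[i];
    if (c === '"') {
      const s = readString();
      let j = i;
      while (j < text.length && /\s/.test(text[j])) j++;
      if (text[j] === ":" && scopes.length) {   // a string before ':' is a key
        const top = scopes[scopes.length - 1];
        if (top.keys.has(s)) dups.push([...top.path, s].join("."));
        top.keys.add(s);
        pendingKey = s;
      }
    } else if (c === "{") {
      const parent = scopes.length ? scopes[scopes.length - 1].path : [];
      scopes.push({ keys: new Set(), path: pendingKey === null ? parent : [...parent, pendingKey] });
      pendingKey = null;
      i++;
    } else if (c === "}") {
      scopes.pop();
      i++;
    } else {
      i++;
    }
  }
  return dups;
}

// What npm actually sees after parsing: only the last duplicate survives.
function effectiveVersion(text, section, dep) {
  return JSON.parse(text)[section][dep];
}

if (typeof require !== "undefined" && require.main === module) {
  const text = process.argv[2] ? require("node:fs").readFileSync(process.argv[2], "utf8") : sampleText;
  const dups = findDuplicateKeys(text);
  console.log(dups.length ? `duplicate keys: ${dups.join(", ")}` : "no duplicate keys");
}
```

Run it as `node dupkeys.js package.json`. Note that the same key in different objects (rxjs under both dependencies and devDependencies, as in the question) is not a duplicate; it is the three entries inside dependencies that collapse to the last one, 5.0.0-beta.6, which is why the peer warnings mention versions that are nowhere to be found in node_modules.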

How to solve npm "UNMET PEER DEPENDENCY"

I am having issues with my package.json file.
It should work fine, as I use most of the node modules in other projects, but I have this package.json below:
"dependencies": {
"@angular/common": "^2.0.0-rc.1",
"@angular/compiler": "^2.0.0-rc.1",
"@angular/core": "^2.0.0-rc.1",
"@angular/platform-browser": "^2.0.0-rc.1",
"@angular/platform-browser-dynamic": "^2.0.0-rc.1",
"@angular/router": "^2.0.0-rc.1",
"angular2-in-memory-web-api": "0.0.7",
"bootstrap": "^3.3.6",
"es6-shim": "^0.35.0",
"reflect-metadata": "^0.1.3",
"rxjs": "^5.0.0-beta.6",
"systemjs": "^0.19.27",
"zone.js": "^0.6.12"
},
"devDependencies": {
"body-parser": "^1.15.1",
"express": "^4.13.4",
"jsonwebtoken": "^6.2.0",
"mongoose": "^4.4.15"
}
and they should all run fine as all dependencies exist as angular is now in rc.4 and rxjs is on 5.0.0-beta.10.
But I get 3 unmet dependencies on
npm install
'rxjs@5.0.0-beta.10'
'rxjs@5.0.0-beta.6'
'@angular/core@2.0.0-rc.1'
I get these warnings too:
npm WARN @angular/core@2.0.0-rc.4 requires a peer of rxjs@5.0.0-beta.6 but none was installed.
npm WARN @angular/http@2.0.0-rc.1 requires a peer of rxjs@5.0.0-beta.6 but none was installed.
npm WARN @angular/http@2.0.0-rc.1 requires a peer of @angular/core@2.0.0-rc.1 but none was installed.
I have also done:
npm cache clean
npm update registry > with the registry link
npm update -g
node is on latest version and still same issue... so just wondering if there is something wrong?
I think it's because the dependency resolution is a bit broken, see https://github.com/isaacs/npm/issues/1341#issuecomment-20634338
You may need to manually install top-level modules that have unmet dependencies:
npm install findup-sync@0.1.2
Or structure your package.json such that any top-level modules that are also dependencies of other modules are listed lower down.
Your problem could also be that npm failed to download the package, timed-out or whatnot. Sometimes re-running npm install remedies it.
You can also install the failed packages manually using npm install.
Other steps that may help before attempting npm install again are:
Removing node_modules using:
rm -rf node_modules/
then
npm cache clean
To explain why removing node_modules sometimes is necessary:
Apparently if a nested module fails to install during npm install, subsequent npm install won't detect those missing nested dependencies. If that's the case, sometimes it's sufficient to remove the top-level dependency of those missing nested modules, and running npm install again.
See https://github.com/npm/npm/issues/1336