I am trying to install firebase for my electron app
using command - npm install firebase
'npm audit' shows this output. Can you help?
node-fetch <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via npm audit fix --force
Will install firebase@8.6.8, which is a breaking change
node_modules/@firebase/auth-compat/node_modules/node-fetch
node_modules/@firebase/auth/node_modules/node-fetch
node_modules/@firebase/firestore/node_modules/node-fetch
node_modules/@firebase/functions/node_modules/node-fetch
node_modules/@firebase/storage/node_modules/node-fetch
@firebase/auth <=0.0.900-exp.f919db6a9 || 0.17.0-20217250818 - 0.19.6
Depends on vulnerable versions of node-fetch
node_modules/@firebase/auth
firebase 0.800.3 - 0.900.25 || 7.9.1-0 - 7.9.1-canary.0396117e || 7.17.1-20206244562 - 7.17.1-canary.f1299756 || 7.17.2-20206291717 - 9.6.4
Depends on vulnerable versions of @firebase/auth
Depends on vulnerable versions of @firebase/auth-compat
Depends on vulnerable versions of @firebase/firestore
Depends on vulnerable versions of @firebase/functions
Depends on vulnerable versions of @firebase/storage
Depends on vulnerable versions of @firebase/storage-compat
Related
After running npm install --save-dev @nomicfoundation/hardhat-toolbox and then npm audit, the following report appears:
# npm audit report
flat <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
No fix available
node_modules/eth-gas-reporter/node_modules/flat
yargs-unparser <=1.6.3
Depends on vulnerable versions of flat
node_modules/eth-gas-reporter/node_modules/yargs-unparser
mocha 5.1.0 - 9.2.1
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of yargs-unparser
node_modules/eth-gas-reporter/node_modules/mocha
eth-gas-reporter >=0.2.1
Depends on vulnerable versions of mocha
node_modules/eth-gas-reporter
hardhat-gas-reporter *
Depends on vulnerable versions of eth-gas-reporter
node_modules/hardhat-gas-reporter
@nomicfoundation/hardhat-toolbox *
Depends on vulnerable versions of hardhat-gas-reporter
Depends on vulnerable versions of solidity-coverage
node_modules/@nomicfoundation/hardhat-toolbox
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
web3-bzz <=1.7.4
Depends on vulnerable versions of got
node_modules/web3-bzz
web3 1.0.0-beta.1 - 1.7.4 || 2.0.0-alpha - 3.0.0-rc.0
Depends on vulnerable versions of web3-bzz
node_modules/web3
@truffle/provider <=0.3.0
Depends on vulnerable versions of web3
node_modules/@truffle/provider
solidity-coverage 0.7.0-beta.0 - 0.8.0-rc.test.0
Depends on vulnerable versions of @truffle/provider
node_modules/solidity-coverage
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
No fix available
node_modules/eth-gas-reporter/node_modules/minimatch
12 vulnerabilities (5 moderate, 4 high, 3 critical)
Some issues need review, and may require choosing
a different dependency.
my nodejs version is node-v18.14.1-x64
I'm trying to set up the hardhat development environment by following the tutorial on their website: https://hardhat.org/tutorial
I tried running npm audit fix --force but it did not work
Turns out audit is just broken and it was a non-error for all practical purposes.
https://overreacted.io/npm-audit-broken-by-design/
I have read a lot of questions/articles related to npm audit where people have provided the response of npm audit in a tabular format. But when I run npm audit I get the response as plain text.
I tried to install the library npm-audit-html and get the output in HTML as provided in an answer, but that runs into this issue: zsh: command not found: npm-audit-html
Can someone please explain and help in resolving the beautification of the npm audit response? Currently, my npm audit response shows up something like this:
postcss-overflow-shorthand <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-overflow-shorthand
postcss-page-break <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-page-break
postcss-place <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-place
postcss-pseudo-class-any-link <=6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-pseudo-class-any-link
postcss-reduce-initial <=4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-initial
postcss-reduce-transforms <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-transforms
postcss-replace-overflow-wrap <=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-replace-overflow-wrap
postcss-selector-matches *
Depends on vulnerable versions of postcss
node_modules/postcss-selector-matches
postcss-selector-not <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-selector-not
postcss-svgo <=5.0.0-rc.2
Depends on vulnerable versions of postcss
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
postcss-unique-selectors <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-unique-selectors
postcss-url 3.3.0 - 10.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-url
stylehacks <=4.0.3
Depends on vulnerable versions of postcss
node_modules/stylehacks
90 vulnerabilities (84 moderate, 6 high)
In Windows, I've used npm audit with ">" to write its content to a JSON file; refer to the command below:
npm audit --json > FOLDER_PATH\FILE_NAME.json
The npm audit format you posted is a breaking change of npm 7.
Output and data structure is significantly refactored to call attention to issues, identify classes of fixes not previously available, and remove extraneous data not used for any purpose.
BREAKING CHANGE: Any tools consuming the output of npm audit will almost certainly need to be updated, as this has changed significantly, both in the readable and --json output styles.
Source: npm release notes
As the output format is not officially explained, there is a post that tries to work it out. You can check that post for more details.
When I run npm audit it tells me the following about vulnerabilities:
react-dev-utils 0.4.0 - 12.0.0-next.60
Severity: critical
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of strip-ansi
fix available via `npm audit fix --force`
Will install @sambego/storybook-state@1.3.6, which is a breaking change
node_modules/@sambego/storybook-state/node_modules/react-dev-utils
node_modules/react-dev-utils
It says npm fix will install
--> @sambego/storybook-state@1.3.6,
but in my package.json it says
--> "@sambego/storybook-state": "^2.0.1",
So my package is much newer than the recommended package.
I will accept any answer that tells me if and why I can ignore this critical npm vulnerability.
This is happening for me as well. If you see the below image, the fix suggests installing an outdated version of testcafe.
The same thing happens with codelyzer as well. It is complaining about the angular version and suggests installing codelyzer@0.0.28 instead of version 6.x.x, which is used in the project.
When I try to run my expo project I get this message:
D:\React\myproject>npm start
> start
> expo start
Starting project at D:\React\myproject
Unable to find expo in this project - have you run yarn / npm install yet?
If I run npm install i get this:
D:\React\myproject>npm install
npm notice Beginning October 4, 2021, all connections to the npm registry - including for package installation - must use TLS 1.2 or higher. You are currently using plaintext http to connect. Please visit the GitHub blog for more information: https://github.blog/2021-08-23-npm-registry-deprecating-tls-1-0-tls-1-1/
up to date, audited 940 packages in 4s
18 packages are looking for funding
run `npm fund` for details
12 vulnerabilities (6 low, 6 moderate)
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
And this is what I get when I run npm audit:
D:\React\myproject>npm audit
npm notice Beginning October 4, 2021, all connections to the npm registry - including for package installation - must use TLS 1.2 or higher. You are currently using plaintext http to connect. Please visit the GitHub blog for more information: https://github.blog/2021-08-23-npm-registry-deprecating-tls-1-0-tls-1-1/
# npm audit report
node-fetch =0.22.0-rc
Depends on vulnerable versions of @react-native-community/cli
Depends on vulnerable versions of @react-native-community/cli-platform-ios
Depends on vulnerable versions of fbjs
node_modules/react-native
node_modules/react-native/node_modules/react-native
metro-config =0.3.2
Depends on vulnerable versions of xmldom
node_modules/plist
@react-native-community/cli-platform-ios *
Depends on vulnerable versions of plist
Depends on vulnerable versions of xcode
node_modules/@react-native-community/cli-platform-ios
react-native =0.22.0-rc
Depends on vulnerable versions of @react-native-community/cli
Depends on vulnerable versions of @react-native-community/cli-platform-ios
Depends on vulnerable versions of fbjs
node_modules/react-native
node_modules/react-native/node_modules/react-native
@react-native-community/cli *
Depends on vulnerable versions of metro
Depends on vulnerable versions of react-native
node_modules/react-native/node_modules/@react-native-community/cli
simple-plist *
Depends on vulnerable versions of plist
node_modules/simple-plist
xcode >=0.8.3
Depends on vulnerable versions of simple-plist
node_modules/xcode
12 vulnerabilities (6 low, 6 moderate)
Some issues need review, and may require choosing
a different dependency.
This happens since I tried to update expo sdk, but I don't know what I did wrong. Can someone help me with this?
Run npm config set registry https://registry.npmjs.org/
Some computers are still running with http://registry.npmjs.org/ which is not going to be allowed anymore for security reasons.
You may try adding a .npmrc file and update the repo allocation under the user\xxx directory.
registry=https://registry.npmjs.org/
I am developing a web application with Angular but I have a problem installing json server. Please help me correct this problem.
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via npm audit fix --force
Will install react-scripts#1.1.5, which is a breaking change
node_modules/react-scripts/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/react-scripts/node_modules/webpack-dev-server/node_modules/chokidar
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/react-scripts/node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/react-scripts/node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/react-scripts/node_modules/webpack-dev-server
node_modules/webpack-dev-server
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack *
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
@pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts/node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
12 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
It's just a warning to let you know that there are some known vulnerabilities in the packages you are using in your project.
Vulnerabilities can be misbehaviour, bugs, crashes, security vulnerabilities, etc.
npm keeps track of known vulnerabilities for all npm packages.
So basically you have to wait for updates to your package to fix the vulnerability; you can also try to use a different version of the package, or use a different package.
Duplicate of: how to solve this npm glob-parent problem
Answer: https://stackoverflow.com/a/68342168/158649
As it is a dev dependency, not a big deal.
npm update glob-parent@5.1.2 --depth 4
has no effect on the npm audit message.
npm audit warnings can be a little bit boy-crying-wolf sometimes.
npm install glob-parent@5.1.2 --save-dev
does remove the warning, but it is not really much to worry about.