Cannot install expo-cli in windows - node version 14.17.6 - node.js

I wanted to start learning React Native using Expo, but I cannot install it using npm.
When I run the command npm install -g expo-cli, it gives me the following error:
added 825 packages, and audited 826 packages in 53s
28 packages are looking for funding
run `npm fund` for details
10 vulnerabilities (4 low, 6 moderate)
To address all issues, run:
npm audit fix
Run `npm audit` for details.
It told me to run npm audit fix and I tried the command right away.
However, the error still seems to remain
# npm audit report
node-fetch <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
Denial of Service - https://npmjs.com/advisories/1556
fix available via `npm audit fix --force`
Will install expo@1.0.0, which is a breaking change
node_modules/node-fetch
isomorphic-fetch 2.0.0 - 2.2.1
Depends on vulnerable versions of node-fetch
node_modules/isomorphic-fetch
fbjs 0.7.0 - 1.0.0
Depends on vulnerable versions of isomorphic-fetch
node_modules/fbjs
fbemitter 2.0.3 - 3.0.0-alpha.1
Depends on vulnerable versions of fbjs
node_modules/fbemitter
expo >=14.0.0
Depends on vulnerable versions of expo-constants
Depends on vulnerable versions of fbemitter
node_modules/expo
xmldom *
Severity: moderate
Misinterpretation of malicious XML input - https://npmjs.com/advisories/1769
fix available via `npm audit fix --force`
Will install expo@1.0.0, which is a breaking change
node_modules/xmldom
@expo/plist <=0.0.13
Depends on vulnerable versions of xmldom
node_modules/expo-constants/node_modules/@expo/plist
@expo/config-plugins <=3.0.8
Depends on vulnerable versions of @expo/plist
node_modules/expo-constants/node_modules/@expo/config-plugins
@expo/config 3.3.23-alpha.0 - 5.0.8
Depends on vulnerable versions of @expo/config-plugins
node_modules/expo-constants/node_modules/@expo/config
expo-constants >=10.1.2
Depends on vulnerable versions of @expo/config
node_modules/expo-constants
expo >=14.0.0
Depends on vulnerable versions of expo-constants
Depends on vulnerable versions of fbemitter
node_modules/expo
10 vulnerabilities (4 low, 6 moderate)
To address all issues (including breaking changes), run:
npm audit fix --force
I tried running npm audit fix --force and it gave me the following outcome.
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating expo to 1.0.0,which is a SemVer major change.
removed 824 packages, changed 1 package, and audited 2 packages in 19s
found 0 vulnerabilities
I thought it worked and I tried running the command expo and expo-cli and bash told me that the command could not be found.
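An added example (not part of the original question, and not npm's or Expo's own code): before running `npm audit fix --force`, the report can be collapsed from per-package entries to the advisories behind them and the semver-major changes `--force` would apply. The sample report is constructed to mirror the ten entries quoted above, assuming the `npm audit --json` shape of npm 7 or later; `adv`, `entry`, `fixKind` and `triage` are hypothetical helper names.

```javascript
// Constructed sample in the shape of `npm audit --json` (npm 7+), mirroring the ten
// entries of the expo report quoted above. Not real command output.
const forcedFix = { name: "expo", version: "1.0.0", isSemVerMajor: true };
const adv = (title, id) => ({ title, url: `https://npmjs.com/advisories/${id}` });
const entry = (severity, via, effects) => ({ severity, via, effects, fixAvailable: forcedFix });
const sampleReport = { vulnerabilities: {
  "node-fetch": entry("low", [adv("Denial of Service", 1556)], ["isomorphic-fetch"]),
  "isomorphic-fetch": entry("low", ["node-fetch"], ["fbjs"]),
  "fbjs": entry("low", ["isomorphic-fetch"], ["fbemitter"]),
  "fbemitter": entry("low", ["fbjs"], ["expo"]),
  "xmldom": entry("moderate", [adv("Misinterpretation of malicious XML input", 1769)], ["@expo/plist"]),
  "@expo/plist": entry("moderate", ["xmldom"], ["@expo/config-plugins"]),
  "@expo/config-plugins": entry("moderate", ["@expo/plist"], ["@expo/config"]),
  "@expo/config": entry("moderate", ["@expo/config-plugins"], ["expo-constants"]),
  "expo-constants": entry("moderate", ["@expo/config"], ["expo"]),
  "expo": entry("moderate", ["expo-constants", "fbemitter"], []),
} };

// What `npm audit fix` would have to do for one entry (helper name is this example's own).
function fixKind(fix) {
  if (!fix) return "none";                 // no fixed version exists
  if (fix === true) return "in-range";     // plain `npm audit fix` is enough
  return `${fix.isSemVerMajor ? "breaking" : "in-range"}: ${fix.name}@${fix.version}`;
}

// Collapse per-package entries into the advisories that cause them.
function triage(report) {
  const vulns = report.vulnerabilities;
  const advisories = [];
  for (const [pkg, v] of Object.entries(vulns)) {
    const own = v.via.filter((x) => typeof x === "object"); // advisories, not package names
    if (own.length === 0) continue; // flagged only because of a dependency
    const affected = new Set(), queue = [...v.effects]; // packages flagged because of this one
    while (queue.length) {
      const name = queue.shift();
      if (affected.has(name) || !vulns[name]) continue;
      affected.add(name);
      queue.push(...vulns[name].effects);
    }
    const fix = fixKind(v.fixAvailable);
    for (const a of own) advisories.push({ pkg, ...a, severity: v.severity, affected: [...affected], fix });
  }
  const kinds = Object.values(vulns).map((v) => fixKind(v.fixAvailable));
  const breaking = [...new Set(kinds.filter((k) => k.startsWith("breaking")))];
  return { entries: Object.keys(vulns).length, advisories, breaking };
}

const result = triage(sampleReport);
console.log(`${result.entries} entries, ${result.advisories.length} advisories, forced changes:`, result.breaking);
```

On a real project, pass `triage` the parsed output of `npm audit --json` instead of the sample.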

Related

Trying to run npm install but I am getting errors which I am unsure on how to fix?

I have inherited a project from a previous developer and having a bit of trouble getting it set up and running. I copied the files and then did npm install and now I am being presented with the following:
# npm audit report
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install babel-core@4.7.16, which is a breaking change
node_modules/babel-core/node_modules/json5
babel-core 5.8.20 - 7.0.0-beta.3
Depends on vulnerable versions of babel-register
Depends on vulnerable versions of json5
node_modules/babel-core
babel-register *
Depends on vulnerable versions of babel-core
node_modules/babel-register
3 high severity vulnerabilities
Any idea how I can get around these issues?
You are getting these warnings because the packages that you are using have bugs. To dismiss this, you have to upgrade your packages to their latest versions.
Your packages are outdated; that's why you are getting this type of error. To update all packages,
try this command:
npx npm-check-updates -u

Why do I keep getting an error when trying to install gulp?

For some reason I am unable to install gulp; it always brings up this error:
/wp-content/themes/the-advocates-theme$ npm i gulp-install
added 4 packages, and audited 755 packages in 2s
39 packages are looking for funding
run `npm fund` for details
12 vulnerabilities (3 moderate, 6 high, 3 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
and this is what I get when I run npm audit:
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
node_modules/glob-watcher/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/glob-watcher/node_modules/chokidar
glob-watcher >=3.0.0
Depends on vulnerable versions of chokidar
node_modules/glob-watcher
glob-stream 5.3.0 - 6.1.0
Depends on vulnerable versions of glob-parent
node_modules/glob-stream
vinyl-fs >=2.4.2
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
gulp >=4.0.0
Depends on vulnerable versions of vinyl-fs
node_modules/gulp
lodash.template <4.5.0
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
No fix available
node_modules/lodash.template
gulp-util >=1.1.0
Depends on vulnerable versions of lodash.template
node_modules/gulp-util
gulp-install *
Depends on vulnerable versions of gulp-util
node_modules/gulp-install
postcss <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install gulp-sourcemaps@2.6.5, which is a breaking change
node_modules/@gulp-sourcemaps/identity-map/node_modules/postcss
@gulp-sourcemaps/identity-map >=2.0.0
Depends on vulnerable versions of postcss
node_modules/@gulp-sourcemaps/identity-map
gulp-sourcemaps >=3.0.0
Depends on vulnerable versions of @gulp-sourcemaps/identity-map
node_modules/gulp-sourcemaps
12 vulnerabilities (3 moderate, 6 high, 3 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Those are not errors, they are warnings issued by npm. The gulp team is aware of those warnings but has decided that they do not need to be regarded.
Instead, they insist that npm audit is broken and should be fixed. You may ask them to change their minds, but beware that your request would be likely flagged as spam: 1, 2, 3.

How do I resolve these Node errors after running npm install in my project directory after installing Understrap for WordPress development?

I am trying to teach myself web development and so far it's making my head hurt, but I'm not giving up. At the moment, I am trying to learn WordPress theme development using the Understrap framework. This is what I have done so far to try and get it all working:
1. Install Node using Homebrew on my Mac
2. Created a project folder on my Desktop
3. Ran the following git command to install Understrap in my project folder: git clone https://github.com/understrap/understrap.git
4. Then ran npm install within the directory in a terminal window
After doing all of this, I keep getting the following errors, but not being a seasoned web dev expert, this has me a bit boggled:
72 packages are looking for funding
run `npm fund` for details
6 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Then I ran "npm audit" to get a better idea of the issue and this is where I am completely lost and hoping one of you fantastic folks on here can provide some assistance:
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
node_modules/glob-watcher/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/glob-watcher/node_modules/chokidar
glob-watcher >=3.0.0
Depends on vulnerable versions of chokidar
node_modules/glob-watcher
gulp >=4.0.0
Depends on vulnerable versions of glob-watcher
node_modules/gulp
glob-stream 5.3.0 - 6.1.0
Depends on vulnerable versions of glob-parent
node_modules/glob-stream
vinyl-fs >=2.4.2
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
6 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
BTW, I ran "npm audit fix --force", but it did not resolve this issue.
Thank you all so much for your help on this, I really appreciate it!

I can't run my expo project since I updated expo-sdk

When I try to run my expo project I get this message:
D:\React\myproject>npm start
> start
> expo start
Starting project at D:\React\myproject
Unable to find expo in this project - have you run yarn / npm install yet?
If I run npm install I get this:
D:\React\myproject>npm install
npm notice Beginning October 4, 2021, all connections to the npm registry - including for package installation - must use TLS 1.2 or higher. You are currently using plaintext http to connect. Please visit the GitHub blog for more information: https://github.blog/2021-08-23-npm-registry-deprecating-tls-1-0-tls-1-1/
up to date, audited 940 packages in 4s
18 packages are looking for funding
run `npm fund` for details
12 vulnerabilities (6 low, 6 moderate)
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
And this is what I get when I run npm audit:
D:\React\myproject>npm audit
npm notice Beginning October 4, 2021, all connections to the npm registry - including for package installation - must use TLS 1.2 or higher. You are currently using plaintext http to connect. Please visit the GitHub blog for more information: https://github.blog/2021-08-23-npm-registry-deprecating-tls-1-0-tls-1-1/
# npm audit report
node-fetch =0.22.0-rc
Depends on vulnerable versions of @react-native-community/cli
Depends on vulnerable versions of @react-native-community/cli-platform-ios
Depends on vulnerable versions of fbjs
node_modules/react-native
node_modules/react-native/node_modules/react-native
metro-config =0.3.2
Depends on vulnerable versions of xmldom
node_modules/plist
@react-native-community/cli-platform-ios *
Depends on vulnerable versions of plist
Depends on vulnerable versions of xcode
node_modules/@react-native-community/cli-platform-ios
react-native =0.22.0-rc
Depends on vulnerable versions of @react-native-community/cli
Depends on vulnerable versions of @react-native-community/cli-platform-ios
Depends on vulnerable versions of fbjs
node_modules/react-native
node_modules/react-native/node_modules/react-native
@react-native-community/cli *
Depends on vulnerable versions of metro
Depends on vulnerable versions of react-native
node_modules/react-native/node_modules/@react-native-community/cli
simple-plist *
Depends on vulnerable versions of plist
node_modules/simple-plist
xcode >=0.8.3
Depends on vulnerable versions of simple-plist
node_modules/xcode
12 vulnerabilities (6 low, 6 moderate)
Some issues need review, and may require choosing
a different dependency.
This happens since I tried to update expo sdk, but I don't know what I did wrong. Can someone help me with this?
Run npm config set registry https://registry.npmjs.org/
Some computers are still running with http://registry.npmjs.org/ which is not going to be allowed anymore for security reasons.
You may try adding a .npmrc file and update the repo allocation under the user\xxx directory.
registry=https://registry.npmjs.org/

Trying to make sense of npm audit results

Background
If I do npm audit on a ReactJS application we haven't touched in a year (until recently), I get the following summary:
found 356 vulnerabilities (321 low, 20 moderate, 14 high, 1 critical)
in 11345 scanned packages run `npm audit fix` to fix 3 of them.
353 vulnerabilities require semver-major dependency updates.
If I do that npm audit fix those 3 vulnerabilities are resolved, the others are not because they are breaking changes.
Doing another npm audit I get this summary:
found 71 vulnerabilities (36 low, 20 moderate, 14 high, 1 critical) in 11345 scanned packages
71 vulnerabilities require semver-major dependency updates.
At the top of the audit:
Run npm install react-scripts@2.1.2 to resolve 71 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change
After I do that npm install react-scripts@2.1.2 the vulnerabilities are reduced to only 1:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of react-scripts
Path react-scripts > webpack-dev-server
More info https://nodesecurity.io/advisories/725
After I do a npm install webpack-dev-server@3.1.14, I get 2 new issues:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of react-scripts
Path react-scripts > webpack-dev-server
More info https://nodesecurity.io/advisories/725
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of webpack-dev-server
Path webpack-dev-server
More info https://nodesecurity.io/advisories/725
That more info link suggests an update to version 3.1.6 or later. What I do is way higher than that ...
Questions
To have a better understanding of what npm audit does, I'd like to discuss the following remarks:
1. Why does doing npm install webpack-dev-server@3.1.14 add an issue, rather than fix the one mentioned before? Looks like the previous issue remains even ...
2. Why does the vulnerabilities count drop from 356 to 71 after fixing only 3 issues while the total packages count is the same?
3. Why did the audit not suggest me to do npm install webpack-dev-server@3.1.11 or higher if it knows the issue is patched since 3.1.11? It did know npm install react-scripts@2.1.2 was necessary earlier.
4. What should I do to fix the issue mentioned in question #1?
PS: That nodesecurity link suggests to update webpack-dev-server to version 3.1.6 or higher. I'm doing much higher than that ...
PPS: I tried npm install webpack-dev-server@3.1.11 as well, no difference.
The advisory page for the webpack-dev-server vulnerability listed the latest version as an affected version. This was caused by a typo in the npm security repository, as reported in a thread in the npm community forum. The typo was fixed a few hours later.
