So basically, every time I run create-react-app with npx, npm or yarn (have tried them all), with both NodeJS 12 and NodeJS 16.3.0 and npm 7.15 (or something like this), it gives me multiple dependency vulnerabilities. With the newest versions of npm and nodeJS, I get 24 (11 moderate and 13 high). How do I resolve these dependencies? Or is it okay to just ignore them. I want to use the proposed app in production mode eventually, however I just can not for the life of me figure out how to resolve these dependences.
All the vulnerabilities seem to be related to react-scripts and denial of service. In the fixes, it suggests that an npx audit fix --force will fix it, by changing the react-scripts module to 1.1.5, however when i do this, even more vulnerabilities arise, suggesting the same solution but to revert back to react-script 4.0.3. Any advice would be great as I am driving myself mad here and finding next to 0 answers.
I posted my solution getting vulnerabilities down to one moderate risk due to the browserslist package here:
https://stackoverflow.com/a/68046680/1669123
Ultimately I think we'll need to wait on the CRA team to update react-scripts.
Related
I am working on a login/registration form using MongoDB, Express, Passport, Bcrypt.js, among other things.
When I run 'npm i' it tells me I have vulnerabilities, I cloned the file and ran 'npm audit fix', it worked! But it didn't fix all the vulnerabilities, so I ran 'npm audit fix --force' on the cloned file and it broke. How can I fix these vulnerabilities without breaking my code?
If "npm audit fix" didn't fix all the issues, it probably means the vulnerabilities were fixed in a major version. You'll need to see if the remaining packages with vulnerabilities have migration guides, as major versions mean there are breaking changes.
Although if they're all dev dependancies, you might be able to get away with ignoring the warnings.
up to date, audited 1446 packages in 7s
194 packages are looking for funding
run npm fund for details
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run npm audit for details.
Ideally, we should address these vulnerabilities, especially in stages like production, sensible workplaces, etc. However, often, you will have to address these vulnerabilities manually.
npm audit fix will try to "fix" what it can by performing some updates.
npm audit fix --force will try to go further in considering upgrading even between major semantic versions (2 to 3, for instance, instead of 2 to 2.1 if necessary)
It may not be enough. To be on the safer side, you look through every single module declared vulnerable to ponder eventual risks and how any issues can affect your project(s)
Keep in mind:
"npm" can find vulnerabilities absolutely at any time.
Therefore, if the developer has not sent a new version correcting the identified problem, you will have to:
Decide whether to use a new library.
Decide to downgrade or upgrade their libraries with the most negligible effect on your code.
Decide to fix the vulnerability yourself
Decide to wait for the author to fix the issue
Decide to implement your solution.
Decide to live with these vulnerabilities and likely address them before production.
npm audit monitors modules over time, so some vulnerabilities can still happen on perfectly thought-safe modules. Therefore, there is no 100% permanent fixing.
A way to have the list of problematic modules:
$> npm audit fix --dry-run --json
https://docs.npmjs.com/cli/v8/commands/npm-audit
I am getting the following error while installing the multer package using npm.
dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
busboy <=0.3.1
Depends on vulnerable versions of dicer
node_modules/busboy
multer <=2.0.0-rc.3
Depends on vulnerable versions of busboy
node_modules/multer
3 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
you can update multer to 1.4.5 as the latest version with npm i multer#latest that uses
busboy#1.0.0
without any vulnerabilities.
This is due to vulnerability in dicer dependency. Multer will still work, right now no fix is available. Maybe it will be resolved in next update. Check this GitHub reviewed vulnerability
I am a novice and this is not advice on what you should do - I'm just relaying what I did and what the outcome was.
This is a duplicate of my post on the same issue, on GitHub
After deploying my Vuejs3 app a week ago to Firebase, I was prompted to upgrade to the newest version of Firebase Tools (11.0.1) via npm. After doing this, I began experiencing the problem detailed in my comment on GitHub.
Having no other solutions on the table, I decided to uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools#10.9.2).
BUT, after first time I did this, I ran npm audit fix (not npm audit fix --force) and all I got a ton of high severity warnings and problems.
So I decided to once again uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools#10.9.2) and that's it (did NOT run npm audit fix).
I proceeded to npm run build and firebase deploy --only hosting and it worked just fine. Definitely NOT a great or long-term solution. Good luck!
I have been following codelab instructions to implement Real-time communication with WebRTC and while trying to run npm-install I am getting the following warnings.
npm WARN webrtc-codelab#0.0.1 No repository field.
npm WARN webrtc-codelab#0.0.1 No license field.
audited 52 packages in 0.81s
found 16 vulnerabilities (11 low, 1 moderate, 3 high, 1 critical)
run npm audit fix to fix them, or npm audit for details
Can someone help me with fixing this?
The first ones are because of the licence and repository fields of the package.json being empty, you can fill them using docs for licence and repository.
The latter ones are due to outdated dependencies used by the code sample, it is ok to ignore this warning for an educational project because the vulnerabilities often are not important if you are not planning to use the project on a production server. But if it is bothering you you can use npm audit fix as suggested by npm, it'll try to update dependencies if there are no breaking changes in the upgrade it might not succeed in doing so for some or all of those packages in which case you'll need to manually install the newer version of those packages but beware cause doing so COULD break the code sample to the point that it'll no longer work.
When I am giving npm install I am getting the below warning and it is not proceeding. It stuck in there.
npm WARN deprecated bower#1.8.0: ..psst! While Bower is maintained, we recommend Yarn and Webpack for *new* front-end projects! Yarn's advantage is security and reliability, and Webpack's is support for both CommonJS and AMD projects. Currently there's no migration path but we hope you'll help us figure out one.
Do anyone has any idea to proceed.
I waited for half an hour and it works ... the issue got resolved