Json dependencies NPM update - How to fix vulnerabilities manually - node.js

I have lost a day trying to fix a few high vulnerabilities manually.
It was a waste of time.
I've read many posts, blogs and suggestions but I was unable to fix the problem.
Basically css-what requires an update to version 5.0.1 and npm audit is telling me that:
```
│ Dependency of │ gulp-imagemin [dev]
│ Path          │ gulp-imagemin > imagemin-svgo > svgo > css-select > css-what
```
I've run (in gulp-imagemin) the command npm update, then navigated to the next folder (imagemin-svgo) and ran npm update again, etc. When I arrive at the css-what root, I run npm update again but it doesn't do anything.
Then I modified my package.json accordingly:
```json
"resolutions": {
"trim-newlines": "^4.0.1",
"css-what": "^5.0.1"
},
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
```
I went back to the main root to run npm i but it didn't amend all branches.
Besides, when I run npm ls css-what or npm ls trim-newlines I can see that the new version has been installed in node_modules but the older version is still unchanged in the tree
root/tree
I was following the https://hackernoon.com/how-fix-security-vulnerabilities-in-npm-dependencies-in-3-minutes-rq9g3y7u post but it didn't work for some reason, most probably due to my inexperience.
Thanks for your help

To fix vulnerabilities you can try:
npm audit fix
To update you can also use npm-check-updates

npm update css-what worked for me


Unable to fix npm vulnerabilities

I am getting 6 vulnerabilities after running npm audit report:
I tried a solution and overrode the vulnerable versions of a particular package with their latest versions in the package.json file like this:
```json
"overrides": {
"nth-check": "2.1.1",
"@svgr/webpack": "6.5.1",
"@svgr/plugin-svgo": "6.5.1",
"svgo": "3.0.1",
"css-select": "5.1.0"
}
```
Then I updated the npm packages with npm update. But it did not change the result.
I tried another solution by making a resolutions object in package.json, specifying specific versions of a particular package, and ran it using npx i npm-force-resolutions but it gives this error:
npm ERR! could not determine executable to run.
But I am still unable to fix the npm vulnerabilities. Please help!
You should delete both node_modules and package-lock.json before launching npm install again; this will take more time to install all dependencies, but it will override all the versions that are currently installed (it will also bring minor updates in dependencies).
Also, for this vulnerability, you only need to override nth-check. You can see the changes by executing npm list nth-check with and without the override (remember to delete both node_modules and package-lock.json).

npm audit Arbitrary File Overwrite

I recently updated my version of Angular using ng update, and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests upgrading a package from package.json like "angular-devkit/build-angular", but I am already using their latest version.
```
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High            Arbitrary File Overwrite
Package         tar
Patched in      >=4.4.2
Dependency of   @angular-devkit/build-angular [dev]
Path            @angular-devkit/build-angular > node-sass > node-gyp > tar
More info       https://npmjs.com/advisories/803
found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
```
I thought of installing npm i tar but I am not sure.
The following worked for me:
Go to node_modules > node_gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.
Then run:
npm i
npm audit
npm audit fix
npm audit
you should see 0 vulnerabilities.
I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.
angular-cli relies on node-gyp, which has an open issue for this: https://github.com/nodejs/node-gyp/issues/1714
To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.
You should search your package-lock.json for this:
```json
"tar": {
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
```
and replace it with:
```json
"tar": {
"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
```
That worked for me

is there a yarn alternative for npm audit?

Need the pinned resolution feature of yarn, but also want to audit with npm audit? Is there a yarn alternative to npm audit? Or, alternately, will pinning resolutions of dependencies of dependencies work in npm?
Yarn doesn't have npm audit fix.
But here's how to do it by using npm temporarily.
1. Generate a package-lock.json file without installing node modules:
npm i --package-lock-only
2. Fix the packages and update the package-lock.json file:
npm audit fix
3. Delete the yarn.lock file and convert the package-lock.json file into yarn.lock:
rm yarn.lock
yarn import
4. Delete the package-lock.json file:
rm package-lock.json
For example:
```
$ yarn audit
38363 vulnerabilities found - Packages audited: 908342
Severity: 38352 Low | 11 Moderate
```
(I know. react-scripts is crazy...)
```
$ npm audit
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only
$ npm i --package-lock-only
...
added 266 packages, removed 354 packages, updated 1653 packages, moved 1 package and audited 913793 packages in 54.304s
found 495 low severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
$ npm audit fix
...
added 267 packages from 152 contributors, removed 355 packages and updated 1712 packages in 92.849s
50 packages are looking for funding
run `npm fund` for details
fixed 211 of 495 vulnerabilities in 913793 scanned packages
284 vulnerabilities required manual review and could not be updated
$ git status -s
?? package-lock.json
$ yarn import
yarn import v1.21.1
info found npm package-lock.json, converting to yarn.lock
...
success Saved lockfile.
✨ Done in 25.61s
$ rm package-lock.json
```
yarn audit / yarn install --audit has been available since yarn@1.12.0
https://github.com/yarnpkg/yarn/releases/tag/v1.12.0
Unfortunately there is no --fix option yet, but as a workaround you can use https://www.npmjs.com/package/yarn-audit-fix
Yes, you can use yarn audit to audit for vulnerabilities, but you can't fix the vulnerabilities by using yarn audit fix as you can do with npm audit fix.
To fix the vulnerabilities in the yarn.lock file you have to reinstall the package (which is carrying the vulnerability) to its newer version by using yarn add package_name
You can read the issue here => https://github.com/yarnpkg/yarn/issues/7075
I think that it's not ready on yarn. You can refer to the following issue.
https://github.com/yarnpkg/yarn/issues/5808
Do a yarn audit and find the package(s) with vulnerabilities.
If they are in your package.json file, fix their version from there.
Else, they are dependencies of your packages, so add this to the package.json file:
```json
"resolutions": {
"**/package-name": "known-good-version",
"**/**/package-name": "known-good-version"
}
```
First:
Always use source control and check in your package.json as well as your yarn.lock and/or package-lock.json first, and start with all files committed, so you can roll back with ease if needed.
How about a solution that does not add dependencies to your project (nor installing a third party library)?
yarn outdated # view
yarn audit # view
yarn install --audit # install
Prefer an interactive way to upgrade selectively with ease?
yarn upgrade-interactive
That might do all you require.
Oddly, you might find with a yarn audit following that command you still have some vulnerabilities not mentioned from the command yarn upgrade-interactive. In this case I'd first consider this:
yarn upgrade-interactive --latest
Still not quite good enough?
```
yarn upgrade --latest
```
I've seen a lot of other potential solutions, previously I'd just switch to npm from yarn temporarily as some users have suggested, then switch back to yarn. This has worked fine for me too. (Though annoying and not elegant)
There are packages out there that don't require install to run.
I haven't tried this one, it might be good too:
npm_config_yes=true npx yarn-audit-fix
The key here is you are using npx to avoid installing as a dependency.
Many more solutions are possible. npm and yarn both are package managers, dependency management is a very difficult thing to do, automagically fixing these dependencies will always be a difficult problem to solve. Thus I recommend a little research on how they are actually solving these problems if you have the time. You might find yourself not liking how they do things.
Ultimately, as long as you can roll back you can try a lot of these out and see for yourself. Some packages severity might not need fixing, sometimes libraries do not have solutions available yet, then you need to consider removing their usage in your codebase. In theory, less is more, less dependency on libraries, which use libraries, which use libraries.... becomes a much smaller surface for attackers to target. Also, it's not advisable to use libraries from untrusted sources, npm, yarn and more cannot know everything, nor right away, so keep that in consideration too.
I created a script command into the package.json file to fix it. It creates a copy of yarn.lock as package-lock.json, removes the issues and then re-creates yarn.lock.
"resolve:security": "npm i --package-lock-only && npm audit fix && rm yarn.lock && yarn import && rm package-lock.json",
I hope it helps :)
You can use yarn audit as mentioned in the other answers, however, there is a different way to solve them...
You will need to add the resolution instruction to specify the version of the library in which the vulnerability was solved and the path of the dependency (because the library can be a dependency of another dependency), for example:
Considering part of some package.json below
{
"name": "project",
"version": "1.0.0",
"dependencies": {
"left-pad": "1.0.0",
"c": "file:../c-1",
"d2": "file:../d2-1"
},
"resolutions": {
"d2/left-pad": "1.1.1",
"c/**/left-pad": "^1.1.2"
}
}
More details can be checked directly in the documentation.
Yarn doesn't support the fix at the moment,
Workaround
create a package-lock.json file using npm.
fix the packages
remove the package-lock.json.
npm i --package-lock-only
npm audit fix
rm package-lock.json
and start
yarn start
Yarn also has a yarn audit mechanism, but it doesn't have a yarn audit fix mechanism. So in most cases you have to fix these issues manually. This is how it works. For example, we'll demonstrate it using the minimist package:
Add a resolutions key in your package.json file:
Adding a dependency (say minimist) directly as a key/value pair: this resolution will override minimist entirely in your project.
{
"resolutions": {
"minimist": "^1.2.5"
}
}
In most cases, there can be multiple dependencies in a project that use the same secondary dependency, however, they might use different versions of those dependencies. Thankfully, yarn/npm allows us to have selective dependency resolutions.
The format to define resolutions is the following:
/* package.json */
{
"resolutions": {
"<package>/**/<dependency>": "<version>"
}
}
Let’s say for example, we have a dependency A and B and both of them depend upon another dependency C.
Then our resolutions field would look like:
/* package.json */
{
"resolutions": {
"A/**/C": "2.0.3", // A works fine with the latest version of C
"B/**/C": "1.9.0" // latest stable version for C for dependency B
}
}
Let's further see how it works with the example of the package-merge-lodash-4 package. Say the audit reports that lodash@3.9.3 has vulnerabilities and suggests upgrading lodash@3.9.3 -> 4.17.12.
We can write our json file's resolutions only for the concerned package as below:
{
"resolutions": {
"package-merge-lodash-4/**/lodash": "4.17.12"
}
}
How to use Selective dependency resolutions in npm?
add npm-force-resolutions to the preinstall script after you added resolutions key to package.json file, so that it patches the package-lock file before every npm install you run:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
To confirm that the right version was installed, use the below command
npm ls <vulnerable dependency>
npm ls lodash
Resources:
Selective dependency resolutions
Yarn - How to fix security issues
How to fix security vulnerabilities in NPM/Yarn dependencies
Yarn audit fix: workaround
What's the difference between tilde(~) and caret(^) in package.json?
Semver explained - why is there a caret (^) in my package.json?
Try using,
yarn upgrade-interactive --latest
Will install all the latest dependencies.

EINTEGRITY: npm 5.0 integrity check and modernizr.com dependency

I've encountered this error when installing deps of my package:
$ npm i
npm ERR! code EINTEGRITY
npm ERR! sha1-tU7jWojzuU8MIY2VLAx+BwluNo0= integrity checksum failed when using sha1: wanted sha1-tU7jWojzuU8MIY2VLAx+BwluNo0= but got sha1-oXYP0kzpbhku0KU+phy353lbBhQ=. (26624 bytes)
npm ERR! A complete log of this run can be found in:
npm ERR! /home/tlenex/.npm/_logs/2017-06-22T10_18_19_773Z-debug.log
the problem is with my Modernizr dependency:
"dependencies": {
"Modernizr": "https://modernizr.com/download?setclasses-flash"
}
is there any way to solve this or ignore this integrity check?
Currently I have to run
npm i https://modernizr.com/download?setclasses-flash
again to get things working, which overrides the "integrity" field for "Modernizr" in my package-lock.json.
This may happen every time there is a change in Modernizr package fetched from this link and my package dependencies need to be reinstalled (for example, each time on CI build)
Is there no other way of solving this? I hope I won't have to place package-lock.json in my .gitignore file :(
More data about my environment:
$ npm -v
5.0.3
$ node -v
v6.11.0
Edit package-lock.json, find the one you want to skip, in this case the one that is failing:
sha1-tU7jWojzuU8MIY2VLAx+BwluNo0=
and remove the integrity parameter from it, i.e.
```json
},
"range-parser": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz",
"integrity": "sha1-9JvmtIeJTdxA3MlKMi9hEJLgDV4=",
"dev": true
},
```
to...
```json
},
"range-parser": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz",
"dev": true
},
```
After that run npm install; it will check the rest and skip this integrity.
The point of the integrity field is to alert you when something has changed, so if you do not want it to exist, you can disable package-lock.json files in your npmrc. Just set package-lock=false
Note: I am the developer of Modernizr, and spoke with the npm-cli team about this issue. The root cause appears to be the change of the SHA type between npm5 and earlier versions. Nuking the node_modules folder will fix it
1. Find all outdated packages and update them:
npm outdated -g
sudo npm i -g outDatedPKG
2. Upgrade npm to the latest version with:
sudo npm i -g npm
3. Delete the package-lock.json file.
4. Delete the _cacache directory in ~/.npm:
npm cache verify
4.1. Every time I get that error, do steps 2 & 3.
5. If you still get the error, clear npm's cache:
npm cache clean --force
I had this same error and I solved it by :
Deleting package-lock.json
Running "npm install"
I finally resolved this issue.
Our team moved away from URL dependency without SEMVER notation, in this case https://modernizr.com/download?setclasses-flash and used modernizr-loader with webpack. There are also equivalents for gulp and grunt tools available on npm, pick and use one you like the most.
After using them, we finally get rid of returning EINTEGRITY npm error without nuking package-lock.json or node_modules.
Just do two things for the solution.
First:
npm cache clean --force
Second:
npm i -g npm
and then install what you want
$ rm -rf package-lock.json node_modules
$ npm install --cache /tmp/empty-npm-cache
If this fixes it, clear your global npm cache to fix the corruption.

angular2 error in lodash js

I have tried to use lodash for a datatable. Here is what I have tried:
npm install lodash - gave a "cannot find package" error
I searched the issue and then tried npm install --save @types/lodash
This produced the following output:
```
+-- UNMET DEPENDENCY @angular/common@~2.1.0
+-- UNMET PEER DEPENDENCY @angular/compiler@2.4.6 invalid
+-- UNMET DEPENDENCY @angular/core@~2.1.0
`-- @types/lodash@4.14.52
```
which I don't understand, since my package.json has the following:
```json
"@angular/common": "~2.1.0",
"@angular/compiler": "~2.1.0",
"@angular/core": "~2.1.0",
```
After this, the IDE can find the package, but when I run npm start / ng serve I get multiple errors:
```
ERROR in [default] path\node_modules\@types\lodash\index.d.ts:19281:20
Cannot find namespace '_'.
ERROR in [default] path\node_modules\@types\lodash\index.d.ts:19021:57
Cannot find name 'Many'.
ERROR in [default] path\node_modules\@types\lodash\index.d.ts:19441:0
Declaration or statement expected.
```
and the first two errors repeat multiple times each, but with a different number (I guess the line)
What should I do to solve this issue?
This problem occurs when you are installing an old module (as written in your package.json) but it is not available on git due to an update in their version.
For solving this issue:
1. You need to install the project's local dependencies (that's where it's looking for lodash). To do that,
2. cd into the project directory and run npm install.
3. You can also try npm i --save lodash
If the package.json file exists, and if it contains the lodash dependency you could try to remove the node_modules folder and run following command:
$ npm cache clean
$ npm install
The first command will clean the npm cache. (just to be sure) The second command will install all (missing) dependencies of the project.
So what worked for me was to get the package.json file from another (working) project and run npm install. I still have no idea why mine didn't work, but that is what solved the issue.
