I have been following codelab instructions to implement Real-time communication with WebRTC and while trying to run npm install I am getting the following warnings.
npm WARN webrtc-codelab@0.0.1 No repository field.
npm WARN webrtc-codelab@0.0.1 No license field.
audited 52 packages in 0.81s
found 16 vulnerabilities (11 low, 1 moderate, 3 high, 1 critical)
run npm audit fix to fix them, or npm audit for details
Can someone help me with fixing this?
The first ones are because the licence and repository fields of package.json are empty; you can fill them using the docs for licence and repository.
The latter ones are due to outdated dependencies used by the code sample. It is OK to ignore this warning for an educational project, because the vulnerabilities often are not important if you are not planning to use the project on a production server. But if it is bothering you, you can use npm audit fix as suggested by npm; it'll try to update dependencies if there are no breaking changes in the upgrade. It might not succeed in doing so for some or all of those packages, in which case you'll need to manually install the newer version of those packages, but beware, because doing so COULD break the code sample to the point that it'll no longer work.
Related
I am trying to get a simple create-react-app to work, but nothing seems to work. With Linux Mint the terminal sends a few warnings but I can't get create-react-app to function.
~/Documents/Code$ npx create-react-app testreact
Creating a new React app in /home/omistaja/Documents/Code/testreact.
Installing packages. This might take a couple minutes.
Installing react, react-dom, and react-scripts...
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated rollup-plugin-terser@7.0.2: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-terser
npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
added 1415 packages, and audited 1416 packages in 41s
231 packages are looking for funding
run npm fund for details
6 high severity vulnerabilities
To address all issues, run:
npm audit fix
Run npm audit for details.
A template was not provided. This is likely because you're using an outdated version of create-react-app. Please note that global installs of create-react-app are no longer supported. You can fix this by running npm uninstall -g create-react-app or yarn global remove create-react-app before using create-react-app again.
Running the audit fix returns
up to date, audited 101 packages in 1s
20 packages are looking for funding
run npm fund for details
found 0 vulnerabilities
In addition to the warnings the terminal does not start the "quick tips" part (which starts with npm start and ends in Happy hacking!)
The created folder only contains the following:
node_modules (folder)
package.json
package-lock.json
With Windows the folder also contains:
public
src
.gitignore
README.md
Going to the folder and running npm start returns a Missing script error (which is to be found in the comments).
I am running:
Linux mint 21
node v18.14.1.
npm v. 9.3.1.
I have uninstalled and removed it a couple of times and nothing seems to fix that.
I also tested my commands with Windows Git Bash (I have a dual-boot machine) and it seems to work fine with the commands I am giving it.
Any ideas?
Not sure what the specific problem was, but I fixed it by restoring the system to a few days back (before I started working on updating node.js to the current version and trying create-react-app for the first time).
After restoring the system I did a fresh autoremove of node and an install of the current nodejs version 18.14.1. It all just worked.
up to date, audited 1446 packages in 7s
194 packages are looking for funding
run npm fund for details
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run npm audit for details.
Ideally, we should address these vulnerabilities, especially in stages like production, sensible workplaces, etc. However, often, you will have to address these vulnerabilities manually.
npm audit fix will try to "fix" what it can by performing some updates.
npm audit fix --force will try to go further in considering upgrading even between major semantic versions (2 to 3, for instance, instead of 2 to 2.1 if necessary)
It may not be enough. To be on the safer side, you should look through every single module declared vulnerable to ponder the eventual risks and how any issues can affect your project(s).
Keep in mind:
"npm" can find vulnerabilities absolutely at any time.
Therefore, if the developer has not sent a new version correcting the identified problem, you will have to:
Decide whether to use a new library.
Decide to downgrade or upgrade their libraries with the most negligible effect on your code.
Decide to fix the vulnerability yourself
Decide to wait for the author to fix the issue
Decide to implement your solution.
Decide to live with these vulnerabilities and likely address them before production.
npm audit monitors modules over time, so some vulnerabilities can still happen on perfectly thought-safe modules. Therefore, there is no 100% permanent fixing.
A way to have the list of problematic modules:
$> npm audit fix --dry-run --json
https://docs.npmjs.com/cli/v8/commands/npm-audit
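To make the "look through every single module" step concrete, here is an added example (not code from the answer above or from npm) that reads the JSON produced by npm audit --json in the npm 7+ layout (auditReportVersion 2) and splits the findings into three buckets: fixable within semver range by npm audit fix, fixable only by a semver-major bump (what --force would do), and findings with no published fix that need a manual decision. The report embedded below is constructed: the package names, ranges, titles and advisory URLs are invented for illustration.

```javascript
// Added example (not code from any of the answers above): summarize an
// `npm audit --json` report in the npm 7+ layout (auditReportVersion 2) so
// the findings `npm audit fix` can apply within semver range are separated
// from the ones that would need `npm audit fix --force` (a semver-major
// bump) and from the ones with no published fix at all.
// The report below is constructed for illustration: package names, ranges
// and advisory titles are invented, and the advisory URLs are placeholders.
const SEVERITY_ORDER = ["critical", "high", "moderate", "low", "info"];

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser",
      severity: "high",
      isDirect: false,
      // an advisory object in "via" means this package is the root cause
      via: [{ source: 0, name: "example-parser", title: "Prototype pollution (constructed)",
              url: "https://example.invalid/advisory/1", severity: "high", range: "<1.2.3" }],
      effects: ["example-cli"],
      range: "<1.2.3",
      nodes: ["node_modules/example-parser"],
      fixAvailable: true,                      // fixable within the allowed range
    },
    "example-cli": {
      name: "example-cli",
      severity: "high",
      isDirect: true,
      via: ["example-parser"],                 // a string: vulnerable only through a dependency
      effects: [],
      range: "<=2.0.0",
      nodes: ["node_modules/example-cli"],
      fixAvailable: { name: "example-cli", version: "3.0.0", isSemVerMajor: true },
    },
    "example-legacy": {
      name: "example-legacy",
      severity: "low",
      isDirect: true,
      via: [{ source: 0, name: "example-legacy", title: "ReDoS (constructed)",
              url: "https://example.invalid/advisory/2", severity: "low", range: "*" }],
      effects: [],
      range: "*",
      nodes: ["node_modules/example-legacy"],
      fixAvailable: false,                     // no version escapes the vulnerable range
    },
  },
};

// Group findings by how they can be fixed and count them per severity.
function summarizeAudit(report) {
  if (report.auditReportVersion !== 2) throw new Error("expected an npm 7+ audit report");
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const autoFixable = [], needsForce = [], noFix = [];
  for (const v of Object.values(report.vulnerabilities)) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
    const entry = {
      name: v.name,
      severity: v.severity,
      direct: v.isDirect,
      rootCause: v.via.some((x) => typeof x === "object"),
      range: v.range,
    };
    const fix = v.fixAvailable;
    if (fix === true || (fix && !fix.isSemVerMajor)) autoFixable.push(entry);
    else if (fix && fix.isSemVerMajor) needsForce.push({ ...entry, upgradeTo: `${fix.name}@${fix.version}` });
    else noFix.push(entry);
  }
  return { counts, autoFixable, needsForce, noFix };
}

// Render the summary the way a reviewer would want to read it.
function formatSummary(summary) {
  const lines = [SEVERITY_ORDER.filter((s) => summary.counts[s]).map((s) => `${summary.counts[s]} ${s}`).join(", ")];
  for (const e of summary.autoFixable) lines.push(`fix with 'npm audit fix':         ${e.name} (${e.range})`);
  for (const e of summary.needsForce)  lines.push(`needs 'npm audit fix --force':    ${e.name} -> ${e.upgradeTo}`);
  for (const e of summary.noFix)       lines.push(`no fix published, review/replace: ${e.name} (${e.range})`);
  return lines.join("\n");
}

console.log(formatSummary(summarizeAudit(sampleReport)));
```

On a real project, run npm audit --json > audit.json and pass JSON.parse(fs.readFileSync("audit.json", "utf8")) to summarizeAudit; the "needs --force" bucket is the list to read before letting npm rewrite major versions, and the "no fix published" bucket is where the decide-to-replace, patch-yourself or wait choices from the answer above apply.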
I am working on a React project and I am using various npm packages. There were 1002 vulnerable packages when I started fixing/updating my old packages, and at the end only 20 vulnerable packages remained, which were also very low priority.
But now, after 3 months, the number has increased again to 925 vulnerable packages. So my question is: when I am using package-lock.json to install a specific package version only, how did the vulnerabilities increase? I mean, is there any mechanism which npm follows before telling "this package is vulnerable"? I want to know how npm checks if a package is vulnerable or not, even when it was fine before and I am using the same package version with the same node version as well.
npm as a package manager runs an audit of the installed/installing dependencies to check for the vulnerabilities posted/reported on that particular npm package you installed/are installing. It lists them out to notify/warn you about the problems you might encounter using such packages.
It will be an API call from npm to the registry. Read further: docs.npmjs.com/cli/audit#description
One can manually audit their dependencies as well, using the following command:
npm audit
Make sure you are running this command in the same directory where your package-lock.json exists.
If you are using yarn as a package manager, you can run:
yarn audit
Here is a great explanation on npm vulnerability.
https://snyk.io/blog/understanding-filesystem-takeover-vulnerabilities-in-npm-javascript-package-manager/
npm vulnerability checking mainly depends on the version and last publish date of each package.
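The answers above say the check is an API call to the registry; the question is why the count changes when the lockfile does not. This added example (not code from the answers, and not npm's own implementation) models that call offline. In npm 7 and later, npm builds a map of package name to the versions present in package-lock.json and sends it to the registry's bulk advisory endpoint; the registry answers with the advisories for each name, each carrying a vulnerable_versions range, and every installed version is tested against that range. The lockfile, the advisories and the package names below are all constructed; the "March" and "June" advisory lists show the same unchanged lockfile producing more findings once new advisories are published. The semver matcher is a deliberately small one written for this example and handles only plain x.y.z versions and comparator ranges.

```javascript
// Added example, not from any answer above and not npm's code: an offline
// model of the npm 7+ audit round-trip. npm sends {name: [versions]} from the
// lockfile to the registry's bulk advisory endpoint and matches the returned
// vulnerable_versions ranges against each installed version. Everything
// below (lockfile, packages, advisories) is constructed for illustration.

// Minimal semver support for this example: "x.y.z" versions and ranges made of
// comparators joined by spaces (AND) and "||" (OR), e.g. "<1.2.3 || >=2.0.0 <2.0.6".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
function satisfies(version, range) {
  if (range.trim() === "*") return true;
  return range.split("||").some((clause) =>
    clause.trim().split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(cmp);
      const c = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case "<":  return c < 0;
        case "<=": return c <= 0;
        case ">":  return c > 0;
        case ">=": return c >= 0;
        default:   return c === 0;
      }
    })
  );
}

// What npm sends: {name: [versions]} derived from the lockfile "packages" map
// (lockfileVersion 2/3). Nested copies of the same package are included too.
function lockToBulkRequest(lock) {
  const req = {};
  for (const [p, entry] of Object.entries(lock.packages)) {
    if (p === "" || !entry.version) continue;        // "" is the root project itself
    const name = entry.name || p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!req[name]) req[name] = new Set();
    req[name].add(entry.version);
  }
  return Object.fromEntries(Object.entries(req).map(([n, s]) => [n, [...s]]));
}

// What the registry does with the request, modelled against a local advisory list.
function auditOffline(lock, advisories) {
  const findings = [];
  for (const [name, versions] of Object.entries(lockToBulkRequest(lock))) {
    for (const adv of advisories.filter((a) => a.module_name === name)) {
      for (const version of versions) {
        if (satisfies(version, adv.vulnerable_versions)) {
          findings.push({ name, version, severity: adv.severity, title: adv.title });
        }
      }
    }
  }
  return findings;
}

// Constructed lockfile: one package installed twice at different versions.
const lockfile = { name: "demo-app", lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-parser": { version: "1.2.0" },
  "node_modules/example-cli": { version: "2.0.0" },
  "node_modules/example-cli/node_modules/example-parser": { version: "1.3.0" },
}};

// Constructed advisory database at two points in time; the lockfile never changes.
const advisoriesInMarch = [
  { module_name: "example-parser", severity: "high", title: "Prototype pollution (constructed)", vulnerable_versions: "<1.2.3" },
];
const advisoriesInJune = [
  ...advisoriesInMarch,
  { module_name: "example-cli", severity: "moderate", title: "Path traversal (constructed)", vulnerable_versions: ">=1.0.0 <2.0.1" },
  { module_name: "example-parser", severity: "low", title: "ReDoS (constructed)", vulnerable_versions: "<1.4.0" },
];

console.log("March:", auditOffline(lockfile, advisoriesInMarch).length, "finding(s)");
console.log("June: ", auditOffline(lockfile, advisoriesInJune).length, "finding(s)");
```

The second run reports four findings from the same lockfile that produced one in the first run, which is the behaviour the question observed: the lock pins versions, not the advisory database those versions are compared against.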
I am trying to update dependencies for various projects I have on GitHub. I wanted to update them one at a time. I went through these steps:
npm update (from master)
npm update dependency-name (from folder containing the json files)
npm install dependency-name --save
npm fix --force (don't remember this command exactly. It was similar to that)
Then I got a message that said "--force. I hope you know what you're doing." I knew immediately that I'd made a mistake because I didn't know what I was doing. I found that command while Googling solutions, so I stopped there.
How can I update a specific dependency in a package-lock.json file?
Also, could I have done significant damage with the --force command?
Thank you.
--force is a flag which forces a particular operation/process to run
So I think to fix the dependencies you would have used npm audit fix --force
You wouldn't have done any damage to your dependency tree.
The npm docs say:
npm audit fix
Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies
Please refer https://docs.npmjs.com/cli/audit
npm version 6.0.1
Run npm audit
As with many projects, we have some vulnerabilities in ours.
First thing the report suggests is:
# Run npm update fsevents --depth 4 to resolve 65 vulnerabilities
I did this several times, decrementing the number of issues, but this time it doesn't work.
Any idea why?
You already have fsevents installed; the lock file has the outdated values. If you manually change them in your lock file your npm audits would look clean, the problem being that when you run npm install again it won't matter and they will install it again. Make sure to check your node_modules and that the versions of the libraries being used are in fact the ones without any vulnerabilities.
It's a problem npm audit/update have with some optional packages like fsevents. If you clear all those packages inside package-lock.json or yarn.lock, or if you don't care about the lock, just remove the file and run npm install or yarn install again to have the updated inner packages.