Problem in installing handlebar npm package in Node.js - node.js

I have tried to install the package but it is showing a lot of vulnerabilities and I cannot fix it properly even after using npm audit fix

If you are doing it for your personal projects then no need to worry about the vulnerabilities and all. The packages have already been installed in your projects.

Related

Error while installing multer packages using npm

I am getting the following error while installing the multer package using npm.
dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
busboy <=0.3.1
Depends on vulnerable versions of dicer
node_modules/busboy
multer <=2.0.0-rc.3
Depends on vulnerable versions of busboy
node_modules/multer
3 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
You can update multer to 1.4.5 as the latest version with npm i multer@latest that uses busboy@1.0.0 without any vulnerabilities.
This is due to a vulnerability in the dicer dependency. Multer will still work; right now no fix is available. Maybe it will be resolved in the next update. Check this GitHub reviewed vulnerability
I am a novice and this is not advice on what you should do - I'm just relaying what I did and what the outcome was.
This is a duplicate of my post on the same issue, on GitHub
After deploying my Vuejs3 app a week ago to Firebase, I was prompted to upgrade to the newest version of Firebase Tools (11.0.1) via npm. After doing this, I began experiencing the problem detailed in my comment on GitHub.
Having no other solutions on the table, I decided to uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools@10.9.2).
BUT, after the first time I did this, I ran npm audit fix (not npm audit fix --force) and all I got was a ton of high severity warnings and problems.
So I decided to once again uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools@10.9.2) and that's it (did NOT run npm audit fix).
I proceeded to npm run build and firebase deploy --only hosting and it worked just fine. Definitely NOT a great or long-term solution. Good luck!
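The three "high severity vulnerabilities" in the audit output quoted in the question are one advisory propagating up a dependency chain. As an added example (not from the original posts), this Node.js script walks a report in the shape of `npm audit --json` and reduces it to the direct dependencies and the advisories behind them; the sample report is constructed from the dicer/busboy/multer output above, and the function names are hypothetical.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// mirroring the dicer -> busboy -> multer chain from the audit output above.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    dicer: {
      name: "dicer", severity: "high", isDirect: false, range: "*",
      via: [{ name: "dicer", title: "Crash in HeaderParser in dicer", severity: "high",
              url: "https://github.com/advisories/GHSA-wm7h-9275-46v2" }],
      effects: ["busboy"], fixAvailable: false,
    },
    busboy: { name: "busboy", severity: "high", isDirect: false, range: "<=0.3.1",
              via: ["dicer"], effects: ["multer"], fixAvailable: false },
    multer: { name: "multer", severity: "high", isDirect: true, range: "<=2.0.0-rc.3",
              via: ["busboy"], effects: [], fixAvailable: false },
  },
};

// Follow string entries in `via` (other vulnerable packages) down to the
// advisory objects that cause the finding. `seen` guards against cycles.
function rootAdvisories(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const vuln = report.vulnerabilities[name];
  if (!vuln) return [];
  return vuln.via.flatMap((v) =>
    typeof v === "string" ? rootAdvisories(report, v, seen) : [v]);
}

// Render fixAvailable, which is false, true, or {name, version, isSemVerMajor}.
function describeFix(fix) {
  if (fix === false) return "none";
  if (fix === true) return "npm audit fix";
  return `${fix.name}@${fix.version}` + (fix.isSemVerMajor ? " (breaking)" : "");
}

// One row per direct dependency: the entries you can act on in package.json.
function triage(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.isDirect)
    .map((v) => ({
      package: v.name,
      severity: v.severity,
      fix: describeFix(v.fixAvailable),
      advisories: [...new Set(rootAdvisories(report, v.name).map((a) => a.url))],
    }));
}

console.log(JSON.stringify(triage(sampleReport), null, 2));
```

To use it on a real project, pass the parsed output of `npm audit --json` to `triage` in place of `sampleReport`.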

Installed Node.js and Terminal says I have vulnerabilities

I am using Sublime Text. I have installed the Linter package and the csslint and htmllint. To install the last two I have had to install Node.js on my Mac.
The CSS and HTML linters appear to work fine in Sublime.
However, when I installed the htmllint by typing the following into Terminal
sudo npm install -g htmlhint@latest
I get the following worrying message in Terminal:
In Terminal I’ve typed in and pressed enter:
npm audit fix --force
I get the following
When I installed Node I got the following message, which I don’t understand and have not done anything with. Is this connected with the vulnerabilities? And if so, what do I do?
Help!
The package you installed has vulnerabilities. The maintainers need to update it or it will stay like this. You could of course update their dependency list but stuff might break!
There is no vulnerability report for Node.js. The vulnerability report is for the installed package htmlhint@latest. Keep in mind, you will get a report of well-known vulnerabilities for all packages in your scope every time you install a new one.
If you want to know more about these vulnerabilities, run npm audit without the fix command. Contact the package maintainer in order to get an update.

preventing npm from downloading over github

This might be a weird question, but I am trying to install some npm packages in a restricted network.
All packages from npmjs.com work and download fine. The problem is that some of the dependencies have dependencies on other packages that are downloaded through github.
And unfortunately github is blocked on my network, and there doesn't seem to be much I can do about it.
So my question is: Can one force npm to not go to github and try to resolve packages from npm instead?

I am having problems installing Expo cli, it shows a lot of warnings

I entered npm install -g expo-cli
This happens because nowadays, when packages are installed with npm, it runs the command npm audit at the same time and informs the user about possible vulnerabilities in the downloaded dependencies.
I attempted the same installation with node version 16.11 and OSX, the result was the same. However, these are not errors but vulnerabilities included in dependencies that Expo is using, and Expo by itself is working properly but has some vulnerabilities in it.
Therefore, there is not much that can be done from your perspective. Expo should fix these.
EDIT: And those warnings, those are a similar issue, which you cannot address. Expo is using dependencies that are old and are being deprecated.

NPM uninstall packages not working

Can someone help me identify what the issue is with my CLI command when uninstalling npm packages? When I run this command (in the picture below), npm does not uninstall the packages but instead adds them to my node_modules. I hope someone in this community can solve my problem and suggest any solutions that I can try for this weird problem.
The npm package is being removed. The ones shown as added are the packages that remain. This is the way node shows output in the terminal.
To verify, check your package.json; there won't be any package named webpack-config.
