Node.js reports "Use-After-Free" vulnerability with puppeteer - node.js

I started a new npm repo (running in an official node docker container), installed the puppeteer package, and got a "high" severity vulnerability warning:
# node --version
v15.13.0
# npm --version
7.8.0
# npm list
puppeteer@1.0.0 /home/node/puppeteer
`-- puppeteer@8.0.0
# npm audit
# npm audit report
puppeteer <1.13.0
Severity: high
Use-After-Free - https://npmjs.com/advisories/824
fix available via `npm audit fix`
1 high severity vulnerability
To address all issues, run:
npm audit fix
The puppeteer package version is obviously greater than 1.13.0, but it still warns about this "Use-After-Free" vulnerability. Needless to say, npm audit fix doesn't fix anything. What's going on?
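An added check (my own script, not code from the question, from npm or from puppeteer): the npm list output above shows that the project itself is named puppeteer at version 1.0.0, and 1.0.0 does satisfy <1.13.0, whereas the installed dependency is 8.0.0. The script walks a constructed tree in the shape of npm ls --json, root node included, and reports which node matches the advisory's name and range. The tree, the advisory object and the range parser are constructed for the example; the parser covers only the operators that appear in the reports on this page (<, <=, >, >= and "a - b"), not the full semver grammar.

```javascript
// Added example (not from the question or from npm): walk an `npm ls --json`-shaped
// tree and report every node, the root project included, whose version satisfies
// an advisory range. The tree is constructed to mirror the question: the project is
// itself named "puppeteer" at 1.0.0 and depends on puppeteer@8.0.0.
const tree = {
  name: 'puppeteer',
  version: '1.0.0',
  dependencies: {
    puppeteer: { version: '8.0.0', dependencies: {} },
  },
};

// The advisory exactly as the report prints it: "puppeteer <1.13.0".
const advisory = { name: 'puppeteer', range: '<1.13.0' };

// Numeric compare of dotted versions (pre-release tags are not handled here).
function cmp(a, b) {
  const x = a.split('.').map(Number), y = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Only the range forms seen in npm audit output on this page: <, <=, >, >= and "a - b".
function satisfies(version, range) {
  const hyphen = range.match(/^(\S+) - (\S+)$/);
  if (hyphen) return cmp(version, hyphen[1]) >= 0 && cmp(version, hyphen[2]) <= 0;
  const m = range.match(/^(<=|>=|<|>)(\S+)$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = cmp(version, m[2]);
  return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0 }[m[1]];
}

// Depth-first walk over the tree, starting at the root project itself, returning
// every node whose name and version fall inside the advisory, with its path.
function findVulnerable(root, adv) {
  const hits = [];
  (function walk(node, name, path) {
    if (name === adv.name && satisfies(node.version, adv.range)) {
      hits.push({ name, version: node.version, path: path.join(' > ') || '(root project)' });
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, [...path, `${depName}@${dep.version}`]);
    }
  })(root, root.name, []);
  return hits;
}

for (const h of findVulnerable(tree, advisory)) {
  console.log(`${h.name}@${h.version} satisfies ${advisory.range}: ${h.path}`);
}
```

Run with node. The only hit is the root project, not the dependency at 8.0.0, so when a report looks impossible it is worth checking the name field of your own package.json against the advisory before looking at node_modules.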

Related

Npm audit fix --force not working. Can't use npm

I have a problem with npm: when I try to install a package using npm it shows this error.
I tried to upgrade expo, reinstall expo and run npm audit fix --force but none of them worked.
qs 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install expo@44.0.6, which is a breaking change
node_modules/qs
body-parser 1.19.0
Depends on vulnerable versions of qs
node_modules/body-parser
@expo/dev-server *
Depends on vulnerable versions of body-parser
node_modules/@expo/dev-server
@expo/cli >=0.1.0
Depends on vulnerable versions of @expo/dev-server
node_modules/@expo/cli
expo >=45.0.0-beta.1
Depends on vulnerable versions of @expo/cli
node_modules/expo
5 high severity vulnerabilities

npm upgrade and npm audit fix: problems with vulnerabilities (upgrading react-scripts)

If I run npm upgrade or npm upgrade react-scripts I've always got the message like
added 84 packages, removed 249 packages, changed 428 packages, and audited 1245 packages in 57s
179 packages are looking for funding
run `npm fund` for details
6 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
So I try npm audit fix --force and get a long report about dependencies and the text
66 vulnerabilities (15 low, 26 moderate, 24 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
I follow these steps and run npm audit fix --force, which caused these errors:
npm ERR! code ERR_INVALID_ARG_TYPE
npm ERR! The "from" argument must be of type string. Received undefined
npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\{user}\AppData\Local\npm-cache\_logs\2022-05-09T15_11_33_120Z-debug-0.log
If I try to run npm audit fix --force instead of npm audit fix I get the following:
nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts
6 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
And no, running npm audit fix --force once again does not help.
Can somebody help me?
As the new version 6.3.0 doesn't have the proper @svgo and @svgr we won't be able to access those modules. So, my suggestion is to go with the older version, that is 5.2.0.
Instead of using the latest version use the older version
npm install react-router-dom@5.2.0
By running the above command in the prompt we can access all the services of "react-router-dom".
Thank you :)
I was hung up on this problem too and got past it by updating my npm version to the latest, then for the specific package I was trying to update that caused the problem in the first place, I uninstalled and reinstalled it. I still get the 69 vulnerabilities message but the update did actually work. Good luck!

Error when setting up REACT environment

I'm trying to install react native on my Mac through the terminal using "sudo npm install -g expo-cli" but at the end of the installation errors appear.
115 packages are looking for funding
run `npm fund` for details
31 vulnerabilities (19 moderate, 12 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Before trying to install react native I obviously installed nodeJS (16) in its latest version.
Anyone have an idea why the installation doesn't work?
when I do "npm audit fix" this is what it says:
npm ERR! code ENOLOCK
npm ERR! audit This command requires an existing lockfile.
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! audit Original error: loadVirtual requires existing shrinkwrap file
Thank you in advance for your help.
Good news!
The first block you're referring to does not indicate installation failure. Your packages were installed correctly. The warnings are for nested security vulnerabilities which you can choose to address or ignore, depending on your app.
To prove that it was installed, run npm list -g in your terminal and see if expo-cli is in the list.
You can also check the packages installed correctly by creating a new react app using
npx create-react-app my-app
cd my-app
npm start
npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages

Npm update -package- does not update the package

I am simply trying to update webpack-dev-server from version 3.11.2 to the latest version, which is 4.7.3 based on my npm outdated command:
root@fdaf6460fe1a:/home/ubuntu/myapp# npm outdated
Package               Current  Wanted  Latest  Location                           Depended by
@rails/activestorage  6.1.4    6.1.4   7.0.1   node_modules/@rails/activestorage  myapp
@rails/ujs            6.1.4    6.1.4   7.0.1   node_modules/@rails/ujs            myapp
@rails/webpacker      5.4.0    5.4.0   5.4.3   node_modules/@rails/webpacker      myapp
bootstrap             4.3.1    4.3.1   5.1.3   node_modules/bootstrap             myapp
datatables.net-bs4    3.2.2    3.2.2   1.11.4  node_modules/datatables.net-bs4    myapp
webpack               4.46.0   4.46.0  5.67.0  node_modules/webpack               myapp
webpack-cli           3.3.12   3.3.12  4.9.2   node_modules/webpack-cli           myapp
webpack-dev-server    3.11.2   3.11.2  4.7.3   node_modules/webpack-dev-server    myapp
However, whenever I run npm update webpack-dev-server, it seems to run but doesn't change the version:
root@fdaf6460fe1a:/home/ubuntu/myapp# npm update webpack-dev-server
up to date, audited 1312 packages in 3s
123 packages are looking for funding
run `npm fund` for details
98 vulnerabilities (2 low, 88 moderate, 8 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
but when I run npm list webpack-dev-server, the version is still 3.11.2:
root@fdaf6460fe1a:/home/ubuntu/myapp# npm list webpack-dev-server
app@1.0.0 /home/ubuntu/myapp
└── webpack-dev-server@3.11.2
In my package.json file, it does list webpack-dev-server in the following manner:
"webpack-dev-server": "^3.11.2"
However, I've tried removing the ^ and running npm update webpack-dev-server again, but still no luck. How exactly do I update webpack-dev-server in my case, or figure out why it's not updating?
How do I even know that npm update is working? I can run npm update <anything here> and it doesn't return any errors:
root@fdaf6460fe1a:/home/ubuntu/myapp# npm update npmkerjhtekrhjter
up to date, audited 1312 packages in 3s
npm update will only update to whatever is specified in your package.json. Removing the ^ doesn't make it more lax. It makes it more strict.
To update to 4.x: npm install webpack-dev-server#4
That will install the 4.x version and update package.json (and package-lock.json if you're using that).
In your case, npm update isn't going to do anything because all the versions in the Current column are the same as the Wanted column. The Wanted column is what npm update will update to, but there's nothing to update. The Latest column lets you know if there are newer versions than what your package.json permits.
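An added example (my own, not npm's code) of the rule the answer states: Wanted is the highest published version that the package.json range permits, Latest is the highest published version regardless of the range, and npm update only moves Current to Wanted. The published version list is constructed; the caret handling follows semver's ^ rule (same major at 1.0.0 and above, same minor for 0.x), and a bare version with the ^ removed pins exactly one version, which is why removing the ^ is stricter rather than laxer. The third scenario assumes npm's default save prefix, under which npm install webpack-dev-server@4 leaves ^4.7.3 in package.json.

```javascript
// Added example (not npm's code): how Current, Wanted and Latest in `npm outdated`
// follow from the range in package.json. The published version list is constructed.
const PUBLISHED = ['3.11.0', '3.11.1', '3.11.2', '4.0.0', '4.7.2', '4.7.3'];

// Numeric compare of dotted versions (pre-release tags are not handled here).
function cmp(a, b) {
  const x = a.split('.').map(Number), y = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Exclusive upper bound of a caret range: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpper(base) {
  const [M, m, p] = base.split('.').map(Number);
  if (M > 0) return `${M + 1}.0.0`;
  if (m > 0) return `0.${m + 1}.0`;
  return `0.0.${p + 1}`;
}

// Only the two range forms the question uses: "^x.y.z" and a bare "x.y.z" (exact pin).
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return cmp(version, base) >= 0 && cmp(version, caretUpper(base)) < 0;
  }
  return cmp(version, range) === 0;
}

// The columns `npm outdated` prints for one package.
function outdated(name, current, range, published) {
  const sorted = [...published].sort(cmp);
  const allowed = sorted.filter((v) => satisfies(v, range));
  return {
    name,
    current,
    wanted: allowed.length ? allowed[allowed.length - 1] : null, // what `npm update` targets
    latest: sorted[sorted.length - 1],                            // highest published, range ignored
  };
}

// True only when `npm update` would actually change the installed version.
function updateWouldChange(row) {
  return row.wanted !== null && row.wanted !== row.current;
}

// Scenarios from the question: ^3.11.2 as written, the ^ removed, and the range left
// behind by `npm install webpack-dev-server@4` (assumption: default save prefix, ^4.7.3).
for (const range of ['^3.11.2', '3.11.2', '^4.7.3']) {
  const row = outdated('webpack-dev-server', '3.11.2', range, PUBLISHED);
  console.log(range.padEnd(8), row, 'npm update changes anything:', updateWouldChange(row));
}
```

Run with node. The first two rows have Current equal to Wanted, so npm update is a no-op for them; only the third row, where the range itself was moved to 4.x, gives npm update something to do.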

NPM audit not finding vulnerabilities

I have a CI service that runs npm audit on every build and notifies if there are high-risk vulnerabilities. The strange thing is that when CI reports high vulnerabilities and I run npm audit locally, it says found 0 vulnerabilities. It will find the issue in a few days...
For example, the CI reports about: CVE-2020-7774: The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.
But on local dev env:
Both CI and local use Node 15.12.0 and npm 7.6.3.
Why is npm audit not finding the latest issues? Is there any way to force update it or something?
npm --verbose audit output: