I want to use react-highcharts in my application. I used npm install react-highcharts, which succeeded with the warning:
found 1 high severity vulnerability, run `npm audit fix` to fix them, or `npm audit` for details.
npm audit fix did nothing; it said I had to manually fix the issue. I ran npm audit to see what was going on, and got
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Cross-Site Scripting │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=7.2.2 <8.0.0 || >=8.1.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-highcharts > highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1227 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 994 scanned packages
1 vulnerability requires manual review. See the full report for details.
The "More info" link and the "Patched in" row reveal that this was fixed in highcharts >=8.1.1. The most recent version is highcharts@9.0.0, so I decided to update it:
❯ npm update highcharts -dd
npm info it worked if it ends with ok
npm verb cli [
npm verb cli '/usr/local/bin/node',
npm verb cli '/usr/local/bin/npm',
npm verb cli 'update',
npm verb cli 'highcharts',
npm verb cli '-dd'
npm verb cli ]
npm info using npm@6.14.10
npm info using node@v14.15.4
npm verb npm-session 0b92b8dc64938cea
npm verb update computing outdated modules to update
npm verb exit [ 0, true ]
npm timing npm Completed in 1507ms
npm info ok
"It worked if it ends in ok," but look:
❯ npm list highcharts
myproj@1.0.0 /Users/actinidia/myproj
└─┬ react-highcharts@16.1.0
  └── highcharts@6.2.0
I still have highcharts@6.2.0! And running npm install highcharts just leads to a second copy of highcharts, though the new version is indeed version 9.0.0:
├── highcharts@9.0.0
└─┬ react-highcharts@16.1.0
  └── highcharts@6.2.0
How do I update the dependency that react-highcharts will use?
You should uninstall highcharts first and install again.
npm uninstall react-highcharts
npm install react-highcharts
I followed ppotaczek's advice and installed the officially supported wrapper for Highcharts. It was as easy as
❯ npm install highcharts-react-official
npm WARN highcharts-react-official@3.0.0 requires a peer of highcharts@>=6.0.0
but none is installed. You must install peer dependencies yourself.
+ highcharts-react-official@3.0.0
added 1 package and audited 992 packages in 4.48s
❯ npm install highcharts
+ highcharts@9.0.0
added 1 package from 1 contributor and audited 993 packages in 4.978s
Remove installed: node_modules and package-lock.json
Modify the package.json format as follows
npm audit fix --force
npm install
Related
I want to fix one vulnerability and after lot of hit and trial, I want to use the fix given by npm audit fix. The npm audit says:
# Run npm update mkdirp --depth 8 to resolve 10 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ less │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ less > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │
└───────────────┴──────────────────────────────────────────────────────────────┘
Now, I ran the above command and result is:
npm update mkdirp --depth 8
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN grunt-webpack@2.0.1 requires a peer of webpack@^2.1.0-beta || ^2.2.0-rc || ^2.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN karma-webpack@2.0.3 requires a peer of webpack@^1.1.0 || ^2 || ^2.1.0-beta.0 || ^2.2.0-rc.0 but none is installed. You must install peer dependencies yourself.
npm WARN The package style-loader is included as both a dev and production dependency.
npm WARN The package uuid is included as both a dev and production dependency.
+ mkdirp@0.5.6
added 4 packages from 1 contributor, updated 1 package and audited 1827 packages in 8.439s
4 packages are looking for funding
run `npm fund` for details
found 528 vulnerabilities (31 low, 169 moderate, 228 high, 100 critical)
run `npm audit fix` to fix them, or `npm audit` for details
Now if I run npm audit, the vulnerability is not there, but I don't see any changes in the package.json file. The only changes are in package-lock.json, which we are not supposed to check in. How can I have npm audit change package.json, so that it can be checked in?
The only changes are in package-lock.json, which we are not supposed to check in
This is wrong, you should check this in. It's the whole point of the file to make sure anyone else using the repo is running the same versions as you.
In answer to your question (a little late), the vulnerability is likely in one of the dependencies of your dependencies if that makes sense. Eg. You have installed package A which has a dependency on package B. Package A will be in your package.json but package B will only be in the lock file.
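As an added illustration of the point above (package B appears only in the lock file, on a path like the `react-highcharts > highcharts` row of the first question), the following Node script walks a package-lock.json v1 `dependencies` tree and checks every installed copy of a package against the audit report's "Patched in" range. It is not code from any of the posts: the lockfile is constructed to mirror the `npm list highcharts` output, the function names are mine, and the semver comparison deliberately ignores prerelease tags.

```javascript
// Constructed lockfile v1 fragment mirroring the `npm list highcharts` output
// in the question above (not copied from any real project).
const LOCKFILE = {
  name: "myproj", version: "1.0.0", lockfileVersion: 1,
  dependencies: {
    highcharts: { version: "9.0.0" },
    "react-highcharts": {
      version: "16.1.0",
      requires: { highcharts: "^6.2.0" },
      dependencies: { highcharts: { version: "6.2.0" } }  // nested copy
    }
  }
};

// "1.2.3" -> [1, 2, 3]; prerelease tags are dropped (a simplification of real semver).
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// A "Patched in" range such as ">=7.2.2 <8.0.0 || >=8.1.1": OR-separated groups, every comparator in a group must hold.
function satisfies(version, range) {
  return range.split("||").some(group => {
    const cmps = [...group.matchAll(/(>=|<=|>|<|=)?\s*(\d[^\s]*)/g)];
    return cmps.length > 0 && cmps.every(([, op = "=", target]) => {
      const c = compareVersions(version, target);
      return op === ">=" ? c >= 0 : op === "<=" ? c <= 0
           : op === ">" ? c > 0 : op === "<" ? c < 0 : c === 0;
    });
  });
}

// Depth-first walk over nested "dependencies" maps; returns every installed copy of `name` with its path.
function findInstalls(tree, name, prefix = []) {
  const found = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, dep];
    if (dep === name) found.push({ path: path.join(" > "), version: info.version });
    found.push(...findInstalls(info, name, path));
  }
  return found;
}

// For each copy, say whether it is already inside the patched range.
function auditPackage(lock, name, patchedIn) {
  return findInstalls(lock, name).map(hit =>
    ({ ...hit, patched: satisfies(hit.version, patchedIn) }));
}

console.log(auditPackage(LOCKFILE, "highcharts", ">=7.2.2 <8.0.0 || >=8.1.1"));
```

Running it reports the top-level 9.0.0 copy as patched and the nested `react-highcharts > highcharts` 6.2.0 copy as not patched, which is exactly the situation the first question's `npm list` shows.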
When I run npm install it says found 10 vulnerabilities (10 low)
run npm audit fix to fix them, or npm audit for details.
However, npm audit fix outputs up to date in 11s
fixed 0 of 10 vulnerabilities in 24653 scanned packages
10 vulnerabilities required manual review and could not be updated
Does that review mean it is not supposed to be fixed by the user?
When I run npm audit it gives me list of tables, similar to this:
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ expo > expo-constants > fbjs > isomorphic-fetch > node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ expo > expo-linking > expo-constants > fbjs > │
│ │ isomorphic-fetch > node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ expo > expo-error-recovery > fbjs > isomorphic-fetch > │
│ │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 10 low severity vulnerabilities in 1062 scanned packages
10 vulnerabilities require manual review. See the full report for details.
chingun@Chinguns-MacBook-Pro rn-starter % npm install <node-fetch>@3.0.0-beta.9
zsh: no such file or directory: node-fetch
chingun@Chinguns-MacBook-Pro rn-starter % npm install node-fetch@3.0.0-beta.9
npm WARN fetch-blob@2.1.1 requires a peer of domexception@^2.0.1 but none is installed. You must install peer dependencies yourself.
+ node-fetch@3.0.0-beta.9
updated 1 package and audited 1062 packages in 4.161s
55 packages are looking for funding
run `npm fund` for details
found 10 low severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
chingun@Chinguns-MacBook-Pro rn-starter % npm install node-fetch 3.0.0-beta.9
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/3.0.0-beta.9 - Not found
npm ERR! 404
npm ERR! 404 '3.0.0-beta.9@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/chingun/.npm/_logs/2021-01-18T09_03_23_637Z-debug.log
chingun@Chinguns-MacBook-Pro rn-starter % npm install node-fetch 2.6.1
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/2.6.1 - Not found
npm ERR! 404
npm ERR! 404 '2.6.1@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/chingun/.npm/_logs/2021-01-18T09_04_02_408Z-debug.log
chingun@Chinguns-MacBook-Pro rn-starter % npm install node-fetch@3.0.0-beta.9
npm WARN fetch-blob@2.1.1 requires a peer of domexception@^2.0.1 but none is installed. You must install peer dependencies yourself.
+ node-fetch@3.0.0-beta.9
updated 1 package and audited 1062 packages in 4.161s
55 packages are looking for funding
run `npm fund` for details
found 10 low severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
chingun@Chinguns-MacBook-Pro rn-starter % npm audit fix
npm WARN fetch-blob@2.1.1 requires a peer of domexception@^2.0.1 but none is installed. You must install peer dependencies yourself.
up to date in 3.454s
55 packages are looking for funding
run `npm fund` for details
fixed 0 of 10 vulnerabilities in 1062 scanned packages
10 vulnerabilities required manual review and could not be updated
chingun@Chinguns-MacBook-Pro rn-starter %
After npm install on a clean environment, I get the following problem with the b package:
npm ls b
a@2.0.6
├── b@3.0.0
├─┬ c@3.0.1
│ └── UNMET DEPENDENCY b@^1.0.0
└─┬ d@4.1.1
  └─┬ c@2.1.0
    └── UNMET DEPENDENCY b@^1.0.0
npm ERR! missing: b@^1.0.0, required by c@3.0.1
npm ERR! missing: b@^1.0.0, required by c@2.1.0
This obviously causes errors, as package c needs b@^1.0.0, but receives b@3.0.0.
I struggled to force npm to install both versions as if they were different packages. I tried going through the npm docs, package-locks, and shrinkwrap, but with no success. How can I solve this problem?
Environment info:
OS: macOS High Sierra 10.13.4
npm: 6.10
node: v8.8.1
Playing around, I noticed that a lot of packages had UNMET DEPENDENCY. The following procedure fixed the problem:
rm -rf node_modules
npm cache clean --force
npm install
After cleaning npm cache the issue is completely resolved:
a@2.0.6
├── b@3.0.0
├─┬ c@3.0.1
│ └── b@^1.0.0
└─┬ d@4.1.1
  └─┬ c@2.1.0
    └── b@^1.0.0
Strange bug.
After each installation of a new NPM module in my project I get the following error:
[!] 40 vulnerabilities found - Packages audited: 5840 (0 dev, 299 optional)
Severity: 8 Low | 24 Moderate | 8 High
So then I run npm audit and I get the details for each of the 40 vulnerabilities, such as:
# Run npm install npm@6.0.1 to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > request > hawk > │
│ │ boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
or this:
# Run npm update fsevents --depth 2 to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ chokidar > fsevents > node-pre-gyp > tar-pack > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
So I run npm install npm@6.0.1 (even though I already had 6.0.1), then npm update fsevents --depth 2. But after that I re-run npm audit and nothing has changed; I still have the same 40 vulnerabilities, and some of them are really scary. What should I do?
This worked for me on MacOS:
Update NPM to the new 6.1.0. It introduces an 'npm audit fix' command; more info here.
Run 'npm audit fix'.
When you run 'npm audit' again, the only vulnerabilities left should be "Manual Review" issues.
This seems to be a bug in npm 6.0.1 related to handling of optional dependencies: https://github.com/npm/npm/issues/20577
This worked for me:
Do the npm audit suggestions that aren't npm updates
Delete package-lock.json
Delete the node_modules folder
Run npm install again
https://github.com/npm/npm/issues/20684
Source: https://github.com/npm/npm/issues/20675.
One fsevents issue may have to do with the fact that
fsevents can't be installed on Windows, so you will have to update it on a macOS machine.
That's a bit strange, since exhnozoaa's solution, as of this date, seems to imply otherwise:
I was able to work around this on Windows with the following steps.
Open package-lock.json in an editor.
Search for "fsevents". Find the one that is an object directly under "dependencies".
Delete "fsevents" (the key and the whole object).
From the terminal, run npm install.
This should regenerate that section with the latest version that is compatible with the other packages. I don't really think this is a good way to fix it, but it is one that worked for me.
I'm getting an error when using npm to install grunt-cli globally. It's related to lodash:
npm WARN deprecated lodash@2.4.2:
lodash@<3.0.0 is no longer maintained. Upgrade to lodash@^3.0.0.
Here are the versions I'm using, and the list of global packages installed.
node: v5.1.0
npm: v3.5.0
npm list -g: http://pastebin.com/NuJU3bY0
I've attempted to install the latest version of lodash (v3.10.1) globally, but I still got the error again after uninstalling my grunt-cli global package, and then re-installing my global package. Below is the installation log:
sudo npm install lodash -g
/usr/local/lib
└── lodash@3.10.1
sudo npm install grunt-cli -g
npm WARN deprecated lodash@2.4.2:
lodash@<3.0.0 is no longer maintained. Upgrade to lodash@^3.0.0.
/usr/local/bin/grunt -> /usr/local/lib/node_modules/grunt-cli/bin/grunt
/usr/local/lib
└─┬ grunt-cli@0.1.13
  ├─┬ findup-sync@0.1.3
  │ ├─┬ glob@3.2.11
  │ │ ├── inherits@2.0.1
  │ │ └─┬ minimatch@0.3.0
  │ │   ├── lru-cache@2.7.3
  │ │   └── sigmund@1.0.1
  │ └── lodash@2.4.2
  ├─┬ nopt@1.0.10
  │ └── abbrev@1.0.7
  └── resolve@0.3.1
npm WARN In grunt-cli@0.1.13 replacing bundled version of nopt with nopt@1.0.10
npm WARN In grunt-cli@0.1.13 replacing bundled version of findup-sync with findup-sync@0.1.3
npm WARN In grunt-cli@0.1.13 replacing bundled version of resolve with resolve@0.3.1
npm WARN In grunt-cli@0.1.13 replacing bundled version of lodash with lodash@2.4.2
npm WARN In grunt-cli@0.1.13 replacing bundled version of glob with glob@3.2.11
npm WARN In grunt-cli@0.1.13 replacing bundled version of inherits with inherits@2.0.1
npm WARN In grunt-cli@0.1.13 replacing bundled version of minimatch with minimatch@0.3.0
npm WARN In grunt-cli@0.1.13 replacing bundled version of sigmund with sigmund@1.0.1
npm WARN In grunt-cli@0.1.13 replacing bundled version of lru-cache with lru-cache@2.7.3
npm WARN In grunt-cli@0.1.13 replacing bundled version of abbrev with abbrev@1.0.7
Can anyone tell me what I'm doing wrong, or how to fix this error and get a clean install of grunt-cli?
The package grunt-cli relies on an older version of lodash. It shouldn't affect the functionality of grunt; it's just a warning message.
So, you're doing nothing wrong, it's not an error message, just a warning, and the way you've installed grunt-cli should work fine.
You can try running this command in your console:
npm i -g lodash
Let me know if this fixes it.