How to fix npm vulnerabilities manually for node-fetch? - node.js

When I run npm install it says found 10 vulnerabilities (10 low)
run npm audit fix to fix them, or npm audit for details.
However, npm audit fix outputs up to date in 11s
fixed 0 of 10 vulnerabilities in 24653 scanned packages
10 vulnerabilities required manual review and could not be updated
Does that mean it is not supposed to be fixed by the user?
When I run npm audit it gives me a list of tables, similar to this:
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ expo > expo-constants > fbjs > isomorphic-fetch > node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ expo > expo-linking > expo-constants > fbjs > │
│ │ isomorphic-fetch > node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ expo > expo-error-recovery > fbjs > isomorphic-fetch > │
│ │ node-fetch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1556 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 10 low severity vulnerabilities in 1062 scanned packages
10 vulnerabilities require manual review. See the full report for details.
chingun@Chinguns-MacBook-Pro rn-starter % npm install <node-fetch>@3.0.0-beta.9
zsh: no such file or directory: node-fetch
chingun@Chinguns-MacBook-Pro rn-starter % npm install node-fetch@3.0.0-beta.9
npm WARN fetch-blob@2.1.1 requires a peer of domexception@^2.0.1 but none is installed. You must install peer dependencies yourself.
+ node-fetch@3.0.0-beta.9
updated 1 package and audited 1062 packages in 4.161s
55 packages are looking for funding
run `npm fund` for details
found 10 low severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
chingun@Chinguns-MacBook-Pro rn-starter % npm install node-fetch 3.0.0-beta.9
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/3.0.0-beta.9 - Not found
npm ERR! 404
npm ERR! 404 '3.0.0-beta.9@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/chingun/.npm/_logs/2021-01-18T09_03_23_637Z-debug.log
chingun@Chinguns-MacBook-Pro rn-starter % npm install node-fetch 2.6.1
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/2.6.1 - Not found
npm ERR! 404
npm ERR! 404 '2.6.1@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/chingun/.npm/_logs/2021-01-18T09_04_02_408Z-debug.log
chingun@Chinguns-MacBook-Pro rn-starter % npm install node-fetch@3.0.0-beta.9
npm WARN fetch-blob@2.1.1 requires a peer of domexception@^2.0.1 but none is installed. You must install peer dependencies yourself.
+ node-fetch@3.0.0-beta.9
updated 1 package and audited 1062 packages in 4.161s
55 packages are looking for funding
run `npm fund` for details
found 10 low severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
chingun@Chinguns-MacBook-Pro rn-starter % npm audit fix
npm WARN fetch-blob@2.1.1 requires a peer of domexception@^2.0.1 but none is installed. You must install peer dependencies yourself.
up to date in 3.454s
55 packages are looking for funding
run `npm fund` for details
fixed 0 of 10 vulnerabilities in 1062 scanned packages
10 vulnerabilities required manual review and could not be updated
chingun@Chinguns-MacBook-Pro rn-starter %
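Since the report only lists paths, the practical first step is to work out, for every finding, which entry in your own package.json (or npm itself) sits at the top of the path, because that is the package whose version decides which nested copy gets installed. The script below is an added example, not code from the question or from npm: it reads the JSON that `npm audit --json` prints under npm 6 (`advisories` keyed by id, each with `findings[].paths` joined by `>`) and groups the findings that way. The audit object embedded in it is constructed from the paths printed above and from the tar report further down the page; the `version` fields in it are placeholders, and the `overrides` mention in the advice refers to the package.json field npm added in 8.3.

```javascript
'use strict';

// Added example, not code from the question or from npm: group an
// `npm audit --json` report (npm 6 layout) by the top-level dependency
// that actually has to change for each vulnerable path to go away.

// Severity order used to report the worst finding per top-level package.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample shaped like npm 6's `npm audit --json`: `advisories`
// keyed by id, each with `findings[].paths` joined by '>'. The paths are the
// ones printed on this page; the `version` fields are placeholders.
const SAMPLE_AUDIT = {
  advisories: {
    '1556': {
      id: 1556,
      module_name: 'node-fetch',
      severity: 'low',
      title: 'Denial of Service',
      patched_versions: '>=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9',
      findings: [{
        version: '2.6.0', // placeholder, not taken from the page
        paths: [
          'expo>expo-constants>fbjs>isomorphic-fetch>node-fetch',
          'expo>expo-linking>expo-constants>fbjs>isomorphic-fetch>node-fetch',
          'expo>expo-error-recovery>fbjs>isomorphic-fetch>node-fetch',
        ],
      }],
    },
    '803': {
      id: 803,
      module_name: 'tar',
      severity: 'high',
      title: 'Arbitrary File Overwrite',
      patched_versions: '>=2.2.2 <3.0.0 || >=4.4.2',
      findings: [{ version: '2.2.1', paths: ['npm>npm-lifecycle>node-gyp>tar'] }], // placeholder version
    },
  },
};

// One record per first path segment: the package in your package.json (or
// npm itself) whose version decides which nested copy gets installed.
function groupByTopLevel(audit) {
  const byTop = new Map();
  for (const adv of Object.values(audit.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const segments = path.split('>');
        const topLevel = segments[0];
        const rec = byTop.get(topLevel) || {
          topLevel, direct: false, advisories: new Set(), modules: new Set(), paths: [], worstSeverity: 'info',
        };
        rec.direct = rec.direct || segments.length === 1; // vulnerable package is in package.json itself
        rec.advisories.add(adv.id);
        rec.modules.add(adv.module_name);
        rec.paths.push(path);
        if (SEVERITY_RANK[adv.severity] > SEVERITY_RANK[rec.worstSeverity]) rec.worstSeverity = adv.severity;
        byTop.set(topLevel, rec);
      }
    }
  }
  return [...byTop.values()]
    .sort((a, b) => a.topLevel.localeCompare(b.topLevel))
    .map(r => ({ ...r, advisories: [...r.advisories].sort((a, b) => a - b), modules: [...r.modules].sort() }));
}

// `npm audit fix` only succeeds when a newer in-range version of the parent
// exists; everything else lands in "manual review", and the kind of manual
// work depends on who owns the top of the path.
function fixKind(rec) {
  if (rec.topLevel === 'npm') return 'npm-bundled'; // shipped inside the npm CLI: upgrade npm itself
  if (rec.direct) return 'direct';                  // npm install <module>@<patched range>
  return 'transitive';                              // bump or replace the top-level package
}

function recommend(rec) {
  const mods = rec.modules.join(', ');
  switch (fixKind(rec)) {
    case 'npm-bundled':
      return `${mods}: bundled with npm; upgrade npm itself (npm install -g npm@latest)`;
    case 'direct':
      return `${mods}: direct dependency; npm install ${rec.modules[0]}@<patched range>`;
    default:
      return `${mods} via ${rec.paths.length} path(s) under "${rec.topLevel}": a root-level ` +
        `npm install ${rec.modules[0]}@<patched> adds a copy these paths do not use; ` +
        `upgrade "${rec.topLevel}" to a release whose own ranges pull the patched version, ` +
        `or pin it with an "overrides" entry in package.json (npm 8.3+)`;
  }
}

// One line per top-level package, worst severity first in brackets.
function report(audit) {
  return groupByTopLevel(audit).map(r => `[${r.worstSeverity}] ${recommend(r)}`);
}

console.log(report(SAMPLE_AUDIT).join('\n'));
```

To run it against a real project, replace SAMPLE_AUDIT with `JSON.parse(require('fs').readFileSync(0, 'utf8'))` and pipe `npm audit --json` into it. The grouping makes the point the transcript above ran into: `npm install node-fetch@3.0.0-beta.9` adds a root-level copy that none of the three expo paths uses, so the count stays at 10; the nested copies only change when expo (or the packages between it and node-fetch) publish releases whose own ranges allow a patched version.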

Related

npm audit fix not updating package.json

I want to fix one vulnerability and, after a lot of hit and trial, I want to use the fix given by npm audit fix. The npm audit says:
# Run npm update mkdirp --depth 8 to resolve 10 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ less │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ less > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │
└──────────────
Now, I ran the above command and result is:
npm update mkdirp --depth 8
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN grunt-webpack@2.0.1 requires a peer of webpack@^2.1.0-beta || ^2.2.0-rc || ^2.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN karma-webpack@2.0.3 requires a peer of webpack@^1.1.0 || ^2 || ^2.1.0-beta.0 || ^2.2.0-rc.0 but none is installed. You must install peer dependencies yourself.
npm WARN The package style-loader is included as both a dev and production dependency.
npm WARN The package uuid is included as both a dev and production dependency.
+ mkdirp@0.5.6
added 4 packages from 1 contributor, updated 1 package and audited 1827 packages in 8.439s
4 packages are looking for funding
run `npm fund` for details
found 528 vulnerabilities (31 low, 169 moderate, 228 high, 100 critical)
run `npm audit fix` to fix them, or `npm audit` for details
Now if I run npm audit, the vulnerability is not there, but I don't see any changes in the package.json file. The only changes are in package-lock.json, which we are not supposed to check in. How can I have npm audit change package.json, so that it can be checked in?
Only changes are done in package-lock.json which we are not supposed to check in
This is wrong, you should check this in. It's the whole point of the file to make sure anyone else using the repo is running the same versions as you.
In answer to your question (a little late), the vulnerability is likely in one of the dependencies of your dependencies, if that makes sense. E.g. you have installed package A which has a dependency on package B. Package A will be in your package.json but package B will only be in the lock file.

Node module's dependencies will not update after update or install?

I want to use react-highcharts in my application. I used npm install react-highcharts, which succeeded with the warning:
found 1 high severity vulnerability, run `npm audit fix` to fix them, or `npm audit` for details.
npm audit fix did nothing; it said I had to manually fix the issue. I ran npm audit to see what was going on, and got
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Cross-Site Scripting │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=7.2.2 <8.0.0 || >=8.1.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-highcharts > highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1227 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 994 scanned packages
1 vulnerability requires manual review. See the full report for details.
The "More info" link and the "Patched in" row reveal that this was fixed in highcharts >=8.1.1. The most recent version is highcharts@9.0.0, so I decided to update it:
❯ npm update highcharts -dd
npm info it worked if it ends with ok
npm verb cli [
npm verb cli '/usr/local/bin/node',
npm verb cli '/usr/local/bin/npm',
npm verb cli 'update',
npm verb cli 'highcharts',
npm verb cli '-dd'
npm verb cli ]
npm info using npm@6.14.10
npm info using node@v14.15.4
npm verb npm-session 0b92b8dc64938cea
npm verb update computing outdated modules to update
npm verb exit [ 0, true ]
npm timing npm Completed in 1507ms
npm info ok
"It worked if it ends in ok," but look:
❯ npm list highcharts
myproj@1.0.0 /Users/actinidia/myproj
└─┬ react-highcharts@16.1.0
  └── highcharts@6.2.0
I still have highcharts@6.2.0! And running npm install highcharts just leads to a second copy of highcharts, though the new version is indeed version 9.0.0:
├── highcharts@9.0.0
└─┬ react-highcharts@16.1.0
  └── highcharts@6.2.0
How do I update the dependency that react-highcharts will use?
You should uninstall highcharts first and install again.
npm uninstall react-highcharts
npm install react-highcharts
I followed ppotaczek's advice and installed the officially supported wrapper for Highcharts. It was as easy as
❯ npm install highcharts-react-official
npm WARN highcharts-react-official@3.0.0 requires a peer of highcharts@>=6.0.0 but none is installed. You must install peer dependencies yourself.
+ highcharts-react-official@3.0.0
added 1 package and audited 992 packages in 4.48s
❯ npm install highcharts
+ highcharts@9.0.0
added 1 package from 1 contributor and audited 993 packages in 4.978s
Remove the installed node_modules and package-lock.json.
Modify the package.json format as follows
npm audit fix --force
npm install
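Two things in this thread, and in the package-lock answer further up ("package B will only be in the lock file"), can be checked straight from package-lock.json rather than by trial and error: which copies of a package the lock actually resolves (the two highcharts entries `npm list` showed), and whether each copy's version falls inside the "Patched in" range from the audit table. The script below is an added example, not code from any of the answers or from npm. It walks a lockfileVersion 1 file (the layout npm 6 writes) using a constructed fragment embedded in the script, whose `requires` range for highcharts is an assumption, and implements just enough semver comparison, prerelease tags included, for the plain comparator ranges npm audit prints.

```javascript
'use strict';

// Added example, not code from any of the answers: list every copy of a
// package that package-lock.json resolves, and check each one against the
// "Patched in" range npm audit prints.

// Constructed lockfileVersion 1 fragment (the layout npm 6 writes) matching
// the `npm list highcharts` output in the question: one copy nested under
// react-highcharts and a second, hoisted copy from `npm install highcharts`.
// The `requires` range is an assumption, not taken from the page.
const SAMPLE_LOCK = {
  name: 'myproj',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    'react-highcharts': {
      version: '16.1.0',
      requires: { highcharts: '^6.0.0' },
      dependencies: { highcharts: { version: '6.2.0' } },
    },
    highcharts: { version: '9.0.0' },
  },
};

// Walk the nested `dependencies` maps and return every installed copy of
// `name` with the path `npm list` would print for it.
function findInstalled(lock, name) {
  const hits = [];
  (function walk(deps, trail) {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = [...trail, dep];
      if (dep === name) hits.push({ path: path.join(' > '), version: meta.version });
      walk(meta.dependencies, path);
    }
  })(lock.dependencies, []);
  return hits;
}

// "1.2.3-beta.4" -> { nums: [1, 2, 3], pre: ['beta', '4'] }
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: numeric triple first, then a release outranks any
// prerelease of the same triple, then prerelease identifiers left to right
// (numeric ones compare numerically and rank below alphanumeric ones; a
// shorter identifier list ranks lower).
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) if (A.nums[i] !== B.nums[i]) return A.nums[i] - B.nums[i];
  if (A.pre.length === 0 || B.pre.length === 0) return B.pre.length - A.pre.length;
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    if (A.pre[i] === undefined) return -1;
    if (B.pre[i] === undefined) return 1;
    const an = /^\d+$/.test(A.pre[i]), bn = /^\d+$/.test(B.pre[i]);
    if (an && bn) { if (+A.pre[i] !== +B.pre[i]) return +A.pre[i] - +B.pre[i]; }
    else if (an !== bn) return an ? -1 : 1;
    else if (A.pre[i] !== B.pre[i]) return A.pre[i] < B.pre[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy a "Patched in" range such as
// ">=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9"? Clauses around "||" are
// alternatives; every comparator inside a clause must hold. Only the plain
// comparators npm audit prints are handled (no ^, ~ or x-ranges).
function satisfies(version, range) {
  return range.split('||').some(clause => {
    const comps = [...clause.matchAll(/(>=|<=|>|<|=)?\s*(\d\S*)/g)];
    return comps.length > 0 && comps.every(([, op = '=', v]) => {
      const c = compareVersions(version, v);
      return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
    });
  });
}

// Every resolved copy of `name`, flagged against the patched range.
function auditLock(lock, name, patchedRange) {
  return findInstalled(lock, name).map(hit => ({ ...hit, patched: satisfies(hit.version, patchedRange) }));
}

for (const copy of auditLock(SAMPLE_LOCK, 'highcharts', '>=7.2.2 <8.0.0 || >=8.1.1')) {
  console.log(`${copy.patched ? 'ok  ' : 'VULN'} ${copy.path}@${copy.version}`);
}
```

Replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` to run it on a real project. On the sample it shows why the `npm install highcharts` attempt above could not help: the hoisted root copy reports patched, while `react-highcharts > highcharts` stays at 6.2.0 because the range react-highcharts declares for it (assumed here to be ^6.0.0) selects it. For node-fetch's range from the first question, `>=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9`, the prerelease ordering in compareVersions is what makes 3.0.0-beta.9 count as patched and 3.0.0-beta.5 not.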

How to resolve npm vulnerability with npm as the dependent package involved?

So I run npm audit and all of the vulnerabilities are due to some dependency in npm, particularly node-gyp which is using a vulnerable version of tar. Note that I don’t have node-gyp in my package.json.
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.2.2 <3.0.0 || >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
I tried updating to the latest version of npm but I still get the same audit report. It’s quite nested. How do I resolve this?

Running suggested command doesn't fix NPM Vulnerability

After each installation of a new NPM module in my project I get the following error:
[!] 40 vulnerabilities found - Packages audited: 5840 (0 dev, 299 optional)
Severity: 8 Low | 24 Moderate | 8 High
So then I run npm audit and I get the details for each of the 40 vulnerabilities, such as:
# Run npm install npm@6.0.1 to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > request > hawk > │
│ │ boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
or this :
# Run npm update fsevents --depth 2 to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ chokidar > fsevents > node-pre-gyp > tar-pack > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
So I run npm install npm@6.0.1 (even though I already had 6.0.1) and then npm update fsevents --depth 2. But after that I re-run npm audit and nothing has changed; I still have the same 40 vulnerabilities and some of them are really scary. What should I do?
This worked for me on macOS:
Update NPM to the new 6.1.0. It introduces an 'npm audit fix' command; more info here.
Run 'npm audit fix'.
When you run 'npm audit' again, the only vulnerabilities left should be "Manual Review" issues.
This seems to be a bug in npm 6.0.1 related to handling of optional dependencies: https://github.com/npm/npm/issues/20577
This worked for me:
Do the npm audit suggestions that aren't npm updates
Delete package-lock.json
Delete the node_modules folder
Run npm install again
https://github.com/npm/npm/issues/20684
Source: https://github.com/npm/npm/issues/20675.
One fsevents issue may have to do with the fact that
fsevents can't be installed on Windows, so you will have to update it on a macOS machine.
That's a bit strange, since exhnozoaa's solution, as of this date, seems to imply otherwise:
I was able to work around this on Windows with the following steps.
Open package-lock.json in an editor.
Search for "fsevents". Find the one that is an object directly under "dependencies".
Delete "fsevents" (the key and the whole object).
From the terminal, run npm install.
This should regenerate that section with the latest version that is compatible with the other packages. I don't really think this is a good way to fix it, but it is one that worked for me.

Cannot Install gulp-sass

I'm trying to learn how to use gulp / sass / and all the other fun tools with Nodejs and I'm having an issue installing gulp-sass. The process I'm using to install everything is:
1. Start Git Bash in the project folder
2. npm init
3. npm install gulp -g
4. npm install gulp --save-dev
5. npm install gulp-sass <- this is where I get errors
Once I get to step five, I get the following error:
$ npm install gulp-sass
npm WARN package.json project@1.0.0 No repository field.
npm WARN package.json project@1.0.0 No README data
> node-sass@3.2.0 install \\primary\home\mendsley\profile\Desktop\project\node_modules\gulp-sass\node_modules\node-sass
> node scripts/install.js
'\\primary\home\mendsley\profile\Desktop\project\node_modules\gulp-sass\node_modules\node-sass'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
module.js:338
throw err;
^
Error: Cannot find module 'C:\Windows\scripts\install.js'
at Function.Module._resolveFilename (module.js:336:15)
at Function.Module._load (module.js:278:25)
at Function.Module.runMain (module.js:501:10)
at startup (node.js:129:16)
at node.js:814:3
npm ERR! Windows_NT 6.1.7601
npm ERR! argv "c:\\Program Files\\nodejs\\node.exe" "c:\\Users\\mendsley\\AppData\\Roaming\\npm\\node_modules\\npm\\bin\\npm-cli.js" "install" "gulp-sass"
npm ERR! node v0.12.1
npm ERR! npm v2.13.1
npm ERR! code ELIFECYCLE
npm ERR! node-sass@3.2.0 install: `node scripts/install.js`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the node-sass@3.2.0 install script 'node scripts/install.js'.
npm ERR! This is most likely a problem with the node-sass package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node scripts/install.js
npm ERR! You can get their info via:
npm ERR! npm owner ls node-sass
npm ERR! There is likely additional logging output above.
npm ERR! Please include the following file with any support request:
npm ERR! \\primary\home\mendsley\profile\Desktop\project\npm-debug.log
I'm trying this on my work computer, so I'm not sure if that matters. The system admin says there should not be any issue and other people have no issue with the same package... and talking to them, they offer no help. I tried everything on my personal laptop and gulp-sass installs just fine, so it is something with my work PC.
My initial thought is it's a path issue, but then why do other packages install okay?
I did uninstall/reinstall Nodejs, but that didn't help.
Does anyone have an idea?
Thanks in advance!
Your first guess was good, as it is a matter of path name. From the error message:
UNC paths are not supported. Defaulting to Windows directory.
Npm needed to access \\primary\home\mendsley\...\node_modules\node-sass so as to execute the gulp-sass installation script. But this path is a UNC path (Uniform Naming Convention) and therefore is not supported.
As a consequence, the npm command defaulted to C:/Windows instead and tried to execute the installation script of gulp-sass (install.js), but this script is, as you might guess, not present in this directory.
It could be a dependency hell problem with an older NodeJS or NPM version, too. gulp-sass depends on node-sass, which in turn depends on other packages, and they also depend on the right NodeJS and NPM version. For version 0.7.3 the full dependencies look like this:
├─┬ gulp-sass@0.7.3
│ ├── map-stream@0.1.0
│ └─┬ node-sass@0.9.6
│   ├─┬ chalk@0.5.1
│   │ ├── ansi-styles@1.1.0
│   │ ├── escape-string-regexp@1.0.3
│   │ ├─┬ has-ansi@0.1.0
│   │ │ └── ansi-regex@0.2.1
│   │ ├─┬ strip-ansi@0.3.0
│   │ │ └── ansi-regex@0.2.1
│   │ └── supports-color@0.2.0
│   ├── get-stdin@3.0.2
│   ├─┬ mkdirp@0.5.1
│   │ └── minimist@0.0.8
│   ├─┬ mocha@1.21.5
│   │ ├── commander@2.3.0
│   │ ├─┬ debug@2.0.0
│   │ │ └── ms@0.6.2
│   │ ├── diff@1.0.8
│   │ ├── escape-string-regexp@1.0.2
│   │ ├─┬ glob@3.2.3
│   │ │ ├── graceful-fs@2.0.3
│   │ │ ├── inherits@2.0.1
│   │ │ └─┬ minimatch@0.2.14
│   │ │   ├── lru-cache@2.7.3
│   │ │   └── sigmund@1.0.1
│   │ ├── growl@1.8.1
│   │ ├─┬ jade@0.26.3
│   │ │ ├── commander@0.6.1
│   │ │ └── mkdirp@0.3.0
│   │ └─┬ mkdirp@0.5.0
│   │   └── minimist@0.0.8
│   ├── nan@1.3.0
│   ├── node-sass-middleware@0.3.1
│   ├── node-watch@0.3.5
│   ├── object-assign@1.0.0
│   ├─┬ sinon@1.10.3
│   │ ├─┬ formatio@1.0.2
│   │ │ └── samsam@1.1.3
│   │ └─┬ util@0.10.3
│   │   └── inherits@2.0.1
│   └── yargs@1.3.3
I had trouble installing version 0.7.3 of gulp-sass with the latest versions of NodeJS 5.2.0 and NPM 3.5.2. This older version of gulp-sass worked only with the older versions NodeJS 0.12.9 and NPM 2.14.9; see also https://github.com/sass/node-sass/issues/1166
Look at this:
"CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory."
You can use the pushd command. As an example, for a --global installation for a domain user on a network share:
pushd \\server\yourpath\user\AppData\Roaming\npm
Hint: you can find the right path for global npm installations by opening %appdata%\npm in Explorer. The cmd prompt answers:
Z:\user\AppData\Roaming\npm>
Now you can type "npm install node-sass" (or gulp-sass or whatever):
Z:\user\AppData\Roaming\npm>npm install node-sass
without --global or -g; in this path you are "global".
When finished, run popd to disconnect the Z: drive.
I had the same issue and I fixed it with a simple step.
The real problem is with the AutoRun setting that sets the path of your command prompt. It is related to your registry.
I just deleted the AutoRun entry in the registry for the Command Processor and it started working normally.
Hop in this link
