This question already has answers here:
What does "npm audit fix" exactly do?
(2 answers)
Closed 2 years ago.
I'm making a website with a Node Express backend, which serves a React app from the public directory. Everything was working fine on my computer. I put all of this on an AWS server and ran npm install for my server and for my app in the public directory; that's where I got this message:
/public$ npm audit fix
up to date, audited 1960 packages in 5s
# npm audit report
public *
Severity: high
Cross-Site Scripting - https://npmjs.com/advisories/1000
Path Traversal - https://npmjs.com/advisories/571
Cross-Site Scripting - https://npmjs.com/advisories/609
fix available via `npm audit fix`
1 high severity vulnerability
To address all issues, run:
npm audit fix
Everything was fine on my computer. I tried starting over again, emptying the node_modules directory and then reinstalling, but got the same thing again. I guess I must not have copied/deleted some files, but I have no idea where to start, and I don't get what "public *" is. Is that a module? You're welcome if you have some ideas!
By default, when you run npm install, another command, called npm audit, is also executed. It's a tool to check whether your project's dependencies have known vulnerabilities.
It has nothing to do with your environment, local or AWS; it's all about dependencies.
Auditing package dependencies for security vulnerabilities
The npm audit --fix can automatically fix vulnerabilities; however, the documentation says that in some cases manual intervention might be required.
npm audit command
You need to look closely at the output of the command and, if interested, read about the vulnerability and fix it.
This is the error I get when running the command npm i axios:
up to date, audited 1469 packages in 6s
226 packages are looking for funding
run `npm fund` for details
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Here, I use VS Code and typed that command in its terminal.
I keep getting this error when trying to install axios, and I am not sure how to fix this.
Could this be a problem for my future coding?
This is a result of the new npm version including the audit command.
It isn't some new issue with the CLI; npm just introduced new functionality to warn users about vulnerabilities in the packages they're installing, so there's no "new" vulnerability. It's just that npm is now warning you about vulnerabilities that already existed: https://blog.npmjs.org/
If you have run npm audit and got vulnerabilities, then there are different scenarios:
Security vulnerabilities found with suggested updates
Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies.
Run the recommended commands individually to install updates to vulnerable dependencies. (Some updates may be semver-breaking changes; for more information, see "SEMVER warnings".)
Security vulnerabilities found requiring manual review
If security vulnerabilities are found, but no patches are available, the audit report will provide information about the vulnerability so you can investigate further.
You can read more about it here.
Even after running npm audit fix, if it is not fixed, then you can turn off npm audit. Use the command below to turn off npm audit.
When installing a single package:
npm install example-package-name --no-audit
To turn off npm audit when installing all packages:
npm set audit false
It will set the audit setting to false in your user and global npmrc config files.
If you still want to fix them, you can refer to this article about how to.
up to date, audited 1446 packages in 7s
194 packages are looking for funding
run npm fund for details
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run npm audit for details.
Ideally, we should address these vulnerabilities, especially in stages like production, sensitive workplaces, etc. However, often you will have to address these vulnerabilities manually.
npm audit fix will try to "fix" what it can by performing some updates.
npm audit fix --force will try to go further, considering upgrades even between major semantic versions (2 to 3, for instance, instead of 2 to 2.1, if necessary).
It may not be enough. To be on the safer side, look through every single module declared vulnerable to ponder eventual risks and how any issues can affect your project(s).
Keep in mind:
"npm" can find vulnerabilities at absolutely any time.
Therefore, if the developer has not sent a new version correcting the identified problem, you will have to:
Decide whether to use a new library.
Decide to downgrade or upgrade their libraries with the most negligible effect on your code.
Decide to fix the vulnerability yourself
Decide to wait for the author to fix the issue
Decide to implement your solution.
Decide to live with these vulnerabilities and likely address them before production.
npm audit monitors modules over time, so some vulnerabilities can still appear in modules thought to be perfectly safe. Therefore, there is no 100% permanent fix.
A way to have the list of problematic modules:
$> npm audit fix --dry-run --json
https://docs.npmjs.com/cli/v8/commands/npm-audit
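The answer above suggests `npm audit fix --dry-run --json` to get the list of problematic modules. The script below is an added example (not code from the answer or from npm) that triages such an npm 7+ JSON report: it separates findings that plain `npm audit fix` resolves from those needing a semver-major upgrade or having no fix, and gates a CI build on the unresolved ones. SAMPLE_REPORT is constructed from the glob-parent/gulp finding shown on this page plus one hypothetical unfixable package; fields the code does not read (effects, nodes) are omitted.

```javascript
// Added example (not the page's code): triage an `npm audit --json` report
// (npm 7+ "auditReportVersion": 2 layout). SAMPLE_REPORT is constructed from the
// glob-parent/gulp finding shown on this page plus one hypothetical unfixable package.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-parent": {
      name: "glob-parent", severity: "high", isDirect: false, range: "<5.1.2",
      via: [{ title: "Regular expression denial of service", severity: "high",
              url: "https://github.com/advisories/GHSA-ww39-953v-wcq6", range: "<5.1.2" }],
      fixAvailable: { name: "gulp", version: "3.9.1", isSemVerMajor: true },
    },
    gulp: { // transitive: affected only via glob-watcher -> chokidar -> glob-parent
      name: "gulp", severity: "high", isDirect: true, range: ">=4.0.0",
      via: ["glob-watcher"],
      fixAvailable: { name: "gulp", version: "3.9.1", isSemVerMajor: true },
    },
    "hypothetical-pkg": { // constructed: a moderate finding with no fix published
      name: "hypothetical-pkg", severity: "moderate", isDirect: true, range: "*",
      via: [{ title: "placeholder advisory", severity: "moderate", url: "PLACEHOLDER-URL", range: "*" }],
      fixAvailable: false,
    },
  },
};
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Root findings carry advisory objects in `via`; entries whose `via` holds only
// package names are transitive and inherit the problem from a dependency.
// fixAvailable is true (plain `npm audit fix` resolves it), false (nothing to
// install), or an object naming the semver-major upgrade `--force` would make.
function summarizeAudit(report) {
  const out = { total: 0, roots: [], autoFix: [], breaking: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    out.total += 1;
    const advisories = v.via.filter((x) => typeof x === "object");
    if (advisories.length) out.roots.push({ name: v.name, range: v.range, urls: advisories.map((a) => a.url) });
    const item = { name: v.name, severity: v.severity };
    if (v.fixAvailable === false) out.noFix.push(item);
    else if (v.fixAvailable === true) out.autoFix.push(item);
    else out.breaking.push({ ...item, upgrade: `${v.fixAvailable.name}@${v.fixAvailable.version}` });
  }
  return out;
}

// CI gate: fail when a finding at or above `threshold` is not resolved by plain
// `npm audit fix`, i.e. when a person has to review it before shipping.
function shouldFailBuild(report, threshold = "high") {
  const s = summarizeAudit(report);
  return [...s.breaking, ...s.noFix].some((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]);
}
```

On a real project, run `npm audit --json > audit.json` and pass `JSON.parse` of that file in place of SAMPLE_REPORT.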
I am trying to teach myself web development and so far it's making my head hurt, but I'm not giving up. At the moment, I am trying to learn WordPress theme development using the Understrap framework. This is what I have done so far to try and get it all working:
Installed Node using Homebrew on my Mac
Created a project folder on my Desktop
Ran the following git command to install Understrap in my project folder: git clone https://github.com/understrap/understrap.git
Then ran npm install within the directory in a terminal window
After doing all of this, I keep getting the following errors, but not being a seasoned web dev expert, this has me a bit boggled:
72 packages are looking for funding
run `npm fund` for details
6 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Then I ran "npm audit" to get a better idea of the issue and this is where I am completely lost and hoping one of you fantastic folks on here can provide some assistance:
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
node_modules/glob-watcher/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/glob-watcher/node_modules/chokidar
glob-watcher >=3.0.0
Depends on vulnerable versions of chokidar
node_modules/glob-watcher
gulp >=4.0.0
Depends on vulnerable versions of glob-watcher
node_modules/gulp
glob-stream 5.3.0 - 6.1.0
Depends on vulnerable versions of glob-parent
node_modules/glob-stream
vinyl-fs >=2.4.2
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
6 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
BTW, I ran "npm audit fix --force", but it did not resolve this issue.
Thank you all so much for your help on this, I really appreciate it!
I have been following codelab instructions to implement real-time communication with WebRTC, and while trying to run npm install I am getting the following warnings.
npm WARN webrtc-codelab@0.0.1 No repository field.
npm WARN webrtc-codelab@0.0.1 No license field.
audited 52 packages in 0.81s
found 16 vulnerabilities (11 low, 1 moderate, 3 high, 1 critical)
run npm audit fix to fix them, or npm audit for details
Can someone help me with fixing this?
The first ones are because the licence and repository fields of package.json are empty; you can fill them using the docs for licence and repository.
The latter ones are due to outdated dependencies used by the code sample. It is ok to ignore this warning for an educational project, because the vulnerabilities often are not important if you are not planning to use the project on a production server. But if it is bothering you, you can use npm audit fix as suggested by npm; it'll try to update dependencies if there are no breaking changes in the upgrade. It might not succeed in doing so for some or all of those packages, in which case you'll need to manually install the newer version of those packages, but beware, because doing so COULD break the code sample to the point that it'll no longer work.
I am working on a React project and I am using various npm packages. There were 1002 vulnerable packages when I started fixing/updating my old packages, and at the end only 20 vulnerable packages remained, which were also very low priority.
But now, after 3 months, the count has increased again to 925 vulnerable packages. So my question is: when I am using package-lock.json to install a specific package version only, how have the vulnerabilities increased? I mean, is there any mechanism which npm follows before telling me "this package is vulnerable"? I want to know how npm checks whether this package is vulnerable or not, even when it was fine before and I am using the same package version with the same Node version as well.
npm, as a package manager, runs an audit of the installed/installing dependencies to check for the vulnerabilities posted/reported on that particular npm package you installed/are installing. It lists them out to notify/warn you about the problem you might encounter using such packages.
It will be an API call from npm to the registry. Read further: docs.npmjs.com/cli/audit#description
One can manually audit its dependencies as well, using the following command:
npm audit
Make sure you are running this command in the same directory where your package-lock.json exists.
If you are using yarn as a package manager, you can run:
yarn audit
Here is a great explanation of npm vulnerabilities.
https://snyk.io/blog/understanding-filesystem-takeover-vulnerabilities-in-npm-javascript-package-manager/
The npm vulnerability check mainly depends on the version and last publish date of each package.