I have done the following steps.
1- npm install
2- npm ls c - this gave me a dependency tree showing a particular version of package c, say 1.4.1
└─┬ a@1.4.0
  └─┬ b@0.13.0
    └── c@1.4.1
3- npm update c --depth=100
c@1.4.8
added 1 package from 1 contributor, updated 3 packages and audited 69 packages in 2.112s
found 3 low severity vulnerabilities
run npm audit fix to fix them, or npm audit for details
4- npm ls c
└─┬ a@1.4.0
  └─┬ b@0.13.0
    └── c@1.4.1
This is still showing the old package, but when I verified in node_modules I see version 1.4.8.
What can I do to make npm ls report the updated dependency tree?
Looks like I inadvertently left package-lock.json; after removing package-lock.json, running npm ls gave the correct dependency tree.
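The mismatch described in this thread, a package-lock.json that still pins c@1.4.1 while node_modules holds c@1.4.8, can be detected by comparing the two directly. The following is an added example, not code from the original post; it assumes a lockfileVersion 1 lockfile whose nested `dependencies` mirror the node_modules layout, and `findDrift`, `buildSample` and the sample tree are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Walk a lockfileVersion 1 tree (assumed format) and compare each locked
// version with the version recorded in the matching node_modules folder.
function findDrift(root) {
  const lock = JSON.parse(fs.readFileSync(path.join(root, 'package-lock.json'), 'utf8'));
  const drift = [];
  const walk = (deps, dir, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const pkgDir = path.join(dir, 'node_modules', name);
      const manifest = path.join(pkgDir, 'package.json');
      const installed = fs.existsSync(manifest)
        ? JSON.parse(fs.readFileSync(manifest, 'utf8')).version
        : null; // nothing installed at the location the lockfile expects
      if (installed !== entry.version) {
        drift.push({ path: [...trail, name].join(' > '), locked: entry.version, installed });
      }
      walk(entry.dependencies, pkgDir, [...trail, name]);
    }
  };
  walk(lock.dependencies, root, []);
  return drift;
}

// Constructed sample mirroring the question: the lockfile pins c@1.4.1
// under a > b, while node_modules already holds c@1.4.8.
function buildSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'lock-drift-'));
  const put = (rel, obj) => {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), JSON.stringify(obj));
  };
  put('package-lock.json', { lockfileVersion: 1, dependencies: { a: { version: '1.4.0',
    dependencies: { b: { version: '0.13.0', dependencies: { c: { version: '1.4.1' } } } } } } });
  put('node_modules/a/package.json', { name: 'a', version: '1.4.0' });
  put('node_modules/a/node_modules/b/package.json', { name: 'b', version: '0.13.0' });
  put('node_modules/a/node_modules/b/node_modules/c/package.json', { name: 'c', version: '1.4.8' });
  return root;
}

console.log(findDrift(buildSample()));
```

Any entry in the result means tools that read the lockfile are describing a tree other than the one on disk.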
Does anybody know why I am still having a missing dependency error, even though it clearly shows the correct version of webpack is already installed below?
When I ran npm start:
There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.
The react-scripts package provided by Create React App requires a dependency:
"webpack": "4.41.5"
Don't try to install it manually: your package manager does it automatically.
However, a different version of webpack was detected higher up in the tree:
When I run npm ls webpack, it gives me:
Chelseas-MacBook-Pro:website-expo-2018-master ipchelsea$ npm ls webpack
uwbce@0.1.0 /Users/ipchelsea/Desktop/website-expo-2018-master
├─┬ react-loading-screen@0.0.17
│ └── webpack@2.7.0
├─┬ react-scripts@3.4.0
│ └── webpack@4.41.5
└── webpack@4.41.6
You missed out the steps you took to get here. You did something, or missed something out in the steps you did to end up where you are now.
You should delete node_modules, then do npm i, and see if that correctly installs the packages.
Also, add the contents of your package.json file to the question. You need to have one in the root of this project.
I recently pushed an Angular CLI 5 application to GitHub and it indicated the following:
We found a potential security vulnerability in one of your dependencies.
A dependency defined in net-incident/package-lock.json has known security vulnerabilities and should be updated.
Dependencies defined in net-incident/package-lock.json 816
hapijs / hoek Known security vulnerability in 2.16.3
I have gone through the output from ‘npm audit’ and executed the various updates, including the following (which was not suggested):
npm install --save-dev request@2.86.0
The ‘request’ package contains ‘hawk’ which contains ‘hoek’. When I look at the ‘request’ package in node_modules the version has changed. But the following two updates from ‘npm audit’ do not seem to do anything:
npm update fsevents --depth 4
npm update stringstream --depth 5
And I am left with the following:
[!] 33 vulnerabilities found [12201 packages audited]
Severity: 5 Low | 24 Moderate | 4 High
Run `npm audit` for more detail
And many of the vulnerabilities are like the following:
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of karma
Path karma > log4js > loggly > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
In the end, the application would not compile, so I replaced the package and lock files, and now I am back to the beginning. I really want to fix the security issues. How do I get rid of the pesky ‘hoek’ vulnerabilities?
You should run rm package-lock.json && npm update && npm install. If this still doesn't fix your issue, you can then continue by running npm ls hoek, which should give you:
├─┬ fuse-box@3.3.0
│ └─┬ request@2.81.0
│   └─┬ hawk@3.1.3
│     ├─┬ boom@2.10.1
│     │ └── hoek@2.16.3
│     ├── hoek@2.16.3
│     └─┬ sntp@1.0.9
│       └── hoek@2.16.3
└── hoek@5.0.3
Check the version of hawk against the one on npm hawk; if it doesn't tally, run npm i hawk --save or npm i hoek@latest --save, then you should also run: npm i karma@latest --save, then npm audit. After which I again ran my normal git commands:
git add .
git commit -m 'whatever_message'
git push
Then you can go back to GitHub; the security vulnerability should be fixed.
This answer addresses a similar hoek problem, and this answer explains non-vulnerability audit reports in detail.
npm audit reports possible problems. They aren't necessarily real problems that should be solved.
A nested dependency like karma > log4js > loggly > request > hawk > boom > hoek may require forking numerous packages in the dependency chain in case it has to be fixed.
A prototype pollution diagnosis indicates a code smell. The reason why prototype pollution smells is that it can cause security problems. This is the reason why it's labeled as Moderate. It's unlikely that it causes any security risks in the hoek package due to how it works, regardless of how the package is used (that's important as well).
Additionally, the karma > log4js > loggly > request > hawk > boom > hoek dependency chain means that the problem occurs in a development dependency. Most security problems are primarily applicable to dependencies that are used in production. This problem is specific to tests and Karma. It's virtually impossible that it is a threat.
TL;DR: this is not a vulnerability. It has to be ignored. Any npm audit report should pass a sanity check before any efforts to fix it are made.
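The checks discussed in this thread, whether an installed hoek version falls inside the "Patched in" range and whether the advisory's top-level dependency is a development dependency, can be scripted. This is an added example, not code from the original answers; the record text copies the report layout quoted in the question, the versions are those shown in the `npm ls hoek` tree, and `MANIFEST`, `parseRecord`, `satisfies` and `triage` are constructed names and data.

```javascript
// Constructed input: one advisory record in the text layout quoted in the
// question, plus the hoek versions from the `npm ls hoek` tree in the answer.
const REPORT = `Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of karma
Path karma > log4js > loggly > request > hawk > boom > hoek`;
const INSTALLED = ['2.16.3', '5.0.3'];
const MANIFEST = { dependencies: {}, devDependencies: { karma: '*' } }; // assumed package.json

const FIELDS = ['Package', 'Patched in', 'Dependency of', 'Path'];
function parseRecord(text) {
  const [head, ...rest] = text.split('\n').map((l) => l.trim());
  const rec = { severity: head.split(' ')[0] };
  for (const line of rest) {
    const key = FIELDS.find((f) => line.startsWith(f + ' '));
    if (key) rec[key] = line.slice(key.length).trim();
  }
  return rec;
}

// Numeric comparison of x.y.z versions (prerelease tags are not handled).
function cmp(a, b) {
  const [x, y] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Supports only the form used in the report: comparator sets joined by "||".
function satisfies(version, range) {
  const ops = { '>': (c) => c > 0, '>=': (c) => c >= 0, '<': (c) => c < 0, '<=': (c) => c <= 0 };
  return range.split('||').some((set) => {
    const comps = [...set.matchAll(/(>=|<=|>|<)\s*(\d+\.\d+\.\d+)/g)];
    return comps.length > 0 && comps.every(([, op, bound]) => ops[op](cmp(version, bound)));
  });
}

function triage(text, installed, manifest) {
  const rec = parseRecord(text);
  const top = rec['Dependency of'];
  return {
    package: rec.Package,
    unpatched: installed.filter((v) => !satisfies(v, rec['Patched in'])),
    scope: top in (manifest.dependencies || {}) ? 'production'
      : top in (manifest.devDependencies || {}) ? 'development' : 'unknown',
  };
}

console.log(triage(REPORT, INSTALLED, MANIFEST));
```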
I was patient and they fixed the problem:
npm update karma@latest
should work.
I wanted to install this package: https://github.com/react-native-fellowship/react-native-navbar:
npm i react-native-navbar --save
But I've got another, outdated package from another source https://github.com/malkomalko/react-native-navbar:
$ npm list | grep navbar
├── react-native-navbar@1.5.0
│ ├── react-native-navbar@1.1.7 (git://github.com/malkomalko/react-native-navbar.git#fe3d9ed0c717e5304188e22f86ff63f0e029919f)
The first one, which I wanted to install, is a fork of the second, older one.
I already tried to update with "npm update" and I also tried to install a specific version with "npm i react-native-navbar@1.5.0", but it remains the same.
How to deal with such naming conflicts?
I found the root cause. One of my dependencies declared the "wrong" package as a dependency:
"dependencies": {
  "react-native-navbar": "malkomalko/react-native-navbar",
  "react-native-tabs": "malkomalko/react-native-tabs"
}
npm knows that grunt is installed globally, so why isn't it found?
$ npm install -g grunt
... installs ...
$ npm list -g | grep grunt
│ ├─┬ gruntfile-editor@0.2.0
│ ├─┬ gruntfile-editor@0.2.0
├─┬ grunt@0.4.5
│ ├─┬ grunt-legacy-log@0.1.1
│ ├── grunt-legacy-util@0.2.0
$ grunt
-bash: grunt: command not found
I assume because it's put it somewhere that is not on my PATH.
Why doesn't npm just put it somewhere that is on my PATH by default, like /usr/local/bin?
UPDATE: Weirdly, I get the same grunt: command not found error even after I do npm install grunt to run it locally. What am I doing wrong? There is a Gruntfile.js in my repo.
The package "grunt" is the task runner itself whereas the "grunt-cli" package is the command line interface that includes the grunt executable. You can make sure that it is installed to the correct path.
If you do npm install grunt-cli it still would not work because this would be installed to node_modules in the corresponding directory which is most likely not on your path. However, when you use grunt from the globally installed CLI tool it will look for an installation of grunt that is local to that project as well as the Gruntfile.js
What you have to do is:
install grunt-cli globally:
$ npm install grunt-cli -g
install grunt local in your dependencies (optionally save the dependency to your package.json):
$ npm install grunt --save
For me there was another thing missing, adding the path to NPM's folder in Windows' env variables
Go to System (My computer->Properties)
Advanced System Settings
In Advanced tab, 'Environment Variables'
Under User variables, choose Path, then Edit
Add this alongside the others you have: '%USERPROFILE%\AppData\Roaming\npm'
Hope this helps, g'luck
I am having trouble running grunt-cli after installing it. I run
npm install -g grunt-cli
then running grunt errors with
node.js:63
throw e;
^
Error: Cannot find module 'findup-sync'
at loadModule (node.js:275:15)
at require (node.js:411:14)
at Object.<anonymous> (/home/tmartin/bin/grunt:9:14)
at Module._compile (node.js:462:23)
at Module._loadScriptSync (node.js:469:10)
at Module.loadSync (node.js:338:12)
at Object.runMain (node.js:522:24)
at Array.<anonymous> (node.js:756:12)
at EventEmitter._tickCallback (node.js:55:22)
at node.js:773:9
This is what I have installed:
tmartin@timcomp:~$ npm list -g
/home/tmartin/lib
└─┬ grunt-cli@0.1.6
  ├─┬ findup-sync@0.1.2
  │ ├─┬ glob@3.1.21
  │ │ ├── graceful-fs@1.2.0
  │ │ ├── inherits@1.0.0
  │ │ └─┬ minimatch@0.2.11
  │ │   ├── lru-cache@2.2.2
  │ │   └── sigmund@1.0.0
  │ └── lodash@1.0.1
  └─┬ nopt@1.0.10
    └── abbrev@1.0.4
I had to install and link findup-sync and a few other npm packages to get these dependency issues to go away. I thought npm was supposed to handle them for us, but installing the dependencies manually made the issues go away.
npm install findup-sync -g
npm link findup-sync
I got mine running again reinstalling grunt-cli globally and in my repo.
npm install -g grunt-cli
cd myrepo
npm install grunt-cli
I think Yosemite installation broke some things in my files ...
This is because npm doesn't set the right permission to sub-directory node_modules in /usr/lib/node_modules/grunt-cli.
In my case, I had:
drwxr-x--- 6 nobody root 4096 16 févr. 17:08 node_modules
When running grunt as non-root user, I had the same error (Cannot find module 'findup-sync') because of a permission denied to read this directory.
The solution is to fix permission with chmod: chmod a+rx node_modules.
But in fact, all directories were involved. The best way was to do:
find /usr/lib/node_modules/grunt-cli -type d -exec chmod a+rx {} \;
This is maybe a distribution bug (I use Archlinux).
This may seem simple, but if anyone else is unsure if there's a permissions problem, try running sudo grunt then go from there.
I use NVM and was having this problem whenever I changed the active node version.
Following @davidcondrey's suggestion worked for me. The catch really was to install grunt-cli before grunt. The order made a difference and fixed it.
npm i -g grunt-cli grunt
@inostia's answer of using sudo to test the permissions was OK, but gave me quite a headache with file permissions, as all the grunt-processed files were inaccessible by git later and broke my versioning.
This also may be obvious, but in my case I had set up my npm path off my home directory (on a chromebook) and needed to add .node_modules to my .profile
PATH=~/.node_modules:$PATH
Then run:
source ~/.profile
I was able to fix this by reinstalling Grunt using these commands:
sudo npm remove -g grunt-cli
sudo npm install -g grunt-cli
This issue occurs if you change your NodeJS version.
After changing the node version, reinstalling grunt or npm install will resolve the issue.
Tried all the answers above and I could not get grunt to work without using sudo.
Finally came across this WordPress article and deleted the link to /usr/local/lib/node_modules/grunt/bin/grunt
lrwxrwxrwx 1 root root 35 Apr 19 22:45 /usr/local/bin/grunt -> ../lib/node_modules/grunt/bin/grunt
using sudo rm /usr/local/bin/grunt
Then I linked to the grunt executable in /usr/local/lib/node_modules/grunt-cli/bin
using sudo ln -s /usr/local/lib/node_modules/grunt-cli/bin/grunt /usr/local/bin/grunt
Now, I can run grunt without using sudo.
I solved this by running:
npm install -gg grunt-cli --force