npm audit fix not changing anything - node.js

I think this is a pretty basic question but i've been stuck for a while:
I am trying to use npm audit fix to clean up an old repo that has many security vulnerabilities. When I run, I see that I get the following output:
fixed 3534 of 3576 vulnerabilities in 1926 scanned packages
42 vulnerabilities required manual review and could not be updated
However, I see that nothing in package-lock.json was changed. So It doesn't appear that audit has actually done anything? When I run npm install I can again see the following:
found 3576 vulnerabilities (3550 low, 10 moderate, 14 high, 2 critical)
run `npm audit fix` to fix them, or `npm audit` for details
Does this mean that the audit process was not able to resolve any of these issues? If so, how do I approach resolving these?

What causes it: This would seem to be a known bug in npm for which no one has (yet) publicly worked out the cause, at least not that I can find. However you can see it reported in an issue in the current npm issue tracker which links to an issue in the archived npm issue tracker.
How to fix: When I encounter this behavior in npm, I do this:
$ rm -rf node_modules package-lock.json shrinkwrap.json npm-shrinkwrap.json
$ npm install
However, I don't think that works all the time. But if you haven't done that, it's worth a shot. #Kshewengger's suggestion to update npm is a good thing to try too. They suggest npm install -g npm and try that first, but if that doesn't work and if you don't mind an updated package-lock.json file format and other changes, you can also try npm install -g npm#7. As of this writing, npm install -g npm will give you npm#6.14.9 and npm install -g npm#7 will give you npm#7.0.15.

Related

When I install Axios an audit error occurs

This is the error I get when running the command npm i axios:
up to date, audited 1469 packages in 6s
226 packages are looking for funding
run `npm fund` for details
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Here, I use VS code and typed that command on its terminal.
I keep getting this error when trying to install axios, and I am not sure how to fix this.
Could this be a problem for my future coding?
This is a result of the new npm version including the audit command.
It isn't some new issue with the CLI, npm just introduced new functionality in npm to warn users about vulnerabilities in the packages they're installing - so there's no "new" vulnerability, it's just that now npm is now warning you about vulnerabilities that already existed: https://blog.npmjs.org/
If you have run npm audit and got vulnerabilities, then you can have different scenarios:
Security vulnerabilities found with suggested updates
Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies.
Run the recommended commands individually to install updates to vulnerable dependencies. (Some updates may be semver-breaking changes; for more information, see "SEMVER warnings".)
Security vulnerabilities found requiring manual review
If security vulnerabilities are found, but no patches are available, the audit report will provide information about the vulnerability so you can investigate further.
You can read more about it here.
Even after running npm audit fix if it is not fixed, then you can Turn off npm audit. Use the below command to turn off the npm audit.
When installing a single package:
npm install example-package-name --no-audit
To turn off npm audit when installing all packages:
npm set audit false
It will set the audit setting to false in your user and global npmrc config files.
If you still want to fix them, you can refer to this article about how to.

how to solve Prototype Pollution lodash after npm audit fix requires manual review

when I do npm audit it gives me this link saying that the I have to update lodash in my NODEJS application https://www.npmjs.com/advisories/782 but I tried npm install lodash#latest --save and it didn't it still gives me the same vunerabilities, I think thats why its not loading the localhost
Sounds silly but many times the fix can be the simplest, most obvious:
$ rm -rf node_modules/
$ npm install
$ npm audit
As reported here (https://thehackernews.com/2019/07/lodash-prototype-pollution.html), there were patches made in old pull requests that ended up getting updated. I'm not certain, but perhaps you ran npm audit fix before those patches got merged.
I just fixed mine a short while ago with a simple npm audit fix.

npm update dependency issue

I am trying to update dependencies for various projects I have on GitHub. I wanted to update them one at a time. I went through these steps:
npm update (from master)
npm update dependency-name (from folder containing the json files)
npm install dependency-name --save
npm fix --force (don't remember this command exactly. It was similar to that)
Then I got a message that said "--force. I hope you know what you're doing." I knew immediately that I'd made a mistake because I didn't know what I was doing. I found that command while Googling solutions, so I stopped there.
How can I update a specific dependency in a package-lock.json file?
Also, could I have done significant damage with the --force command?
Thank you.
--force is a flag which forces a particular operation/process to run
So I think to fix the dependencies you would have used npm audit fix --force
You wouldn't have done any damage to your dependency tree.
The npm docs say:
npm audit fix
Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies
Please refer https://docs.npmjs.com/cli/audit

Nothing change after executing the suggestion from npm audit

npm version 6.0.1
Run npm audit
As many projects we have some vulnerabilities in ours.
First thing the report suggests is:
# Run npm update fsevents --depth 4 to resolve 65 vulnerabilities
I did this for several times decrementing the number of the issues but this time doesn't work.
Any idea why?
You already have fsevents installed, the lock file has the outdated values. If you manually change them in your lock file your npm audits would look clean, the problem being when you run npm install again it won't matter and they will install it again. Make sure to check your node_modules and the version of the libraries being used are in fact the ones without any vulnerabilities
It's a problem npm audit/update have with some optional packages like fsevents. if you clear all those packages inside package.lock or yarn.lock or if you don't care about the lock just remove the file and run npm install or yarn install again to have the updated inner packages

How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?

Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update, neither of them update the dependency in the package-lock.json file.
I've done a lot of googling on this, as well as deleted the file and done npm install.
If anyone can help resolve this I'd hugely appreciate it. The package in question is Hoek, which I don't actually have in my package.json file.
It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from it's own package.json).
You've already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.
Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.
Edit:
To help you identify which packages are using which dependencies, you can use NPM's ls command: https://docs.npmjs.com/cli/ls
For example, to see which packages are using Hoek:
npm ls hoek
Edit 2:
As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.
Edit 3:
Those reading this should also check out JBallin's answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP's question better. However - if you want a quick fix - this answer should suffice.
TLDR: Update the parent package using npm i $PARENT_PKG_NAME.
Note
When updating dependencies, you should review the CHANGELOG for any breaking changes.
Diagnosis
npm audit will reveal both the vulnerable package (note that you'll need a package-lock.json file for this, so you'll need to run npm i), as well as the package that it is a dependency of (if applicable). Note that you can also use npm ls $CHILD_PKG_NAME to see its parent dependencies.
Quick Fix Attempt
npm audit fix and npm audit fix --force are worth a try, but sometimes the fix will need to be done manually (see below).
Manual Fix
Most likely the parent package will have already fixed their dependencies (you can verify this by going to their GitHub and reviewing the recent commits--or just seeing if this fixes it), so you can just run npm i $PARENT_PKG_NAME #$NEW_VERSION and it will update your package-lock.json.
If parent has not fixed the vulnerability
If the maintainer doesn't seem to be responsive, you may consider using an alternative package that accomplishes the same thing or forking the package and updating the vulnerability yourself.
Verify Fix
You can now verify that it worked by running npm audit and ensuring that no vulnerabilities are showing up. Commit your changes, push them to GitHub, refresh your notifications/alerts and they should be gone!
Step 1: Install Peer Dependencies
npm i --legacy-peer-deps
Step 2: Change package manually
Edit package-lock.json manually and update the vulnerable package version to the fixed one.
npm ci
That will install the packages according to package-lock.json by ignoring package.json first.
Step 3: Control it again
Run
npm audit fix
to be sure if it's properly done. If it does not help so, then use other given solutions.
More Information here:
https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
or here: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
If you have npm#6 or later, you can use npm audit fix for your security issues.
Use:
npm i hoek
npm will install the latest version of hoek and your package.lock.json become updated.
To check vulnerable npm packages, just use following commands:
npm audit
To fix vulnerable npm packages, just use following commands which will fix package-lock.json too:
npm audit fix
I had this issue and found that it was because the server on which I was running npm had an old version of npm on it- package-lock.json is only supported by newer versions.
did you try this: go to your project root, delete the package-lock.json file, node_modules and .cache folders, and then npm install.
After installing new dependencies run the following command to update the package-lock.json file:
npm update package-lock.json

Resources