Recently discovered npm-audit and on the first run it flagged a lot of vulnerabilities, mostly around packages and their dependencies.
Wanting to get these vulnerabilities resolved I have discovered npm shrinkwrap which allows me to specify what versions and its dependencies should use? That's how I see it anyway (Please correct me if wrong, here to learn).
One example I am trying to fix is the module hoek, in my package.json this is set as "hoek": "^5.0.3"
When I run npm shrinkwrap one of the dependencies has hoek set as version 2
"boom": {
"version": "2.10.1",
"resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
"integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
"requires": {
"hoek": "2.x.x"
},
"dependencies": {
"hoek": {
"version": "2.16.3",
"resolved": "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz",
"integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0="
}
}
},
I thought I could edit this and specify what version i want the dependency to use like so
"boom": {
"version": "2.10.1",
"resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
"integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
"dev": true,
"requires": {
"hoek": "2.x.x"
},
"dependencies": {
"hoek": {
"version": "5.0.3",
"resolved": "https://registry.npmjs.org/hoek/-/hoek-5.0.3.tgz",
"integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
"dev": true
}
}
},
However when I run npm shrinkwrap or npm install all this reverts to the original
How do I go about managing this? Is shrinkwrap the right choice or am I trying to do things with it I simply cannot?
Thanks
NPM shrinkwrap is used to lock the dependency version in a project.
After installing packages using npm install or npm install package-name and updating your node_modules folder, you should run npm shrinkwrap
It will create new npm-shrinkwrap.json file with information about all packages you use and you have to commit the file.
Next time, when someone calls npm install, it will install packages from npm-shrinkwrap.json and you will have the same environment on all machines.
Following warning is being thrown on npm install command -
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents#1.1.2 (node_modules\rea
ct-scripts\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents#
1.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"}
)
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents#^1.0.0 (node_modules\ch
okidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents#
1.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"}
)
The warning is apparently causing our Jenkins Job to mark failed, so we are just trying to get rid of the same.
I already checked this https://stackoverflow.com/a/42938398/351903
But, unlike what is mentioned there, I do not have any /node_modules/fserrors in my setup. Also, my package.json does not contain fserrors. Following is my package.json -
{
"name": "mvc-panel",
"version": "0.1.0",
"private": true,
"dependencies": {
"bootstrap": "^3.3.7",
"jquery": "^3.2.1",
"material-ui": "^0.18.3",
"qs": "^6.4.0",
"react": "^15.5.4",
"react-alert": "^2.1.2",
"react-bootstrap-table": "^3.4.1",
"react-dom": "^15.5.4",
"react-loader": "^2.4.2",
"react-router-dom": "^4.1.1",
"react-tap-event-plugin": "^2.0.1",
"serve": "^6.0.0"
},
"devDependencies": {
"datatables.net": "^1.10.15",
"jquery": "^3.2.1",
"react-scripts": "^1.0.7"
},
"scripts": {
"start": "react-scripts start",
"build": "react-scripts build",
"test": "react-scripts test --env=jsdom",
"eject": "react-scripts eject"
}
}
I can see fsevents in the package.json of react-scripts (which is defined under devDependencies of my package.json) in node_modules\react-scripts\package.json -
{
"_args": [
[
{
"raw": "react-scripts#^1.0.7",
"scope": null,
"escapedName": "react-scripts",
"name": "react-scripts",
"rawSpec": "^1.0.7",
"spec": ">=1.0.7 <2.0.0",
"type": "range"
},
"D:\\Sandeepan\\Payu MVC\\backend codebase\\MVC2.0\\panel\\mvc-panel"
]
],
"_from": "react-scripts#>=1.0.7 <2.0.0",
"_id": "react-scripts#1.0.14",
"_inCache": true,
"_location": "/react-scripts",
"_nodeVersion": "8.5.0",
"_npmOperationalInternal": {
"host": "s3://npm-registry-packages",
"tmp": "tmp/react-scripts-1.0.14.tgz_1506471610836_0.5613740666303784"
},
"_npmUser": {
"name": "timer",
"email": "timer150#gmail.com"
},
"_npmVersion": "5.3.0",
"_phantomChildren": {
"asap": "2.0.6",
"escape-string-regexp": "1.0.5",
"graceful-fs": "4.1.11",
"has-ansi": "2.0.0",
"universalify": "0.1.1"
},
"_requested": {
"raw": "react-scripts#^1.0.7",
"scope": null,
"escapedName": "react-scripts",
"name": "react-scripts",
"rawSpec": "^1.0.7",
"spec": ">=1.0.7 <2.0.0",
"type": "range"
},
"_requiredBy": [
"#DEV:/"
],
"_resolved": "https://registry.npmjs.org/react-scripts/-/react-scripts-1.0.14.tgz",
"_shasum": "70fe76c9beb67b136b953e875bdfe4ad78d410d1",
"_shrinkwrap": null,
"_spec": "react-scripts#^1.0.7",
"_where": "D:\\Sandeepan\\Payu MVC\\backend codebase\\MVC2.0\\panel\\mvc-panel",
"bin": {
"react-scripts": "./bin/react-scripts.js"
},
"bugs": {
"url": "https://github.com/facebookincubator/create-react-app/issues"
},
"dependencies": {
"autoprefixer": "7.1.2",
"babel-core": "6.25.0",
"babel-eslint": "7.2.3",
"babel-jest": "20.0.3",
"babel-loader": "7.1.1",
"babel-preset-react-app": "^3.0.3",
"babel-runtime": "6.26.0",
"case-sensitive-paths-webpack-plugin": "2.1.1",
"chalk": "1.1.3",
"css-loader": "0.28.4",
"dotenv": "4.0.0",
"eslint": "4.4.1",
"eslint-config-react-app": "^2.0.1",
"eslint-loader": "1.9.0",
"eslint-plugin-flowtype": "2.35.0",
"eslint-plugin-import": "2.7.0",
"eslint-plugin-jsx-a11y": "5.1.1",
"eslint-plugin-react": "7.1.0",
"extract-text-webpack-plugin": "3.0.0",
"file-loader": "0.11.2",
"fs-extra": "3.0.1",
"fsevents": "1.1.2",
"html-webpack-plugin": "2.29.0",
"jest": "20.0.4",
"object-assign": "4.1.1",
"postcss-flexbugs-fixes": "3.2.0",
"postcss-loader": "2.0.6",
"promise": "8.0.1",
"react-dev-utils": "^4.1.0",
"style-loader": "0.18.2",
"sw-precache-webpack-plugin": "0.11.4",
"url-loader": "0.5.9",
"webpack": "3.5.1",
"webpack-dev-server": "2.8.2",
"webpack-manifest-plugin": "1.2.1",
"whatwg-fetch": "2.0.3"
},
"description": "Configuration and scripts for Create React App.",
"devDependencies": {
"react": "^15.5.4",
"react-dom": "^15.5.4"
},
"directories": {},
"dist": {
"integrity": "sha512-+p0q2N2WW7L4WW6uObqN7fYwSQZ9fBI0StpMYl1Ukoz/lCbemf+yW6b8refyhTsGy62GAqxlpyEfVcTE3hJAxg==",
"shasum": "70fe76c9beb67b136b953e875bdfe4ad78d410d1",
"tarball": "https://registry.npmjs.org/react-scripts/-/react-scripts-1.0.14.tgz"
},
"engines": {
"node": ">=6"
},
"files": [
"bin",
"config",
"scripts",
"template",
"utils"
],
"homepage": "https://github.com/facebookincubator/create-react-app#readme",
"license": "MIT",
"maintainers": [
{
"name": "timer",
"email": "timer150#gmail.com"
},
{
"name": "fb",
"email": "opensource+npm#fb.com"
},
{
"name": "gaearon",
"email": "dan.abramov#gmail.com"
}
],
"name": "react-scripts",
"optionalDependencies": {
"fsevents": "1.1.2"
},
"readme": "ERROR: No README data found!",
"repository": {
"type": "git",
"url": "git+https://github.com/facebookincubator/create-react-app.git"
},
"version": "1.0.14"
}
Update
I tried running the npm install command and getting the exit status of the earlier command. It showed 0 meaning success, despite the warnings. So, it does not look like Jenkins job should be stuck due to this. However, we are still trying to find a way to get rid of this warning because it is not relevant to our OS.
fsevents is dealt differently in mac and other linux system. Linux system ignores fsevents whereas mac install it. As the above error message states that fsevents is optional and it is skipped in installation process.
You can run npm install --no-optional command in linux system to avoid above warning.
Further information
https://github.com/npm/npm/issues/14185
https://github.com/npm/npm/issues/5095
If you want to hide this warn, you just need to install fsevents as a optional dependency.
Just execute:
npm i fsevents#latest -f --save-optional
..And the warn will no longer be a bother.
npm i -f
I'd like to repost some comments from this thread, where you can read up on the issue and the issue was solved.
This is exactly Angular's issue. Current package.json requires fsevent
as not optionalDependencies but devDependencies. This may be a problem
for non-OSX users.
Sometimes
Even if you remove it from package.json npm i still fails because
another module has it as a peer dep.
So
if npm-shrinkwrap.json is still there, please remove it or try npm i
-f
package.json counts with a optionalDependencies key.
NPM on Optional Dependencies.
You can add fsevents to this object and if you find yourself installing packages in a different platform than MacOS, fsevents will be skipped by either yarn or npm.
"optionalDependencies": {
"fsevents": "2.1.2"
},
You will find a message like the following in the installation log:
info fsevents#1.2.11: The platform "linux" is incompatible with this module.
info "fsevents#1.2.11" is an optional dependency and failed compatibility check. Excluding it from installation.
info fsevents#2.1.2: The platform "linux" is incompatible with this module.
info "fsevents#2.1.2" is an optional dependency and failed compatibility check. Excluding it from installation.
Hope it helps!
I found the same problem and i tried all the solution mentioned above and in github. Some works only in local repository, when i push my PR in remote repositories with travic-CI or Pipelines give me the same error back. Finally i fixed it by using the npm command below.
npm audit fix --force
This no longer happens with npm v7. You can update your npm version or update to node v15 or higher, which by default installs npm v7.
Follow these steps -
Go to the project's "package.lock.json" file
Press "Ctrl+F" (to enable search)
Type "darwin"
Rename it to 'linux'
I also had the same issue though am using MacOS. The issue is kind of bug. I solved this issue by repeatedly running the commands,
sudo npm cache clean --force
sudo npm uninstall
sudo npm install
One time it did not work but when I repeatedly cleaned the cache and after uninstalling npm, reinstalling npm, the error went off. I am using Angular 8 and this issue is common
Instead of using --no-optional every single time, we can just add it to npm or yarn config.
For Yarn, there is a default no-optional config, so we can just edit that:
yarn config set ignore-optional true
For npm, there is no default config set, so we can create one:
npm config set ignore-optional true
Do this:
npm install --no-optional
For more info on this go through: https://github.com/npm/npm/issues/11632
I'm using,
Angular CLI: 8.1.2
Node: 12.14.1
OS: win32 x64
Strangely, this helped me
npm cache clean --force
npm uninstall #angular/cli
npm install #angular/cli#8.1.2
For anyone reading it recently, the simplest thing to do on Ubuntu is to install the latest LTS versions of nvm, node.js, and nmp. from version 7 of node.js, these issues have been sorted out.
Refer to this guide:
https://computingforgeeks.com/how-to-install-node-js-on-ubuntu-debian/
I solved this by deleting the node_modules folder and running npm i.
I got the same error. In my case, I was using a mapped drive to edit code off of a second computer, that computer was running linux. Not sure exactly why gulp-watch relies on operating system compatibility prior to install (I would assume it has to do with security purposes). Essentially the error is checking against your operating system and the operating system calling the node module, in my case the two operating systems were not the same so it threw it error. Which from the looks of your error is the same as mine.
The Error
Unsupported platform for fsevents#1.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
How I fixed it?
I logged into the linux computer directly and ran
npm install --save-dev <module-name>
Then went back into my coding environment and everything was fine after that.
Hope that helps!
run
npm install -D vue-loader vue-template-compiler
Vue CLI
If you are not interested in manually setting up webpack, it is recommended to scaffold a project with Vue CLI instead. Projects created by Vue CLI are pre-configured with most of the common development needs working out of the box.
Follow this guide if the built-in configuration of Vue CLI does not suit your needs, or you'd rather create your own webpack config from scratch.
#Manual Setup
#Installation
Unless you are an advanced user using your own forked version of Vue's template compiler, you should install vue-loader and vue-template-compiler together:
Check your node version and check if the package.json was generate using a different version of node.
I downloaded a repo created from Mac from a Linux and faced this error when trying to npm install. I was using node v14.15.0 and when I switched to v16.13.0, the error disappeared.
Yes, it works when with the command npm install --no-optional
Using environment:
iTerm2
macos login to my vm ubuntu16 LTS.
I had got this error, Linux system(Ubuntu) and This might happen when you run :
npm install
1) If the project is not present in your localdisk/computer, copy it to your computer and try again. So you get the permission to access folder (Just make sure you have access permission).
2) If you still get some warnings or errors, run:
npm audit fix
This will solve vulnerabilities in your dependencies and can help you fix a vulnerability by providing simple-to-run npm commands and recommendations for further troubleshooting.
Hope it helps!
Switch to PNPM: https://pnpm.js.org/
The fsevents warnings are gone (on Linux).
Even the latest yarn (2.x) shows the warnings.
If anyone get this error for ionic cordova install . just use this code npm install --no-optional in your cmd.
And then run this code npm install -g ionic#latest cordova
Use sudo npm install -g appium.
I have a repository containing a package.json which contains scoped dependencies. I also have an .npmignore file intended to whitelist all files and subdirectories in dist/. The problem is all of the scoped dependencies are included when running npm install #private/a another repository. This includes both private npm packages and public packages such as #uirouter.
package.json:
{
"name": "#private/a",
"version": "1.0.0",
"description": "",
"main": "dist/index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"repository": {
"type": "git",
"url": "git+ssh://git#bitbucket.org/private/a.git"
},
"author": "",
"license": "ISC",
"homepage": "https://bitbucket.org/private/a#readme",
"devDependencies": {
"gulp": "^3.9.1",
"gulp-angular-embed-templates": "^2.3.0",
"gulp-concat": "^2.6.1",
"gulp-jshint": "^2.0.4",
"gulp-rename": "^1.2.2",
"gulp-sass": "^3.0.0",
"gulp-uglify": "^2.0.0",
"jshint": "^2.9.4"
},
"dependencies": {
"#private/b": "^1.0.0",
"#private/c": "^1.0.0"
}
}
.npmignore
**
!dist/**
Despite these two files when I run npm install #private/a --save within another repository it is installing the dependency along with all it's scoped dependencies:
/node_modules/#private/a/dist/index.js
/node_modules/dist/css/styles.css
/node_modules/#private/a/node_modules/#private/b
/node_modules/#private/a/node_modules/#private/c
package.json
It should only be this:
/node_modules/#private/a/dist/index.js
/node_modules/dist/css/styles.css
package.json
How can I achieve this? I have tried different variations of the .npmignore but have not had any luck.
.npmignore is irrelevant to what you are trying to do. This file only decides which parts of your npm package code ends up in npm registry. So it is working as advertised.
Your problem must be in your npmconfig or because of using an older version of npm. The latest version installs stuff as so:
/node_modules/#private/a/dist/index.js
/node_modules/#private/b/...
/node_modules/#private/c/...
package.json
I have verified that this is happening with latest npm. But there used to be a time when npm installed dependencies into a nested structure. See this for example. So I suggest:
Making sure you have latest node and npm.
Making sure your npm config is not forcing legacy bundling. Run npm get legacy-bundling. Make sure this is false.
There are few cases where the nesting of dependencies happens legitimately even with the latest npm. See this. But I am guessing your problem is not due to this. You can test by simply doing npm install #private/a in an empty folder.
Node will install your package files along with all the dependencies declared under dependencies field.
How the dependencies tree is build, depends on which version of npm do you use.
If your package doesn't need those dependencies to run, it means they are just dev dependencies and you can safely list them under devDependencies field.
Dev dependencies are only installed when you run an npm install inside the plugin directory.
You need to lock your dependency. You might want to check out npm shrinkwrap.
I have a project in a personal private git, I downloaded in another computer and when trying to download the packages in packages.json i got this error message:
pablo#debian:~/Documents/clients/stock$ npm install
npm WARN package.json Stock#0.0.1 No repository field.
npm WARN package.json Stock#0.0.1 No README data
This is the content of the packages.json
{
"name": "Stock",
"version": "0.0.1",
"description": "Stock App",
"devDependencies": {
"grunt": "~0.4.5",
"grunt-contrib-watch": "^0.6.1",
"grunt-execute": "^0.2.2",
"socket.io": "latest",
"mysql": "latest",
"express": "latest",
"path": "latest",
"express-session": "latest",
"cookie-parser": "latest",
"ejs": "latest"
},
"dependencies": {
"socket.io": "~1.3.7",
"body-parser": "~1.14.1"
}
}
What can I do, to packages to download, and why in my other computer I don't get this error?
These warnings are just warnings, and don't indicate anything reason that the dependencies would not have downloaded.
The package.json file shown is working perfectly for me. To debug your issue, try removing the node_modules folder and running npm install again. Note that if the packages are already in the node_modules folder, npm install won't download them again.
If you want to fix the warnings:
Before devDependencies, add a repository option; i.e. something like:
"repository": {
"type": "git",
"url": "[git-url-of-your-project]"
},
The URL doesn't have to be a github one, just whatever you use to git
clone the project on another computer.
Add a file called README or README.md and write a few words about what the project is in it.
Mark your application as private to suppress all warnings by adding "private": true
{
"name": "Stock",
"version": "1.0.1",
"private": true
}
I found removing the node_modules folder and doing 'npm install' from fresh seemed to fix my issues.
Just add your package.json file from
C:\Program Files\nodejs\node_modules\npm
to
C:\Windows\System32
and everything will be fine and working. Hope it helps.
I'm using npm v1.4.4 and node v0.10.25 on Mac OS X 10.9.2.
I've recently upgraded node and npm, and now npm install is no longer creating the .bin directory in node_modules.
I've deleted node_modules, tried npm install again, but the directory and binaries are never created.
Does anybody have any ideas as to why this is happening?
Here is my package.json:
{
"name": "redacted",
"author": {},
"description": "redacted",
"dependencies": {
},
"devDependencies": {
"karma": "*",
"karma-coverage": "0.1.2",
"karma-junit-reporter": "*",
"karma-coffee-preprocessor": "~0.1",
"grunt": "^0.4.2",
"grunt-contrib-requirejs": "^0.4.3",
"grunt-contrib-concat": "^0.3.0",
"grunt-contrib-sass": "^0.7.2",
"grunt-contrib-htmlmin": "^0.2.0",
"grunt-contrib-cssmin": "^0.7.0",
"grunt-contrib-coffee": "^0.10.1",
"grunt-contrib-uglify": "^0.3.3",
"grunt-contrib-jst": "^0.5.1",
"grunt-contrib-qunit": "^0.4.0",
"grunt-contrib-jshint": "^0.8.0",
"grunt-contrib-watch": "^0.5.3",
"grunt-contrib-jasmine": "^0.6.1",
"grunt-contrib-compress": "^0.6.1",
"grunt-contrib-handlebars": "^0.6.1",
"grunt-contrib-less": "^0.9.0",
"grunt-contrib": "^0.9.0"
}
}
I know this is an old post but I experienced the same issue recently. I had copied files from an existing project including package.json and package-lock.json. The package-lock.json was what prevented the node_module/.bin directory from being created.
The solution was to delete the node_modules directory and package-lock.json and run npm install again
The ./node_modules/.bin directory is where npm creates links to a node package's binary. From https://docs.npmjs.com/files/folders#executables
Executables
When in global mode, executables are linked into
{prefix}/bin on Unix, or directly into {prefix} on Windows.
When in local mode, executables are linked into ./node_modules/.bin so
that they can be made available to scripts run through npm. (For
example, so that a test runner will be in the path when you run npm
test.)
The package.json you pasted above do not have a bin section. Take a look at this example from npm's package.json
{
"version": "1.4.9",
"name": "npm",
"publishConfig": {
"proprietary-attribs": false
},
"description": "A package manager for node",
...
...
"main": "./lib/npm.js",
"bin": "./bin/npm-cli.js",
"dependencies": {
"abbrev": "~1.0.4",
"ansi": "~0.2.1",
...
...
Specifically the line "bin": "./bin/npm-cli.js" will tell npm to create a link at ./node_modules/.bin/npm to node_modules/npm/npm-cli.js
Seems that all your dependencies are dev dependencies.
Could you see if your NODE_ENV environment variable is set to production now? If yes you will need to change it back.
Also, any error happened during installation?
If all packages installed, only the .bin is gone.
you can just run npm rebuild
In my case I had webpack running in watch mode in another console window. I did not get any errors during npm install so it took me a moment to notice.
Ensure the dependencies are not in use, such as karma running tests or webpack running in watch mode
Delete the dependency folders, such as node_modules/karma, or the entire node_modules folder. NPM does not seem to create symlink files in .bin folder if dependency folder already exists.
Retry npm install
With NPM 6.7.0.
Not really an answer to your question, but because I had a similar situation: I run npm with the --no-bin-links option on my VM so my windows host doesn't complain. And then later I don't find the bin links folder... duh!
This could happen because of the broken npm. Try following command from the npm troubleshooting and it should just work fine.
curl -L https://www.npmjs.org/install.sh | sh