I am a beginner to NodeJS and during the installation of packages I encountered some vulnerabilities error. I have encountered a few errors previously as well. And which were fixed by simply updating the packages. Also, 'npm audit fix' didn't help. Following is the result of 'npm audit'. Can anyone tell me, how can I update these dependencies manually?
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Command Injection
Package tree-kill
Patched in >=1.2.2
Dependency of #angular-devkit/build-angular [dev]
Path #angular-devkit/build-angular > #ngtools/webpack > tree-kill
More info https://npmjs.com/advisories/1432
High Command Injection
Package tree-kill
Patched in >=1.2.2
Dependency of #angular-devkit/build-angular [dev]
Path #angular-devkit/build-angular > tree-kill
More info https://npmjs.com/advisories/1432
found 2 high severity vulnerabilities in 16547 scanned packages
2 vulnerabilities require manual review. See the full report for details.
Also, can I update the 'tree-kill' package under the path '#angular-devkit/build-angular > #ngtools/webpack > tree-kill' and '#angular-devkit/build-angular > tree-kill' manually? If Yes, then how do I do it?
npm version - 6.12.1
node version - 12.13.1
Thank You for helping!
Related
Im having issues deploying my react app to Vercel. I believe it is failing to compile due to Vercel not being able to resolve './index.css', not sure what needs to be modified to fix this issue.
Here are the logs:
[12:22:08.385] Cloning completed: 1.218s
[12:22:08.459] Installing build runtime...
[12:22:10.412] Build runtime installed: 1.953s
[12:22:10.773] No Build Cache available
[12:22:10.926] Installing dependencies...
[12:22:20.413] npm WARN deprecated source-map-url#0.4.1: See https://github.com/lydell/source-map-url#deprecated
[12:22:20.902] npm WARN deprecated source-map-resolve#0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
[12:22:24.009] npm WARN deprecated formidable#1.2.6: Please upgrade to latest, formidable#v2 or formidable#v3! Check these notes:
[12:22:26.196] npm WARN deprecated superagent#5.3.1: Please upgrade to v7.0.2+ of superagent. We have fixed numerous issues with streams, form-data, attach(), filesystem errors not bubbling up (ENOENT on attach()), and all tests are now passing. See the releases tab for more information at <https://github.com/visionmedia/superagent/releases>.
[12:22:26.972] npm WARN deprecated svgo#1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
[12:22:34.604]
[12:22:34.604] added 1420 packages in 23s
[12:22:34.605]
[12:22:34.605] 170 packages are looking for funding
[12:22:34.605] run `npm fund` for details
[12:22:34.830] Detected `package-lock.json` generated by npm 7...
[12:22:34.830] Running "npm run build"
[12:22:35.098]
[12:22:35.098] > collage#0.1.0 build
[12:22:35.099] > react-scripts build
[12:22:35.099]
[12:22:36.313] Creating an optimized production build...
[12:22:37.029] Failed to compile.
[12:22:37.030]
[12:22:37.030] Module not found: Error: Can't resolve './index.css' in '/vercel/path0/src'
[12:22:37.030]
[12:22:37.030]
[12:22:37.046] Error: Command "npm run build" exited with 1
Resolved:
Case sensitivity issue. File name updated from 'Index.css' to 'index.css'.
I wanted to start learning React Native using Expo, but I cannot install it using npm.
When I run the command npm install -g expo-cli, it gives me the following error:
added 825 packages, and audited 826 packages in 53s
28 packages are looking for funding
run `npm fund` for details
10 vulnerabilities (4 low, 6 moderate)
To address all issues, run:
npm audit fix
Run `npm audit` for details.
It told me to run npm audit fix and I tried the command right away.
However, the error stills seem to remain
# npm audit report
node-fetch <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
Denial of Service - https://npmjs.com/advisories/1556
fix available via `npm audit fix --force`
Will install expo#1.0.0, which is a breaking change
node_modules/node-fetch
isomorphic-fetch 2.0.0 - 2.2.1
Depends on vulnerable versions of node-fetch
node_modules/isomorphic-fetch
fbjs 0.7.0 - 1.0.0
Depends on vulnerable versions of isomorphic-fetch
node_modules/fbjs
fbemitter 2.0.3 - 3.0.0-alpha.1
Depends on vulnerable versions of fbjs
node_modules/fbemitter
expo >=14.0.0
Depends on vulnerable versions of expo-constants
Depends on vulnerable versions of fbemitter
node_modules/expo
xmldom *
Severity: moderate
Misinterpretation of malicious XML input - https://npmjs.com/advisories/1769
fix available via `npm audit fix --force`
Will install expo#1.0.0, which is a breaking change
node_modules/xmldom
#expo/plist <=0.0.13
Depends on vulnerable versions of xmldom
node_modules/expo-constants/node_modules/#expo/plist
#expo/config-plugins <=3.0.8
Depends on vulnerable versions of #expo/plist
node_modules/expo-constants/node_modules/#expo/config-plugins
#expo/config 3.3.23-alpha.0 - 5.0.8
Depends on vulnerable versions of #expo/config-plugins
node_modules/expo-constants/node_modules/#expo/config
expo-constants >=10.1.2
Depends on vulnerable versions of #expo/config
node_modules/expo-constants
expo >=14.0.0
Depends on vulnerable versions of expo-constants
Depends on vulnerable versions of fbemitter
node_modules/expo
10 vulnerabilities (4 low, 6 moderate)
To address all issues (including breaking changes), run:
npm audit fix --force
I tried running npm audit fix --force and it gave me the following outcome.
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating expo to 1.0.0,which is a SemVer major change.
removed 824 packages, changed 1 package, and audited 2 packages in 19s
found 0 vulnerabilities
I thought it worked and I tried running the command expo and expo-cli and bash told me that the command could not be found.
When I try to run my expo project I get this message:
D:\React\myproject>npm start
> start
> expo start
Starting project at D:\React\myproject
Unable to find expo in this project - have you run yarn / npm install yet?
If I run npm install i get this:
D:\React\myproject>npm install
npm notice Beginning October 4, 2021, all connections to the npm registry - including for package installation - must use TLS 1.2 or higher. You are currently using plaintext http to connect. Please visit the GitHub blog for more information: https://github.blog/2021-08-23-npm-registry-deprecating-tls-1-0-tls-1-1/
up to date, audited 940 packages in 4s
18 packages are looking for funding
run `npm fund` for details
12 vulnerabilities (6 low, 6 moderate)
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
And this is what I get when I run npm audit:
D:\React\myproject>npm audit
npm notice Beginning October 4, 2021, all connections to the npm registry - including for package installation - must use TLS 1.2 or higher. You are currently using plaintext http to connect. Please visit the GitHub blog for more information: https://github.blog/2021-08-23-npm-registry-deprecating-tls-1-0-tls-1-1/
# npm audit report
node-fetch =0.22.0-rc
Depends on vulnerable versions of #react-native-community/cli
Depends on vulnerable versions of #react-native-community/cli-platform-ios
Depends on vulnerable versions of fbjs
node_modules/react-native
node_modules/react-native/node_modules/react-native
metro-config =0.3.2
Depends on vulnerable versions of xmldom
node_modules/plist
#react-native-community/cli-platform-ios *
Depends on vulnerable versions of plist
Depends on vulnerable versions of xcode
node_modules/#react-native-community/cli-platform-ios
react-native =0.22.0-rc
Depends on vulnerable versions of #react-native-community/cli
Depends on vulnerable versions of #react-native-community/cli-platform-ios
Depends on vulnerable versions of fbjs
node_modules/react-native
node_modules/react-native/node_modules/react-native
#react-native-community/cli *
Depends on vulnerable versions of metro
Depends on vulnerable versions of react-native
node_modules/react-native/node_modules/#react-native-community/cli
simple-plist *
Depends on vulnerable versions of plist
node_modules/simple-plist
xcode >=0.8.3
Depends on vulnerable versions of simple-plist
node_modules/xcode
12 vulnerabilities (6 low, 6 moderate)
Some issues need review, and may require choosing
a different dependency.
This happens since I tried to update expo sdk, but I don't know what I did wrong. Can someone help me with this?
Run npm config set registry https://registry.npmjs.org/
Some computers are still running with http://registry.npmjs.org/ which is not going to be allowed anymore for security reasons.
You may try adding a .npmrc file and update the repo allocation under the user\xxx directory.
registry=https://registry.npmjs.org/
I recently updated my version of angular using ng update
and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests to upgrade a package from package.json like: "angular-devkit/build-angular" but I am already using their latest version.
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of #angular-devkit/build-angular [dev]
Path #angular-devkit/build-angular > node-sass > node-gyp > tar
More info https://npmjs.com/advisories/803
found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
I thought of installing npm i tar but I am not sure.
The following worked for me:
Go to node_modules > node_gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.
Then run:
npm i
npm audit
npm audit fix
npm audit
you should see 0 vulnerabilities.
I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.
angular-cli relies on node-gyp, who have an open issue for this: https://github.com/nodejs/node-gyp/issues/1714
To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.
You should search in your package-lock.json this:
"tar": {
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
And reemplace for that:
"tar": {
"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
That worked for me
I got 18 vulnerabilities by giving npm audit , then i went for the one which is labeled as high.
here is its detail,
High Denial-of-Service Memory Exhaustion
Package qs
Patched in >= 1.x
Dependency of google-search-scraper
Path google-search-scraper > request > qs
More info https://nodesecurity.io/advisories/29
it seems like we need to update request package , so by >npm i request
i have installed it.
now what next, the audit command is giving same results again
please help ,
Thank you
EDIT
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of botkit
Path botkit > botbuilder > jsonwebtoken > joi > hoek
More info https://nodesecurity.io/advisories/566
As the report says, qs vulnerability has been fixed in 1.x. It's not a problem for latest request versions. google-search-scraper has request#~2.33.0 dependency that depends on qs#~0.6.0. Regardless of which request version is installed in the project, google-search-scraper will continue to use 2.33.x version that contains vulnerability.
google-search-scraper should be forked and used instead of original package, request dependency version should be updated in a fork, e.g. to request#^2.33.0. Additionally, an issue can be opened in package repository and supplemented with a PR.
A solution that has worked for me is by initially creating JSON file which will be the manifest. Before installing the npm package start with the followingnpm init -y
that way you agree to all the details that will be added by the JSON file, you can edit them afterwards.
Then proceed with npm install <package name>