So I run npm audit and all of the vulnerabilities are due to some dependency in npm, particularly node-gyp, which is using a vulnerable version of tar. Note that I don't have node-gyp in my package.json.
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.2.2 <3.0.0 || >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
I tried updating to the latest version of npm but I still get the same audit report. It’s quite nested. How do I resolve this?
I'm trying to install my project in prod:
$ cat package.json
{
"name": "socket-server",
"version": "1.0.0",
"description": "real time server",
"main": "package",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^4.13.3",
"socket.io": "^2.1.1",
"uglify": "^0.1.5"
}
}
with the command sudo npm install, but there is an error:
$sudo npm audit
=== npm audit security report ===
# Run npm install socket.io@2.1.1 to resolve 9 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ socket.io > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ socket.io > engine.io > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ socket.io > socket.io-adapter > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ socket.io > socket.io-client > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ socket.io > socket.io-client > engine.io-client > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ socket.io > socket.io-adapter > socket.io-parser > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ socket.io > socket.io-client > socket.io-parser > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ socket.io > socket.io-parser > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ parsejson │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ socket.io │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ socket.io > socket.io-client > engine.io-client > parsejson │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/528 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.0.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ uglify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ uglify > grunt > findup-sync > glob > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.0.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ uglify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ uglify > grunt > glob > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.0.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ uglify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ uglify > grunt > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ uglify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ uglify > grunt > findup-sync > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ uglify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ uglify > grunt > grunt-legacy-log > grunt-legacy-log-utils > │
│ │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ uglify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ uglify > grunt > grunt-legacy-log > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ uglify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ uglify > grunt > grunt-legacy-util > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ uglify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ uglify > grunt > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ uglify-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ uglify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ uglify > grunt-contrib-uglify > uglify-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/48 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 18 vulnerabilities (14 low, 4 high) in 291 scanned packages
9 vulnerabilities require semver-major dependency updates.
9 vulnerabilities require manual review. See the full report for details.
I tried what it said:
$ sudo npm audit fix --force
npm WARN using --force I sure hope you know what you are doing.
npm WARN socket-server@1.0.0 No repository field.
+ socket.io@2.1.1
added 2 packages from 2 contributors, removed 16 packages and updated 18 packages in 2.228s
fixed 9 of 18 vulnerabilities in 291 scanned packages
9 vulnerabilities required manual review and could not be updated
1 package update for 9 vulns involved breaking changes
(installed due to `--force` option)
So what can I do?
$ npm -v
6.4.1
$ node -v
v8.11.3
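Both reports above hinge on reading the Path column. Its first segment is the direct dependency in the project's own tree that pulls the vulnerable package in (npm audit scans the project's package-lock.json, so "Dependency of npm" means a copy of the npm package installed under the project's node_modules, which upgrading the global npm does not change), and the SEMVER WARNING and Manual Review headings separate what npm audit fix can apply on its own from what needs a breaking change or a hand fix. The following added example, which is not code from either post, reads the JSON form of an npm 6 report (npm audit --json) and groups the findings along exactly those lines. The report object is constructed by hand to mirror the tables quoted above; the package versions in it are invented, and the lodash entry is made auto-fixable purely so that all three fix categories appear.

```javascript
// Added example (not from the original posts). Summarises an npm 6
// `npm audit --json` report: which top-level dependency pulls each
// vulnerable package in, and which findings need a breaking change or
// manual review. The report below is constructed to mirror the tables
// in the posts; package versions are invented, and lodash is made
// auto-fixable here purely so that all three categories are exercised.
'use strict';

const sampleReport = {
  actions: [
    { action: 'install', module: 'socket.io', target: '2.1.1', isMajor: true,
      resolves: [{ id: 534, path: 'socket.io>debug' },
                 { id: 534, path: 'socket.io>engine.io>debug' }] },
    { action: 'update', module: 'lodash', target: '4.17.11', depth: 3, isMajor: false,
      resolves: [{ id: 577, path: 'uglify>grunt>lodash' }] },
    { action: 'review', module: 'tar',
      resolves: [{ id: 803, path: 'npm>npm-lifecycle>node-gyp>tar' }] },
    { action: 'review', module: 'minimatch',
      resolves: [{ id: 118, path: 'uglify>grunt>minimatch' },
                 { id: 118, path: 'uglify>grunt>glob>minimatch' }] },
  ],
  advisories: {
    534: { id: 534, module_name: 'debug', severity: 'low',
           title: 'Regular Expression Denial of Service',
           patched_versions: '>=2.6.9 <3.0.0 || >=3.1.0',
           findings: [{ version: '2.2.0', paths: ['socket.io>debug', 'socket.io>engine.io>debug'] }] },
    577: { id: 577, module_name: 'lodash', severity: 'low', title: 'Prototype Pollution',
           patched_versions: '>=4.17.5',
           findings: [{ version: '4.17.4', paths: ['uglify>grunt>lodash'] }] },
    803: { id: 803, module_name: 'tar', severity: 'high', title: 'Arbitrary File Overwrite',
           patched_versions: '>=2.2.2 <3.0.0 || >=4.4.2',
           findings: [{ version: '2.2.1', paths: ['npm>npm-lifecycle>node-gyp>tar'] }] },
    118: { id: 118, module_name: 'minimatch', severity: 'high',
           title: 'Regular Expression Denial of Service', patched_versions: '>=3.0.2',
           findings: [{ version: '0.2.14', paths: ['uglify>grunt>minimatch', 'uglify>grunt>glob>minimatch'] }] },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// The first segment of an audit path is the project's direct dependency
// (the "Dependency of" column); the last segment is the vulnerable package.
function pathRoot(path) {
  return path.split('>')[0];
}

function summarize(report) {
  // Group every vulnerable path under the direct dependency that owns it.
  const roots = {};
  for (const adv of Object.values(report.advisories)) {
    for (const finding of adv.findings) {
      for (const p of finding.paths) {
        const root = pathRoot(p);
        const entry = roots[root] || (roots[root] = { modules: [], paths: 0, worst: 'info' });
        if (!entry.modules.includes(adv.module_name)) entry.modules.push(adv.module_name);
        entry.paths += 1;
        if (SEVERITY_RANK[adv.severity] > SEVERITY_RANK[entry.worst]) entry.worst = adv.severity;
      }
    }
  }
  for (const e of Object.values(roots)) e.modules.sort();

  // npm 6 emits one action per fix it could compute. `review` means it found
  // none; `isMajor` marks the ones `npm audit fix` only applies with --force.
  const byKind = { auto: [], breaking: [], manual: [] };
  for (const a of report.actions) {
    const ids = [...new Set(a.resolves.map((r) => r.id))];
    const item = { module: a.module, target: a.target, ids };
    if (a.action === 'review') byKind.manual.push(item);
    else if (a.isMajor) byKind.breaking.push(item);
    else byKind.auto.push(item);
  }

  // Paths that pass through a package literally named `npm` point at a copy
  // of npm installed inside the project's node_modules. Upgrading the global
  // npm (`npm install -g npm@latest`) never changes that copy.
  const insideNestedNpm = [];
  for (const adv of Object.values(report.advisories)) {
    for (const f of adv.findings) {
      for (const p of f.paths) if (p.split('>').includes('npm')) insideNestedNpm.push(p);
    }
  }
  return { roots, byKind, insideNestedNpm };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(summarize(sampleReport), null, 2));
}
```

To run it against a real project, save npm audit --json to a file, JSON.parse it and pass the object to summarize in place of sampleReport. Anything listed under insideNestedNpm will survive every global npm upgrade; it only goes away when the direct dependency at the head of that path stops depending on npm, or when that dependency is removed.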
I've started making a habit of regularly checking npm audit on most of my projects, and if I find one of my dependencies has a vulnerability I either try to patch it for them (via pull request) or report the issue (via GitHub issue).
However I recently installed a package and noticed some really quirky behavior:
$ > npm install --save fingerprintjs2
+ fingerprintjs2@1.8.0
added 564 packages from 744 contributors and audited 4667 packages in 6.341s
found 9 vulnerabilities (2 low, 5 moderate, 2 high)
run `npm audit fix` to fix them, or `npm audit` for details
$ > npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Out-of-bounds Read │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > libcipm > npm-lifecycle > node-gyp > │
│ │ request > stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/664 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Out-of-bounds Read │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > node-gyp > request > stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/664 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Out-of-bounds Read │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > npm-lifecycle > node-gyp > request > │
│ │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/664 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Out-of-bounds Read │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > npm-registry-client > request > │
│ │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/664 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Out-of-bounds Read │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.0.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > request > stringstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/664 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ http-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.1.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > npm-profile > make-fetch-happen > │
│ │ http-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/607 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ https-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.2.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > npm-profile > make-fetch-happen > │
│ │ https-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/593 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > cli-table2 > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fingerprintjs2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fingerprintjs2 > npm > npm-audit-report > cli-table2 > │
│ │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 9 vulnerabilities (2 low, 5 moderate, 2 high) in 4667 scanned packages
9 vulnerabilities require manual review. See the full report for details.
At first glance it looks like fingerprintjs2 may have many poor dependencies, but looking closer at the specific dependencies, all of the vulnerabilities are reported to be within npm itself! Worse yet, they all seem to be basically the same 3 dependencies:
stringstream
fingerprintjs2 > npm > libcipm > npm-lifecycle > node-gyp > request > stringstream
fingerprintjs2 > npm > node-gyp > request > stringstream
fingerprintjs2 > npm > npm-lifecycle > node-gyp > request > stringstream
fingerprintjs2 > npm > npm-registry-client > request > stringstream
fingerprintjs2 > npm > request > stringstream
http-proxy-agent
fingerprintjs2 > npm > npm-profile > make-fetch-happen > http-proxy-agent
fingerprintjs2 > npm > npm-profile > make-fetch-happen > https-proxy-agent
lodash
fingerprintjs2 > npm > cli-table2 > lodash
fingerprintjs2 > npm > npm-audit-report > cli-table2 > lodash
I didn't get this strange behavior from any of my other packages (I've installed vue, vuex, vue-router, jquery, bootstrap, fontawesome, sha1, express, gulp, ... just tons of stuff, but I've never seen this), so I knew that it had to somehow be related to FingerprintJS.
Looking at their package.json file for a lead, they actually have no dependencies, and only a handful of devDependencies (all build tools):
{
"name": "fingerprintjs2",
"version": "1.8.0",
"description": "Modern & flexible browser fingerprinting library",
"repository": {
"type": "git",
"url": "https://github.com/Valve/fingerprintjs2.git"
},
"keywords": [
"browser",
"identification",
"fingerprint",
"fingerprinting",
"privacy"
],
"author": "Valentin Vasilyev",
"license": "MIT",
"bugs": {
"url": "https://github.com/Valve/fingerprintjs2/issues"
},
"homepage": "https://github.com/Valve/fingerprintjs2",
"main": "dist/fingerprint2.min.js",
"devDependencies": {
"gulp": "^3.9.1",
"gulp-rename": "^1.2.2",
"gulp-standard": "^10.1.1",
"gulp-uglify": "^3.0.0",
"standard": "^10.0.3"
},
"scripts": {
"test": "specs/phantomjs.runner.sh specs/spec_runner.html",
"gulp": "gulp",
"lint": "standard --fix"
},
"standard": {
"ignore": [
"specs/lib",
"specs/phantomjs-testrunner.js"
]
}
}
What is going on here?
I've tried upgrading NodeJS (now on version v10.4.0) and NPM (now on version 6.1.0) but it didn't help.
The only clue I have is the following:
$ > npm ls npm
test-audit@1.0.0 /home/sbarnett/src/test-audit
└─┬ fingerprintjs2@1.8.0
  └── npm@5.10.0
For some reason FingerprintJS seems to require npm version 5.10.0 even though I have 6.1.0 installed. I have no idea why it would require this version, though, as there's no mention of it in the package.json file.
Update
Whatever the cause was of this strange bug, it's no longer happening when I start a new project and install fingerprintjs2, so I believe one of the dependencies of fingerprintjs2 was updated and corrected the issue.
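The post above ends up at the right tool, npm ls npm, which walks the installed tree and shows that fingerprintjs2 is the package that brings npm (and everything under it) into the project. The same question can be answered from package-lock.json alone, which is useful in CI where node_modules is not present. The following added example, which is not code from the post or from the fingerprintjs2 project, lists every dependency chain in a lockfileVersion 1 package-lock.json (the npm 5/6 format) that leads to a given package. It follows the lockfile's requires edges and resolves each name the way Node does: nearest enclosing node_modules first, then outward to the top level, which is what makes a nested older copy of a package show up with its own version. The lockfile object is constructed to match the npm ls output quoted above; every version in it other than npm@5.10.0 and fingerprintjs2@1.8.0 is invented, as is the nested copy of tar under node-gyp.

```javascript
// Added example (not from the original post). Lists every dependency chain in
// a lockfileVersion 1 package-lock.json (npm 5/6 format) that leads to a given
// package, following `requires` edges and resolving each name the way Node
// does: nearest enclosing node_modules first, then outward. The lockfile below
// is constructed to match the `npm ls npm` output in the post; every version
// except npm@5.10.0 and fingerprintjs2@1.8.0 is invented, as is the nested,
// older copy of tar under node-gyp.
'use strict';

const sampleLock = {
  name: 'test-audit', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    fingerprintjs2: { version: '1.8.0', requires: { npm: '5.10.0' } },
    npm: { version: '5.10.0',
           requires: { 'node-gyp': '3.6.2', 'npm-lifecycle': '2.0.3', tar: '4.4.4' } },
    'npm-lifecycle': { version: '2.0.3', requires: { 'node-gyp': '3.6.2' } },
    'node-gyp': { version: '3.6.2', requires: { tar: '2.2.1' },
                  // node-gyp's own node_modules holds an older tar than the top level
                  dependencies: { tar: { version: '2.2.1' } } },
    tar: { version: '4.4.4' },
    express: { version: '4.16.3' },
  },
};

// Enumerate simple chains root -> ... -> target. `roots` should be the names
// from the project's own package.json, because hoisting puts transitive
// packages at the top level of the lockfile too. `limit` bounds the output on
// large trees, where the number of distinct chains can grow quickly.
function chainsTo(lock, target, roots, limit = 1000) {
  const top = lock.dependencies || {};
  const found = [];

  // scopes: the enclosing node_modules maps, outermost first, innermost last.
  function visit(name, entry, scopes, chain, onPath) {
    if (found.length >= limit || onPath.has(entry)) return; // cap + cycle guard
    const here = chain.concat(name);
    if (name === target) found.push({ path: here.join(' > '), version: entry.version });
    onPath.add(entry);
    // A package's own `dependencies` block is its private node_modules.
    const inner = entry.dependencies ? scopes.concat([entry.dependencies]) : scopes;
    for (const req of Object.keys(entry.requires || {})) {
      // Node resolution order: innermost node_modules first, then outward.
      for (let i = inner.length - 1; i >= 0; i -= 1) {
        if (Object.prototype.hasOwnProperty.call(inner[i], req)) {
          visit(req, inner[i][req], inner.slice(0, i + 1), here, onPath);
          break;
        }
      }
    }
    onPath.delete(entry);
  }

  for (const name of roots || Object.keys(top)) {
    if (Object.prototype.hasOwnProperty.call(top, name)) visit(name, top[name], [top], [], new Set());
  }
  return found;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of chainsTo(sampleLock, 'tar', ['fingerprintjs2', 'express'])) {
    console.log(`${c.path}  (tar@${c.version})`);
  }
}
```

Run against the sample with target tar, the output shows two chains ending at the nested tar 2.2.1 under node-gyp and one ending at the top-level tar 4.4.4, which is the situation behind the "Dependency of npm" rows in the audit tables: the copy that matters is the nested one, and only a change to node-gyp (or to whatever pulls node-gyp in) replaces it. Lockfiles written by npm 7 and later use lockfileVersion 2 or 3 and record the tree under a packages map keyed by path instead; the resolution rule is the same, but the walk has to be adapted to that layout.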
After each installation of a new npm module in my project I get the following error:
[!] 40 vulnerabilities found - Packages audited: 5840 (0 dev, 299 optional)
Severity: 8 Low | 24 Moderate | 8 High
So then I run npm audit and I get the details for each of the 40 vulnerabilities such as :
# Run npm install npm@6.0.1 to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > request > hawk > │
│ │ boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
or this:
# Run npm update fsevents --depth 2 to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ chokidar > fsevents > node-pre-gyp > tar-pack > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
So I ran npm install npm@6.0.1 (even though I already had 6.0.1), then npm update fsevents --depth 2. But after that I re-ran npm audit and nothing had changed; I still have the same 40 vulnerabilities, and some of them are really scary. What should I do?
This worked for me on macOS:
Update npm to the new 6.1.0. It introduces an 'npm audit fix' command; more info here.
Run 'npm audit fix'.
When you run 'npm audit' again, the only vulnerabilities left should be "Manual Review" issues.
This seems to be a bug in npm 6.0.1 related to handling of optional dependencies: https://github.com/npm/npm/issues/20577
This worked for me:
Do the npm audit suggestions that aren't npm updates
Delete package-lock.json
Delete the node_modules folder
Run npm install again
https://github.com/npm/npm/issues/20684
Source: https://github.com/npm/npm/issues/20675.
One fsevents issue may have to do with the fact that fsevents can't be installed on Windows, so you will have to update it on a macOS machine.
That's a bit strange, since exhnozoaa's solution, as of this date, seems to imply otherwise:
I was able to work around this on Windows with the following steps.
Open package-lock.json in an editor.
Search for "fsevents". Find the one that is an object directly under "dependencies".
Delete "fsevents" (the key and the whole object).
From the terminal, run npm install.
This should regenerate that section with the latest version that is compatible with the other packages. I don't really think this is a good way to fix it, but it is one that worked for me.
This is a follow-up question to my earlier question (but is an independent question).
I am trying to install react and react-dom on a Mac:
npm install --save react react-dom
but get the following warnings (path names replaced with ...):
npm WARN saveError ENOENT: no such file or directory, open '/Users/../Z/package.json'
/Users/.../Z
├─┬ react@15.4.1
│ ├─┬ fbjs@0.8.8
│ │ ├── core-js@1.2.7
│ │ ├─┬ isomorphic-fetch@2.2.1
│ │ │ ├─┬ node-fetch@1.6.3
│ │ │ │ ├─┬ encoding@0.1.12
│ │ │ │ │ └── iconv-lite@0.4.15
│ │ │ │ └── is-stream@1.1.0
│ │ │ └── whatwg-fetch@2.0.1
│ │ ├─┬ promise@7.1.1
│ │ │ └── asap@2.0.5
│ │ ├── setimmediate@1.0.5
│ │ └── ua-parser-js@0.7.12
│ ├─┬ loose-envify@1.3.0
│ │ └── js-tokens@2.0.0
│ └── object-assign@4.1.0
└── react-dom@15.4.1
npm WARN enoent ENOENT: no such file or directory, open '/Users/.../Z/package.json'
npm WARN Z No description
npm WARN Z No repository field.
npm WARN Z No README data
npm WARN Z No license field.
I searched around a bit but did not find a good reason for these warnings. SO posts like these seem to suggest installing react in the same directory where node modules are installed. My node is installed in usr/local/bin but package.json does not appear anywhere on the machine, even on a global search. I just installed npm before trying to install react, so I don't think it's a versioning issue.
If this is a brand new project, it can be resolved by running npm init from the root directory of your project (where you want package.json to be created) and pressing "ENTER" at all of the prompts to accept the default answers. (It is easy to change your responses by directly modifying the package.json file later.)
Once the package.json has been created, you will be able to run npm install commands!
Actually for me it just worked like this:
I ran npx create-react-app "nameOfProject". If you type npm start in the same folder it won't work, because it tries to find the package.json in the same folder, when your package.json is in the subfolder (the folder of the "nameOfProject").
Run cd "nameOfProject" to change the directory and then run npm start.
Check the folder you're in. Usually after using npx create-react-app, you'll be in the same folder. You will need to cd into the new folder that is created after running the above command. There you'll find package.json.
I'm trying to learn how to use gulp / sass / and all the other fun tools with Nodejs and I'm having an issue installing gulp-sass. The process I'm using to install everything is:
1. Start Git Bash in the project folder
2. npm init
3. npm install gulp -g
4. npm install gulp --save-dev
5. npm install gulp-sass <- this is where I get errors
Once I get to step five, I get the following error:
$ npm install gulp-sass
npm WARN package.json project#1.0.0 No repository field.
npm WARN package.json project#1.0.0 No README data
-
> node-sass#3.2.0 install \\primary\home\mendsley\profile\Desktop\project\node_modules\gulp- sass\node_modules\node-sass
> node scripts/install.js
'\\primary\home\mendsley\profile\Desktop\project\node_modules\gulp- sass\node_modules\node-sass'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
module.js:338
throw err;
^
Error: Cannot find module 'C:\Windows\scripts\install.js'
at Function.Module._resolveFilename (module.js:336:15)
at Function.Module._load (module.js:278:25)
at Function.Module.runMain (module.js:501:10)
at startup (node.js:129:16)
at node.js:814:3
npm ERR! Windows_NT 6.1.7601
npm ERR! argv "c:\\Program Files\\nodejs\\node.exe" "c:\\Users\\mendsley\\AppData\\Roaming\\npm\\node_modules\\npm\\bin\\npm-cli.js" "install" "gulp-sass"
npm ERR! node v0.12.1
npm ERR! npm v2.13.1
npm ERR! code ELIFECYCLE
npm ERR! node-sass#3.2.0 install: `node scripts/install.js`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the node-sass#3.2.0 install script 'node scripts/install.js'.
npm ERR! This is most likely a problem with the node-sass package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node scripts/install.js
npm ERR! You can get their info via:
npm ERR! npm owner ls node-sass
npm ERR! There is likely additional logging output above.
npm ERR! Please include the following file with any support request:
npm ERR! \\primary\home\mendsley\profile\Desktop\project\npm-debug.log
I'm trying this on my work computer, so I'm not sure if that matters. The system admin says there should not be any issue and other people have no issue with same package...and talking to them, they offer no help. I tried everything on my personal laptop and gulp-sass installs just fine, so it is something with my work pc.
My initial thought is it's a path issue, but then why do other packages install okay?
I did uninstall/reinstall Nodejs, but that didn't help.
Does anyone have an idea?
Thanks in advance!
Your first guess was good, as it is a matter of path name. From the error message:
UNC paths are not supported. Defaulting to Windows directory.
Npm needed to access \\primary\home\mendsley\...\node_modules\node-sass so as to execute the gulp-sass installation script. But this path is a UNC path (Uniform Naming Convention) and therefore is not supported.
As a consequence, the npm command defaulted to C:/Windows instead and tried to execute the installation script of gulp-sass (install.js), but this script is, as you might guess, not present in this directory.
It could be a dependency hell problem with an older NodeJS or NPM version, too. gulp-sass depends on node-sass, which in turn depends on other packages, and they also depend on the right NodeJS and NPM version. For version 0.7.3 the full dependencies look like this:
├─┬ gulp-sass#0.7.3
│ ├── map-stream#0.1.0
│ └─┬ node-sass#0.9.6
│ ├─┬ chalk#0.5.1
│ │ ├── ansi-styles#1.1.0
│ │ ├── escape-string-regexp#1.0.3
│ │ ├─┬ has-ansi#0.1.0
│ │ │ └── ansi-regex#0.2.1
│ │ ├─┬ strip-ansi#0.3.0
│ │ │ └── ansi-regex#0.2.1
│ │ └── supports-color#0.2.0
│ ├── get-stdin#3.0.2
│ ├─┬ mkdirp#0.5.1
│ │ └── minimist#0.0.8
│ ├─┬ mocha#1.21.5
│ │ ├── commander#2.3.0
│ │ ├─┬ debug#2.0.0
│ │ │ └── ms#0.6.2
│ │ ├── diff#1.0.8
│ │ ├── escape-string-regexp#1.0.2
│ │ ├─┬ glob#3.2.3
│ │ │ ├── graceful-fs#2.0.3
│ │ │ ├── inherits#2.0.1
│ │ │ └─┬ minimatch#0.2.14
│ │ │ ├── lru-cache#2.7.3
│ │ │ └── sigmund#1.0.1
│ │ ├── growl#1.8.1
│ │ ├─┬ jade#0.26.3
│ │ │ ├── commander#0.6.1
│ │ │ └── mkdirp#0.3.0
│ │ └─┬ mkdirp#0.5.0
│ │ └── minimist#0.0.8
│ ├── nan#1.3.0
│ ├── node-sass-middleware#0.3.1
│ ├── node-watch#0.3.5
│ ├── object-assign#1.0.0
│ ├─┬ sinon#1.10.3
│ │ ├─┬ formatio#1.0.2
│ │ │ └── samsam#1.1.3
│ │ └─┬ util#0.10.3
│ │ └── inherits#2.0.1
│ └── yargs#1.3.3
I had trouble installing version 0.7.3 of gulp-sass with the latest versions of NodeJS 5.2.0 and NPM 3.5.2. This older version of gulp-sass worked only with the older version of NodeJS 0.12.9 and NPM 2.14.9, see also https://github.com/sass/node-sass/issues/1166
Look at this:
"CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory."
You can use the pushd command. As an example, for a --global installation for a domain user on a network share:
pushd \\server\yourpath\user\AppData\Roaming\npm
Hint: you can figure out the right path for global npm installations by opening %appdata%\npm in Explorer; cmd answers:
Z:\user\AppData\Roaming\npm>
Now you can type "npm install node-sass" (or gulp-sass or whatever):
Z:\user\AppData\Roaming\npm>npm install node-sass
Without --global or -g: in this path you are "global".
When finished, run popd to disconnect the Z: drive.
I had the same issue and I fixed it with a simple step.
The real problem is with autorun to set the path of your command prompt. It is related to your registry.
I just deleted the autorun entry in the registry for the command processor and it started working normally.
Hop in this link