How can I fix this GitHub security alert? - security

After pushing a new repo to GitHub I got this security alert from GitHub:
According to GitHub, the affected file is package-lock.json.
To fix the issue, I did this:
Deleted the package-lock.json from remote repo on GitHub.
Found and replaced the tar versions inside my local package-lock.json with >=4.4.2.
Deleted node_modules folder from my local repo.
Ran npm install
Pushed package-lock.json to remote.
But it didn't help and I still get the same security alert from GitHub.
How can I fix this?

You should never need to delete or edit your package-lock.json manually. In this case, the file you want to edit is package.json (no -lock). Specifically:
Open package.json in your favorite editor.
Find the line for "tar": "…".
Replace whatever is in the right-hand string with ">=4.4.2".
Save the file and run npm install.
Check in the changes to package.json and package-lock.json.
Push to GitHub.
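A GitHub alert fires for any copy of the flagged package in the lockfile, including transitive copies that a change to the top-level "tar" entry in package.json does not reach. The script below is an added example, not code from the thread: it walks a lockfileVersion 1 package-lock.json (the layout npm 5/6 write) and lists every copy of a package below a minimum version; the lockfile contents and the "native-addon-example" package name are constructed.

```javascript
// Added example: scan a lockfileVersion 1 package-lock.json for every copy of a
// package (top-level or nested) whose version is below a minimum.

function parseVersion(v) {
  // Plain x.y.z only; a pre-release suffix is dropped, which is enough for this check.
  return v.split('-')[0].split('.').map(Number);
}

// Numeric comparison per component, so 4.10.0 is correctly newer than 4.9.9.
function lessThan(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Walk the nested "dependencies" objects and collect the path to every package
// named `name` whose version is below `minVersion`.
function findVulnerable(lock, name, minVersion) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [pkg, entry] of Object.entries(deps || {})) {
      const here = [...path, pkg];
      if (pkg === name && lessThan(entry.version, minVersion)) {
        hits.push({ path: here.join(' > '), version: entry.version });
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile: the top-level tar is already at the fixed version,
// but a hypothetical native addon still pins an older copy underneath it.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    tar: { version: '4.4.2', resolved: 'https://registry.npmjs.org/tar/-/tar-4.4.2.tgz' },
    'native-addon-example': {
      version: '1.0.0',
      dependencies: {
        tar: { version: '2.2.1', resolved: 'https://registry.npmjs.org/tar/-/tar-2.2.1.tgz' },
      },
    },
  },
};

console.log(findVulnerable(SAMPLE_LOCK, 'tar', '4.4.2'));
// → [ { path: 'native-addon-example > tar', version: '2.2.1' } ]
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a nested hit means the parent package, not your own package.json, has to be updated.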

Related

Do changes made by npm audit fix persist after pushing the code to git repo?

I recently discovered the npm audit feature and ran the command to find vulnerabilities in a project I'm working on. Came across a bunch of them (over 100).
npm suggests that running npm audit fix will fix all vulnerabilities except those which have breaking changes. I didn't encounter any such vulnerability in my code and now it shows 0 vulnerabilities.
My question is that when I push the code to GitHub will these vulnerabilities be fixed already for someone who clones/forks this repo?
For context, node_modules are ignored in my .gitignore file (Which means they are not pushed to github along with the code). Since node_modules is where these "vulnerability fixes" are applied, do they persist for everyone who then forks/clones this repo?
If so, how? Does it have something to do with package-lock.json?
If not, is there a way to make these changes persistent?
Yes, it has to do with the package-lock.json; read more about package-locks here.
According to the site currently, the package-lock represents a reproducible tree of your node_modules folder.
Yes, changes made by npm audit fix are persistent, but only if you commit your package-lock.json file to your git repository.
According to NPM, "this file is intended to be committed into source repositories."
If you commit your existing package-lock.json file to your repository and then run npm audit fix, you will see changes to your local package-lock.json file (assuming npm audit was able to fix any vulnerable packages). You can review these changes and then commit the package-lock.json file a second time to persist the changes.

Can I copy the remote folder of node modules on GitLab?

The node module that I need has been updated, and there is an old version of it installed on the gitlab project. Is it possible to get the folder for that specific module as it is when it was installed?
Thank you
You don't want to keep source code of external dependencies in your repo. You should add your node_modules to .gitignore and remove it from the repo. Instead, you just track your dependencies in your package.json file by installing them via npm install --save. Then, when someone checks out your project, he just runs npm install and all dependencies get resolved automatically. If you want to update any of the dependencies, you update it via the npm CLI and commit the updated package.json to your repo.

Why does npm-shrinkwrap.json change when running npm install

We use NPM Shrinkwrap to lock down dependencies.
Not sure if this is a bug or a feature but when I run: npm install after deleting my node_modules directory everything works but my npm-shrinkwrap.json will always have a few changes that I have to commit to git...
The changes are usually minor, such as changing the "integrity" hash from sha-1 to sha-512 (or vice versa). Or a package will simply be moved to a new line in the file but the content does not change.
Again, nothing breaks when these changes happen, all the correct node_modules are installed, but it is annoying to keep committing this file to git when we are not making any changes.
Any feedback or help would be greatly appreciated...
I wouldn't hesitate to use the git update-index --assume-unchanged npm-shrinkwrap.json command.
Then if you need to make changes and commit them run git update-index --no-assume-unchanged npm-shrinkwrap.json so Git will see the changes and enable you to stage and commit them.
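The integrity field is the lockfile's tamper check for each tarball, so it helps to separate the cosmetic churn described above from changes that should be looked at before committing. The script below is an added example, not code from the thread: it flattens two snapshots of npm-shrinkwrap.json (same lockfileVersion 1 layout as package-lock.json) and classifies each difference; the snapshots, package names and digests are constructed placeholders.

```javascript
// Added example: classify differences between two lockfile snapshots.
// Cosmetic: an entry moved to a new line, or its integrity algorithm switched
// (sha1 <-> sha512). Worth review: version or resolved URL changed, entry
// added/removed, or a different digest under the same algorithm.

// Flatten nested "dependencies" into "a > b" paths; key order is lost on
// purpose, so a package moving to a new line in the file is not a change.
function flatten(lock) {
  const out = {};
  const walk = (deps, path) => {
    for (const [name, e] of Object.entries(deps || {})) {
      const here = [...path, name];
      out[here.join(' > ')] = { version: e.version, resolved: e.resolved, integrity: e.integrity };
      walk(e.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return out;
}

// Returns { cosmetic: [...], review: [...] }, each entry "path: what changed".
function classifyLockDiff(before, after) {
  const a = flatten(before), b = flatten(after);
  const cosmetic = [], review = [];
  for (const path of new Set([...Object.keys(a), ...Object.keys(b)])) {
    const x = a[path], y = b[path];
    if (!x || !y) { review.push(`${path}: ${x ? 'removed' : 'added'}`); continue; }
    if (x.version !== y.version) review.push(`${path}: version ${x.version} -> ${y.version}`);
    if (x.resolved !== y.resolved) review.push(`${path}: resolved URL changed`);
    if (x.integrity !== y.integrity) {
      // SRI strings are "<algorithm>-<base64 digest>"; base64 never contains '-'.
      const [algA] = (x.integrity || '').split('-'), [algB] = (y.integrity || '').split('-');
      // Same algorithm but a different digest means a different tarball: not cosmetic.
      if (algA === algB) review.push(`${path}: integrity digest changed under ${algA}`);
      else cosmetic.push(`${path}: integrity algorithm ${algA} -> ${algB}`);
    }
  }
  return { cosmetic, review };
}

// Constructed snapshots (digests are placeholders, not real checksums).
const BEFORE = { lockfileVersion: 1, dependencies: {
  left: { version: '1.0.0', resolved: 'https://registry.npmjs.org/left/-/left-1.0.0.tgz', integrity: 'sha1-PLACEHOLDERAAAA' },
  right: { version: '2.0.0', resolved: 'https://registry.npmjs.org/right/-/right-2.0.0.tgz', integrity: 'sha512-PLACEHOLDERBBBB' },
} };
const AFTER = { lockfileVersion: 1, dependencies: {
  right: { version: '2.0.0', resolved: 'https://registry.npmjs.org/right/-/right-2.0.0.tgz', integrity: 'sha512-PLACEHOLDERCCCC' },
  left: { version: '1.0.0', resolved: 'https://registry.npmjs.org/left/-/left-1.0.0.tgz', integrity: 'sha512-PLACEHOLDERDDDD' },
} };

console.log(classifyLockDiff(BEFORE, AFTER));
// → { cosmetic: ['left: integrity algorithm sha1 -> sha512'], review: ['right: integrity digest changed under sha512'] }
```

An empty review list is the case where committing the regenerated file is routine; anything in it is worth checking against the registry before the lockfile is marked unchanged or committed.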

Should package-lock.json also be published?

npm 5 introduced package-lock.json, of which the documentation is here.
It states that the file is intended to be included with version control, so anyone cloning your package and installing it will have the same dependency versions. In other words, you should not add it to your .gitignore file.
What it does not state is whether or not the file is intended to be included with a published package. This question could be rephrased as: should package-lock.json be included in .npmignore?
It cannot be published.
From the npm documentation:
One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package
See package-lock.json documentation on docs.npmjs.com.
However, you should be committing your package-lock.json to git as per the documentation.
This file is intended to be committed into source repositories
hence the common message presented by npm:
created a lockfile as package-lock.json. You should commit this file.
EDIT: A more detailed explanation can be found here.

What is the proper way to deal with node_modules in git?

I am a beginner with git and node. So I created a new repository in git, and installed react and babel, and git is telling me that the repository is too large. Literally all I did was run something like this:
created index.html
created app.js
> npm init (initialized package.json)
> npm install --save react react-dom
> npm install --save-dev babel_preset_react
> npm install --save-dev babel_preset_es2015
added babel config to package.json
Maybe I'm missing something, but I haven't even built anything yet, and I'm already getting complaints that my repo is too large. Git desktop is even throwing OutOfMemory exceptions! So I wondered, maybe I'm not supposed to check in the node_modules folder. Then I read this:
https://web.archive.org/posts/nodemodules-in-git.html
But I am even more confused now. The article says you should check in node_modules for projects that you deploy. But doesn't that mean it's still going to be a "large repository?"
At the bottom, the article says not to add node_modules to gitignore. I think gitignore just ignores the files in that folder from being committed to git. So is this telling us to not ignore node_modules? As in, check-in node_modules?
And what is that $ npm rebuild on deploy?
As a beginning to npm and git, can someone explain what I should do in simpler terms?
I just checked and the link you shared is broken. We never check in node_modules to repositories; they easily add a LOT of MBs to the overall size. Please add node_modules to .gitignore. You should only check in package.json to your repository. This is what my .gitignore in an AngularJS project looks like:
.idea
node_modules
dist
npm-debug.log*
.DS_Store
If you are worried about the breaking changes due to version upgrade please specify the "~" sign in front of the version no. of packages (package.json) so only the patches will be considered.
Ex.,
"angular": "~1.5.6"
You don't need to push node_modules into your repo. Add node_modules to .gitignore and when you deploy your code on the server you have to install node_modules over there using the command:
npm install
As your package.json is updated when you locally install node_modules and it is pushed to the repo, when you run npm install on the server, all your packages which are mentioned in package.json will be installed.