Trying to make sense of npm audit results - node.js

Background
If I do npm audit on a ReactJS application we haven't touched in a year (until recently), I get the following summary:
found 356 vulnerabilities (321 low, 20 moderate, 14 high, 1 critical)
in 11345 scanned packages run `npm audit fix` to fix 3 of them.
353 vulnerabilities require semver-major dependency updates.
If I do that npm audit fix, those 3 vulnerabilities are resolved; the others are not, because they are breaking changes.
Doing another npm audit I get this summary:
found 71 vulnerabilities (36 low, 20 moderate, 14 high, 1 critical) in 11345 scanned packages
71 vulnerabilities require semver-major dependency updates.
At the top of the audit:
Run npm install react-scripts@2.1.2 to resolve 71 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change
After I do that npm install react-scripts@2.1.2 the vulnerabilities are reduced to only 1:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of react-scripts
Path react-scripts > webpack-dev-server
More info https://nodesecurity.io/advisories/725
After I do a npm install webpack-dev-server@3.1.14, I get 2 new issues:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of react-scripts
Path react-scripts > webpack-dev-server
More info https://nodesecurity.io/advisories/725
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of webpack-dev-server
Path webpack-dev-server
More info https://nodesecurity.io/advisories/725
That more info link suggests an update to version 3.1.6 or later. What I do is way higher than that ...
Questions
To have a better understanding of what npm audit does, I'd like to discuss the following remarks:
Why does doing npm install webpack-dev-server@3.1.14 add an issue, rather than fix the one mentioned before? Looks like the previous issue remains even ...
Why does the vulnerabilities count drop from 356 to 71 after fixing only 3 issues while the total packages count is the same?
Why did the audit not suggest that I do npm install webpack-dev-server@3.1.11 or higher if it knows the issue has been patched since 3.1.11? It did know npm install react-scripts@2.1.2 was necessary earlier.
What should I do to fix the issue mentioned in question #1?
PS: That nodesecurity link suggests to update webpack-dev-server to version 3.1.6 or higher. I'm doing much higher than that ...
PPS: I tried npm install webpack-dev-server@3.1.11 as well, no difference.

The advisory page for the webpack-dev-server vulnerability listed the latest version as an affected version. This was caused by a typo in the npm security repository, as reported in a thread in the npm community forum. The typo was fixed a few hours later.

Related

When I install Axios an audit error occurs

This is the error I get when running the command npm i axios:
up to date, audited 1469 packages in 6s
226 packages are looking for funding
run `npm fund` for details
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Here, I use VS Code and typed that command in its terminal.
I keep getting this error when trying to install axios, and I am not sure how to fix this.
Could this be a problem for my future coding?
This is a result of the new npm version including the audit command.
It isn't some new issue with the CLI; npm just introduced new functionality to warn users about vulnerabilities in the packages they're installing. So there's no "new" vulnerability, it's just that npm is now warning you about vulnerabilities that already existed: https://blog.npmjs.org/
If you have run npm audit and got vulnerabilities, then you can have different scenarios:
Security vulnerabilities found with suggested updates
Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies.
Run the recommended commands individually to install updates to vulnerable dependencies. (Some updates may be semver-breaking changes; for more information, see "SEMVER warnings".)
Security vulnerabilities found requiring manual review
If security vulnerabilities are found, but no patches are available, the audit report will provide information about the vulnerability so you can investigate further.
You can read more about it here.
If it is still not fixed even after running npm audit fix, then you can turn off npm audit. Use the commands below to turn off npm audit.
When installing a single package:
npm install example-package-name --no-audit
To turn off npm audit when installing all packages:
npm set audit false
It will set the audit setting to false in your user and global npmrc config files.
If you still want to fix them, you can refer to this article about how to.

How can I fix this error: "npm WARN deprecated mimelib@0.3.1: This project is unmaintained"?

Hoping you can help me figure mimelib out.
Trying to install this React script with my limited React experience and having a myriad of errors doing different things...
I'm running this script:
https://github.com/webdesignleader/referBeam
Getting this console error:
$ npm update
npm WARN deprecated mimelib@0.3.1: This project is unmaintained
npm WARN deprecated mailparser@0.6.2: Mailparser versions older than v2.3.0 are deprecated
changed 10 packages, and audited 760 packages in 27s
12 packages are looking for funding
run `npm fund` for details
48 vulnerabilities (4 low, 12 moderate, 27 high, 5 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Please help me fix this the right way.
Thank you!!!
This is not an error, but just a warning, because the mimelib package is not being maintained anymore and you will not get any updates for it in the future. You can check over here as well.
Your project can still work. But this warning is basically telling you to remove this package, as no one is maintaining it, and I just checked: it hasn't even been updated in the last 5 years.

Cannot install expo-cli in windows - node version 14.17.6

I wanted to start learning React Native using Expo, but I cannot install it using npm.
When I run the command npm install -g expo-cli, it gives me the following error:
added 825 packages, and audited 826 packages in 53s
28 packages are looking for funding
run `npm fund` for details
10 vulnerabilities (4 low, 6 moderate)
To address all issues, run:
npm audit fix
Run `npm audit` for details.
It told me to run npm audit fix and I tried the command right away.
However, the errors still seem to remain:
# npm audit report
node-fetch <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
Denial of Service - https://npmjs.com/advisories/1556
fix available via `npm audit fix --force`
Will install expo@1.0.0, which is a breaking change
node_modules/node-fetch
isomorphic-fetch 2.0.0 - 2.2.1
Depends on vulnerable versions of node-fetch
node_modules/isomorphic-fetch
fbjs 0.7.0 - 1.0.0
Depends on vulnerable versions of isomorphic-fetch
node_modules/fbjs
fbemitter 2.0.3 - 3.0.0-alpha.1
Depends on vulnerable versions of fbjs
node_modules/fbemitter
expo >=14.0.0
Depends on vulnerable versions of expo-constants
Depends on vulnerable versions of fbemitter
node_modules/expo
xmldom *
Severity: moderate
Misinterpretation of malicious XML input - https://npmjs.com/advisories/1769
fix available via `npm audit fix --force`
Will install expo@1.0.0, which is a breaking change
node_modules/xmldom
@expo/plist <=0.0.13
Depends on vulnerable versions of xmldom
node_modules/expo-constants/node_modules/@expo/plist
@expo/config-plugins <=3.0.8
Depends on vulnerable versions of @expo/plist
node_modules/expo-constants/node_modules/@expo/config-plugins
@expo/config 3.3.23-alpha.0 - 5.0.8
Depends on vulnerable versions of @expo/config-plugins
node_modules/expo-constants/node_modules/@expo/config
expo-constants >=10.1.2
Depends on vulnerable versions of @expo/config
node_modules/expo-constants
expo >=14.0.0
Depends on vulnerable versions of expo-constants
Depends on vulnerable versions of fbemitter
node_modules/expo
10 vulnerabilities (4 low, 6 moderate)
To address all issues (including breaking changes), run:
npm audit fix --force
I tried running npm audit fix --force and it gave me the following outcome.
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating expo to 1.0.0, which is a SemVer major change.
removed 824 packages, changed 1 package, and audited 2 packages in 19s
found 0 vulnerabilities
I thought it worked and I tried running the command expo and expo-cli and bash told me that the command could not be found.
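As an added example (not part of the original post), this Python snippet parses a constructed report in the shape of `npm audit --json` (npm 7+) modelled on the expo output above, and shows why npm counts 10 vulnerabilities from 2 advisories: 8 of the packages are flagged only because they depend on node-fetch or xmldom, and every offered fix is the semver-major bump the earlier answer distinguishes from compatible updates. The report contents are constructed sample data, not a real audit run.

```python
import json
from collections import Counter

# Constructed excerpt in the shape of `npm audit --json` (npm 7+), modelled on the
# expo report quoted above: two root advisories, ten affected packages.
FIX = {"name": "expo", "version": "1.0.0", "isSemVerMajor": True}
SAMPLE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "node-fetch": {"severity": "low", "via": [{"source": 1556, "title": "Denial of Service",
                   "url": "https://npmjs.com/advisories/1556"}], "fixAvailable": FIX},
    "isomorphic-fetch": {"severity": "low", "via": ["node-fetch"], "fixAvailable": FIX},
    "fbjs": {"severity": "low", "via": ["isomorphic-fetch"], "fixAvailable": FIX},
    "fbemitter": {"severity": "low", "via": ["fbjs"], "fixAvailable": FIX},
    "xmldom": {"severity": "moderate", "via": [{"source": 1769,
               "title": "Misinterpretation of malicious XML input",
               "url": "https://npmjs.com/advisories/1769"}], "fixAvailable": FIX},
    "@expo/plist": {"severity": "moderate", "via": ["xmldom"], "fixAvailable": FIX},
    "@expo/config-plugins": {"severity": "moderate", "via": ["@expo/plist"], "fixAvailable": FIX},
    "@expo/config": {"severity": "moderate", "via": ["@expo/config-plugins"], "fixAvailable": FIX},
    "expo-constants": {"severity": "moderate", "via": ["@expo/config"], "fixAvailable": FIX},
    "expo": {"severity": "moderate", "via": ["expo-constants", "fbemitter"], "fixAvailable": FIX},
}})


def summarize(report_json):
    """Split an npm audit report into root advisories, packages that are only
    flagged because of what they depend on, and fixes that need a major bump."""
    vulns = json.loads(report_json)["vulnerabilities"]
    roots, inherited, major = [], [], []
    by_severity = Counter()
    for name, entry in vulns.items():
        by_severity[entry["severity"]] += 1
        # `via` holds advisory objects for the vulnerable package itself and
        # plain package names for packages that merely depend on it.
        advisories = [v for v in entry["via"] if isinstance(v, dict)]
        if advisories:
            roots.append((name, advisories[0]["url"]))
        else:
            inherited.append(name)
        fix = entry.get("fixAvailable")
        # fixAvailable is True/False or an object; only the object form can be semver-major.
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            major.append(name)
    return {"affected_packages": len(vulns), "by_severity": dict(by_severity),
            "root_advisories": roots, "inherited_only": inherited, "semver_major": major}


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['affected_packages']} flagged packages, {len(s['root_advisories'])} root advisories")
    print("flagged only through their dependencies:", ", ".join(s["inherited_only"]))
```

The same split applies to a real `npm audit --json` run: the root advisories are what actually needs a patched release, while the inherited entries disappear on their own once the root package is fixed.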

Node JS npm install through command prompt is giving warnings

I have been following codelab instructions to implement Real-time communication with WebRTC and while trying to run npm-install I am getting the following warnings.
npm WARN webrtc-codelab@0.0.1 No repository field.
npm WARN webrtc-codelab@0.0.1 No license field.
audited 52 packages in 0.81s
found 16 vulnerabilities (11 low, 1 moderate, 3 high, 1 critical)
run npm audit fix to fix them, or npm audit for details
Can someone help me with fixing this?
The first ones are because the licence and repository fields of the package.json are empty; you can fill them using the docs for licence and repository.
The latter ones are due to outdated dependencies used by the code sample. It is OK to ignore this warning for an educational project, because the vulnerabilities often are not important if you are not planning to use the project on a production server. But if it is bothering you, you can use npm audit fix as suggested by npm; it'll try to update dependencies if there are no breaking changes in the upgrade. It might not succeed in doing so for some or all of those packages, in which case you'll need to manually install the newer version of those packages, but beware, because doing so COULD break the code sample to the point that it'll no longer work.

webpack-dev-server@3.1.14 getting Missing Origin Validation while using npm audit

I have updated webpack-dev-server to the latest 3.1.14, but I am still getting a vulnerability issue while using npm audit --fix. I have tried everything: cleaning the cache, clearing all modules and installing again, but it is all the same.
The following is the error I get when I run npm audit:
$ npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of webpack-dev-server [dev]
Path webpack-dev-server
More info https://nodesecurity.io/advisories/725
found 1 high severity vulnerability in 60688 scanned packages
1 vulnerability requires manual review. See the full report for details.
Seems to be due to a typo in the npm vulnerability database. Hopefully fixed soon:
https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352
