manually fix vulnerability with npm audit - node.js

I have 11 vulnerabilities that I have to sort out manually and can't use npm audit fix
Based on this page there's no remediation, however the package's page says the issue has been patched in the latest version.
Doing npm update or placing "safe-eval": "^0.4.1", in my package.json doesn't resolve the vulnerability.
How can a patched vulnerability be fixed in my project?

Related

Unable to fix npm vulnerabilities

I am getting 6 vulnerabilities after running npm audit report:
I tried a solution and overrode the vulnerable versions of a particular package with their latest versions in the package.json file like this:
"overrides": {
  "nth-check": "2.1.1",
  "@svgr/webpack": "6.5.1",
  "@svgr/plugin-svgo": "6.5.1",
  "svgo": "3.0.1",
  "css-select": "5.1.0"
}
Then I updated the npm packages with npm update. But it did not change the result.
Tried another solution by making a resolution object in package.json and specified specific versions of a particular package, and ran it using npx i npm-force-resolutions but it gives this error:
npm ERR! could not determine executable to run.
But I am still unable to fix the npm vulnerabilities. Please help!
You should delete both node_modules and package-lock.json before launching npm install again; this will require more time to install all dependencies, but it will override all the versions that are currently installed (it will also bring in minor updates in dependencies).
Also, for this vulnerability, you only need to override nth-check. You can see the changes by executing npm list nth-check with and without the override (remember to delete both node_modules and package-lock.json).

Updating react npm vulnerable libraries, all vulnerable libraries are only present in package-lock.json

I have some doubts regarding "how to fix vulnerabilities in an npm React app".
Almost all the vulnerable dependency libraries are present only in the package-lock.json file, not in package.json.
Can I modify the dependency version in package-lock.json and run npm install? If so, is there anything I have to worry about?
Any suggestions on how I can reduce vulnerabilities?
Note: npm audit fix and npm audit fix --force don't work.
Thanks.
Tried npm audit fix and npm audit fix --force. Didn't resolve any vulnerabilities.
Changing the version in package-lock.json is reducing vulnerabilities, but I'm not sure I can do that.

Node JS npm install through command prompt is giving warnings

I have been following codelab instructions to implement real-time communication with WebRTC and while trying to run npm install I am getting the following warnings.
npm WARN webrtc-codelab@0.0.1 No repository field.
npm WARN webrtc-codelab@0.0.1 No license field.
audited 52 packages in 0.81s
found 16 vulnerabilities (11 low, 1 moderate, 3 high, 1 critical)
run npm audit fix to fix them, or npm audit for details
Can someone help me with fixing this?
The first ones are because the license and repository fields of the package.json are empty; you can fill them using the docs for license and repository.
The latter ones are due to outdated dependencies used by the code sample. It is OK to ignore this warning for an educational project, because the vulnerabilities often are not important if you are not planning to use the project on a production server. But if it is bothering you, you can use npm audit fix as suggested by npm. It'll try to update dependencies if there are no breaking changes in the upgrade; it might not succeed in doing so for some or all of those packages, in which case you'll need to manually install the newer version of those packages. But beware, because doing so COULD break the code sample to the point that it'll no longer work.

npm audit Arbitrary File Overwrite

I recently updated my version of Angular using ng update,
and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests upgrading a package from package.json like "@angular-devkit/build-angular", but I am already using their latest version.
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High          Arbitrary File Overwrite
Package       tar
Patched in    >=4.4.2
Dependency of @angular-devkit/build-angular [dev]
Path          @angular-devkit/build-angular > node-sass > node-gyp > tar
More info     https://npmjs.com/advisories/803
found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
I thought of installing npm i tar but I am not sure.
The following worked for me:
Go to node_modules > node-gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.
Then run:
npm i
npm audit
npm audit fix
npm audit
you should see 0 vulnerabilities.
I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.
angular-cli relies on node-gyp, which has an open issue for this: https://github.com/nodejs/node-gyp/issues/1714
To work around it, you can patch node-gyp and then patch Angular to use your patched node-gyp. Or wait and hope that they will fix it soon.
You should search in your package-lock.json for this:
"tar": {
  "version": "2.2.1",
  "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
And replace it with this:
"tar": {
  "version": "4.4.8",
  "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
That worked for me.
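Both the "overrides" answer above and the package-lock.json edits in this answer come down to the same check: which copies of a transitive package are still below the advisory's patched version, and how to pin them. The Node script below is an added example (not code from any of the answers, nor from npm) that finds every copy of a package in a package-lock.json object, flags those below the "Patched in >=X" floor, and builds the corresponding "overrides" entry; the embedded lock is a constructed sample, and node-gyp 3.8.0 in it is only a placeholder version.

```javascript
// Added example, not code from any answer above: find every copy of a package in
// package-lock.json, flag those below the advisory's "Patched in >=X" floor, and
// build the package.json "overrides" entry that pins it (lockfileVersion 1, 2 and 3).

// Numeric compare of x.y.z strings; enough for the versions npm audit prints.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every copy of `name` in the lock, as [{ path, version }]; nested copies are the
// ones that "npm update" on the top-level package never touches.
function findCopies(lock, name) {
  const hits = [];
  if (lock.packages) {                          // lockfileVersion 2 / 3: flat, keyed by path
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/' + name)) hits.push({ path: p, version: meta.version });
    }
  } else if (lock.dependencies) {               // lockfileVersion 1: nested "dependencies"
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + dep;
        if (dep === name) hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Copies still below the patched floor: these are what npm audit keeps reporting.
function vulnerableCopies(lock, name, patchedFloor) {
  return findCopies(lock, name).filter(c => compareVersions(c.version, patchedFloor) < 0);
}

// "overrides" entry to merge into package.json, pinning every copy of `name`
// (then delete node_modules and package-lock.json and run npm install).
function overrideEntry(name, version) {
  return { overrides: { [name]: version } };
}

// Constructed lockfileVersion 1 sample: a nested tar 2.2.1 under node-gyp next to a
// patched top-level tar 4.4.8, the shape behind the "tar" report in the question.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: { 'node-gyp': { version: '3.8.0',
  dependencies: { tar: { version: '2.2.1' } } }, tar: { version: '4.4.8' } } };
```

To run it against a real project, pass `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` instead of SAMPLE_LOCK; any copy it lists is one that npm audit will still report until it is pinned or its parent is updated.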

webpack-dev-server@3.1.14 getting Missing Origin Validation while using npm audit

I have updated webpack-dev-server to the latest 3.1.14 but I am still getting the vulnerability issue while using npm audit --fix. I have tried everything: cleaning the cache, clearing all modules and installing again, but it's all the same.
The following is the error when I run npm audit:
$ npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Missing Origin Validation
Package webpack-dev-server
Patched in >=3.1.11
Dependency of webpack-dev-server [dev]
Path webpack-dev-server
More info https://nodesecurity.io/advisories/725
found 1 high severity vulnerability in 60688 scanned packages
1 vulnerability requires manual review. See the full report for details.
Seems to be due to a typo in the npm vulnerability database. Hopefully fixed soon:
https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352
