npm showing severity vulnerabilities Laravel - node.js

npm is showing severity vulnerabilities, but using
npm cache clear
npm cache clear --force
npm audit fix
npm install
I have tried all of them, but none of them solves my problem. Please give me some idea of how I can solve it.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 1505 packages from 755 contributors and audited 18951 packages in 378.007s
found 11 moderate severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
Running npm audit fix results in:
>npm audit fix
npm WARN ajv-keywords@3.2.0 requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
up to date in 118.757s
fixed 0 of 11 vulnerabilities in 18990 scanned packages
  11 vulnerabilities required manual review and could not be updated
and my package.json
{
"private": true,
"scripts": {
"dev": "npm run development",
"development": "cross-env NODE_ENV=development node_modules/webpack/bin/webpack.js --progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js",
"watch": "npm run development -- --watch",
"watch-poll": "npm run watch -- --watch-poll",
"hot": "cross-env NODE_ENV=development node_modules/webpack-dev-server/bin/webpack-dev-server.js --inline --hot --config=node_modules/laravel-mix/setup/webpack.config.js",
"prod": "npm run production",
"production": "cross-env NODE_ENV=production node_modules/webpack/bin/webpack.js --no-progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js"
},
"devDependencies": {
"axios": "^0.18",
"babel-preset-react": "^6.24.1",
"bootstrap": "^4.0.0",
"cross-env": "^5.1",
"jquery": "^3.2",
"laravel-mix": "^2.0",
"lodash": "^4.17.4",
"popper.js": "^1.12",
"vue": "^2.5.7"
},
"dependencies": []
}

The current Laravel package.json has these vulnerabilities because of hoek and tunnel-agent. laravel-mix uses those packages and loads them through its package.json.
See more information about the issues here:
https://nodesecurity.io/advisories/566
https://nodesecurity.io/advisories/598
If you remove "laravel-mix": "^2.0", the vulnerabilities are gone, but you can't use Laravel Mix any more.
As per discussion here, I think the issue is fixed.

If someone is still interested in solving this issue: I googled it and found this solution.
Append this key/value pair to the "scripts" section of the "package.json" file:
"scripts": {
...
"preinstall": "npx npm-force-resolutions", // <-- appended
},
then add a new section after the "scripts" section as below
"resolutions": { // <-- appended
"yargs-parser": "^18.1.3"
},
now save the file and run "npm install", the vulnerabilities are gone :)

That means you have 11 severity vulnerabilities in your downloaded packages.
Run npm audit and it will show you which packages are affected. Then check carefully whether the author has provided an update. If not, you can fix it yourself, which can be very hard because you're not deep in their sources...
However, most up-to-date packages provide fixes in newer versions.

Try this:
npm install npm@latest -g
You can install the latest npm version. The vulnerability alerts will be gone.

Related

Error Could not resolve dependency: redux-react-session

I need to install this package https://www.npmjs.com/package/redux-react-session
Installing it with npm (npm i redux-react-session) shows this error:
PS C:\Users\michael\Desktop\login and signup\client> npm i redux-react-session
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: client@0.1.0
npm ERR! Found: react@18.1.0
npm ERR! node_modules/react
npm ERR! react@"^18.1.0" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer react@"^0.14.0 || ^15.0.0 || ^16.0.0" from redux-react-session@2.6.1
npm ERR! node_modules/redux-react-session
npm ERR! redux-react-session@"*" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
package.json:
{
"name": "client",
"version": "0.1.0",
"private": true,
"dependencies": {
"@emotion/react": "^11.9.0",
"@emotion/styled": "^11.8.1",
"@mui/material": "^5.8.0",
"@mui/styled-engine-sc": "^5.8.0",
"@testing-library/jest-dom": "^5.16.4",
"@testing-library/react": "^13.2.0",
"@testing-library/user-event": "^13.5.0",
"antd": "^4.20.5",
"axios": "^0.27.2",
"formik": "^2.2.9",
"react": "^18.1.0",
"react-dom": "^18.1.0",
"react-icons": "^4.4.0",
"react-loader-spinner": "^5.1.5",
"react-redux": "^8.0.2",
"react-router-dom": "^6.3.0",
"react-scripts": "5.0.1",
"redux": "^4.2.0",
"redux-thunk": "^2.4.1",
"styled-components": "^5.3.5",
"web-vitals": "^2.1.4",
"yup": "^0.32.11"
},
"scripts": {
"start": "react-scripts start",
"build": "react-scripts build",
"test": "react-scripts test",
"eject": "react-scripts eject"
},
"eslintConfig": {
"extends": [
"react-app",
"react-app/jest"
]
},
"browserslist": {
"production": [
">0.2%",
"not dead",
"not op_mini all"
],
"development": [
"last 1 chrome version",
"last 1 firefox version",
"last 1 safari version"
]
}
}
when installing npm packages?
There are two solutions to resolve this issue. Let us look at each of those in detail.
Solution 1: Ignore the peerDependencies
The easiest way to fix the issue is to pass an additional parameter, --legacy-peer-deps, to npm install. The --legacy-peer-deps flag tells npm to ignore the peer dependencies and continue the installation of the package.
Try the below command to install the dependencies for your project.
npm install --save --legacy-peer-deps
You can also set this permanently by adding this into a configuration by running the below command.
npm config set legacy-peer-deps true
Note: In this solution, the peer dependencies will not be installed by default, even if you are using the latest version of NPM.
Solution 2: Using --force
The other solution is to use the --force flag. The -f or --force argument will force npm to fetch remote resources even if a local copy exists on disk.
Step 1: Delete the current node_modules. You can remove it by using the below command.
rm -rf node_modules
Step 2: Remove the package-lock.json by running the below command
rm package-lock.json
Step 3: Clear the npm cache and perform the clean installation with --force flag as shown below.
npm cache clean --force
npm install --force
By performing the above steps, you should resolve the issue successfully.
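The ERESOLVE output above is npm comparing the installed react (18.1.0) against the peer range that redux-react-session@2.6.1 declares (^0.14.0 || ^15.0.0 || ^16.0.0). Both --legacy-peer-deps and --force tell npm to proceed even though that comparison fails, which is why the error text calls the result "potentially broken". The following is an added example, not code from the question or the answers: a small range checker covering the operators that appear on this page, run against the versions from the question. Pre-release tags are ignored, and the prop-types peer entry is a constructed placeholder to show the missing-peer case; it is not something redux-react-session declares.

```javascript
// Added example: reproduce npm's peer-dependency check for the range operators seen on
// this page (exact, *, ^, ~, >=, >, <=, <, space-separated AND, "||" OR).
// Pre-release tags such as 2.1.0-beta are ignored: only major.minor.patch is compared.

function parseVersion(text) {
  const m = /^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(text);
  if (!m) throw new Error(`unsupported version syntax: ${JSON.stringify(text)}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of a caret range: the left-most non-zero component may not change,
// so ^0.14.0 allows <0.15.0 while ^15.0.0 allows <16.0.0.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesComparator(version, comparator) {
  const c = comparator.trim();
  if (c === "" || c === "*") return true;
  const ops = [
    ["^", (lo) => compareVersions(version, lo) >= 0 && compareVersions(version, caretUpperBound(lo)) < 0],
    ["~", (lo) => compareVersions(version, lo) >= 0 && compareVersions(version, [lo[0], lo[1] + 1, 0]) < 0],
    [">=", (v) => compareVersions(version, v) >= 0],
    ["<=", (v) => compareVersions(version, v) <= 0],
    [">", (v) => compareVersions(version, v) > 0],
    ["<", (v) => compareVersions(version, v) < 0],
  ];
  for (const [op, test] of ops) if (c.startsWith(op)) return test(parseVersion(c.slice(op.length)));
  return compareVersions(version, parseVersion(c)) === 0; // plain version: exact match
}

// A range is alternatives joined by "||"; within one alternative, comparators are ANDed.
function satisfies(versionText, range) {
  const version = parseVersion(versionText);
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((comp) => satisfiesComparator(version, comp)));
}

// Versions from the question's package.json and ERESOLVE output.
const INSTALLED_AT_ROOT = { react: "18.1.0", "react-dom": "18.1.0", redux: "4.2.0" };
const PEERS_OF_REDUX_REACT_SESSION = {
  react: "^0.14.0 || ^15.0.0 || ^16.0.0", // from the ERESOLVE output above
  "prop-types": "^15.0.0",                 // CONSTRUCTED placeholder to show the missing-peer case
};

// One entry per problem; an empty array means the peer check would pass.
function checkPeerDependencies(installed, peerDependencies) {
  const problems = [];
  for (const [name, range] of Object.entries(peerDependencies)) {
    const have = installed[name];
    if (have === undefined) problems.push({ name, wanted: range, installed: null, reason: "missing" });
    else if (!satisfies(have, range)) problems.push({ name, wanted: range, installed: have, reason: "conflict" });
  }
  return problems;
}

console.log(checkPeerDependencies(INSTALLED_AT_ROOT, PEERS_OF_REDUX_REACT_SESSION));
```

The same checker also explains the worker-loader warning further down this page: webpack 3.x does not satisfy >=0.9 <2 || ^2.1.0-beta || ^2.2.0, so npm warns even though the package works. Skipping the check with a flag does not change what the package supports; it only removes the message.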

Fixing NPM vulnerabilities

I am following a TypeScript tutorial. Unfortunately, the packages are outdated and I got a warning about vulnerabilities.
I followed a bunch of suggestions from npm check and update package if needed, namely:
npm audit fix
npm audit fix --force
npm update
npm audit says there are still 24 vulnerabilities left. But none of the above commands will fix them.
npm outdated results in no output.
The vulnerable packages are:
ansi-regex
glob-parent
node-forge
nth-check
postcss
I don't actually know why they are part of my project, I don't have them in my package.json configuration.
What are the next steps of fixing these vulnerabilities?
I have tried:
How to fix npm vulnerabilities?
which has no answers.
updating the dependencies in package.json manually to newer versions and then running npm install. It didn't have an effect.
deleting package-lock.json according to a suggestion here and then run npm install again.
adding "ansi-regex": "^6.0.1", "glob-parent": "^6.0.2", "node-forge": "^1.3.0", "nth-check": "^2.0.1", "postcss": "^8.4.12" as devDependencies and running npm install.
running npm i npm@latest as suggested in How to fix NPM vulnerabilities
How to fix npm vulnerabilities? I tried two methods, problems persist which didn't have any new suggestions
I have 5 moderate severity vulnerabilities when I checked the npm audit. How can I fix these errors given below? which also didn't suggest any new commands
running npm update glob-parent --depth 2 just to find out that --depth is deprecated and NPM always updates any depth [Github]
running npm prune
deleting the node_modules folder and running npm install again
You can reproduce my latest state with the following package.json in an empty directory and running npm install.
{
"name": "pacman",
"version": "0.0.1",
"description": "I just follow a tutorial. Nothing of interest.",
"keywords": ["game"],
"license": "MIT",
"author": "someone stupid",
"scripts": {
"build": "parcel build index.html",
"dev": "parcel index.html --open",
"start": "npm run build && npm run dev",
"test": "echo \"Error: no test specified\" && exit 1"
},
"devDependencies": {
"@typescript-eslint/eslint-plugin": "^5.16.0",
"@typescript-eslint/parser": "^5.16.0",
"ansi-regex": "^6.0.1",
"eslint": "^8.12.0",
"eslint-config-prettier": "^8.5.0",
"eslint-plugin-prettier": "^4.0.0",
"glob-parent": "^6.0.2",
"node-forge": "^1.3.0",
"nth-check": "^2.0.1",
"parcel": "^2.4.0",
"parcel-bundler": "^1.12.5",
"postcss": "^8.4.12",
"prettier": "^2.6.1",
"typescript": "^4.6.3"
},
"dependencies": {
"npm": "^8.5.5"
}
}
This should give you 24 vulnerabilities, 18 moderate and 6 high (at the time of writing, running npm 8.5.5).
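To see why a package you never listed ends up in node_modules (node-forge here, hoek and tunnel-agent in the Laravel answer further up), follow the dependency chains recorded in package-lock.json. The built-in npm ls node-forge does this; the script below, added as an example and not part of the question or any answer, performs the same walk explicitly so that the hoisting rule is visible. LOCKFILE is a constructed, cut-down lockfile in the lockfileVersion 2 "packages" layout with made-up versions; replace it with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to run it on a real project.

```javascript
// Added example, not from the question or answers: answer "why is node-forge in my
// project?" by walking a package-lock.json. LOCKFILE is a constructed, cut-down lockfile
// in the lockfileVersion 2 layout ("packages" keyed by install path); its versions are
// made up for the demonstration.
const LOCKFILE = {
  name: "pacman",
  lockfileVersion: 2,
  packages: {
    "": { devDependencies: { parcel: "^2.4.0", "parcel-bundler": "^1.12.5" } },
    "node_modules/parcel": { version: "2.4.0", dependencies: { "node-forge": "^1.3.0" } },
    "node_modules/node-forge": { version: "1.3.0" },
    "node_modules/parcel-bundler": {
      version: "1.12.5",
      dependencies: { "node-forge": "^0.7.1", postcss: "^7.0.0" },
    },
    // nested copy: parcel-bundler's range cannot be met by the hoisted 1.3.0
    "node_modules/parcel-bundler/node_modules/node-forge": { version: "0.7.6" },
    "node_modules/postcss": { version: "7.0.39" },
  },
};

// Node's resolution rule applied to lockfile paths: look for `name` in the requiring
// package's own node_modules, then in each ancestor's node_modules, then at the root.
function resolveDependency(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it (e.g. a skipped optional dep)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every chain root > ... > target, as "name@version (wanted range)" labels.
function findDependencyChains(lockfile, target) {
  const packages = lockfile.packages;
  const chains = [];
  const visit = (path, chain, seen) => {
    const node = packages[path];
    const wanted = {
      ...(node.dependencies || {}),
      ...(node.devDependencies || {}),
      ...(node.optionalDependencies || {}),
    };
    for (const [name, range] of Object.entries(wanted)) {
      const depPath = resolveDependency(packages, path, name);
      if (depPath === null) continue;
      const label = `${name}@${packages[depPath].version} (wanted ${range})`;
      if (name === target) chains.push([...chain, label].join(" > "));
      if (!seen.has(depPath)) visit(depPath, [...chain, label], new Set(seen).add(depPath));
    }
  };
  visit("", [lockfile.name || "(root)"], new Set([""]));
  return chains;
}

// Every installed copy of a package, hoisted or nested, with its version.
function installedCopies(lockfile, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lockfile.packages)
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, node]) => ({ path, version: node.version }));
}

console.log(findDependencyChains(LOCKFILE, "node-forge").join("\n"));
console.log(installedCopies(LOCKFILE, "node-forge"));
```

The second copy is the point: adding "node-forge": "^1.3.0" to your own package.json (as the question tried) only changes the hoisted copy, while parcel-bundler keeps its own nested 0.7.x because its range excludes 1.x. That is why npm audit keeps reporting it until the dependency that requires the old range is removed or upgraded.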
As per the comments, I have already tried all commands for the general case, in which case you need to start analyzing individual packages.
So, what did I do?
Update all dependencies to the latest version.
Next, perform a binary search by removing half of the dependencies and repeating the following steps
delete the node_modules folder
run npm install
run npm audit to check for the vulnerabilities
If there are no vulnerabilities, add half of the remaining packages you want to install.
If there are vulnerabilities, remove the half of the packages you are currently installing.
In my case, this process boiled it down to the following two lines:
"parcel": "^2.4.0",
"parcel-bundler": "^1.12.5",
For parcel-bundler, NPM spit out a warning:
npm WARN deprecated parcel-bundler@1.12.5: Parcel v1 is no longer maintained.
Please migrate to v2, which is published under the 'parcel' package.
So I guess I don't need parcel-bundler at all, because it has been integrated into the parcel package, which I had already updated to version 2 in an earlier step.
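The halving procedure in the answer above, written out as a function (an added example, not the asker's code). The expensive step, delete node_modules, npm install, npm audit, is replaced by a pluggable isVulnerable(subset) callback so the algorithm can run offline; simulatedAudit is a constructed stand-in in which only parcel-bundler triggers findings, matching the outcome the asker reported. The function also covers the case the description skips: when neither half on its own reproduces the findings, the remaining set is reported as a whole instead of looping.

```javascript
// Added example: binary search over a dependency list to find which entry drags in
// vulnerable transitive packages. The real probe is "rm -rf node_modules && npm install
// && npm audit"; here it is a callback so the search itself can be tested offline.

// The devDependencies from the question's package.json, in file order.
const DEV_DEPENDENCIES = [
  "@typescript-eslint/eslint-plugin", "@typescript-eslint/parser", "ansi-regex", "eslint",
  "eslint-config-prettier", "eslint-plugin-prettier", "glob-parent", "node-forge",
  "nth-check", "parcel", "parcel-bundler", "postcss", "prettier", "typescript",
];

// CONSTRUCTED stand-in for the install-and-audit step: in this simulation only
// parcel-bundler produces audit findings, as the asker found.
const simulatedAudit = (subset) => subset.includes("parcel-bundler");

// Returns the smallest set the halving can isolate plus the number of probes spent.
// Each probe stands for one full "delete node_modules, npm install, npm audit" cycle.
function bisectDependencies(deps, isVulnerable) {
  let suspects = [...deps];
  let probes = 0;
  const probe = (subset) => { probes++; return isVulnerable(subset); };

  if (!probe(suspects)) return { culprits: [], probes }; // nothing to find

  while (suspects.length > 1) {
    const mid = Math.ceil(suspects.length / 2);
    const left = suspects.slice(0, mid);
    const right = suspects.slice(mid);
    if (probe(left)) suspects = left;
    else if (probe(right)) suspects = right;
    else break; // only the combination triggers it: report the remaining set as a whole
  }
  return { culprits: suspects, probes };
}

const result = bisectDependencies(DEV_DEPENDENCIES, simulatedAudit);
console.log(`culprits: ${result.culprits.join(", ")} after ${result.probes} install/audit cycles`);
```

To run it for real, replace simulatedAudit with a function that writes a package.json containing only the subset, runs the install and audit commands from the answer, and returns whether npm audit reported findings; 14 packages cost 8 cycles here instead of 14 one-at-a-time installs, and the gap widens with larger dependency lists.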
Try updating npm with this command. It helped me:
npm install -g npm@latest

npm install command does not work with Laravel version 5.8

I created a Laravel 5.8 project, and I want to install npm. So I typed npm install but I get this message:
npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN notsup Unsupported engine for watchpack-chokidar2@2.0.0: wanted: {"node":"<8.10.0"} (current: {"node":"12.18.3","npm":"6.14.6"})
npm WARN notsup Not compatible with your version of node/npm: watchpack-chokidar2@2.0.0
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.1.2 (node_modules\watchpack\node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 1055 packages from 500 contributors and audited 1058 packages in 149.498s
37 packages are looking for funding
run `npm fund` for details
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
So I saw this question related to my question, and he said to run the npm install @popperjs/core --save command and after that npm uninstall popper.js --save in order to install Popper.
But as soon as I typed npm install @popperjs/core --save, I get this message:
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.1.3 (node_modules\watchpack\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
+ @popperjs/core@2.5.2
added 1 package from 1 contributor and audited 1059 packages in 9.5s
38 packages are looking for funding
run `npm fund` for details
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
So now I don't know really what should I do for installing npm, so if you know, please let me know, I would appreciate that!
Thanks in advance...
UPDATE #1:
Here is my package.json:
{
"private": true,
"scripts": {
"dev": "npm run development",
"development": "cross-env NODE_ENV=development node_modules/webpack/bin/webpack.js --progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js",
"watch": "npm run development -- --watch",
"watch-poll": "npm run watch -- --watch-poll",
"hot": "cross-env NODE_ENV=development node_modules/webpack-dev-server/bin/webpack-dev-server.js --inline --hot --config=node_modules/laravel-mix/setup/webpack.config.js",
"prod": "npm run production",
"production": "cross-env NODE_ENV=production node_modules/webpack/bin/webpack.js --no-progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js"
},
"devDependencies": {
"axios": "^0.19",
"bootstrap": "^4.1.0",
"cross-env": "^5.1",
"jquery": "^3.2",
"laravel-mix": "^4.0.7",
"lodash": "^4.17.13",
"popper.js": "^1.12",
"resolve-url-loader": "^2.3.1",
"sass": "^1.15.2",
"sass-loader": "^7.1.0",
"vue": "^2.5.17"
},
"dependencies": {
"@popperjs/core": "^2.5.2"
}
}
UPDATE 2:
I removed "popper.js": "^1.12", at package.json and node_modules folder and typed npm install but again I get the same error!
Remove "popper.js": "^1.12", line from package.json
then remove node_modules
then run cmd npm install

NPM errors while installing

I get the following errors while installing npm:
npm WARN worker-loader@0.8.1 requires a peer of webpack@>=0.9 <2 || ^2.1.0-beta || ^2.2.0 but none was installed.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.1.2 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
Here is my package.json:
{
"private": true,
"scripts": {
"dev": "npm run development",
"development": "cross-env NODE_ENV=development node_modules/webpack/bin/webpack.js --progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js",
"watch": "cross-env NODE_ENV=development node_modules/webpack/bin/webpack.js --watch --progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js",
"watch-poll": "npm run watch -- --watch-poll",
"hot": "cross-env NODE_ENV=development node_modules/webpack-dev-server/bin/webpack-dev-server.js --inline --hot --config=node_modules/laravel-mix/setup/webpack.config.js",
"prod": "npm run production",
"production": "cross-env NODE_ENV=production node_modules/webpack/bin/webpack.js --progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js"
},
"devDependencies":
{
"axios": "^0.16.2",
"bootstrap-sass": "^3.3.7",
"cross-env": "^5.0.1",
"jquery": "^3.1.1",
"laravel-mix": "^1.0",
"lodash": "^4.17.4",
"vue": "^2.1.10"
},
"dependencies": {
"latest-version": "^3.1.0",
"pdfjs-dist": "^1.9.528"
}
}
Versions: Windows 10, Node v8.4.0, Npm 5.3.0, Laravel: 4.4.
Firstly, these are just warnings, not errors - you've not broken anything!
That said, here's the reasoning behind them.
The first warning is telling you that worker-loader expects Webpack 2 to be installed alongside it. Laravel Mix uses Webpack 3, so you get a warning. That said, it shouldn't cause you any problems - worker-loader supports Webpack 3, they just haven't updated the peer dependency to reflect that yet.
The other warnings are very common - they're just telling you that the fsevents library, which is a Mac-only optional dependency of a lot of packages, couldn't be installed on your Windows machine.

Angular 2 Quick start tutorial issue

Hello everybody, so I've run into some issues as I am learning Angular. I initially watched thenewboston's Angular 2 tutorial. When I finished that I then proceeded to follow Angular's quick start tutorial. The two are very similar, but in Bucky's it's set up to make js files out of ts files. I updated the package.json according to the errors, but when I run npm install it gives me errors that a certain package is needed. More importantly, I feel as if this is somehow affecting the behavior, because I can't nest the component as in Angular's hero list tutorial. package.json:
{
"name": "angular-2",
"version": "1.0.0",
"scripts": {
"start": "concurrently \"npm run tsc:w\" \"npm run lite\" ",
"tsc": "tsc",
"tsc:w": "tsc -w",
"lite": "lite-server",
"typings": "typings",
"postinstall": "typings install"
},
"license": "ISC",
"dependencies": {
"angular2": "2.0.0-beta.21",
"systemjs": "0.19.41",
"es6-shim": "^0.35.0",
"reflect-metadata": "0.1.9",
"rxjs": "5.0.0-rc.4",
"rxjs": "5.0.1",
"rxjs": "5.0.0-beta.6",
"zone.js": "0.6.12"
},
"devDependencies": {
"concurrently": "^3.1.0",
"lite-server": "^2.1.0",
"rxjs": "5.0.0-rc.4",
"typescript": "^2.1.4",
"typings": "^2.1.0"
}
}
npm WARN @angular/core@2.3.1 requires a peer of rxjs@5.0.0-rc.4 but none was installed.
npm WARN @angular/core@2.3.1 requires a peer of zone.js@^0.7.2 but none was installed.
npm WARN @angular/http@2.3.1 requires a peer of rxjs@5.0.0-rc.4 but none was installed.
npm WARN @angular/router@3.3.1 requires a peer of rxjs@5.0.0-rc.4 but none was installed.
npm WARN angular-in-memory-web-api@0.2.2 requires a peer of rxjs@5.0.1 but none was installed.
npm WARN angular-in-memory-web-api@0.2.2 requires a peer of zone.js@^0.7.4 but none was installed.
npm WARN angular2@2.0.0-beta.21 requires a peer of reflect-metadata@0.1.2 but none was installed.
npm WARN angular-2@1.0.0 No repository field.
Remove the extra rxjs entries in the dependencies. npm works by reading the dependencies list and semantic version numbers to determine what actual version of a particular dependency to install. I believe removing rxjs will alleviate the immediate issue of the npm warnings. Regarding the nested components, it should probably be its own question, but either way one would need to see the actual source.
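The package.json in the question has three "rxjs" keys inside one object. JSON.parse does not reject that; it silently keeps the last value, so the installed rxjs is 5.0.0-beta.6 and the other two entries have no effect at all. The following added example (not from the question or the answer) scans the raw file text and reports duplicate keys with their line numbers, which a plain JSON.parse can never do because the duplicates are gone by the time it returns; PACKAGE_JSON_TEXT is a constructed, cut-down copy of the question's file.

```javascript
// Added example: detect duplicate keys in JSON text. JSON.parse keeps the last duplicate
// silently, so duplicates must be found by scanning the text before parsing.

// Constructed cut-down copy of the question's package.json (three "rxjs" keys).
const PACKAGE_JSON_TEXT = `{
  "name": "angular-2",
  "scripts": {
    "start": "concurrently \\"npm run tsc:w\\" \\"npm run lite\\" "
  },
  "dependencies": {
    "angular2": "2.0.0-beta.21",
    "rxjs": "5.0.0-rc.4",
    "rxjs": "5.0.1",
    "rxjs": "5.0.0-beta.6",
    "zone.js": "0.6.12"
  },
  "devDependencies": {
    "rxjs": "5.0.0-rc.4"
  }
}`;

// Returns [{ path, line }] for every key that repeats an earlier key in the same object.
// Strings are the only token that matters: one is a key when the innermost open bracket
// is an object and we are positioned after "{" or ",". Escapes inside strings are honoured.
function findDuplicateKeys(text) {
  const duplicates = [];
  const stack = []; // one frame per open { or [
  let line = 1;
  let i = 0;
  while (i < text.length) {
    const ch = text[i];
    if (ch === "\n") { line++; i++; continue; }
    if (ch === "{") { stack.push({ type: "object", keys: new Set(), expectKey: true, currentKey: null }); i++; continue; }
    if (ch === "[") { stack.push({ type: "array" }); i++; continue; }
    if (ch === "}" || ch === "]") { stack.pop(); i++; continue; }
    if (ch === ",") {
      const top = stack[stack.length - 1];
      if (top && top.type === "object") top.expectKey = true;
      i++; continue;
    }
    if (ch === '"') {
      let j = i + 1;
      let raw = "";
      while (j < text.length && text[j] !== '"') {
        if (text[j] === "\\") { raw += text[j] + text[j + 1]; j += 2; } // keep escape pairs intact
        else { raw += text[j]; j++; }
      }
      const value = JSON.parse('"' + raw + '"'); // decode escapes the standard way
      const top = stack[stack.length - 1];
      if (top && top.type === "object" && top.expectKey) {
        const parents = stack.filter((f) => f.type === "object").slice(0, -1).map((f) => f.currentKey);
        const path = [...parents, value].join(".");
        if (top.keys.has(value)) duplicates.push({ path, line });
        top.keys.add(value);
        top.currentKey = value;
        top.expectKey = false;
      }
      i = j + 1; continue;
    }
    i++; // numbers, literals, colons and whitespace need no tracking
  }
  return duplicates;
}

console.log(findDuplicateKeys(PACKAGE_JSON_TEXT));
console.log("JSON.parse keeps the last one:", JSON.parse(PACKAGE_JSON_TEXT).dependencies.rxjs);
```

The rxjs entry under devDependencies is not reported because it sits in a different object; that one is legitimate JSON, and whether listing a package in both sections is intended is a separate question from the silent overwrite inside dependencies.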
