is there a yarn alternative for npm audit? - security

I need the pinned resolution feature of yarn, but I also want to audit with npm audit. Is there a yarn alternative to npm audit? Or, alternatively, will pinning resolutions of dependencies of dependencies work in npm?

Yarn doesn't have npm audit fix.
But here's how to do it by using npm – temporarily.
Generate a package-lock.json file without installing node modules
npm i --package-lock-only
Fix the packages and update the package-lock.json file
npm audit fix
Delete the yarn.lock file and convert package-lock.json file into yarn.lock
rm yarn.lock
yarn import
Delete the package-lock.json file
rm package-lock.json
For example:
yarn audit
38363 vulnerabilities found - Packages audited: 908342
Severity: 38352 Low | 11 Moderate
(I know. react-scripts is crazy...)
npm audit
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm i --package-lock-only
...
added 266 packages, removed 354 packages, updated 1653 packages, moved 1 package and audited 913793 packages in 54.304s
found 495 low severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
npm audit fix
...
added 267 packages from 152 contributors, removed 355 packages and updated 1712 packages in 92.849s
50 packages are looking for funding
run `npm fund` for details
fixed 211 of 495 vulnerabilities in 913793 scanned packages
284 vulnerabilities required manual review and could not be updated
git status -s
?? package-lock.json
yarn import
yarn import v1.21.1
info found npm package-lock.json, converting to yarn.lock
...
success Saved lockfile.
✨ Done in 25.61s
rm package-lock.json

yarn audit / yarn install --audit has been available since yarn@1.12.0
https://github.com/yarnpkg/yarn/releases/tag/v1.12.0
Unfortunately no --fix option yet, but as workaround you can use https://www.npmjs.com/package/yarn-audit-fix

Yes, you can use yarn audit to audit for vulnerabilities, but you can't fix the vulnerabilities by using yarn audit fix as you can with npm audit fix.
To fix the vulnerabilities in the yarn.lock file you have to reinstall the package (which is carrying the vulnerability) to its newer version by using yarn add package_name
you can read the issue here => https://github.com/yarnpkg/yarn/issues/7075

I think that it's not ready in yarn. You can refer to the following issue.
https://github.com/yarnpkg/yarn/issues/5808

do a yarn audit and find the package(s) with vulnerabilities,
if they are in your package.json file
fix their version from there
else
they are dependencies of your packages so add this to package.json file
"resolutions": {
"**/package-name": "known-good-version",
"**/**/package-name": "known-good-version"
}

1st
Always use source control and check in your package.json as well as your yarn.lock and/or package-lock.json first and start with all committed files, so you can roll back if needed with ease.
How about a solution that does not add dependencies to your project (nor installing a third party library)?
yarn outdated # view
yarn audit # view
yarn install --audit # install
Prefer an interactive way to upgrade selectively with ease?
yarn upgrade-interactive
That might do all you require.
Oddly, you might find with a yarn audit following that command you still have some vulnerabilities not mentioned from the command yarn upgrade-interactive. In this case I'd first consider this:
yarn upgrade-interactive --latest
where that can be found
Still not quite good enough?
```
yarn upgrade --latest
```
I've seen a lot of other potential solutions, previously I'd just switch to npm from yarn temporarily as some users have suggested, then switch back to yarn. This has worked fine for me too. (Though annoying and not elegant)
There are packages out there that don't require install to run.
I haven't tried this one, it might be good too:
npm_config_yes=true npx yarn-audit-fix
ref
The key here is you are using npx to avoid installing as a dependency.
Many more solutions are possible. npm and yarn both are package managers, dependency management is a very difficult thing to do, automagically fixing these dependencies will always be a difficult problem to solve. Thus I recommend a little research on how they are actually solving these problems if you have the time. You might find yourself not liking how they do things.
Ultimately, as long as you can roll back you can try a lot of these out and see for yourself. Some packages severity might not need fixing, sometimes libraries do not have solutions available yet, then you need to consider removing their usage in your codebase. In theory, less is more, less dependency on libraries, which use libraries, which use libraries.... becomes a much smaller surface for attackers to target. Also, it's not advisable to use libraries from untrusted sources, npm, yarn and more cannot know everything, nor right away, so keep that in consideration too.

I created a script command into the package.json file to fix it. It creates a copy of yarn.lock as package-lock.json, removes the issues and then re-creates yarn.lock.
"resolve:security": "npm i --package-lock-only && npm audit fix && rm yarn.lock && yarn import && rm package-lock.json",
I hope it helps :)

You can use yarn audit as mentioned in the other answers, however, there is a different way to solve them...
You will need to add the resolution instruction to specify the version of the library in which the vulnerability was solved, together with the path of the dependency (because the library can be a dependency of another dependency), for example:
Considering part of some package.json below
{
"name": "project",
"version": "1.0.0",
"dependencies": {
"left-pad": "1.0.0",
"c": "file:../c-1",
"d2": "file:../d2-1"
},
"resolutions": {
"d2/left-pad": "1.1.1",
"c/**/left-pad": "^1.1.2"
}
}
More details can be checked directly in the documentation: Doc

Yarn doesn't support the fix at the moment,
Workaround
create a package-lock.json file using npm.
fix the packages
remove the package-lock.json.
npm i --package-lock-only
npm audit fix
rm package-lock.json
and start
yarn start

Yarn also has a yarn audit mechanism, but it doesn't have a yarn audit fix mechanism. So in most cases you have to fix these issues manually. This is how it works. For example, we'll demonstrate it using the minimist package:
Add a resolutions key in your package.json file:
Adding the dependency (say minimist) directly as a key/value pair. This resolution will override minimist entirely in your project.
{
"resolutions": {
"minimist": "^1.2.5"
}
}
In most cases, there can be multiple dependencies in a project that use the same secondary dependency, however, they might use different versions of those dependencies. Thankfully, yarn/npm allows us to have selective dependency resolutions.
The format to define resolutions is the following:
/* package.json */
{
"resolutions": {
"<package>/**/<dependency>": "<version>"
}
}
Let's say, for example, we have dependencies A and B and both of them depend upon another dependency C.
Then our resolutions field would look like:
/* package.json */
{
"resolutions": {
"A/**/C": "2.0.3", // A works fine with the latest version of C
"B/**/C": "1.9.0" // latest stable version for C for dependency B
}
}
Let's further see how it works with an example of the package-merge-lodash-4 package. Suppose audit says that lodash@3.9.3 has vulnerabilities and suggests upgrading lodash@3.9.3 -> 4.17.12.
We can write our json file's resolutions only for the concerned package as below:
{
"resolutions": {
"package-merge-lodash-4/**/lodash": "4.17.12"
}
}
How to use Selective dependency resolutions in npm?
add npm-force-resolutions to the preinstall script after you have added the resolutions key to the package.json file, so that it patches the package-lock file before every npm install you run:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
To confirm that the right version was installed, use the below command
npm ls <vulnerable dependency>
npm ls lodash
Resources:
Selective dependency resolutions
Yarn - How to fix security issues
How to fix security vulnerabilities in NPM/Yarn dependencies
Yarn audit fix: workaround
What's the difference between tilde(~) and caret(^) in package.json?
Semver explained - why is there a caret (^) in my package.json?
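The "resolutions" patterns described in the answer above ("minimist", "<package>/**/<dependency>", "d2/left-pad", "c/**/left-pad") are path globs matched against the chain of packages that pulls a nested dependency in. The following is an added example, not code from any answer here and not Yarn's own matcher: it implements a simplified model of that matching (a bare name is treated as "**/name", and "**" spans any number of intermediate packages) and applies it to a constructed dependency tree so you can see which copy of a transitive package each pattern pins. The tree, the package names A, B, C, X and the versions are all constructed for the example.

```javascript
// Added example: a simplified model of how Yarn "resolutions" globs are matched
// against a dependency path. Not Yarn's real implementation; it only covers the
// pattern shapes used on this page: "C", "**/C", "A/C" and "A/**/C".

// Split "A/B/@scope/C" into package-name segments, keeping scoped names whole.
function splitPath(p) {
  const tokens = p.split('/');
  const segs = [];
  for (let i = 0; i < tokens.length; i++) {
    if (tokens[i].startsWith('@') && i + 1 < tokens.length) segs.push(tokens[i] + '/' + tokens[++i]);
    else segs.push(tokens[i]);
  }
  return segs;
}

// Does a resolution pattern match the dependency path of a nested package?
// "**" matches zero or more intermediate packages; a bare name means "**/name".
function matchesPattern(pattern, depPath) {
  let pat = splitPath(pattern);
  if (pat.length === 1) pat = ['**', pat[0]];
  const path = splitPath(depPath);
  const rec = (i, j) => {
    if (i === pat.length) return j === path.length;
    if (pat[i] === '**') return rec(i + 1, j) || (j < path.length && rec(i, j + 1));
    return j < path.length && pat[i] === path[j] && rec(i + 1, j + 1);
  };
  return rec(0, 0);
}

// All resolutions whose pattern applies to the given dependency path.
function matchingResolutions(resolutions, depPath) {
  return Object.entries(resolutions)
    .filter(([pattern]) => matchesPattern(pattern, depPath))
    .map(([pattern, version]) => ({ pattern, version }));
}

// Walk a nested dependency tree and decide, for every package in it, which
// version would be used once the resolutions are applied. In this model the
// first matching pattern (in object order) wins.
function resolveVersions(tree, resolutions, prefix = '', out = {}) {
  for (const [name, node] of Object.entries(tree)) {
    const depPath = prefix ? `${prefix}/${name}` : name;
    const hits = matchingResolutions(resolutions, depPath);
    out[depPath] = hits.length ? hits[0].version : node.version;
    resolveVersions(node.dependencies || {}, resolutions, depPath, out);
  }
  return out;
}

// Constructed sample tree: A depends on C directly, B depends on C through X,
// and the root also depends on C. Mirrors the A/**/C and B/**/C example above.
const TREE = {
  A: { version: '1.0.0', dependencies: { C: { version: '1.8.0' } } },
  B: { version: '2.0.0', dependencies: { X: { version: '0.1.0', dependencies: { C: { version: '1.8.5' } } } } },
  C: { version: '1.8.0' },
};
const RESOLUTIONS = { 'A/**/C': '2.0.3', 'B/**/C': '1.9.0' };

function demo() {
  // Root-level C is untouched: neither pattern starts with "**" or "C".
  for (const [depPath, version] of Object.entries(resolveVersions(TREE, RESOLUTIONS))) {
    console.log(`${depPath.padEnd(8)} -> ${version}`);
  }
}
demo();
```

Note that "C": "2.0.3" on its own would behave like "**/C" and pin all three copies, including the one the root depends on directly; the scoped forms exist precisely so that one parent can be pinned without forcing the same version everywhere.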

Try using,
yarn upgrade-interactive --latest
Will install all the latest dependencies.

Related

Unable to fix npm vulnerabilities

I am getting 6 vulnerabilities after running npm audit report:
I tried a solution and overrode the vulnerable versions of a particular package with their latest versions in the package.json file like this:
"overrides": {
"nth-check": "2.1.1",
"@svgr/webpack": "6.5.1",
"@svgr/plugin-svgo": "6.5.1",
"svgo": "3.0.1",
"css-select": "5.1.0"
}
Then I updated the npm packages with npm update. But it did not change the result.
Tried another solution by making a resolutions object in package.json and specifying specific versions of a particular package, and ran it using npx i npm-force-resolutions but it gives this error:
npm ERR! could not determine executable to run.
But I am still unable to fix the npm vulnerabilities. Please help!
You should delete both node_modules and package-lock.json before launching npm install again; this will require more time to install all dependencies, but it will override all the versions that are currently installed (it will also bring minor updates in dependencies).
Also, for this vulnerability, you only need to override nth-check. You can see the changes by executing npm list nth-check with and without the override (remember to delete both node_modules and package-lock.json).

How to resolve the setup of the Tailwind CSS with Next.js in Visual Studio Code [duplicate]

I am trying to npm install vue-mapbox mapbox-gl, and I'm getting a dependency tree error.
I'm running Nuxt.js SSR with Vuetify and haven't installed anything related to Mapbox prior to running this install and am getting this error.
38 error code ERESOLVE
39 error ERESOLVE unable to resolve dependency tree
40 error
41 error While resolving: example@1.0.0
41 error Found: mapbox-gl@1.13.0
41 error node_modules/mapbox-gl
41 error mapbox-gl@"^1.13.0" from the root project
41 error
41 error Could not resolve dependency:
41 error peer mapbox-gl@"^0.53.0" from vue-mapbox@0.4.1
41 error node_modules/vue-mapbox
41 error vue-mapbox@"*" from the root project
41 error
41 error Fix the upstream dependency conflict, or retry
41 error this command with --force, or --legacy-peer-deps
41 error to accept an incorrect (and potentially broken) dependency resolution.
41 error
41 error See /Users/user/.npm/eresolve-report.txt for a full report.
42 verbose exit 1
What's the right way to go about fixing this upstream dependency conflict?
It looks like it's a problem with peer dependencies in the latest version of npm (v7) which is still a beta version.
Try with npm install --legacy-peer-deps. For detailed information check the blog post npm v7 Series - Beta Release! And: SemVer-Major Changes in npm v7.
Use --legacy-peer-deps after npm install. For example, if you want to install Radium, use:
npm install --legacy-peer-deps --save radium
There are two ways:
use npm install --legacy-peer-deps to install, and if this doesn't work use
the force method. Add --force next to npm install: npm install --force
You can follow these commands
First type:
npm config set legacy-peer-deps true
Then type:
npx create-react-app my-app
Your dependency example requires mapbox-gl v1.13.0 and vue-mapbox requires mapbox-gl v0.53.0.
NPM doesn't know which version to install, so it gives a warning. You can bypass the errors using --force or --legacy-peer-deps, but you are ignoring an error and may get unexpected results.
Production Options:
Probably one of your packages is outdated. Upgrading packages and fixing upgrade errors might fix the dependency conflict.
Overriding a dependency manually to avoid the warning and error. You set the version to a specific one that you know works, usually the newer version.
Example solution with override. Your package.json file will look like this:
{
"name": "my-app",
"version": "0.1.0",
"private": true,
"dependencies": {
"example": "^1.2.0",
"vue-mapbox": "*"
},
"scripts": {
"start": "react-scripts start",
"build": "react-scripts build",
"test": "react-scripts test",
"eject": "react-scripts eject"
},
"overrides": {
"mapbox-gl": "1.13.0"
}
}
The last option is bypassing using either:
--legacy-peer-deps completely ignores all peerDependencies using the newest version without pinning on file package-lock.json
--force forces the use of the newest, pinning all the versions on package-lock.json
Extra: You shouldn't use "*" as a version, because it might update major and break dependencies.
Until npm version 7.19.1, it still had the same issue. After upgrading to version 7.20.3, use the commands npm install -g npm@latest and npm audit fix. All packages will be fixed without error.
I tried multiple ways, but nothing was working for me. At last I tried this and it worked:
npm config set legacy-peer-deps true
Run this in the project folder and then try to install any package. It might work for you as well.
To solve it, fix the upstream dependency conflict installing NPM packages error
Method 1. Just use --legacy-peer-deps after npm install.
For example, if you want to install Axios, use
npm install --legacy-peer-deps --save axios.
Method 2. Updating npm and 'audit fix'
npm i -g npm@latest
npm audit fix --force
Method 3. Using --force to install packages
npm install axios --force
I was stuck on this issue for a long time; it also caused errors in other commands that call some install command, which was breaking.
The only solution that works (maybe it just suppresses the error) is
npm config set legacy-peer-deps true
This will set the configuration of legacy-peer-deps to true
To resolve npm dependencies and conflicts with npm packages, use npm-check-updates.
Almost all answers here suggest using force or legacy-peer-deps. Though this will technically work, please note that this is not recommended by NPM if you can avoid it (source). Some folks may not have a choice, but I was able to resolve my dependency conflicts by deleting node_modules and package-lock.json, then manually updating packages to their latest version one at a time until it stopped complaining (the packages mentioned in the error messages after running npm i). Not a great or clean solution, but at least my packages are up-to-date and I'm not ignoring errors or using legacy solutions.
A lot of upvotes for using --legacy-peer-deps, but if --force works, I would recommend using that since it still pins many dependency versions while --legacy-peer-deps ignores peer dependencies entirely. See the example below:
npm: When to use --force and --legacy-peer-deps
I started getting this error on Azure DevOps a few days ago. I initially thought it was a glitch on the Azure side, but since it continued, we started looking into it a bit more.
It turns out the agent we are using, windows-2022, was updated a few days ago:
Updating readme file for win22 version 20220607.3 (#5713)
Node and NPM now match the latest Node.js LTS version: 16.15.1 (includes npm 8.11.0)
Downloads
You can view all agents-included software on Microsoft-hosted agents, Software.
After reading on Microsoft Visual Studio Developer Community, they recommend downgrading Node.js using Node.js Tool Installer task like this:
- task: NodeTool@0
  inputs:
    versionSpec: '16.14.2'
Node.js Tool Installer task
npm install fails in Azure DevOps Hosted Agent
However, we decided that we do not want to downgrade Node.js, so the first step was matching Node.js locally with LTS version 16.15.1 and npm 8.11.0.
When running npm ci, we then got the same error locally.
We tried npm ci --force and we then got this error:
npm ci can only install packages when your package.json and
package-lock.json or npm-shrinkwrap.json are in sync. Please update
your lock file with npm install before continuing.
npm install gave the same error even after node_modules was manually removed, but npm install --force worked, and it generated a new package-lock.json file.
npm ci still failed with the same error, but running npm ci --force worked. We decided to update Azure DevOps .yml to include --force and checked in the new package-lock.json file. After doing this, everything worked like before and we could now update our packages one by one.
delete the package-lock.json file
modify the package.json file, updating the version as indicated by the peer dependency
Add a tilde or caret to allow installing the latest version and resolve dependency issues, for example:
~1.0.2 means to install version 1.0.2 or the latest patch version such as 1.0.4.
^1.0.2 means to install version 1.0.2 or the latest minor or patch version such as 1.1.0.
run npm install or npm update
I resolved this by adding
steps:
- task: NodeTool@0
  inputs:
    versionSpec: '12.x'
Nothing here worked for me.
After struggling with this issue for so long, I found a solution that worked.
Apparently I had some packages installed globally.
Listed them with:
npm list -g --depth=0
Then removed the unwanted packages with:
npm uninstall -g <package-name>
Finally I got the problem fixed
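The ERESOLVE error quoted in this question is npm checking a peer dependency range (vue-mapbox's "^0.53.0") against the version the root project already selected ("^1.13.0" resolved to 1.13.0), and the later answer explains the tilde and caret ranges that decide whether such a check passes. The block below is an added example, not code from any answer here and not npm's resolver: it implements caret, tilde, ">=", exact and "*" ranges, prints the bounds each range expands to, and detects the peer conflict on a constructed copy of the question's manifest. The manifest, the installed versions and the peerDependencies entry are constructed to match the log above; real npm handles many more range forms (prereleases, hyphen ranges, "||").

```javascript
// Added example: minimal semver range checks (caret, tilde, >=, exact, *) and a
// peer-dependency conflict check modelled on the ERESOLVE report above.
// Not npm's own resolver; ranges beyond these forms are rejected.

// "1.13.0" -> [1, 13, 0]; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of "^M.m.p": the leftmost non-zero component is frozen.
function caretUpper([M, m, p]) {
  if (M > 0) return [M + 1, 0, 0];
  if (m > 0) return [0, m + 1, 0];
  return [0, 0, p + 1];
}

// Exclusive upper bound of "~M.m.p": only the patch may move.
function tildeUpper([M, m]) { return [M, m + 1, 0]; }

// Turn a range into { lo, hi } (hi exclusive, null = unbounded); null = any version.
function bounds(range) {
  range = range.trim();
  if (range === '' || range === '*') return null;
  if (range.startsWith('^')) { const lo = parseVersion(range.slice(1)); return { lo, hi: caretUpper(lo) }; }
  if (range.startsWith('~')) { const lo = parseVersion(range.slice(1)); return { lo, hi: tildeUpper(lo) }; }
  if (range.startsWith('>=')) return { lo: parseVersion(range.slice(2)), hi: null };
  const lo = parseVersion(range);                  // exact pin
  return { lo, hi: [lo[0], lo[1], lo[2] + 1] };
}

// Human-readable bounds, e.g. "~1.0.2" -> ">=1.0.2 <1.1.0".
function describeRange(range) {
  const b = bounds(range);
  if (!b) return 'any version';
  const f = (v) => v.join('.');
  return b.hi ? `>=${f(b.lo)} <${f(b.hi)}` : `>=${f(b.lo)}`;
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const b = bounds(range);
  return !b || (compare(v, b.lo) >= 0 && (b.hi === null || compare(v, b.hi) < 0));
}

// Constructed data mirroring the question: the root manifest and the versions
// the resolver picked, including vue-mapbox's peer requirement on mapbox-gl.
const ROOT = { name: 'example', version: '1.0.0',
               dependencies: { 'mapbox-gl': '^1.13.0', 'vue-mapbox': '*' } };
const INSTALLED = {
  'mapbox-gl': { version: '1.13.0' },
  'vue-mapbox': { version: '0.4.1', peerDependencies: { 'mapbox-gl': '^0.53.0' } },
};

// For every installed package with peerDependencies, check that the single
// copy of each peer chosen for the tree satisfies the declared range.
function findPeerConflicts(root, installed) {
  const conflicts = [];
  for (const [name, pkg] of Object.entries(installed)) {
    for (const [peer, range] of Object.entries(pkg.peerDependencies || {})) {
      const chosen = installed[peer];
      if (chosen && satisfies(chosen.version, range)) continue;
      conflicts.push({ pkg: `${name}@${pkg.version}`, peer, range,
                       found: chosen ? chosen.version : null,
                       requestedByRoot: root.dependencies[peer] || null });
    }
  }
  return conflicts;
}

function demo() {
  for (const r of ['~1.0.2', '^1.0.2', '^0.53.0', '*']) console.log(`${r.padEnd(8)} => ${describeRange(r)}`);
  for (const c of findPeerConflicts(ROOT, INSTALLED)) {
    console.log(`peer ${c.peer}@"${c.range}" from ${c.pkg}: found ${c.found} (root asked for ${c.requestedByRoot})`);
  }
}
demo();
```

The check makes the two flags' trade-off concrete: --legacy-peer-deps skips findPeerConflicts entirely, while --force keeps the chosen version despite a non-empty conflict list. Either way the installed mapbox-gl is one that vue-mapbox has not declared support for, which is why the answers above prefer updating or overriding to a version that satisfies both ranges.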

NPM how to update/upgrade transitive dependencies?

I am using express v4.16.4 in my node server.
It has pulled in cookie-signature v1.0.6.
I want to upgrade cookie-signature to v1.1.0 as it has a fix which I require.
What is the way to do that ?
I don't think I should do a npm install cookie-signature@1.1.0 as it would list cookie-signature in my app dependencies.
EDIT: this discusses the exact same problem that i am looking to solve. The accepted answer is using npm-shrinkwrap, and another top voted answer using package-lock.json , but both of these seem to have issues as discussed in respective comments.
Happy to close this as a duplicate.
You might also be able to solve the issue by adding a resolutions key in the package.json to "enforce" certain versions of dependencies:
{
"resolutions": {
"cookie-signature": "^1.1.0"
}
}
To actually make use of that, you have to use npm-force-resolutions in preinstall:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
See this post for further information: https://itnext.io/fixing-security-vulnerabilities-in-npm-dependencies-in-less-than-3-mins-a53af735261d
NPM 8 introduced "overrides", which allows you to override specific transitive dependencies of your direct dependency. For your use case, you would declare something like below in your package.json.
{
"overrides": {
"express": {
"cookie-signature": "1.1.0"
}
}
}
More details: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
We had a very similar problem. Protractor 5.4.2 has a dependency on webdriver-manager@^12.0.6. In package-lock.json webdriver-manager was fixed to 12.1.5. However, we needed 12.1.7 in order to make it work with all the latest chrome versions.
We noticed, that npm would install version 12.1.7 when removing node_modules and package-lock.json, but we did not find a way to automatically update package-lock.json. So these are the steps we took:
Remove node_modules
Remove package-lock.json
Run npm install
Open package-lock.json and copy the webdriver-manager section to another file
Undo (git checkout) all changes in package-lock.json
Copy the saved webdriver-manager part back into package-lock.json
Remove node_modules
Run npm install
Check node_modules/protractor/node_modules/webdriver-manager/package.json that the right version was installed.
I think this workaround should work for express and cookie-signature as well.

npm audit Arbitrary File Overwrite

I recently updated my version of Angular using ng update,
and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests upgrading a package from package.json like "@angular-devkit/build-angular", but I am already using their latest version.
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > node-sass > node-gyp > tar
More info https://npmjs.com/advisories/803
found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
I thought of installing npm i tar but I am not sure.
The following worked for me:
Go to node_modules > node-gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.
Then run:
npm i
npm audit
npm audit fix
npm audit
you should see 0 vulnerabilities.
I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.
angular-cli relies on node-gyp, who have an open issue for this: https://github.com/nodejs/node-gyp/issues/1714
To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.
You should search in your package-lock.json this:
"tar": {
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
And replace it with this:
"tar": {
"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
That worked for me

How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?

Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update, neither of them update the dependency in the package-lock.json file.
I've done a lot of googling on this, as well as deleted the file and done npm install.
If anyone can help resolve this I'd hugely appreciate it. The package in question is Hoek, which I don't actually have in my package.json file.
It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from its own package.json).
You've already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.
Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.
Edit:
To help you identify which packages are using which dependencies, you can use NPM's ls command: https://docs.npmjs.com/cli/ls
For example, to see which packages are using Hoek:
npm ls hoek
Edit 2:
As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.
Edit 3:
Those reading this should also check out JBallin's answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP's question better. However - if you want a quick fix - this answer should suffice.
TLDR: Update the parent package using npm i $PARENT_PKG_NAME.
Note
When updating dependencies, you should review the CHANGELOG for any breaking changes.
Diagnosis
npm audit will reveal both the vulnerable package (note that you'll need a package-lock.json file for this, so you'll need to run npm i), as well as the package that it is a dependency of (if applicable). Note that you can also use npm ls $CHILD_PKG_NAME to see its parent dependencies.
Quick Fix Attempt
npm audit fix and npm audit fix --force are worth a try, but sometimes the fix will need to be done manually (see below).
Manual Fix
Most likely the parent package will have already fixed their dependencies (you can verify this by going to their GitHub and reviewing the recent commits, or just seeing if this fixes it), so you can just run npm i $PARENT_PKG_NAME@$NEW_VERSION and it will update your package-lock.json.
If parent has not fixed the vulnerability
If the maintainer doesn't seem to be responsive, you may consider using an alternative package that accomplishes the same thing or forking the package and updating the vulnerability yourself.
Verify Fix
You can now verify that it worked by running npm audit and ensuring that no vulnerabilities are showing up. Commit your changes, push them to GitHub, refresh your notifications/alerts and they should be gone!
Step 1: Install Peer Dependencies
npm i --legacy-peer-deps
Step 2: Change package manually
Edit package-lock.json manually and update the vulnerable package version to the fixed one.
npm ci
That will install the packages according to package-lock.json by ignoring package.json first.
Step 3: Control it again
Run
npm audit fix
to be sure it's properly done. If it does not help, then use the other solutions given.
More Information here:
https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
or here: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
If you have npm@6 or later, you can use npm audit fix for your security issues.
Use:
npm i hoek
npm will install the latest version of hoek and your package-lock.json becomes updated.
To check vulnerable npm packages, just use the following command:
npm audit
To fix vulnerable npm packages, just use the following command, which will fix package-lock.json too:
npm audit fix
I had this issue and found that it was because the server on which I was running npm had an old version of npm on it; package-lock.json is only supported by newer versions.
did you try this: go to your project root, delete the package-lock.json file, node_modules and .cache folders, and then npm install.
After installing new dependencies run the following command to update the package-lock.json file:
npm update package-lock.json
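Both the tar question (Path @angular-devkit/build-angular > node-sass > node-gyp > tar, "Patched in >=4.4.2") and the Hoek question above come down to the same task: find every copy of a package that the lockfile installs, work out which dependency chain pulls each copy in (what npm ls <name> prints), and decide which copies are below the fixed version. The block below is an added example, not code from any answer here and not npm's own implementation: it walks a lockfileVersion 2/3 package-lock.json "packages" map, follows Node's node_modules lookup rules to attribute each dependency edge to the copy it actually resolves to, and reports the chains and the vulnerable copies. The lockfile is constructed inline; the package names echo the page's report, but apart from tar 2.2.1 and 4.4.8 every version in it is made up for the example.

```javascript
// Added example: audit a single package in a lockfileVersion 2/3
// package-lock.json. Finds each installed copy, the chains that require it
// (as "npm ls" would show) and whether it is below an advisory's fixed version.
// Not npm's implementation; lockfileVersion 1 ("dependencies" trees) is not handled.

// Constructed lockfile: a hoisted tar 4.4.8 for the root, and a nested tar 2.2.1
// that node-gyp's "tar": "^2.0.0" cannot satisfy with the hoisted copy.
const LOCK = {
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0',
          dependencies: { tar: '^4.4.0' },
          devDependencies: { '@angular-devkit/build-angular': '0.13.0' } },
    'node_modules/@angular-devkit/build-angular': { version: '0.13.0', dev: true, dependencies: { 'node-sass': '^4.0.0' } },
    'node_modules/node-sass': { version: '4.11.0', dev: true, dependencies: { 'node-gyp': '^3.0.0' } },
    'node_modules/node-gyp': { version: '3.8.0', dev: true, dependencies: { tar: '^2.0.0' } },
    'node_modules/node-gyp/node_modules/tar': { version: '2.2.1', dev: true },
    'node_modules/tar': { version: '4.4.8' },
  },
};

const NM = 'node_modules/';

// Package name from a lockfile key: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameOf(key) {
  return key.slice(key.lastIndexOf(NM) + NM.length);
}

// Node's lookup: from package `fromKey`, try its own node_modules, then each
// ancestor's node_modules, up to the root. Returns the lockfile key or null.
function resolveDep(lock, fromKey, name) {
  let k = fromKey;
  for (;;) {
    const candidate = (k ? k + '/' : '') + NM + name;
    if (lock.packages[candidate]) return candidate;
    if (k === '') return null;
    const idx = k.lastIndexOf('/' + NM);
    k = idx < 0 ? '' : k.slice(0, idx);
  }
}

// Every "requirer -> resolved copy" edge in the lockfile.
function edges(lock) {
  const out = [];
  for (const [key, pkg] of Object.entries(lock.packages)) {
    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}), ...(pkg.optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const to = resolveDep(lock, key, dep);
      if (to) out.push({ from: key, to });
    }
  }
  return out;
}

// All chains of package names from the root to `targetKey`; cycles are cut.
function chainsTo(lock, targetKey, edgeList = edges(lock), seen = new Set()) {
  if (targetKey === '') return [[]];
  if (seen.has(targetKey)) return [];
  const next = new Set(seen).add(targetKey);
  const chains = [];
  for (const e of edgeList) {
    if (e.to !== targetKey) continue;
    for (const prefix of chainsTo(lock, e.from, edgeList, next)) chains.push([...prefix, nameOf(targetKey)]);
  }
  return chains;
}

// "4.4.2" -> [4, 4, 2]; suffixes after the patch number are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// One entry per installed copy of `name`: its lockfile key, version, whether it
// is below `patchedMin` (the advisory's "Patched in >=" floor) and its chains.
function auditPackage(lock, name, patchedMin) {
  const floor = parseVersion(patchedMin);
  const edgeList = edges(lock);
  return Object.entries(lock.packages)
    .filter(([key]) => key !== '' && nameOf(key) === name)
    .map(([key, pkg]) => ({
      key, version: pkg.version,
      vulnerable: compare(parseVersion(pkg.version), floor) < 0,
      paths: chainsTo(lock, key, edgeList).map((c) => c.join(' > ')),
    }));
}

for (const r of auditPackage(LOCK, 'tar', '4.4.2')) {
  console.log(`${r.version}${r.vulnerable ? ' (vulnerable)' : ''}: ${r.paths.join(' | ')}`);
}
```

Run against a real package-lock.json by replacing LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). The chain tells you which direct dependency to bump (here the devDependency @angular-devkit/build-angular), and re-running the audit after npm i or an "overrides" entry confirms the nested copy is gone rather than merely hidden.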
