Issue with nsp scan - node.js

I am using nsp to scan for vulnerabilities. I see a strange behavior.
In the scripts, dependencies and devDependencies sections I have the following content:
{
  "scripts": {
    "security-scan:nsp": "nsp check --threshold 10 --reporter json"
  },
  "dependencies": {
    "joi": "10.x",
    "dotenv": "4.0.0",
    "nsp": "3.2.1"
  },
  "devDependencies": {
    "lab": "14.x",
    "code": "4.x",
    "eslint": "4.1.1",
    "eslint-plugin-import": "2.7.0"
  }
}
If I run npm run security-scan:nsp I get some vulnerabilities, but if I move nsp from dependencies to devDependencies and run npm run security-scan:nsp I don't get any vulnerabilities. Can anyone help me out here?

nsp doesn't scan devDependencies. The new npm audit command does, and it uses the same database of vulnerabilities, but it doesn't have any of the formatting options of nsp.

Related

npm link not working for one of four local packages

I have 4 packages in my package.json:
"#CT/package-1": "*",
"#CT/package-2": "*",
"#CT/package-3": "*",
"#CT/package-4": "*",
All four packages are not on the NPM registry, but locally linked.
In each package directory I did:
sudo npm link
After that I went into my main project and linked all packages like so:
npm link @CT/package-1
npm link @CT/package-2
npm link @CT/package-3
npm link @CT/package-4
For each command it outputs the linked chain of the symlinks; I checked the paths of each one, and they're correct. If I go into the node_modules folder of my main project and follow @CT/package-X I will end up in my local package directory.
Now I expect that I can run npm i on my main project and it won't try to install those packages from the npm registry. This works for packages 2-4, but it does not work for package-1:
npm ERR! code E404
npm ERR! 404 Not Found - GET https://npm.pkg.github.com/@CT%2fpackage-1 - npm package "package-1" does not exist under owner "CT"
As soon as I remove "@CT/package-1": "*", from my package.json, npm i will succeed, because it seems to rightfully skip packages 2-4, just not package-1.
Now I inspected all four package projects, and it makes no sense to me. All projects compile, all package.json contain the correct package name. Here is the package.json of my first faulty package:
{
  "name": "@CT/package-1",
  "version": "0.0.2",
  "description": "",
  "main": "dist/plugin.cjs.js",
  "module": "dist/esm/index.js",
  "types": "dist/esm/index.d.ts",
  "unpkg": "dist/plugin.js",
  "files": [
    "android/src/main/",
    "android/build.gradle",
    "dist/"
  ],
  "author": "martin-braun",
  "license": "ISC",
  "keywords": [
    "capacitor",
    "plugin",
    "native"
  ],
  "scripts": {
    "lint": "npm run prettier -- --check",
    "prettier": "prettier \"**/*.{css,html,ts,js,java}\"",
    "build": "npm run prettier && npm run clean && tsc && rollup -c rollup.config.js",
    "clean": "rimraf ./dist",
    "watch": "tsc --watch",
    "prepublishOnly": "npm run build"
  },
  "devDependencies": {
    "@capacitor/android": "^3.0.0",
    "@capacitor/core": "^3.0.0",
    "@capacitor/docgen": "^0.0.18",
    "@ionic/eslint-config": "^0.3.0",
    "@ionic/prettier-config": "^1.0.1",
    "eslint": "^7.11.0",
    "prettier": "~2.2.0",
    "prettier-plugin-java": "~1.0.0",
    "rimraf": "^3.0.2",
    "rollup": "^2.32.0",
    "typescript": "~4.0.3"
  },
  "peerDependencies": {
    "@capacitor/core": "^3.0.0"
  },
  "prettier": "@ionic/prettier-config",
  "eslintConfig": {
    "extends": "@ionic/eslint-config/recommended"
  },
  "capacitor": {
    "android": {
      "src": "android"
    }
  },
  "publishConfig": {
    "registry": "https://npm.pkg.github.com/CT"
  },
  "dependencies": {}
}
.npmrc
registry=https://npm.pkg.github.com/@CT
registry=https://registry.npmjs.org
When I linked the project on my main project it showed the right paths (i.e.)
/Users/mb/Projects/CT/MAIN/node_modules/@CT/package-1 -> /Users/mb/node_module_collections/ekol/lib/node_modules/@CT/package-1 -> /Users/mb/Projects/CT/package-1
What could I try to find the issue? Again, package 2-4 won't cause npm i to fail, but package.json and npmrc look similar. I'm thankful for any advice.
node v13.12.0

How to use node modules in Laravel5.2 assets file

This time I am trying to use the npm web3 package in a Laravel 5.2 project. I am completely new to using npm, and that too inside Laravel.
So far I have the following in my package.json file:
{
  "private": true,
  "devDependencies": {
    "gulp": "^3.9.1"
  },
  "dependencies": {
    "bootstrap-sass": "^3.0.0",
    "laravel-elixir": "^2.0.0",
    "web3": "^1.0.0-beta.36"
  }
}
When I do npm install, all the node dependencies are installed in node_modules inside the root directory. Now I am trying to figure out how these packages can be brought into use inside the public/assets/js/app.js file.
Do I also have to have node services running to use these packages?
npm version: 6.4.1
node version: v8.11.4
Your help is much appreciated.
Updated question - 10th Sep 2018
Downgraded my node package to 6.0 to overcome a few issues I was facing with 8.0.
node version: v6.0.0
npm version: 3.8.6
New package.json:
{
  "private": true,
  "scripts": {
    "prod": "gulp --production",
    "dev": "gulp watch"
  },
  "devDependencies": {
    "@types/node": "^10.9.4",
    "gulp": "^3.9.1",
    "laravel-elixir-rollup": "^0.3.3",
    "laravel-elixir-webpack": "^1.0.1",
    "require-dir": "^0.3.2"
  },
  "dependencies": {
    "bootstrap-sass": "^3.0.0",
    "laravel-elixir": "^5.0.0",
    "web3": "^1.0.0-beta.36"
  }
}
New gulpfile.js:
var elixir = require('laravel-elixir');
var path = require('path');
require('laravel-elixir-webpack');

elixir(function(mix) {
  mix.webpack(
    './node_modules/web3/src/index.js',
    './public/js/web3-compiled.js'
  );
});
When I run npm run dev in the console, it finishes as below:
[digvijay@Digvijays-MacBook-Air:/var/www/html/estatebaron$ npm run dev
> @ dev /private/var/www/html/estatebaron
> gulp watch
node_modules/nan
[17:10:07] Using gulpfile /private/var/www/html/estatebaron/gulpfile.js
[17:10:07] Starting 'watch'...
[17:10:07] Finished 'watch' after 18 ms
What I am expecting here is a js file named web3-compiled.js created in the public/js directory, but that does not happen now. Am I missing anything here?
If you are using the default Laravel 5.2 configuration you're probably missing some lines in package.json; see this.
So to make it work run npm run dev, but make sure to configure gulp correctly in your gulpfile.js. Read more about this in https://laravel.com/docs/5.3/elixir and https://github.com/gulpjs/gulp/tree/v3.9.1/docs

Bitbucket Pipelines from Docker Image has Missing NPM Modules

Question
What is wrong with my Dockerfile or bitbucket-pipelines.yml? Why are modules missing from the bitbucket pipelines environment?
Error
When I try to npm run build my Vue2 project with webpack using Bitbucket Pipelines, I get errors regarding missing modules.
From Logs
npm run build
> people-is@1.0.0 build /opt/atlassian/pipelines/agent/build
> node build/build.js
module.js:549
throw err;
^
Error: Cannot find module 'cli-spinners'
Files
Here are the files for configuration.
Dockerfile - builds cportwine/people-is
FROM node:8.10.0
RUN npm install
RUN npm install -g firebase-tools
CMD [ "npm", "run", "build" ]
bitbucket-pipelines.yml
image:
  name: cportwine/people-is
pipelines:
  default:
    - step:
        script:
          - npm run build
package.json
{
  "name": "people-is",
  "version": "1.0.0",
  "description": "A Vue.js project",
  "author": "cportwine",
  "private": true,
  "scripts": {
    "dev": "node build/dev-server.js",
    "start": "node build/dev-server.js",
    "build": "node build/build.js",
    "deploy": "firebase deploy --token $FIREBASE_TOKEN"
  },
  "dependencies": {
    "rxjs": "^5.5.8",
    "uuid": "^3.2.1",
    "vue": "^2.5.16",
    "vue-json-excel": "^0.1.9",
    "vue-router": "^2.8.1",
    "vue-rx": "^5.0.0",
    "vuefire": "^1.4.5",
    "vuetify": "^0.15.2"
  },
  "devDependencies": {
    "autoprefixer": "^7.2.6",
    "babel-core": "^6.22.1",
    "babel-loader": "^7.1.4",
    "babel-plugin-transform-runtime": "^6.22.0",
    "babel-preset-env": "^1.6.1",
    "babel-preset-stage-2": "^6.22.0",
    "babel-register": "^6.22.0",
    "chalk": "^2.3.2",
    "connect-history-api-fallback": "^1.5.0",
    "copy-webpack-plugin": "^4.5.1",
    "css-loader": "^0.28.11",
    "cssnano": "^3.10.0",
    "eslint": "^4.19.1",
    "eslint-config-standard": "^11.0.0",
    "eslint-friendly-formatter": "^3.0.0",
    "eslint-loader": "^1.9.0",
    "eslint-plugin-html": "^4.0.2",
    "eslint-plugin-promise": "^3.7.0",
    "eslint-plugin-standard": "^3.0.1",
    "eventsource-polyfill": "^0.9.6",
    "express": "^4.16.3",
    "extract-text-webpack-plugin": "^2.0.0",
    "file-loader": "^0.11.1",
    "firebase": "^4.12.0",
    "firebase-tools": "^3.17.7",
    "friendly-errors-webpack-plugin": "^1.1.3",
    "html-webpack-plugin": "^2.28.0",
    "http-proxy-middleware": "^0.17.3",
    "opn": "^5.3.0",
    "optimize-css-assets-webpack-plugin": "^2.0.0",
    "ora": "^1.4.0",
    "rimraf": "^2.6.0",
    "semver": "^5.5.0",
    "shelljs": "^0.7.6",
    "url-loader": "^0.5.8",
    "vue-loader": "^13.7.1",
    "vue-style-loader": "^3.1.2",
    "vue-template-compiler": "^2.5.16",
    "vuex": "^2.5.0",
    "webpack": "^2.6.1",
    "webpack-bundle-analyzer": "^2.11.1",
    "webpack-dev-middleware": "^1.12.2",
    "webpack-hot-middleware": "^2.21.2",
    "webpack-merge": "^4.1.2"
  },
  "engines": {
    "node": ">=8.10.0",
    "npm": ">= 5.6.0"
  },
  "browserslist": [
    "> 1%",
    "last 2 versions",
    "not ie <= 8"
  ],
  "main": "index.js",
  "repository": {
    "type": "git",
    "url": "git+https://chaddportwine@bitbucket.org/jahnelgroup/people-is.git"
  },
  "keywords": [],
  "license": "ISC",
  "homepage": "https://bitbucket.org/jahnelgroup/people-is#readme"
}
What I see
When I ls the node_modules folder in both environments, they do not match. Modules are missing from bitbucket pipelines.
local folder
people-is/node_modules
...
chalk
char-spinner
chardet
check-types
chokidar
chownr
cipher-base
circular-json
cjson
clap
class-utils
clean-css
cli-boxes
cli-cursor
cli-spinners
cli-table
cli-table2
cli-width
cliui
...
bitbucket folder
/opt/atlassian/pipelines/agent/build/node_modules
Woah, missing modules!
...
chalk
cli-cursor
co
...
What I have tried
I added a command to the bitbucket-pipelines.yml to npm install before I build.
bitbucket-pipelines.yml
image:
  name: cportwine/people-is
pipelines:
  default:
    - step:
        script:
          - npm install
          - npm run build
This adds some additional modules (like cli-spinners from the error) to /opt/atlassian/pipelines/agent/build/node_modules.
bitbucket folder
/opt/atlassian/pipelines/agent/build/node_modules
...
chalk
char-spinner
chardet
check-types
chokidar
chownr
cipher-base
circular-json
cjson
clap
class-utils
clean-css
cli-boxes
cli-cursor
cli-spinners
cli-table
cli-table2
cli-width
cliui
clone
clone-response
co
...
However, the build command still fails, due to a different missing module.
Error
> people-is@1.0.0 build /opt/atlassian/pipelines/agent/build
> node build/build.js
module.js:549
throw err;
^
Error: Cannot find module './_safeGet'
Solutions
I can now build the app, but I don't know why!
1 - Simplify the Dockerfile
I removed all the npm commands. Maybe the npm install commands were redundant? There was no advantage to using the Docker image to pre-install npm packages.
2 - Remove Node_Modules before install
Using the bitbucket-pipelines.yml, remove the node_modules folder, and then perform npm install -g npm and npm install and npm install -g firebase-tools.
File Changes
bitbucket-pipelines.yml (added lines)
image:
  name: cportwine/people-is
pipelines:
  default:
    - step:
        script:
          - rm -r node_modules            # <---- remove
          - npm install -g npm            # <---- install
          - npm install                   # <---- install
          - npm install -g firebase-tools # <---- install
          - npm run build
Dockerfile (lines removed)
FROM node:8.10.0
# <---- remove (the RUN npm install lines)
CMD [ "npm", "run", "build" ]
Answer ?
I'm not sure why moving all the npm install stuff into the bitbucket-pipelines.yml solved my issue building the project. I thought Docker would enable me to define my environment, e.g., install a version of node/npm and firebase. And pipelines would "run" that.
If someone could explain what I am missing, I would accept that answer.
Answer
I received support from the Atlassian Team
Leave npm install -g firebase in the docker image.
Move npm install from the docker image to the bitbucket-pipelines.yml file.
Reason
The node_modules folder was listed in .gitignore
tl;dr
My mistake - I forgot about .gitignore and how that affects the node_modules folder in source control, e.g., Bitbucket Pipelines.
I was looking at my local node_modules folder and building locally which worked.
However
The node_modules in source control, by design, is not in-sync with my local folder because it's included in the .gitignore file.
So
It was necessary for me to rm node_modules and npm install using the bitbucket-pipelines.yml. Now, BitPipes finds the modules I have installed locally.
This is sort of the point of maintaining the package.json, but I got confused.

How to solve the following browserify error?

I'm new to using gulp and browserify. I'm trying to follow a tutorial online which uses browserify and gulp.
Following is my package.json:
{
  "name": "progressive",
  "version": "1.0.0",
  "description": "Practicing a Progressive Web App",
  "scripts": {
    "start": "node ./index.js"
  },
  "author": "Indu Pillai",
  "devDependencies": {
    "browserify": "^13.1.0",
    "gulp": "^3.8.8",
    "gulp-browserify": "^0.5.1",
    "gulp-clean-css": "^2.0.13",
    "gulp-concat-css": "^2.3.0",
    "gulp-if": "^2.0.1",
    "gulp-sourcemaps": "^2.2.0",
    "gulp-uglify": "^2.0.0",
    "gulp-util": "^2.2.20",
    "gulp-webserver": "^0.8.8",
    "jquery": "^3.1.1",
    "sw-precache": "^4.2.1"
  },
  "dependencies": {
    "handlebars": "^4.0.5"
  }
}
When I run npm install, it gives me the following error:
npm WARN browserify-shim@2.0.10 requires a peer of browserify@>= 2.3.0 < 4 but none was installed.
I don't know how to solve this problem, and I'm not good at npm stuff either. I didn't ask for browserify-shim in my package.json, but maybe some of the packages I asked for depend on it.
Thank You!
I had the same problem and I solved it with the following:
If you use Windows you should:
Download the (Windows Binary.Zip)
Then choose the correct architecture for your computer (32 or 64),
make it active
Open Command Prompt as Administrator
Execute this on the command line: npm install -g @angular/cli

Heroku - error running browserify on Node deployment

I'm trying to deploy a Node app to Heroku, but I'm having an issue successfully running browserify when the app is deployed.
When I'm running locally, I browserify my script with npm run bundle like so (from package.json):
"bundle": "./node_modules/browserify/bin/cmd.js build/main.js -o public/scripts/bundle.js
which browserifies the script in build/main.js and puts it into public/scripts/bundle.js.
For deploying to Heroku, I added
"postinstall": "npm run bundle"
However, when I deploy, I get the following error:
Error: ENOENT: no such file or directory, open 'public/scripts/bundle.js.tmp-browserify-59309133185877094263'
Well, that's correct, that file shouldn't exist... yet. When I run npm run bundle locally, I do see that file briefly pop into existence, but then it is quickly removed and I'm left with a nice updated bundle.js.
I read through Heroku's docs on this, but I'm miffed... can anyone clarify how to get through this?
For reference, here are the relevant parts of my package.json:
"scripts": {
"bundle": "./node_modules/browserify/bin/cmd.js build/main.js -o public/scripts/bundle.js",
"postinstall": "npm run bundle"
},
"dependencies": {
"body-parser": "^1.17.1",
"browserify": "^14.1.0",
"ejs": "^2.5.6",
"express": "^4.15.2",
"jquery": "^3.2.1",
"path": "^0.12.7",
"superagent": "^3.5.2"
},
"devDependencies": {},
"engines": {
"node": "6.8.1",
"npm": "4.0.5"
}
Solved! I had bundle.js included in my global .gitignore configuration. Just had to take that out, good to go!
