NPM 6 - Should I audit fix all package vulnerabilities? - security

After installing NPM 6 almost every NPM package that I install on an Angular 6 project has vulnerabilities.
Should I "npm audit fix" every package each time?
Should I reinstall NPM 5? Other solution?
This is the terminal sequelize code I used with its vulnerabilities:
npm i sequelize --save
npm WARN @angular/material@6.2.1 requires a peer of @angular/cdk@6.2.1
but none is installed. You must install peer dependencies yourself.
+ sequelize@4.37.10
added 16 packages from 39 contributors and audited 22308 packages in
10.659s
found 9 vulnerabilities (3 low, 5 moderate, 1 high)
run `npm audit fix` to fix them, or `npm audit` for details

Try performing the below commands:
* npm i karma@3.0.0 --save and
* npm install --save-dev protractor@5.4.0

Related

Running npm install --package-lock-only --legacy-peer-deps is toggling installed/removed packages

Little background for the issue I am facing with npm install:
Installing npm dependencies with npm i --legacy-peer-deps updates the package-lock.json as expected.
We have a pre-commit hook that does npm install --package-lock-only --legacy-peer-deps to sync package.json changes to the package-lock.json. This second command is reverting the changes, or removing some subset of the dependencies, from npm i --legacy-peer-deps.
As I was not able to find a way to capture the changes to package-lock.json, I have tried running the same npm i --legacy-peer-deps twice in a row, which in a way replicates the problem I am observing with npm i --legacy-peer-deps.
Issue:
The packages that were added and removed during the first run are toggled during the second run.
The bash command output is provided in the trailing part here.
We have preinstall and postinstall scripts to address a known security issue with the request module that was being used in koa-proxy, and to resolve a buggy version of http-signature@1.2.0, which is a transitive dependency.
$ node -v
v18.12.1
$ npm -v
8.19.2
$ npm i --legacy-peer-deps
> ************ preinstall
> npx npm-force-resolutions
> ************ postinstall
> npx patch-package
patch-package 6.5.1
Applying patches...
request@2.88.2 ✔
> ************ prepare
> node_modules/.bin/husky-run install
added 33 packages, removed 7 packages, and audited 1519 packages in 28s
7 packages are looking for funding
run `npm fund` for details
9 vulnerabilities (3 low, 1 moderate, 4 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
$ npm i --legacy-peer-deps
> ************ preinstall
> npx npm-force-resolutions
> ************ postinstall
> npx patch-package
patch-package 6.5.1
Applying patches...
request@2.88.2 ✔
> ************ prepare
> node_modules/.bin/husky-run install
added 7 packages, removed 33 packages, and audited 1493 packages in 29s
7 packages are looking for funding
run `npm fund` for details
9 vulnerabilities (3 low, 1 moderate, 4 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
$
I have repeated the test with the npm 9.x version and the behaviour is observed there as well.
Expected Behavior
Re-running npm install on a code base should not remove/install the packages that were updated in the previous run.
Steps To Reproduce
npm install --legacy-peer-deps
npm install --legacy-peer-deps
Environment
npm: 8.19.2 & 9.4.1
Node.js: v18.12.1
OS Name: Mac Ventura 13.1
System Model Name: Macbook M1
npm config:
engine-strict = true
legacy-peer-deps = true
I have tried with different versions of npm, but not with different versions of Node; Node 18 is a minimum requirement with my codebase at present.
I need help with the package toggling issue, or any alternative to get package-lock.json upgraded so the package changes are synced without running npm install again.

npm WARN deprecated fsevents@1.2.4: fsevents 1 will break on node v14+

I keep getting this npm warning after running npm install. I have deleted and reinstalled npm. Nothing seems to work.
npm WARN deprecated fsevents@1.2.4: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
up to date, audited 2107 packages in 26s
94 packages are looking for funding
run `npm fund` for details
68 vulnerabilities (14 low, 18 moderate, 32 high, 4 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
First, try to reset the npm cache:
npm cache clean --force
Then retry installing the npm packages.
If nothing happens, try npm install --no-optional or npm install --force.
Hope that works.
The problem isn't with npm, but with your project. It requires (possibly indirectly) fsevents@1.2.4, which is deprecated. You'll need to update your project to require a newer version, e.g.:
"fsevents": "^2.3.2"
and, of course, update your project to work with this version.

npm ejs install error: 5 vulnerabilities (1 low, 4 critical)

I was trying to download EJS and I got this error:
npm WARN deprecated transformers@2.1.0: Deprecated, use jstransformer
npm WARN deprecated constantinople@3.0.2: Please update to at least constantinople 3.1.1
npm WARN deprecated jade@1.11.0: Jade has been renamed to pug, please install the latest version of pug instead of jade
added 115 packages, and audited 116 packages in 5s
2 packages are looking for funding
run `npm fund` for details
5 vulnerabilities (1 low, 4 critical)
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details
Can someone help me?

node module not installed

Below, in my VS Code, I wanted to add the node modules folder, but it gives me the error below and it's not adding it:
node@17.7.1 preinstall C:\Users\saad\node_modules\node
node installArchSpecificPackage
node-win-x64@17.7.1
added 1 package in 7.696s
found 0 vulnerabilities
npm WARN @vue/compiler-sfc@3.0.4 requires a peer of vue@3.0.4 but none is installed. You must install peer dependencies yourself.
npm WARN saad@1.0.0 No description
npm WARN saad@1.0.0 No repository field.
node@17.7.1
module@1.2.5
added 4 packages from 1 contributor, removed 6 packages, updated 2 packages, moved 6 packages and audited 1219 packages in 44.799s
70 packages are looking for funding
run npm fund for details
found 13 vulnerabilities (2 low, 5 moderate, 5 high, 1 critical)
run npm audit fix to fix them, or npm audit for details
Is there a way to solve this?

When I install any npm package on Windows this error occurs and I cannot install the package properly

bootstrap@4.1.1
updated 1 package and audited 1932 packages in 17.046s
145 packages are looking for funding
run npm fund for details
found 6 vulnerabilities (4 moderate, 2 high)
run npm audit fix to fix them, or npm audit for details
Delete the folder 'node_modules' and run in the console:
npm install // or yarn install
This isn't an error, this message is normal.
145 packages are looking for funding run npm fund for details
This line is a donation call (not mandatory)
found 6 vulnerabilities (4 moderate, 2 high) run npm audit fix to fix them, or npm audit for details
This line informs you that some of your package.json modules have vulnerabilities. Run npm audit to view a list of them and the associated vulnerabilities.
If you run the mentioned command npm audit fix, it will try to automatically fix it for you by updating your package.json with new versions for these modules.
Delete node_modules and package-lock.json after that:
npm audit fix
npm install
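The first question on this page asks whether every reported vulnerability should be fixed with `npm audit fix`, and the answer above explains that the command updates the affected modules for you. The script below is an added example, not code from any poster here: it reads an `npm audit --json` report and separates advisories that plain `npm audit fix` resolves from those that need `npm audit fix --force` (a breaking major upgrade) or have no fix at all. It assumes the npm 7+ report format, where each entry's `fixAvailable` is `true`, `false`, or an object carrying an `isSemVerMajor` flag; the sample report and its package names are constructed.

```javascript
// Added example (not from any post on this page): triage an `npm audit --json`
// report before choosing between `npm audit fix` and `npm audit fix --force`.
// Assumption: npm 7+ format, where each entry's `fixAvailable` is true (fix
// without a major bump), false (no fix), or an object whose `isSemVerMajor`
// flag marks a breaking upgrade that only `--force` would apply.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample shaped like `npm audit --json` output; package names are made up.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-a': { name: 'example-a', severity: 'low', isDirect: false, range: '<1.2.3',
                   fixAvailable: true },
    'example-b': { name: 'example-b', severity: 'high', isDirect: true, range: '<4.0.0',
                   fixAvailable: { name: 'example-b', version: '4.0.1', isSemVerMajor: true } },
    'example-c': { name: 'example-c', severity: 'critical', isDirect: false, range: '*',
                   fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

// Map a `fixAvailable` value onto the remedy that would actually resolve it.
function classifyFix(fixAvailable) {
  if (fixAvailable === false) return 'none';      // wait for upstream or replace the package
  if (fixAvailable === true) return 'audit-fix';  // plain `npm audit fix` is enough
  return fixAvailable.isSemVerMajor ? 'force' : 'audit-fix'; // breaking change: needs `--force`
}

// Group every advisory by remedy, worst severity first within each group.
function triage(report) {
  const groups = { 'audit-fix': [], force: [], none: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    groups[classifyFix(v.fixAvailable)].push({ name: v.name, severity: v.severity, isDirect: v.isDirect });
  }
  for (const list of Object.values(groups)) {
    list.sort((a, b) => SEVERITY_ORDER.indexOf(b.severity) - SEVERITY_ORDER.indexOf(a.severity));
  }
  return groups;
}

// Highest severity that plain `npm audit fix` would leave behind (null if nothing remains).
function worstRemaining(report) {
  const t = triage(report);
  const left = [...t.force, ...t.none].map((v) => v.severity);
  left.sort((a, b) => SEVERITY_ORDER.indexOf(b) - SEVERITY_ORDER.indexOf(a));
  return left.length ? left[0] : null;
}
```

To run it against a real project, save `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync('audit.json', 'utf8'))` to `triage` instead of `SAMPLE_REPORT`; the `force` group is the one to review by hand before letting `--force` touch package.json.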