How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json? - node.js

Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update, neither of them updates the dependency in the package-lock.json file.
I've done a lot of googling on this, as well as deleted the file and done npm install.
If anyone can help resolve this I'd hugely appreciate it. The package in question is Hoek, which I don't actually have in my package.json file.

It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from its own package.json).
You've already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.
Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.
Edit:
To help you identify which packages are using which dependencies, you can use NPM's ls command: https://docs.npmjs.com/cli/ls
For example, to see which packages are using Hoek:
npm ls hoek
Edit 2:
As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.
Edit 3:
Those reading this should also check out JBallin's answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP's question better. However - if you want a quick fix - this answer should suffice.

TLDR: Update the parent package using npm i $PARENT_PKG_NAME.
Note
When updating dependencies, you should review the CHANGELOG for any breaking changes.
Diagnosis
npm audit will reveal both the vulnerable package (note that you'll need a package-lock.json file for this, so you'll need to run npm i), as well as the package that it is a dependency of (if applicable). Note that you can also use npm ls $CHILD_PKG_NAME to see its parent dependencies.
Quick Fix Attempt
npm audit fix and npm audit fix --force are worth a try, but sometimes the fix will need to be done manually (see below).
Manual Fix
Most likely the parent package will have already fixed their dependencies (you can verify this by going to their GitHub and reviewing the recent commits, or just seeing if this fixes it), so you can just run npm i $PARENT_PKG_NAME@$NEW_VERSION and it will update your package-lock.json.
If parent has not fixed the vulnerability
If the maintainer doesn't seem to be responsive, you may consider using an alternative package that accomplishes the same thing or forking the package and updating the vulnerability yourself.
Verify Fix
You can now verify that it worked by running npm audit and ensuring that no vulnerabilities are showing up. Commit your changes, push them to GitHub, refresh your notifications/alerts and they should be gone!

Step 1: Install Peer Dependencies
npm i --legacy-peer-deps
Step 2: Change package manually
Edit package-lock.json manually and update the vulnerable package version to the fixed one.
npm ci
That will install the packages according to package-lock.json by ignoring package.json first.
Step 3: Control it again
Run
npm audit fix
to be sure it's properly done. If that does not help, use the other solutions given here.
More Information here:
https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
or here: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities

If you have npm@6 or later, you can use npm audit fix for your security issues.

Use:
npm i hoek
npm will install the latest version of hoek and your package-lock.json will be updated.

To check for vulnerable npm packages, just use the following command:
npm audit
To fix vulnerable npm packages, just use the following command, which will fix package-lock.json too:
npm audit fix

I had this issue and found that it was because the server on which I was running npm had an old version of npm on it; package-lock.json is only supported by newer versions.

Did you try this: go to your project root, delete the package-lock.json file, node_modules and .cache folders, and then npm install.

After installing new dependencies run the following command to update the package-lock.json file:
npm update package-lock.json

Related

What is the difference between deleting package-lock.json + npm install and npm install?

I'm upgrading dependencies and was wondering why these two workflows don't lead to the same result.
Option 1 - Delete package-lock.json and npm install.
Completely upgrades/changes the majority of the package-lock.json in addition to the dependencies I upgraded in the package.json.
Source: https://poanchen.github.io/blog/2020/04/13/how-to-update-package-lock-json-file-in-order-to-honour-the-and-~-symbol
Option 2 - Not deleting package-lock.json and npm install
Upgrades the dependencies in package-lock.json that I changed in the package.json.
Source: https://betterprogramming.pub/how-to-upgrade-dependencies-in-package-json-e5546804187f
I've searched stackoverflow and no one seems to be asking this. Can someone please explain the difference between the two and possibly recommend the ideal workflow for upgrading a few dependencies?

react-dev-utils latest version installs a vulnerable version of browserslist

react-dev-utils@11.0.4 installs a vulnerable version of browserslist, browserslist@4.14.2, although we have updated the package on GitHub. https://github.com/facebook/create-react-app/blob/main/packages/react-dev-utils/package.json#L57
[To test this out, you may simply create any folder, do npm i react-dev-utils and then check it using npm ls browserslist.]
I don't get what all the constraints for this are. (I don't see any package-lock.json for this package, which could be a potential reason for the vuln.) The older version has a reported vulnerability, CVE-2021-23364.
react-dev-utils@11.0.4 installs a vulnerable version of browserslist, browserslist@4.14.2, although we have updated the package on GitHub
This is because that package.json file resides in the default branch which usually contains the latest or development code. At the time you posted the question, that change was not published to the npm registry.
react-dev-utils@11.0.4 has browserslist@4.14.2 listed in its package, so that's the version that will be installed. Reference: https://cdn.jsdelivr.net/npm/react-dev-utils@11.0.4/package.json
You need at least react-dev-utils@12.0.0 to fix that vulnerability. See the versions tab.
[To test this out, you may simply create any folder, do npm i react-dev-utils and then check it using npm ls browserslist.]
Running that command will install the latest version of react-dev-utils, which now has no vulnerability. So it will fix your issue.
I don't see any package-lock.json for this package, which could be a potential reason for the vuln
package-lock.json cannot be published to registry, only the top level lock file is respected. Reference: Should package-lock.json also be published?
This may be an example package, but how in general do we update to the latest package? I have tried npm update as well.
npm update respects the semver range that you've set in your package.json. If it's like "react-dev-utils": "11.0.4", that command won't do anything. If it's "react-dev-utils": "^11.0.4", it will try to update to the latest 11.x.x version, which you are already on, so again it won't do anything. Reference: npm update does not do anything
In general if you want to upgrade every direct dependency to latest version you can use npm-check-updates before running npm update. Refer https://nodejs.dev/learn/update-all-the-nodejs-dependencies-to-their-latest-version for detailed guide. Related: How to update each dependency in package.json to the latest version?
Now, if it is not a direct dependency, as was in your case, you can force resolutions. This is natively supported in Yarn and NPM v8.3.0 and above. In older NPM versions you need to use a dependency like npm-force-resolutions. Related thread: npm equivalent of yarn resolutions?
There are many more related threads that you can easily find by searching on the web.

npm update dependency issue

I am trying to update dependencies for various projects I have on GitHub. I wanted to update them one at a time. I went through these steps:
npm update (from master)
npm update dependency-name (from folder containing the json files)
npm install dependency-name --save
npm fix --force (don't remember this command exactly. It was similar to that)
Then I got a message that said "--force. I hope you know what you're doing." I knew immediately that I'd made a mistake because I didn't know what I was doing. I found that command while Googling solutions, so I stopped there.
How can I update a specific dependency in a package-lock.json file?
Also, could I have done significant damage with the --force command?
Thank you.
--force is a flag which forces a particular operation/process to run
So I think to fix the dependencies you would have used npm audit fix --force
You wouldn't have done any damage to your dependency tree.
The npm docs say:
npm audit fix
Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies
Please refer https://docs.npmjs.com/cli/audit

Nothing change after executing the suggestion from npm audit

npm version 6.0.1
Run npm audit
Like many projects, we have some vulnerabilities in ours.
First thing the report suggests is:
# Run npm update fsevents --depth 4 to resolve 65 vulnerabilities
I did this several times, decrementing the number of issues, but this time it doesn't work.
Any idea why?
You already have fsevents installed, the lock file has the outdated values. If you manually change them in your lock file your npm audits would look clean, the problem being when you run npm install again it won't matter and they will install it again. Make sure to check your node_modules and the version of the libraries being used are in fact the ones without any vulnerabilities
It's a problem npm audit/update have with some optional packages like fsevents. If you clear all those packages inside package-lock.json or yarn.lock, or if you don't care about the lock, just remove the file and run npm install or yarn install again to have the updated inner packages.

NPM warn message about deprecated package

I am installing a module globally
$ npm install -g X
and NPM says
"npm WARN deprecated lodash@1.0.2: lodash@<3.0.0 is no longer
maintained. Upgrade to lodash@^4.0.0"
how can I find out which module has a dependency on this old version of lodash?
The warning message from NPM doesn't seem to give me any clue which module references this old version (I believe that the module X does not have a direct dependency on this old version of lodash.).
I got an answer for the similar question: https://stackoverflow.com/a/36335866/1115187
Briefly:
npm outdated --depth=3
This command will analyze installed NPM-packages and their versions. The report will contain:
package name
latest version
current version
dependency path (down to depth level)
Hope this information helps you gather info about outdated packages.
Next step - get in touch with maintainers of the appropriate package, and ask them to update the package (maybe, you would like to send a pull request).
UPD: npm-check
There is a great npm package: npm-check, that allows checking outdated dependencies. Probably
My favorite feature: Interactive Update — run npm-check -u in the project folder. An interactive menu shows all required information about dependencies in the current folder and allows to update all dependencies in 3 seconds.
npm la <package-name>
also works, and will give you the most details about the dependency graph of a dependency.
npm ls <package-name>, does something similar but gives you less details
Use npm list. It will print out all of the packages your module depends on as well as your dependencies' dependencies and so forth. Maybe redirect output to a file or grep it so you can search it more easily.
Use this:
sudo npm install --unsafe-perm -g expo-cli
You could search through all the package.json files under node_modules and see which ones are dependent on lodash 1.0.2.
For deprecated files you should use the "npm i [package]" syntax, in this case you should use: npm i X and it will fetch all necessary packages, including deprecated ones, but which are required for your installation.
Npm documentation link: https://docs.npmjs.com/using-deprecated-packages