Stuck with Node and Bower - node.js

When I run npm install I get the warning below and it does not proceed; it just gets stuck there.
npm WARN deprecated bower@1.8.0: ..psst! While Bower is maintained, we recommend Yarn and Webpack for *new* front-end projects! Yarn's advantage is security and reliability, and Webpack's is support for both CommonJS and AMD projects. Currently there's no migration path but we hope you'll help us figure out one.
Does anyone have any idea how to proceed?

I waited for half an hour and it worked; the issue got resolved.

Related

Error while installing multer packages using npm

I am getting the following error while installing the multer package using npm.
dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
busboy <=0.3.1
Depends on vulnerable versions of dicer
node_modules/busboy
multer <=2.0.0-rc.3
Depends on vulnerable versions of busboy
node_modules/multer
3 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
You can update multer to 1.4.5, the latest version, with npm i multer@latest, which uses busboy@1.0.0 without any vulnerabilities.
This is due to a vulnerability in the dicer dependency. Multer will still work; right now no fix is available. Maybe it will be resolved in the next update. Check this GitHub-reviewed vulnerability.
I am a novice and this is not advice on what you should do - I'm just relaying what I did and what the outcome was.
This is a duplicate of my post on the same issue, on GitHub
After deploying my Vuejs3 app a week ago to Firebase, I was prompted to upgrade to the newest version of Firebase Tools (11.0.1) via npm. After doing this, I began experiencing the problem detailed in my comment on GitHub.
Having no other solutions on the table, I decided to uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools@10.9.2).
BUT, after the first time I did this, I ran npm audit fix (not npm audit fix --force) and all I got was a ton of high severity warnings and problems.
So I decided to once again uninstall firebase tools (npm uninstall -g firebase-tools) and then reinstall the previous version (npm install -g firebase-tools@10.9.2) and that's it (did NOT run npm audit fix).
I proceeded to npm run build and firebase deploy --only hosting and it worked just fine. Definitely NOT a great or long-term solution. Good luck!

How do I resolve create-react-app (react-script) dependency vulnerabilities?

So basically, every time I run create-react-app with npx, npm or yarn (have tried them all), with both NodeJS 12 and NodeJS 16.3.0 and npm 7.15 (or something like this), it gives me multiple dependency vulnerabilities. With the newest versions of npm and nodeJS, I get 24 (11 moderate and 13 high). How do I resolve these dependencies? Or is it okay to just ignore them? I want to use the proposed app in production mode eventually, however I just cannot for the life of me figure out how to resolve these dependencies.
All the vulnerabilities seem to be related to react-scripts and denial of service. In the fixes, it suggests that an npx audit fix --force will fix it, by changing the react-scripts module to 1.1.5; however, when I do this, even more vulnerabilities arise, suggesting the same solution but to revert back to react-script 4.0.3. Any advice would be great as I am driving myself mad here and finding next to 0 answers.
I posted my solution getting vulnerabilities down to one moderate risk due to the browserslist package here:
https://stackoverflow.com/a/68046680/1669123
Ultimately I think we'll need to wait on the CRA team to update react-scripts.
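Both the multer thread and the create-react-app thread above end in the same place: npm audit reports findings, and the only offered fix is either unavailable or an npm audit fix --force that swaps in a different (and worse) set of problems. The script below is an added example, not code from the questions or answers above, of a CI gate over the JSON form of the same report (npm audit --json, report format version 2 as emitted by npm 7 and later). It separates root findings that npm audit fix can resolve from those with no fix available, and traces each root finding back to the direct dependency that pulls it in, so the team can make a deliberate decision (accept the risk, pin, or swap the dependency) rather than running --force blindly. The SAMPLE_AUDIT object is constructed to mirror the multer -> busboy -> dicer chain from the question; the advisory source ids and the low-severity example-dev-tool entry are placeholders, not real data.

```javascript
// Added example, not code from the question or any answer above: a small CI gate over the
// JSON form of `npm audit` (`npm audit --json`, report format version 2 as emitted by npm 7+).
// It separates findings that `npm audit fix` can resolve from those with no fix available,
// and traces each root finding back to the direct dependency that pulls it in.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample modelled on the multer -> busboy -> dicer chain in the question;
// advisory `source` ids and the low-severity dev tool are placeholders, not real data.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    dicer: {
      name: 'dicer', severity: 'high', isDirect: false,
      via: [{ source: 0, name: 'dicer', title: 'Crash in HeaderParser in dicer',
              url: 'https://github.com/advisories/GHSA-wm7h-9275-46v2', severity: 'high', range: '*' }],
      effects: ['busboy'], range: '*', nodes: ['node_modules/dicer'], fixAvailable: false,
    },
    busboy: {
      name: 'busboy', severity: 'high', isDirect: false, via: ['dicer'],
      effects: ['multer'], range: '<=0.3.1', nodes: ['node_modules/busboy'], fixAvailable: false,
    },
    multer: {
      name: 'multer', severity: 'high', isDirect: true, via: ['busboy'],
      effects: [], range: '<=2.0.0-rc.3', nodes: ['node_modules/multer'], fixAvailable: false,
    },
    'example-dev-tool': {
      name: 'example-dev-tool', severity: 'low', isDirect: true,
      via: [{ source: 0, name: 'example-dev-tool', title: 'Constructed advisory',
              url: 'https://example.invalid/advisory', severity: 'low', range: '<1.2.3' }],
      effects: [], range: '<1.2.3', nodes: ['node_modules/example-dev-tool'],
      fixAvailable: { name: 'example-dev-tool', version: '1.2.3', isSemVerMajor: false },
    },
  },
};

// A root finding is one whose `via` holds at least one advisory object; entries whose `via`
// is only package names are transitive echoes ("Depends on vulnerable versions of ...").
function isRootFinding(vuln) {
  return vuln.via.some((v) => typeof v === 'object' && v !== null);
}

// Follow `effects` edges until we reach direct dependencies (the lines in package.json).
function directDependents(report, name) {
  const seen = new Set();
  const direct = new Set();
  const queue = [name];
  while (queue.length) {
    const cur = queue.shift();
    if (seen.has(cur)) continue;
    seen.add(cur);
    const v = report.vulnerabilities[cur];
    if (!v) continue;
    if (v.isDirect) direct.add(cur);
    queue.push(...v.effects);
  }
  return [...direct].sort();
}

// `fixAvailable` is false, true (in-range update) or {name, version, isSemVerMajor}.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return 'in-range update (npm audit fix)';
  return `${fixAvailable.name}@${fixAvailable.version}` +
    (fixAvailable.isSemVerMajor ? ' (semver-major, needs --force and a review)' : '');
}

// Classify root findings at or above `failAt` as fixable or unfixable; the rest are listed.
function triage(report, { failAt = 'high' } = {}) {
  const threshold = SEVERITY_RANK[failAt];
  const result = { fixable: [], unfixable: [], belowThreshold: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    if (!isRootFinding(v)) continue;
    const entry = {
      name: v.name, severity: v.severity, range: v.range,
      advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.url),
      reachedVia: directDependents(report, v.name),
    };
    if (SEVERITY_RANK[v.severity] < threshold) result.belowThreshold.push(entry);
    else if (v.fixAvailable) result.fixable.push({ ...entry, fix: describeFix(v.fixAvailable) });
    else result.unfixable.push(entry);
  }
  return result;
}

// Non-zero when anything at or above the threshold remains, fixable or not.
function gateExitCode(t) {
  return t.fixable.length || t.unfixable.length ? 1 : 0;
}

function main() {
  const file = process.argv[2]; // path to the output of `npm audit --json`
  const report = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_AUDIT;
  const t = triage(report, { failAt: process.env.AUDIT_FAIL_AT || 'high' });
  for (const e of t.fixable) console.log(`FIXABLE ${e.severity} ${e.name} ${e.range} -> ${e.fix}`);
  for (const e of t.unfixable) console.log(`NO FIX  ${e.severity} ${e.name} ${e.range} via ${e.reachedVia.join(', ')} ${e.advisories.join(' ')}`);
  for (const e of t.belowThreshold) console.log(`INFO    ${e.severity} ${e.name} ${e.range}`);
  if (file) process.exitCode = gateExitCode(t); // only gate when a real report was supplied
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run it as node audit-gate.js audit.json after npm audit --json > audit.json; AUDIT_FAIL_AT=critical lowers the bar. For the multer chain it prints one NO FIX line for dicer reached via multer, which is the actual decision point: the three "high" entries npm counts are one advisory, and neither npm audit fix nor --force changes that, so the options are a different upload library, a reviewed acceptance, or waiting for an upstream fix, as the answers above conclude.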

npm install required after upgrading node/npm?

I'm trying to understand if it is necessary to run an npm install after upgrading node/npm from 6.x to 8.x. If so, can you please explain why this is done? I had a hard time finding any documentation around this.
You should at least run npm rebuild.
Some packages may choose to do things differently in a different Node.js environment, particularly when it comes to binary modules.

gulp, command not found - Worked fine before, then suddenly stopped

A couple of months ago I was creating web apps with the MEAN stack on windows 10. Then I had a break and now I am trying to get back into it.
Back then I was using gulp, browsersync, webpack and nodemon to automate my server restarting process and I remember everything working fine. But when I tried this a week ago it just replied "bash: gulp: command not found".
I uninstalled and reinstalled both gulp and the other packages globally and locally, but no difference. I decided to try making an entirely new app and installing everything from scratch, but I got the same results. I have spent hours on this issue, but none of the solutions I can find online are working.
When I try to install gulp globally I get some warnings: (don't know if they have anything to do with it)
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
Gulp is installed to this location:
C:\Users\<my username>\AppData\Roaming\npm\gulp -> C:\Users\<my username>\AppData\Roaming\npm\node_modules\gulp\bin\gulp.js
Does anyone know what might be my issue?
If there is any other information you need, please let me know. Thanks in advance!
Try to uninstall all global packages before installing gulp globally. If you need the removed packages in the future, remember to install them again afterwards.
Perhaps this will also help: https://demisx.github.io/gulp4/2015/01/15/install-gulp4.html
It shows how to completely uninstall gulp and install it again.

How can I successfully lock down node module dependencies in a monorepo?

I'm working on an open source project which is currently using lerna to help manage a single repository with multiple packages. So far, so good, except that every now and then something breaks because we don't currently shrinkwrap anything. I've been trying to do some monorepo version of shrinkwrapping so that we're not at the mercy of all our dependencies (it's amazing how often everything goes wrong in the middle of a release!) but have hit a bit of a wall and wondered if I'm even on the right track.
I was originally hoping to use npm shrinkwrap which I was familiar with from previous projects. Unfortunately lerna doesn't appear to support shrinkwrap.
Plan B was to make use of yarn which, after some initial difficulties, seemed to be going ok after switching to using yarn workspaces; at least I think yarn install --frozen-lockfile was doing what I wanted.
Unfortunately, other than dependency locking, yarn doesn't seem to be helping; everything worked with npm and lerna, but lerna and yarn workspaces seem to be causing issues resolving modules (even resolving something in the same directory, which is baffling).
Maybe switching to yarn is overkill anyway, so I started wondering if more recent versions of npm and package-lock.json would be a better idea. Unfortunately that looks like it would need some workarounds with lerna, at which point I'm beginning to wonder how much lerna is really adding. Maybe dropping lerna would help?
So, tl;dr, does anyone have a good way of locking down module dependencies in a monorepo?
I'd suggest simply using exact versioning; so in your package.json files where there are version numbers for dependencies like ^3.4.2, change them to 3.4.2. The ^ (or ~) before the number indicates a version range. You can get that to happen with the save-exact config option: the --save-exact flag, or by placing save-exact=true in a .npmrc file in the repo. lerna add also supports an exact option.
Hope that helps!
yarn is a production-ready package manager that natively supports monorepos :)
When using yarn workspaces, there is no need to use lerna as a monorepo manager at the same time.
You can use other features of lerna if you want, but there is no reason to use lerna for installing monorepos (which already use yarn).
If there are specific errors when installing/managing a monorepo using yarn, please add them to the question.
Notes:
--frozen-lockfile doesn't do anything in a yarn monorepo. yarn has an open issue on that which I think won't be resolved soon.
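The exact-versioning answer above is easy to state and easy to drift away from, since one npm install --save without save-exact=true in .npmrc reintroduces a caret. The script below is an added example, not code from the question or any answer, that enforces it: it lists every dependency spec in a package.json that is not an exact version, and pins those specs to the versions actually recorded in package-lock.json rather than just stripping ^ and ~ (which would silently drop each dependency to the lower bound of its range, not to what is installed and tested). It assumes the npm lockfile layout of lockfileVersion 2 or 3 (a packages map keyed by node_modules paths) and that direct dependencies are hoisted to top-level node_modules; SAMPLE_PACKAGE and SAMPLE_LOCK are constructed inputs, with lerna deliberately missing from the lockfile to show the unresolved path.

```javascript
// Added example, not code from the question or any answer above: enforce the "exact
// versioning" suggestion by (1) listing every dependency spec in a package.json that is
// not an exact version and (2) pinning those specs to the versions recorded in
// package-lock.json (npm lockfileVersion 2/3 layout: a `packages` map keyed by path).

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Constructed sample inputs. `lerna` is left out of the lockfile on purpose so the
// unresolved branch of pinFromLockfile is exercised; `@example/shared` is a workspace link.
const SAMPLE_PACKAGE = {
  name: '@example/web', version: '0.1.0',
  dependencies: { express: '4.18.2', lodash: '^3.4.2', 'left-pad': '~1.3.0' },
  devDependencies: { lerna: 'latest', '@example/shared': 'file:../shared' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: '@example/web', version: '0.1.0' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/lodash': { version: '3.10.1' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/@example/shared': { resolved: '../shared', link: true }, // no version
  },
};

// 'exact' | 'range' (^, ~, *, x, comparators, ||, hyphen ranges) | 'tag' (latest, next)
// | 'other' (git/http URLs, file:, npm:, workspace: protocols), which we never rewrite.
function classifySpec(spec) {
  if (EXACT_VERSION.test(spec)) return 'exact';
  if (/^[~^*xX]/.test(spec) || /^\d/.test(spec) || /[\s|<>=]/.test(spec)) return 'range';
  if (/^[A-Za-z][A-Za-z0-9.-]*$/.test(spec)) return 'tag';
  return 'other';
}

// Every dependency whose spec is not an exact version, in package.json field order.
function findRangedDependencies(pkg, fields = DEP_FIELDS) {
  const out = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') out.push({ field, name, spec, kind });
    }
  }
  return out;
}

// Returns a new package object with range/tag specs replaced by the lockfile's installed
// version, plus the entries that could not be resolved (missing, or a link without version).
function pinFromLockfile(pkg, lock, fields = DEP_FIELDS) {
  const pinned = JSON.parse(JSON.stringify(pkg)); // do not mutate the caller's object
  const unresolved = [];
  for (const dep of findRangedDependencies(pkg, fields)) {
    if (dep.kind === 'other') continue; // URLs, file:, workspace: are left as written
    const entry = (lock.packages || {})[`node_modules/${dep.name}`];
    if (entry && typeof entry.version === 'string') {
      pinned[dep.field][dep.name] = entry.version;
    } else {
      unresolved.push({ field: dep.field, name: dep.name, spec: dep.spec });
    }
  }
  return { pinned, unresolved };
}

function main() {
  const fs = require('fs');
  const pkgPath = process.argv[2]; // package.json; package-lock.json is looked up beside it
  const pkg = pkgPath ? JSON.parse(fs.readFileSync(pkgPath, 'utf8')) : SAMPLE_PACKAGE;
  const lock = pkgPath
    ? JSON.parse(fs.readFileSync(pkgPath.replace(/package\.json$/, 'package-lock.json'), 'utf8'))
    : SAMPLE_LOCK;
  const ranged = findRangedDependencies(pkg);
  for (const r of ranged) console.log(`${r.kind.padEnd(6)} ${r.field}.${r.name} = ${r.spec}`);
  const { pinned, unresolved } = pinFromLockfile(pkg, lock);
  for (const u of unresolved) console.log(`UNRESOLVED ${u.field}.${u.name} = ${u.spec} (not in lockfile)`);
  if (process.argv.includes('--write') && pkgPath) {
    fs.writeFileSync(pkgPath, JSON.stringify(pinned, null, 2) + '\n');
  } else {
    console.log(JSON.stringify(pinned, null, 2));
  }
  if (pkgPath && (ranged.length || unresolved.length)) process.exitCode = 1; // CI gate
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run node pin-check.js packages/web/package.json in CI to fail on any drift, and add --write once to rewrite the file; after that, save-exact=true in the repo's .npmrc keeps new additions exact. In a lerna or yarn-workspaces repo, run it per package (each package.json) and treat workspace-internal packages, which show up as links without a version, as a deliberate exception rather than an error.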
