I am installing a module globally
$ npm install -g X
and NPM says
"npm WARN deprecated lodash#1.0.2: lodash#<3.0.0 is no longer
maintained. Upgrade to lodash#^4.0.0"
how can I find out which module has an dependency on this old version of lodash?
The warning message from NPM doesn't seem to give me any clue which module references this old version (I believe that the module X does not have a direct dependency on this old version of lodash.).
I got an answer for the similar question: https://stackoverflow.com/a/36335866/1115187
Briefly:
npm outdated --depth=3
This command will analyze installed NPM-packages and their versions. The report will contain:
package name
latest version
current version
dependency path (down to depth level)
Hope, this information could help you to gather info about outdated packages.
Next step - get in touch with maintainers of the appropriate package, and ask them to update the package (maybe, you would like to send a pull request).
UPD: npm-check
There is a great npm package: npm-check, that allows checking outdated dependencies. Probably
My favorite feature: Interactive Update — run npm-check -u in the project folder. An interactive menu shows all required information about dependencies in the current folder and allows to update all dependencies in 3 seconds.
npm la <package-name>
also works, and will give you the most details about the dependency graph of a dependency.
npm ls <package-name>, does something similar but gives you less details
Use npm list. It will print out all of the packages your module depends on as well as your dependencies dependencies and so forth. Maybe redirect output to a file or grep it so you can search it more easily.
use this
sudo npm install --unsafe-perm -g expo-cli
You could search through all the package.json files under node_modules and see which ones are dependent on lodash 1.0.2.
For deprecated files you should use the "npm i [package]" syntax, in this case you should use: npm i X and it will fetch all necessary packages, including deprecated ones, but which are required for your installation.
Npm documentation link: https://docs.npmjs.com/using-deprecated-packages
Related
I'm trying to learn node and npm, using express for a little project.
When i install it, i got
npm WARN deprecated core-js#2.6.10: core-js#<3.0 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js#3.
I understood that if everything works, it's not necessary to update everything, but i'm trying to learn and go the extra, unnecessary, mile.
How can i update only core-js?
npm install core-js#^3
will update it adding it to the dependencies in package.json.
Is this the right way to do it?
Or it's better to update the parent package that use it? If so, how can i understand which is the package that need an update and how to update it?
Or is there a way to update only the modules listed in package-lock.json.
Thanks.
You provided one way to update a package. However, there are a few more.
To update a global package, you could run:
npm update -g <package_name>
To update a package that's in your package.json (i.e., local to your project), run:
npm update <package_name>
You could also see what outdated package are there as follows:
npm outdated
You could again add -g option to check outdated global packages.
Sources: https://docs.npmjs.com/updating-packages-downloaded-from-the-registry
Also: man npm may help (in Linux).
To update to a new major version all the packages, install the npm-check-updates package globally:
npm install -g npm-check-updates
this will upgrade all the version hints in the package.json file, to dependencies and devDependencies, so npm can install the new major version.
You are now ready to run the update:
npm update
or npm install
Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update, neither of them update the dependency in the package-lock.json file.
I've done a lot of googling on this, as well as deleted the file and done npm install.
If anyone can help resolve this I'd hugely appreciate it. The package in question is Hoek, which I don't actually have in my package.json file.
It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from it's own package.json).
You've already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.
Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.
Edit:
To help you identify which packages are using which dependencies, you can use NPM's ls command: https://docs.npmjs.com/cli/ls
For example, to see which packages are using Hoek:
npm ls hoek
Edit 2:
As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.
Edit 3:
Those reading this should also check out JBallin's answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP's question better. However - if you want a quick fix - this answer should suffice.
TLDR: Update the parent package using npm i $PARENT_PKG_NAME.
Note
When updating dependencies, you should review the CHANGELOG for any breaking changes.
Diagnosis
npm audit will reveal both the vulnerable package (note that you'll need a package-lock.json file for this, so you'll need to run npm i), as well as the package that it is a dependency of (if applicable). Note that you can also use npm ls $CHILD_PKG_NAME to see its parent dependencies.
Quick Fix Attempt
npm audit fix and npm audit fix --force are worth a try, but sometimes the fix will need to be done manually (see below).
Manual Fix
Most likely the parent package will have already fixed their dependencies (you can verify this by going to their GitHub and reviewing the recent commits--or just seeing if this fixes it), so you can just run npm i $PARENT_PKG_NAME #$NEW_VERSION and it will update your package-lock.json.
If parent has not fixed the vulnerability
If the maintainer doesn't seem to be responsive, you may consider using an alternative package that accomplishes the same thing or forking the package and updating the vulnerability yourself.
Verify Fix
You can now verify that it worked by running npm audit and ensuring that no vulnerabilities are showing up. Commit your changes, push them to GitHub, refresh your notifications/alerts and they should be gone!
Step 1: Install Peer Dependencies
npm i --legacy-peer-deps
Step 2: Change package manually
Edit package-lock.json manually and update the vulnerable package version to the fixed one.
npm ci
That will install the packages according to package-lock.json by ignoring package.json first.
Step 3: Control it again
Run
npm audit fix
to be sure if it's properly done. If it does not help so, then use other given solutions.
More Information here:
https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
or here: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
If you have npm#6 or later, you can use npm audit fix for your security issues.
Use:
npm i hoek
npm will install the latest version of hoek and your package.lock.json become updated.
To check vulnerable npm packages, just use following commands:
npm audit
To fix vulnerable npm packages, just use following commands which will fix package-lock.json too:
npm audit fix
I had this issue and found that it was because the server on which I was running npm had an old version of npm on it- package-lock.json is only supported by newer versions.
did you try this: go to your project root, delete the package-lock.json file, node_modules and .cache folders, and then npm install.
After installing new dependencies run the following command to update the package-lock.json file:
npm update package-lock.json
So I've been using node v 0.10x and 0.12x for dev and prod environments.
Now we need to upgrade to v4x and as I'm doing so, I'm finding that is not so easy, gcc compiler issues, deprecated libs...
Here are some of the messages I'm getting
I was able to overcome the c++11 problems
Updating to Node.js 4
Node on old distributions
Now what I would like is to have the builds as clean as possible,
as well as to know what is the impact of having this deprecated libraries in the project in the short/long term,
is it possible to completely get rid of them? if so is there a kind of best practices approach for this?
For instance I updated lodash#1.0.2 to version 4 in the main package.json file just to find/get more deprecated libraries like a nested deprecated libraries, so is it really possible to get rid of this deprecated libraries?
If you are migrating from v0.1 to v.0.2, you need create a node link between the local and the global modules.
About the warnings,
npm WARN optional Skipping failed optional dependency /chokidar/fsevents:
npm WARN notsup Not compatible with your operating system or architecture: fsevents#1.0.8
Don-t be afraid about the after update all the packages, some packages are marked as deprecated but the doesn't have any update available, then if you tried update them, don't worry, that doesn't affect your project.
And releated with the last of your issues:
UNMET PEER DEPENDENCY kerberos#~0.0
First one you need update your kerberos development package:
apt-get install libkrb5-dev
And running the command:
npm install --save kerberos mongod
If that doesn't fix your issue, you could try in a manual way intall all the packages with:
git clone https://github.com/christkv/kerberos.git
cd kerberos
npm install
npm install -g node-gyp
cd ~/JesusTheProject
npm install mongodb --save
npm --loglevel verbose install mongodb
Hard to google the subj — too many user questions, mine is about package development. I want a user of my package see "npm WARN prefer global" when installing it not globally.
I thought npm install yo used to have such a warning but now it does not. At least I cannot see it.
My environment:
› npm --version
1.4.10
› node -v
v0.10.28
Ben Fortune's answer specifies how an npm package author can designate a package as preferring global installation (by adding key-value pair "preferGlobal": true to the package.json file).
Sadly, as the OP herself points out in a comment, this is NOT enough to always trigger a warning for users installing such a package locally.
As of npm 2.3.0, the behavior is as follows when installing a global-installation-preferred package locally, using npm install <pkgName> (i.e., without -g):
The warning - npm WARN prefer global <pkgName>#<ver> should be installed with -g - is only triggered, if:
there is a valid package.json file in the current directory,
AND it contains a dependencies and/or optionalDependencies key whose value is an object (whether empty or not) - unless the package at hand happens to be contained therein.
Pragmatically, this means that you will NOT see the warning when running npm install <pkgName> (i.e., without -g) in the following scenarios:
in a directory that's not an npm package project (no package.json file).
in an npm package-project directory that happens to have no runtime dependencies at all (no dependencies and/or optionalDependencies key - by contrast, keys devDependencies and/or peerDependencies alone do not trigger the warning).
in an npm package-project directory that happens to have pkgName already installed as a (by definition local) runtime dependency (in key dependencies or optionalDependencies).
Note that even --loglevel silly does not alter this behavior, so there is currently no way to enforce unconditional display of the warning.
Designating a package as global does have one unconditional side effect, however: in the npm registry (http://npmjs.com), the installation command shown in the sidebar on the right for such a package is npm install <pkgName> -g; i.e., it does include the -g.
[Update: This functionality broke some time ago and is still broken as of 14 Sep 2015 - see https://github.com/npm/newww/issues/1017 ]
You need to specify
"preferGlobal": true
in your package.json.
Documentation
preferGlobal is now deprecated:
This option used to trigger an npm warning, but it will no longer
warn. It is purely there for informational purposes. It is now
recommended that you install any binaries as local devDependencies
wherever possible.
We need to integrate Karma test runner into TeamCity and for that I'd like to give sys-engineers small script (powershell or whatever) that would:
pick up desired version number from some config file (I guess I can put it as a comment right in the karma.conf.js)
check if the defined version of karma runner installed in npm's global repo
if it's not, or the installed version is older than desired: pick up and install right version
run it: karma start .\Scripts-Tests\karma.conf.js --reporters teamcity --single-run
So my real question is: "how can one check in a script, if desired version of package installed?". Should you do the check, or it's safe to just call npm -g install everytime?
I don't want to always check and install the latest available version, because other config values may become incompatible
To check if any module in a project is 'old':
npm outdated
'outdated' will check every module defined in package.json and see if there is a newer version in the NPM registry.
For example, say xml2js 0.2.6 (located in node_modules in the current project) is outdated because a newer version exists (0.2.7). You would see:
xml2js#0.2.7 node_modules/xml2js current=0.2.6
To update all dependencies, if you are confident this is desirable:
npm update
Or, to update a single dependency such as xml2js:
npm update xml2js
To update package.json version numbers, append the --save flag:
npm update --save
npm outdated will identify packages that should be updated, and npm update <package name> can be used to update each package. But prior to npm#5.0.0, npm update <package name> will not update the versions in your package.json which is an issue.
The best workflow is to:
Identify out of date packages with npm outdated
Update the versions in your package.json
Run npm update to install the latest versions of each package
Check out npm-check-updates to help with this workflow.
Install npm-check-updates with npm i npm-check-updates -g
Run npm-check-updates to list what packages are out of date (basically the same thing as running npm outdated)
Run npm-check-updates -u to update all the versions in your package.json (this is the magic sauce)
Run npm update as usual to install the new versions of your packages based on the updated package.json
There is also a "fresh" module called npm-check:
npm-check
Check for outdated, incorrect, and unused dependencies.
It also provides a convenient interactive way to update the dependencies with npm-check -u.
One easy step:
$ npm i -g npm-check-updates && ncu -u && npm i
That is all. All of the package versions in package.json will be the latest major versions.
Edit:
What is happening here?
Installing a package that checks updates for you.
Use this package to update all package versions in your package.json (-u is short for --updateAll).
Install all of the new versions of the packages.
To update a single local package:
First find out your outdated packages by:
npm outdated
Then update the package or packages that you want manually as:
npm update --save <package_name>
This way it is not necessary to update your local package.json
file manually.
Note that the above command will update your package to the latest version.
If you write some version in your package.json file and do:
npm update <package_name>
In this case you will get just the next stable version (wanted) regarding the version that you wrote in your package.json file.
And with npm list <package_name> you can find out the current version of your local package.
You can try either of these options:
Check outdated packages
npm outdated
Check and pick packages to update
npx npm-check -u
No additional packages, to just check outdated and update those which are, this command will do:
npm install $(npm outdated | cut -d' ' -f 1 | sed '1d' | xargs -I '$' echo '$#latest' | xargs echo)
NPM commands to update or fix vulnerabilities in some dependency manifest files
Use below command to check outdated or vulnerabilities in your node modules.
npm audit
If any vulnerabilities found, use below command to fix all issues.
npm audit fix
If it doesn't work for you then try
npm audit fix -f, this command will almost fix all vulnerabilities. Some dependencies or devDependencies are locked in package-lock.json file, so we use -f flag to force update them.
If you don't want to use force audit fix then you can manually fix your dependencies versions by changing them in package-lock.json and package.json file. Then run
npm update && npm upgrade
When installing npm packages (both globally or locally) you can define a specific version by using the #version syntax to define a version to be installed.
In other words, doing:
npm install -g karma#0.9.2
will ensure that only 0.9.2 is installed and won't reinstall if it already exists.
As a word of a advice, I would suggest avoiding global npm installs wherever you can. Many people don't realize that if a dependency defines a bin file, it gets installed to ./node_modules/.bin/. Often, its very easy to use that local version of an installed module that is defined in your package.json. In fact, npm scripts will add the ./node_modules/.bin onto your path.
As an example, here is a package.json that, when I run npm install && npm test will install the version of karma defined in my package.json, and use that version of karma (installed at node_modules/.bin/karma) when running the test script:
{
"name": "myApp",
"main": "app.js",
"scripts": {
"test": "karma test/*",
},
"dependencies": {...},
"devDependencies": {
"karma": "0.9.2"
}
}
This gives you the benefit of your package.json defining the version of karma to use and not having to keep that config globally on your CI box.
As of npm#5.0.0+ you can simply do:
npm update <package name>
This will automatically update the package.json file. We don't have to update the latest version manually and then use npm update <package name>
You can still get the old behavior using
npm update --no-save
(Reference)
A different approach would be to first uprade the package.json file using,
ncu -u
and then simply run,
npm install
to update all the packages to the latest version.
ps: It will update all the packages to the latest version however if the package is already up to date that package will not be affected at all.
3 simple steps you can use for update all outdated packages
First, check the packages which are outdated
sudo npm i -g npm-check-updates
Second, put all of them in ready
ncu -u
Results in Terminal will be like this:
Third, just update all of them.
npm install
That's it.
Just do this to update everything to the latest version -
npx npm-check-updates -u
Note - You'll be prompted to install npm-check-updates. Press y and enter.
Now run npm i. You're good to go.
To really update just one package install NCU and then run it just for that package. This will bump to the real latest.
npm install -g npm-check-updates
ncu -f your-intended-package-name -u
You can do this completely automatically in 2022
Install npm-check-updates
Run the command
ncu --doctor -u
It will first try every dependency you have and run tests, if the tests fail it will update each dependency one by one and run tests after each update
One more for bash:
npm outdated -parseable|cut -d: -f5|xargs -L1 npm i
I'm just interested in updating the outdated packages using the semantic versioning rules in my package.json.
Here's a one-liner that takes care of that
npm update `npm outdated | awk '{print $1}' | tr '\n' ' '`
What it does:
takes the output from npm outdated and
pipes that into awk where we're grabbing just the name of the package (in column 1)
then we're using tr to convert newline characters into spaces
finally -- using backticks -- we're using the output of the preceding steps as arguments to npm update so we get all our needed updates in one shot.
One would think that there's a way to do this using npm alone, but it wasn't here when I looked, so I'm just dropping this here in case it's helpful to anyone 😀.
** I believe there's an answer that MikeMajara provides here that does something similar, but it's appending #latest to the updated package name, which I'm not really interested in as a part of my regularly scheduled updates.
If you want to upgrade a package to the latest release, (major, minor and patch), append the #latest keyword to the end of the package name, ex:
npm i express-mongo-sanitize#latest
this will update express-mongo-sanitize from version 1.2.1 for example to version 2.2.0.
If you want to know which packages are outdated and which can be updated, use the npm outdated command
ex:
$ npm outdated
Package Current Wanted Latest Location Depended by
express-rate-limit 3.5.3 3.5.3 6.4.0 node_modules/express-rate-limit apiv2
helmet 3.23.3 3.23.3 5.1.0 node_modules/helmet apiv2
request-ip 2.2.0 2.2.0 3.3.0 node_modules/request-ip apiv2
validator 10.11.0 10.11.0 13.7.0 node_modules/validator apiv2
If you have multiple projects with the same node-modules content, pnpm is recommended. This will prevent the modules from being downloaded in each project. After the installation the answer to your question is:
pnpm up