NodeJs: How do I fix package vulnerabilities dependent on another npm package? - javascript

How do I sort out npm vulnerabilities dependent on another package?
For example I am getting the below error where the package undici is dependent on the prismix package.
Things I have tried:
Running npm audit fix
Prismix is already updated to the latest version
Moderate undici before v5.8.0 vulnerable to CRLF injection in request headers
Package undici
Patched in >=5.8.0
Dependency of prismix
Path prismix > @prisma/sdk > @prisma/engine-core > undici
More info https://github.com/advisories/GHSA-3cvr-822r-rqcc

The authors of prismix may not have updated their dependencies yet.
You might need to wait for their dependencies to be updated, or you could try installing version 5.8.0 of undici nonetheless and cross your fingers that they are compatible.
To specify a version:
npm install undici@5.8.0
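After trying the install above, the thing worth checking is whether the nested copy under prismix was actually replaced or whether npm kept an older one alongside it. The script below is an added example, not code from the question or the answer: it walks an `npm ls --json` style tree (the real one comes from `npm ls undici --json`; the tree here is constructed, and the versions in it are made up), lists every path that ends at the package named in the advisory, and flags installs whose version is still below the "Patched in" minimum.

```javascript
// Constructed dependency tree in the shape of `npm ls --json` output.
// Package names follow the advisory in the question; versions are made up.
const tree = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    prismix: {
      version: '1.0.0',
      dependencies: {
        '@prisma/sdk': {
          version: '3.0.0',
          dependencies: {
            '@prisma/engine-core': {
              version: '3.0.0',
              dependencies: { undici: { version: '5.5.1' } },
            },
          },
        },
      },
    },
    // The direct install the answer suggests trying.
    undici: { version: '5.8.0' },
  },
};

// Compare two "major.minor.patch" strings numerically (pre-release tags are ignored
// here; the advisory only states a plain minimum version).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Return every path through `tree` that ends at `target`, written the way
// npm audit prints it ("a > b > c"), with the version installed at that spot.
function findPaths(node, target, prefix = []) {
  const found = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const path = [...prefix, name];
    if (name === target) found.push({ path: path.join(' > '), version: child.version });
    found.push(...findPaths(child, target, path));
  }
  return found;
}

// Flag each install of `target` that is below `patchedIn`, the version from the
// advisory's "Patched in >=x.y.z" line with the ">=" stripped.
function auditPackage(root, target, patchedIn) {
  return findPaths(root, target).map((hit) => ({
    ...hit,
    vulnerable: compareVersions(hit.version, patchedIn) < 0,
  }));
}

console.log(JSON.stringify(auditPackage(tree, 'undici', '5.8.0'), null, 2));
```

In the constructed tree the top-level undici is fine but the nested one is still 5.5.1, which is what happens when the parent package's own range does not admit the newer release: npm can only dedupe to the hoisted copy if the range allows it, so a direct install does not by itself guarantee the transitive copy is gone. Re-running `npm ls undici` after the install shows which case you are in.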

Related

NPM audit warnings

What am I supposed to do with these warnings, given the libs in question belong to 3rd party libs?
> npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Low Denial of Service
Package node-fetch
Patched in >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9
Dependency of aspnet-prerendering
Path aspnet-prerendering > domain-task > isomorphic-fetch > node-fetch
More info https://npmjs.com/advisories/1556
Moderate Regular Expression Denial of Service
Package postcss
Patched in >=8.2.10
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > resolve-url-loader > postcss
More info https://npmjs.com/advisories/1693
found 2 vulnerabilities (1 low, 1 moderate) in 1514 scanned packages
2 vulnerabilities require manual review. See the full report for details.
I'm not impacted by this. I was just striving for zero warnings on all fronts.
I can't/don't want to fiddle with a dependency's dependency! Do I just need to upgrade my dependency?
Technically, there is no silver bullet to solve the vulnerabilities report from npm audit. Here is the "Rule of Thumb" I am following:
Usually, I always do npm audit fix after npm audit. Note that: this one will not solve all reports.
Update my dependencies to the latest stable. Be careful about the compatibility. (Hope you understand the SEMVER). The cost you spend to keep your system up to date and stable is always cheaper than the cost you need to spend to handle vulnerable issues.
Reduce the number of your dependencies. Note everything you need to use the library. You can build yourself a simpler version.
Learn to separate dependencies and dev dependencies. If the issue is reported for a dev tool, you can skip it. As I said above, there is no silver bullet so give yourself relaxation instead of fixing all of them. Just fix the necessary ones.
Finally, follow this: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
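The fourth point above, separating dev-only findings from production ones, is easy to apply mechanically to the report format shown in the question. The script below is an added example (not from the answer or from npm): it parses the human-readable `npm audit` text into records, using the `[dev]` marker on the "Dependency of" line to tell the two classes apart, and sorts what is left by severity. The report text is the one from the question, with the wrapped "Path" line joined.

```javascript
// Report text copied from the question above (wrapped path line joined).
const report = `
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Low Denial of Service
Package node-fetch
Patched in >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9
Dependency of aspnet-prerendering
Path aspnet-prerendering > domain-task > isomorphic-fetch > node-fetch
More info https://npmjs.com/advisories/1556
Moderate Regular Expression Denial of Service
Package postcss
Patched in >=8.2.10
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > resolve-url-loader > postcss
More info https://npmjs.com/advisories/1693
found 2 vulnerabilities (1 low, 1 moderate) in 1514 scanned packages
`;

// Severity labels as npm prints them, highest first.
const SEVERITIES = ['Critical', 'High', 'Moderate', 'Low', 'Info'];

// Each finding starts with "<Severity> <title>" and ends with its "More info" line.
function parseAuditReport(text) {
  const findings = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const sev = SEVERITIES.find((s) => line.startsWith(s + ' '));
    if (sev) {
      current = { severity: sev, title: line.slice(sev.length + 1), dev: false };
      findings.push(current);
      continue;
    }
    if (!current) continue; // header/footer lines outside a finding
    if (line.startsWith('Package ')) current.package = line.slice(8);
    else if (line.startsWith('Patched in ')) current.patchedIn = line.slice(11);
    else if (line.startsWith('Dependency of ')) {
      const dep = line.slice(14);
      current.dev = dep.endsWith('[dev]');
      current.dependencyOf = dep.replace(/\s*\[dev\]$/, '');
    } else if (line.startsWith('Path ')) current.path = line.slice(5).split(' > ');
    else if (line.startsWith('More info ')) {
      current.moreInfo = line.slice(10);
      current = null;
    }
  }
  return findings;
}

// Production findings need a fix; dev-only findings can be deferred, per the
// answer's rule of thumb. Within each group, most severe first.
function triage(findings) {
  const rank = (f) => SEVERITIES.indexOf(f.severity);
  const bySeverity = (a, b) => rank(a) - rank(b);
  return {
    mustFix: findings.filter((f) => !f.dev).sort(bySeverity),
    deferrable: findings.filter((f) => f.dev).sort(bySeverity),
  };
}

console.log(JSON.stringify(triage(parseAuditReport(report)), null, 2));
```

For the report in the question this puts node-fetch (reached through a production dependency) in the must-fix list and postcss (reached only through the `[dev]` build tool) in the deferrable list. The `[dev]` marker is npm's own classification from `devDependencies`, so the triage is only as good as that split in package.json, which is the reason the answer's point about keeping the two separate matters.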
You can make your dependencies use another (current / secure) version of their dependencies.
Let's say you have a warning about postcss package, which I solved a moment ago so I can describe the process and you can proceed analogically.
After npm audit I got a warning like:
Moderate Regular Expression Denial of Service
Package postcss
Patched in >=8.2.10
Dependency of laravel-mix [dev]
Path laravel-mix > cssnano > cssnano-preset-default > postcss-svgo > postcss
More info https://npmjs.com/advisories/1693
Notice! You have to be aware that when you make your package use a newer version of its dependency it can break things, but it's worth trying.
So you see that the laravel-mix package uses an old version of postcss and that the issue is fixed in version >=8.2.10 of postcss, so you want to install a newer version of the postcss package, which you can achieve by:
npm install postcss --save-dev
Then you need to add a new section to your package.json file instructing npm that you want dependencies to use your specific version of the library. It goes in my case like this:
{
  "resolutions": {
    "postcss": "^8.2.15"
  }
}
Then you have to add a new script to force npm usage of this new "resolutions" section like this:
"scripts": {
  "preinstall": "npx npm-force-resolutions"
}
Notice! You have to run this script every time before running your regular npm install. It goes like this:
npm run preinstall
npm install
More info can be found in the npm docs.
You might just need to edit your package.json, update the version for the offending package to the latest stable version (in this case https://www.npmjs.com/package/node-fetch), and then run "npm install" from the terminal.

Error installing npm package 'kurento-client' (BufferUtil ~ node-gyp rebuild)

I'm trying to install a package 'Kurento-client' via npm but it gives error in installing its own dependencies (bufferutil and utf-8-validate). Error also mentions 'node-gyp rebuild'
Here is the screenshot of the error:
Can you please tell, what should I do or change?
When I install those 2 dependencies separately (bufferutil and utf-8-validate), they install successfully with the latest version.
But the Kurento-client is installing their old version. I don't know why. I need only kurento-client to be installed.
After searching for a while, I solved it by dropping the npm version. The reason is that some packages have dependencies which they need to install, and in our case, those dependencies were of the old version which cannot correlate with the newer version of npm. Either you have to update those ones separately or drop your npm version. Hope it helps someone!

npm audit returns weird dependencies

Npm audit returns output with some valid warnings, but also with weird dependencies that look like random hexadecimal strings. That string changes every time I run npm audit and is identical for all packages referenced in the audit.
How can I get rid of that? Npm version is 6.8.0
High Cross-Site Scripting (XSS)
Package jquery
Patched in >=3.0.0
Dependency of 28941ae593a0bfccfbff69e6c9be45d3edb864692c815174fff557331de…
Path 28941ae593a0bfccfbff69e6c9be45d3edb864692c815174fff557331de… > 39e4d897653a99aeb635bac80469694d1066d648e1fc9d3ac63ded7789c… > jquery
More info https://npmjs.com/advisories/328
Moderate Prototype Pollution
Package lodash
Patched in >=4.17.11
Dependency of browserify-resolutions [dev]
Path browserify-resolutions > lodash
More info https://npmjs.com/advisories/782
Moderate Prototype Pollution
Package lodash
Patched in >=4.17.11
Dependency of 28941ae593a0bfccfbff69e6c9be45d3edb864692c815174fff557331de…
Path 28941ae593a0bfccfbff69e6c9be45d3edb864692c815174fff557331de… > lodash
More info https://npmjs.com/advisories/782
I just ran into the same issue. After looking into the npm docs this has been resolved in Version 7. I just ran npm audit using npm 7+ and it has pointed to the exact packages that are the culprit with no hash.

How to install latest STABLE version of a Javascript package via a package manager?

How to install latest stable version of a Javascript package via a package manager?
(no alphas, betas, etc.)
I tried NPM and did not find a solution. This question is similar.
I tried Bower and find nothing. Here is a question with no answer here.
Please help. Which package manager should I choose? Maybe there are another options around?
PS
For example: knockout.js, npm gives beta for latest. I don't want beta! I also would like to set the same limitation for dependencies - pull only stable versions.
Installing a package without specifying a version will always install the latest version published to npm, including pre-releases (alpha, beta etc.):
npm install knockout
However, if you specify the version range, even only as a wildcard *, pre-release versions are explicitly excluded:
npm install knockout@*
See the npm docs for more info. Also, you can test this in npm's semver calculator.
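The difference between the two commands comes down to semver precedence and the rule that a range only admits pre-releases when the range itself names one. The script below is an added example, not from the answer or from npm's semver library: a small dependency-free comparator that follows the semver 2.0 precedence rules, plus a `highest()` helper that mirrors what `*` resolves to (pre-releases excluded) versus the highest version overall. The version list is constructed for illustration and is not knockout's real publish history.

```javascript
// Constructed list of published versions (not a real package's history).
const published = ['3.4.0', '3.4.2', '3.5.0-beta', '3.5.0-rc.1', '3.4.3-alpha.2'];

// Split "major.minor.patch[-pre][+build]" into its parts; build metadata is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] ? m[4].split('.') : [],
  };
}

// Compare two pre-release identifier lists per semver 2.0 rules.
function comparePrerelease(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1; // a release outranks any pre-release of the same core
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1; // shorter identifier list ranks lower
    if (b[i] === undefined) return 1;
    const na = /^\d+$/.test(a[i]);
    const nb = /^\d+$/.test(b[i]);
    if (na && nb) {
      if (Number(a[i]) !== Number(b[i])) return Number(a[i]) - Number(b[i]);
    } else if (na) return -1; // numeric identifiers rank below alphanumeric ones
    else if (nb) return 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Negative if x < y, zero if equal, positive if x > y.
function compareSemver(x, y) {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  return comparePrerelease(a.prerelease, b.prerelease);
}

// Highest version in the list. With includePrerelease=false this is what a range
// such as "*" resolves to; with true it is the highest by precedence, pre-releases included.
function highest(versions, { includePrerelease = false } = {}) {
  const pool = includePrerelease
    ? versions
    : versions.filter((v) => parseVersion(v).prerelease.length === 0);
  if (pool.length === 0) return null;
  return pool.reduce((best, v) => (compareSemver(v, best) > 0 ? v : best));
}

console.log('range "*" resolves to:', highest(published));
console.log('highest including pre-releases:', highest(published, { includePrerelease: true }));
```

For the constructed list, `*` resolves to 3.4.2 while the highest version by precedence is 3.5.0-rc.1. A bare `npm install knockout` does not consult a range at all; it takes whatever version the package's `latest` dist-tag points at, which is why a maintainer who publishes a beta without `--tag` hands it to everyone installing by bare name. The same exclusion applies to the ranges your own dependencies declare for their dependencies, as long as those ranges do not themselves mention a pre-release.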

Installing Gulp gives me these warnings

My Node version : v0.12.2
My npm version: 2.7.4
I ran the following command: npm install gulp -g
Should I care ? I get these warnings:
C:\Users\Maddy\Desktop\PublicServer\skill_tests>npm install gulp -g
npm WARN deprecated graceful-fs@3.0.8: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated lodash@1.0.2: lodash@<3.0.0 is no longer maintained. Upgrade to lodash@^4.0.0.
npm WARN deprecated graceful-fs@1.2.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
Those warnings are not a major issue. I get the same warnings when I install gulp. I have been using it for a while. It has to do with the libraries that support gulp. Gulp has dependencies and those dependencies are "packaged" together to create gulp. For example, lodash is a javascript library that has a lot of array utilities. But lodash is maintained by the person who developed it.
If you look in the node_modules folder you can see all the dependencies that make up gulp. I just pointed out lodash because you can find the link here and review it yourself. Gulp is not one javascript library it's a compilation of several projects that make up one tool.
Since npm has no kind of a rating system -- or anything remotely similar, there are a lot of "old" packages out there that refer to other "old" packages.
And, for the most part, that is fine.
For the most part being the key phrase.
Once in a rare while there may be a breaking change to node which causes one of these old packages to fail and you can get a cascading error upwards. However, it doesn't seem to happen too often -- I've only run into it once.
The bottom line is: Unless you are able to maintain the packages, there isn't really anything you can do about it.
All of these are warnings, which means you should be fine. If you encounter an error run:
npm list
which will give you a list of dependencies and packages. Generally speaking, these have to be updated by the author. So if it's mission critical, give them a ping on their repos or find alternatives that are maintained.
