Npm audit fix --force does apply its own recommendations - javascript

There are plenty of similar questions, but they have not helped me at all.
I am trying to get rid of critical vulnerabilities. I have run npm update, npm audit fix and npm audit fix --force many times, but it is stalled. I see the same warnings again, though the output says it is a fixable problem. Is there a way to finish it?
>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating update to 0.7.4, which is a SemVer major change.
npm WARN deprecated set-value@0.4.3: Critical bug fixed in v3.0.1, please upgrade to the latest version.
npm WARN deprecated set-value@0.4.3: Critical bug fixed in v3.0.1, please upgrade to the latest version.
assign-deep <1.0.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1014
fix available via `npm audit fix`
set-value <=2.0.0 || 3.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1012
fix available via `npm audit fix --force`
Will install update@0.4.2, which is a breaking change
Update: I can see too many different versions (even 0.2) of set-value in package.json. I have set all occurrences with version <= 2.0 to 2.0.1. Tests passed.

TL;DR: Try npm uninstall update.
Using the package.json in the repo that you linked to and npm@7, running npm install and then npm audit reported:
46 vulnerabilities (3 low, 11 moderate, 32 high)
Running npm audit fix didn't change that, which is indeed irksome, but also a known issue.
Running npm audit fix --force actually somehow made things worse:
55 vulnerabilities (9 low, 10 moderate, 36 high)
So I started over again with your package.json and ran npm install and npm audit again. The output for npm audit includes this:
set-value <=2.0.0 || 3.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1012
fix available via `npm audit fix --force`
Will install update@0.7.4, which is a breaking change
So it wants to update the update module to version 0.7.4, which is the latest version. I did that manually like this:
npm uninstall update && npm install update
That got the same result (an increase in vulnerabilities) as npm audit fix --force but I did notice that after uninstalling update, 0 vulnerabilities were reported.
$ npm uninstall update
removed 584 packages, and audited 870 packages in 4s
56 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
$
Looking at the npm page for update, it hasn't been updated itself in 5 years. So maybe replacing that package with something else is your best option here.
Back to your package.json, the update package is in your dependencies which seems wrong as it seems to be a command-line tool. A quick scan of the repo seems to indicate it's not actually used anywhere.
So I'm going to posit that the best solution is npm uninstall update.
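As an added example (not the questioner's or the answerer's code), the following script does the triage the answer above did by hand: it reads an npm 7+ `npm audit --json` report, walks each vulnerable package's `effects` chain up to the direct dependency that pulls it in, and flags fixes that are semver-major, i.e. the ones `npm audit fix` skips and only `npm audit fix --force` applies. The report in the script is a constructed sample modelled on the two advisories quoted in the question.

```javascript
// Added example (not code from the question or answers). Assumes the auditReportVersion 2
// JSON that `npm audit --json` emits on npm 7+; the sample below is constructed from the question.
const fixViaUpdate = { name: "update", version: "0.7.4", isSemVerMajor: true };
const advisory = (source, name, range) => ({
  source, name, title: "Prototype Pollution", severity: "high", range,
  url: `https://npmjs.com/advisories/${source}`,
});
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "set-value": { name: "set-value", isDirect: false, effects: ["union-value"],
      via: [advisory(1012, "set-value", "<=2.0.0 || 3.0.0")], fixAvailable: fixViaUpdate },
    "union-value": { name: "union-value", isDirect: false, effects: ["update"],
      via: ["set-value"], fixAvailable: fixViaUpdate },
    "assign-deep": { name: "assign-deep", isDirect: false, effects: ["update"],
      via: [advisory(1014, "assign-deep", "<1.0.1")], fixAvailable: true },
    update: { name: "update", isDirect: true, effects: [],
      via: ["union-value", "assign-deep"], fixAvailable: fixViaUpdate },
  },
};

// Follow `effects` (packages that depend on `start`) up to entries marked isDirect,
// i.e. dependencies listed in your own package.json; a visited set guards against cycles.
function directDependents(vulns, start) {
  const seen = new Set(), direct = new Set(), stack = [start];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = vulns[name];
    if (!entry) continue;
    if (entry.isDirect) direct.add(name);
    stack.push(...(entry.effects || []));
  }
  return [...direct].sort();
}

// One row per advisory. In `via`, an object marks the package that is itself vulnerable;
// a string marks a package that only depends on a vulnerable one. fixNeedsForce is true
// when the fix is a semver-major bump, the case `npm audit fix` refuses without --force.
function triageAudit(report) {
  const vulns = report.vulnerabilities;
  const rows = [];
  for (const entry of Object.values(vulns)) {
    for (const via of entry.via) {
      if (typeof via !== "object") continue;
      const fix = entry.fixAvailable;
      rows.push({
        advisory: via.url,
        vulnerable: `${entry.name}@${via.range}`,
        severity: via.severity,
        directDependents: directDependents(vulns, entry.name),
        fixNeedsForce: typeof fix === "object" && fix.isSemVerMajor === true,
      });
    }
  }
  return rows;
}
console.table(triageAudit(sampleAudit));
```

To run it against a real project, replace sampleAudit with JSON.parse of the output of npm audit --json. A direct dependency that shows up for every advisory and is unused in the code, as update was here, is the one to remove rather than force-upgrade.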

Related

Npm install Error | 69 vulnerabilities (12 low, 28 moderate, 26 high, 3 critical)

Hey guys, help me please to solve this problem ...!
My problem is:
> npm i
up to date, audited 1879 packages in 13s
90 packages are looking for funding
run `npm fund` for details
69 vulnerabilities (12 low, 28 moderate, 26 high, 3 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
More Info :
Npm Version : 8.13.2
OS : Windows
Node : v18.4.0
WARNING : npm audit fix --force NOT WORKING
WARNING : This error for Update and Install !!
This seems to work fine as long as there are no security vulnerabilities, in that case you can use this package npm force resolutions
I had those issues as well. If npm audit fix --force is not working, then I suggest running just npm audit; you will get detailed information about what is wrong and what should be updated. Hope it will help.

Unable to run the command 'npm i -g expo-cli'

I'm trying to run npm install -g expo-cli on Windows 10 but it doesn't work. I keep getting this error message.
Please help!
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated subscriptions-transport-ws@0.9.8: The `subscriptions-transport-ws` package is no longer maintained. We recommend you use `graphql-ws` instead. For help migrating Apollo software to `graphql-ws`, see https://www.apollographql.com/docs/apollo-server/data/subscriptions/#switching-from-subscriptions-transport-ws For general help using `graphql-ws`, see https://github.com/enisdenjo/graphql-ws/blob/master/README.md
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated graphql-tools@3.0.0: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
changed 1556 packages, and audited 1557 packages in 2m
118 packages are looking for funding
run `npm fund` for details
26 vulnerabilities (10 moderate, 16 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Actually your npm install worked and you installed your package successfully. These warnings and errors just say that some packages you use in the project are deprecated and you can install newer versions, and you can audit these with npm audit. So just ignore this and resume your work :)

NPM audit vulnerabilities

I was installing an npm package to get the node_modules folder, but after I run npm install it shows me 184 vulnerabilities (153 low, 1 moderate, 30 high). Should I run npm audit fix in order to fix this? My concern is whether it will make any changes to the already installed dependencies, and whether it will change my package.json and package-lock.json files. I have attached the image below.
Please help me out with this. Thank you. I just need to know whether it will change all the preinstalled dependencies, or whether it is fine to run the npm audit fix command. Thanks.
I never encountered any problems running npm audit fix on my projects and didn't hear of any from anyone else either, so I recommend you try it. In the worst-case scenario you can just uninstall your packages and install them again using npm install. Just know that npm audit fix may not fix all of your vulnerabilities; you may need to replace the specific package.
Cheers.

How to fix these vulnerabilities by manual review?

I did npm audit and npm audit fix.
But some vulnerabilities need manual review.
So, how do I upgrade these packages manually?
These packages need a manual upgrade.
The audit command will install semver-major updates when the --force flag is used. This is not default behavior because it may introduce breaking changes in updated dependencies.
npm audit fix --force
Alternatively, you can manually update a specific dependency with an install command.
npm install uglifyjs-webpack-plugin@latest --save-dev
In this particular case, uglifyjs-webpack-plugin is deprecated and suggests terser-webpack-plugin as an alternative. You may want to use that package instead.
npm uninstall uglifyjs-webpack-plugin --save-dev
npm install terser-webpack-plugin --save-dev

Maximum call stack size exceeded on npm install

I'm trying to run npm install, this is output from console:
npm ERR! Linux 4.8.0-27-generic
npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "install"
npm ERR! node v6.9.1
npm ERR! npm v3.10.8
npm ERR! Maximum call stack size exceeded
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR! <https://github.com/npm/npm/issues>
and this is content of npm-debug.log:
113791 verbose stack RangeError: Maximum call stack size exceeded
113791 verbose stack at Object.color (/usr/lib/node_modules/npm/node_modules/npmlog/node_modules/console-control-strings/index.js:115:32)
113791 verbose stack at EventEmitter.log._format (/usr/lib/node_modules/npm/node_modules/npmlog/log.js:252:51)
113791 verbose stack at EventEmitter.<anonymous> (/usr/lib/node_modules/npm/node_modules/npmlog/log.js:138:24)
113791 verbose stack at emitThree (events.js:116:13)
113791 verbose stack at emit (events.js:194:7)
113791 verbose stack at .<anonymous> (/usr/lib/node_modules/npm/node_modules/npmlog/node_modules/are-we-there-yet/tracker-group.js:23:18)
113791 verbose stack at emitThree (events.js:116:13)
113791 verbose stack at emit (events.js:194:7)
113791 verbose stack at .<anonymous> (/usr/lib/node_modules/npm/node_modules/npmlog/node_modules/are-we-there-yet/tracker-group.js:23:18)
113791 verbose stack at emitThree (events.js:116:13)
113791 verbose stack at emit (events.js:194:7)
113792 verbose cwd /home/giorgi/AdMove/dev/web-advertiser-admove
113793 error Linux 4.8.0-27-generic
113794 error argv "/usr/bin/nodejs" "/usr/bin/npm" "install"
113795 error node v6.9.1
113796 error npm v3.10.8
113797 error Maximum call stack size exceeded
113798 error If you need help, you may report this error at:
113798 error <https://github.com/npm/npm/issues>
113799 verbose exit [ 1, true ]
I removed node_modules several times and tried to reinstall. I can't understand what causes this or how to fix it.
metzelder's answer helped me fix the issue. However, if you run the command npm cache clean, it will give you a message:
As of npm@5, the npm cache self-heals from corruption issues and data extracted from the cache is guaranteed to be valid
So, as of npm 5 you can do it by adding a --force flag to the command.
So the command is:
npm cache clean --force
npm rebuild
It has solved my problem.
Try removing package-lock.json and the node_modules folder:
rm package-lock.json
rm -r node_modules
I had the same issue with npm install.
After a lot of search, I found out that removing your .npmrc file or its content (found at %USERPROFILE%/.npmrc), will solve this issue. This worked for me.
npm uninstall
npm cache clean --force
I tried these two methods but they didn't work. After that, I deleted the node_modules directory and ran npm install again; it still didn't work. Lastly, I deleted package-lock.json and created a new package-lock.json file using
npm install
I have overcome this issue by doing the following:
Delete all the content of the npm dependencies. You can find the default install location according to this thread:
https://stackoverflow.com/a/5926706/1850297
Before you run the npm install command, I suggest running npm cache clean --force
npm rebuild will work for sure
In my case, update to the newest version:
npm install -g npm
I deleted
node_modules
and then reinstalled by
npm install
It worked for me
I have also faced the same problem and this is how I resolved it.
First of all you need to make sure that your node and npm versions are up to date. If not, please upgrade your node and npm packages to the latest versions.
nvm install 12.18.3 // update node version through node version manager
npm install npm // update your npm version to latest
Delete your node_modules folder and package-lock.json file.
Force clean the entire npm cache by using the following command.
npm cache clean --force
Re-install all the dependencies.
npm install
If the above step didn't resolve your problem, try to re-install your dependencies after executing the following command.
npm rebuild
This issue can also happen if you're trying to install a package that doesn't exist or if you're trying to install a version that doesn't exist.
npm cache clean returns below message
As of npm@5, the npm cache self-heals from corruption issues and data extracted from the cache is guaranteed to be valid. If you want to make sure everything is consistent, use 'npm cache verify' instead. On the other hand, if you're debugging an issue with the installer, you can use npm install --cache /tmp/empty-cache to use a temporary cache instead of nuking the actual one.
If you run npm cache verify, as specified above, then it actually runs cache verification and garbage collection which fixes the problem.
Cache verified and compressed (~\AppData\Roaming\npm-cache_cacache):
Content verified: 6183 (447214684 bytes) Content garbage-collected: 16
(653745 bytes) Index entries: 9633
Happened in docker (node:15-buster) for me.
Remember to use WORKDIR /<folder> so that it doesn't conflict with original npm libraries installed.
The folder can be anything but system folders, so that includes using /.
In case none of these answers work for you, it may be because the terminal you're using isn't the right one, or your node_modules is being used by another part of your computer.
In my case I kept juggling between this error (maximum call stack size exceeded) and the access error even when I did a sudo npm i.
The fix was to close my IDE (which was WebStorm), run npm i in a basic terminal, and that was it.
I'm not a Windows user, so if you are, try to check Rene Knop's comment.
For Unix/OSX users, I've removed the root .npmrc file ~/.npmrc.
Before you try it, please check that there is nothing necessary in there;
you can use this command to print all of its content in your terminal: cat ~/.npmrc
If you have got something like:
cat: /Users/$USER/.npmrc: No such file or directory
to save a copy:
cp ~/.npmrc ~/.npmrc_copy
Now, try to remove it (Works for bash users: Unix / Ubuntu / OSX ...):
rm -f ~/.npmrc
This worked for me.
Hope this will be helpful for others.
I also had the same problem. I had tried the previous solutions, but the solution for me was much simpler. I only had to remove the space in the directory name and then run npm i again.
Thanks to: https://github.com/nodejs/node-gyp/issues/809#issuecomment-155019383 for pointing this out.
In my case I had a custom .npmrc file that included an auth token for authenticating with a private npm registry.
The token had expired, which helpfully returned code E401: Incorrect or missing password locally, but ERR! Maximum call stack size exceeded from the CI build.
Uninstall the npm package, force clean the cache, close the terminal and reinstall whichever package it may be.
$ sudo npm uninstall <package-name>
$ sudo npm cache clean --force
Then restart terminal and check
If it's still not working, upgrade both npm and node to the latest version.
Today we encountered this error when running an npm prune even after running an npm cache clean --force.
Versions:
node 13.8.0
npm 6.13.6
Deleting the package-lock.json worked for this case as well. Thank you all!
In general, once a module has been installed, it's much more convenient to use npm ci instead of npm install. Please check out this SO answer for the advantages of the former with respect to the latter in a production environment.
So please just run
npm ci
All dependencies will be updated, and the problem will disappear. Or it will error in the case there's some grave de-synchronization between one and the other.
Most of the time, this issue occurs if you are using a system provided by the organization you work for and its VPN restricts the use of this command.
In this case, you may try to disconnect from the organization VPN and then execute this command.
I tried everything to fix this issue on my Mac. I think the issue started when I had already downloaded npm from Node.js and then reinstalled it with Homebrew while following along with a Team Treehouse video.
Here's what I tried:
From https://docs.npmjs.com/misc/removing-npm
sudo npm uninstall npm -g
sudo make uninstall
sudo rm -rf /usr/local/{lib/node{,/.npm,_modules},bin,share/man}/npm*
From How do I completely uninstall Node.js, and reinstall from beginning (Mac OS X)
sudo rm -rf /usr/local/{lib/node{,/.npm,_modules},bin,share/man}/{npm*,node*,man1/node*}
Here's what worked:
In the end, the only thing that worked for me was to clone down the npm-reinstall repo from GitHub that completely removed everything related to npm on my Mac.
https://github.com/brock/node-reinstall
I then had to reinstall node and npm from Node.js.
I tried everything to fix this issue on my Windows 7 machine, like
reinstalling and rebuilding npm.
At last, I fixed this small configuration setting issue after wasting my entire day.
How I resolved this issue:
removing my project-specific configurations in the global .npmrc
at a location like drive:/Windows/Users/../.npmrc
I solved it 100%. I had this problem with gulp version 3.5.6.
You should clean the package-lock.json and then run npm install, and it worked for me.
Our company dev environment uses Artifactory as the default registry for our NPM dependencies, and when running npm install it was defaulting to this, which did not work... so manually specifying the main npm registry via npm install --registry https://registry.npmjs.org fixed this issue for me...
I was facing the same error, I was trying to install jest into to one of the packages in a monorepo project.
If you are using Yarn + Lerna to package a monorepo project, you will have to navigate to the package.json inside the target package and then run npm install or npm install <package name>.
I don't know why, but I ran npm install with sudo and it worked.
sudo npm install
I had this problem and it was due to an upgrade of my git executable. I rolled back to Git-2.21.0.rc1.windows.1-64-bit and added this to my environment path and it fixed my issue.
The one thing that finally worked for me on Mac was upgrading from node 8.12 to 10.x using NVM.
I uninstalled all other versions of Node with NVM, then installed 10.x, then ran nvm alias default node, which tells NVM to always default to the latest available node version on a shell.
After that, my live reloading issue went away!
Switching to yarn solved the issue for me.
