NPM audit vulnerabilities - javascript

I was installing an npm package to get a node module file, but after I ran npm install it showed me 184 vulnerabilities (153 low, 1 moderate, 30 high). Should I run npm audit fix in order to fix this? My concern is whether it will make any changes to the already installed dependencies, and whether it will change my package.json and package-lock.json files. I have attached the image below.
Please help me out with this. Thank you. I just need to know whether it will change all the preinstalled dependencies or whether it is good to run the npm audit fix command. Thanks.

I never encountered any problems running npm audit fix on my projects and didn't hear of any from anyone else either, so I recommend you try it. In the worst-case scenario you can just uninstall your packages and install them again using npm install. Just know that npm audit fix may not fix all of your vulnerabilities; you may need to replace the specific package.
Cheers.

Related

Npm audit fix --force does apply its own recommendations

There are plenty of similar questions but they have not helped me at all.
I am trying to get rid of critical vulnerabilities. I have run npm update, npm audit fix and npm audit fix --force many times but it is stalled. I see the same warnings again, though the output says it is a fixable problem. Is there a way to finish it?
>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating update to 0.7.4, which is a SemVer major change.
npm WARN deprecated set-value@0.4.3: Critical bug fixed in v3.0.1, please upgrade to the latest version.
npm WARN deprecated set-value@0.4.3: Critical bug fixed in v3.0.1, please upgrade to the latest version.
assign-deep <1.0.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1014
fix available via `npm audit fix`
set-value <=2.0.0 || 3.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1012
fix available via `npm audit fix --force`
Will install update@0.4.2, which is a breaking change
Update: I can see too many different versions (even 0.2) of set-value in package.json. I have set all occurrences with version <= 2.0 to 2.0.1. The tests passed.
TL;DR: Try npm uninstall update.
Using the package.json in the repo that you linked to and npm@7, running npm install and then npm audit reported:
46 vulnerabilities (3 low, 11 moderate, 32 high)
Running npm audit fix didn't change that, which is indeed irksome, but also a known issue.
Running npm audit fix --force actually somehow made things worse:
55 vulnerabilities (9 low, 10 moderate, 36 high)
So I started over again with your package.json and ran npm install and npm audit again. The output for npm audit includes this:
set-value <=2.0.0 || 3.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1012
fix available via `npm audit fix --force`
Will install update@0.7.4, which is a breaking change
So it wants to update the update module to version 0.7.4, which is the latest version. I did that manually like this:
npm uninstall update && npm install update
That got the same result (an increase in vulnerabilities) as npm audit fix --force, but I did notice that after uninstalling update, 0 vulnerabilities were reported.
$ npm uninstall update
removed 584 packages, and audited 870 packages in 4s
56 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
$
Looking at the npm page for update, it hasn't been updated itself in 5 years. So maybe replacing that package with something else is your best option here.
Back to your package.json, the update package is in your dependencies which seems wrong as it seems to be a command-line tool. A quick scan of the repo seems to indicate it's not actually used anywhere.
So I'm going to posit that the best solution is npm uninstall update.
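Added example, not code from either thread above: a small Node script that triages an `npm audit --json` report (npm 7 format) the way the answer above reasons about it, separating findings that `npm audit fix` can patch within the existing semver ranges from those that only `--force` would fix by bumping a root package across a major version (which does rewrite package.json and package-lock.json), and those with no fix at all. The report is a constructed sample built from the two advisories quoted in the thread; `placeholder-pkg` is an invented name used only to exercise the no-fix branch.

```javascript
// Constructed sample in the shape of `npm audit --json` (npm 7+): the two
// advisories quoted in the thread plus an invented, unfixable placeholder.
const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    'assign-deep': {
      name: 'assign-deep', severity: 'high', isDirect: false, range: '<1.0.1',
      via: [{ source: 1014, title: 'Prototype Pollution',
              url: 'https://npmjs.com/advisories/1014', range: '<1.0.1' }],
      fixAvailable: true,                       // plain `npm audit fix` suffices
    },
    'set-value': {
      name: 'set-value', severity: 'high', isDirect: false, range: '<=2.0.0 || 3.0.0',
      via: [{ source: 1012, title: 'Prototype Pollution',
              url: 'https://npmjs.com/advisories/1012', range: '<=2.0.0 || 3.0.0' }],
      // only fixable by moving the root package `update` to a new major version
      fixAvailable: { name: 'update', version: '0.7.4', isSemVerMajor: true },
    },
    'placeholder-pkg': {                        // constructed: no fix published
      name: 'placeholder-pkg', severity: 'moderate', isDirect: true, range: '*',
      via: [{ title: 'Constructed finding', range: '*' }],
      fixAvailable: false,
    },
  },
};
// Sort findings by what `npm audit fix` can do: in-range fix, semver-major
// fix (needs --force and will change package.json), or nothing at all.
function triage(rep) {
  const out = { safe: [], breaking: [], unfixed: [] };
  for (const v of Object.values(rep.vulnerabilities)) {
    const fix = v.fixAvailable;
    if (fix && fix.isSemVerMajor) {
      out.breaking.push({ name: v.name, root: fix.name, to: fix.version });
    } else if (fix) {
      out.safe.push(v.name);
    } else {
      out.unfixed.push(v.name);
    }
  }
  return out;
}
// Root packages --force would bump, with the number of findings behind each;
// this is the list to review (or, as in the answer above, to uninstall).
function forceTargets(rep) {
  const counts = {};
  for (const b of triage(rep).breaking) counts[b.root] = (counts[b.root] || 0) + 1;
  return counts;
}
console.log(JSON.stringify({ triage: triage(report), roots: forceTargets(report) }, null, 2));
```

Run it against a real report with `npm audit --json > audit.json` and replace the constructed `report` with `require('./audit.json')`; the `breaking` list is exactly what `npm audit fix --force` would change in your manifest.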

App created with npx create-react-app failed to start

Greetings,
A few months ago I created an app via create-react-app. This app did not run when I entered npm start, and I got the following error message:
react-scripts start
There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.
The react-scripts package provided by Create React App requires a dependency:
"babel-loader": "8.1.0"
Don't try to install it manually: your package manager does it automatically.
However, a different version of babel-loader was detected higher up in the tree:
/Users/kevinmotzkus/Documents/projects/node_modules/babel-loader (version: 8.0.6)
Manually installing incompatible versions is known to cause hard-to-debug issues.
If you would prefer to ignore this check, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That will permanently disable this message but you might encounter other issues.
To fix the dependency tree, try following the steps below in the exact order:
1. Delete package-lock.json (not package.json!) and/or yarn.lock in your project folder.
2. Delete node_modules in your project folder.
3. Remove "babel-loader" from dependencies and/or devDependencies in the package.json file in your project folder.
4. Run npm install or yarn, depending on the package manager you use.
In most cases, this should be enough to fix the problem.
If this has not helped, there are a few other things you can try:
5. If you used npm, install yarn (http://yarnpkg.com/) and repeat the above steps with it instead.
This may help because npm has known issues with package hoisting which may get resolved in future versions.
6. Check if /Users/kevinmotzkus/Documents/projects/node_modules/babel-loader is outside your project directory.
For example, you might have accidentally installed something in your home folder.
7. Try running npm ls babel-loader in your project folder.
This will tell you which other package (apart from the expected react-scripts) installed babel-loader.
If nothing else helps, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That would permanently disable this preflight check in case you want to proceed anyway.
P.S. We know this message is long but please read the steps above :-) We hope you find them helpful!
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! womd@0.1.0 start: `react-scripts start`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the womd@0.1.0 start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/kevinmotzkus/.npm/_logs/2020-07-10T20_09_39_848Z-debug.log
I followed the steps, but it isn't working. I don't know what to look for.
Do I need to install package management into the app folder? I'm kinda new to React and coding, so be patient and gentle please ^^
I'm happy if you give me criticism about my question too: is it understandable, do you need more or specific information?
You could delete the package-lock.json file and the node_modules folder and then run
npm install
Also, this is a pretty similar issue:
Create React App requires a dependency: "babel-loader": "8.1.0"

Parcel.js. Error EPERM: operation not permitted, rename Cache

I'm using Parcel.js. When I try to run Parcel and build my project via yarn parcel ./src/index.html,
an EPERM error happens regarding the Parcel cache.
The error:
Error: EPERM: operation not permitted, rename
'E:webproject-landing.parcel-cache65ca36a4b4620013e0950eda4009b3b2.blob.22060.1.6'
-> 'E:webproject-landing.parcel-cache65ca36a4b4620013e0950eda4009b3b2.blob'
OS: Windows 10
Execution ENV: Bash terminal/VSCode terminal
Could someone please give me some advice?
Thanks for any help.
P.S. Also, I don't understand why the path of the project, etc. is so strange, without any separators. Is this Parcel specific?
I just solved it. I uninstalled Parcel with npm uninstall parcel, then installed it again with npm install parcel-bundler --save-dev.
Answer
Ctrl-C or cancel the server you might have running, then restart the dev server and see if it fixes itself. It did for me.
Not sure if this is still an issue or if anyone else finds themselves here, but Parcel 2 is currently being developed; known bugs are at the GitHub repo and there's a docs/blog for the project, both linked below! It has been helping me a bunch!
https://v2.parceljs.org/
https://github.com/parcel-bundler/parcel
npm cache clean --force
npm install -g npm@latest --force
This works for me!

There might be a problem with the project dependency tree. It is likely not a bug in Create React App, but something you need to fix locally

There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.
The react-scripts package provided by Create React App requires a dependency:
"babel-loader": "8.0.5"
Don't try to install it manually: your package manager does it automatically.
However, a different version of babel-loader was detected higher up in the tree:
/Users/moeismail/node_modules/babel-loader (version: 8.0.6)
Manually installing incompatible versions is known to cause hard-to-debug issues.
If you would prefer to ignore this check, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That will permanently disable this message but you might encounter other issues.
To fix the dependency tree, try following the steps below in the exact order:
Delete package-lock.json (not package.json!) and/or yarn.lock in your project folder.
Delete node_modules in your project folder.
Remove "babel-loader" from dependencies and/or devDependencies in the package.json file in your project folder.
Run npm install or yarn, depending on the package manager you use.
In most cases, this should be enough to fix the problem.
If this has not helped, there are a few other things you can try:
If you used npm, install yarn (http://yarnpkg.com/) and repeat the above steps with it instead.
This may help because npm has known issues with package hoisting which may get resolved in future versions.
Check if /Users/moeismail/node_modules/babel-loader is outside your project directory.
For example, you might have accidentally installed something in your home folder.
Try running npm ls babel-loader in your project folder.
This will tell you which other package (apart from the expected react-scripts) installed babel-loader.
If nothing else helps, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That would permanently disable this preflight check in case you want to proceed anyway.
P.S. We know this message is long but please read the steps above :-) We hope you find them helpful!
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! exported-from-react-studio@0.0.1 start: PORT=3000 react-scripts start
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the exported-from-react-studio@0.0.1 start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/moeismail/.npm/_logs/2020-01-11T14_27_54_274Z-debug.log

npm won't start a react app, requires a dependency: "webpack-dev-server": "3.1.14"

I am trying to create a new React app and start it. I have created React apps before with no errors, but this time when I run npm start I get this error:
There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.
The react-scripts package provided by Create React App requires a dependency:
"webpack-dev-server": "3.1.14"
Don't try to install it manually: your package manager does it automatically.
However, a different version of webpack-dev-server was detected higher up in the tree:
C:\Users\ashraf\node_modules\webpack-dev-server (version: 3.1.9)
Manually installing incompatible versions is known to cause hard-to-debug issues.
If you would prefer to ignore this check, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That will permanently disable this message but you might encounter other issues.
To fix the dependency tree, try following the steps below in the exact order:
1. Delete package-lock.json (not package.json!) and/or yarn.lock in your project folder.
2. Delete node_modules in your project folder.
3. Remove "webpack-dev-server" from dependencies and/or devDependencies in the package.json file in your project folder.
4. Run npm install or yarn, depending on the package manager you use.
In most cases, this should be enough to fix the problem.
If this has not helped, there are a few other things you can try:
5. If you used npm, install yarn (http://yarnpkg.com/) and repeat the above steps with it instead.
This may help because npm has known issues with package hoisting which may get resolved in future versions.
6. Check if C:\Users\ashraf\node_modules\webpack-dev-server is outside your project directory.
For example, you might have accidentally installed something in your home folder.
7. Try running npm ls webpack-dev-server in your project folder.
This will tell you which other package (apart from the expected react-scripts) installed webpack-dev-server.
If nothing else helps, add SKIP_PREFLIGHT_CHECK=true to an .env file in your project.
That would permanently disable this preflight check in case you want to proceed anyway.
P.S. We know this message is long but please read the steps above :-) We hope you find them helpful!
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! learnreact@0.1.0 start: `react-scripts start`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the learnreact@0.1.0 start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\ashraf\AppData\Roaming\npm-cache\_logs\2019-02-04T20_36_39_924Z-debug.log
PS C:\Users\ashraf\Desktop\Files\LearnReact\learnreact>
I have tried all the steps in detail in the error log but it's still not working. Any thoughts on what is causing this error? Thanks in advance.
It seems like you want to depend on webpack-dev-server inside your local project.
Perhaps you need to run npm install in your project, instead of your ~ home directory?
From your output, notice these lines.
However, a different version of webpack-dev-server was detected higher up in the tree:
C:\Users\ashraf\node_modules\webpack-dev-server (version: 3.1.9)
...
6. Check if C:\Users\ashraf\node_modules\webpack-dev-server is outside your project directory.
For example, you might have accidentally installed something in your home folder.
So I would
cd ./my-project
npm i
Did you install webpack-dev-server on its own? It seems it has been installed either by you or by another project install. Webpack is for your local development environment, so the other install is close enough to your project to interfere with the copy that React is trying to install in your project folder. Steps 1-4 in your error message should resolve your issue. If you have done that and it's still not working, did you get different error messages with your next attempt to install your React package?
I have faced the same issue and this method worked for me.
Do follow the steps:
Start a terminal from the desktop and write this command:
npm uninstall webpack-dev-server
This will uninstall the webpack-dev-server package globally from your node modules.
Go back to the terminal of your project and install the webpack-dev-server package:
npm install webpack-dev-server@version
Note: The version part (above) should equal the version asked for in the error message.
npm install webpack-dev-server
Now start npm:
npm start
This error mostly occurs when you have created your project using the
npx create-react-app command instead of the npm create-react-app command.
