How to fix these vulnerabilities by manual review? - javascript

I did npm audit and npm audit fix.
But some vulnerabilities need manual review.
So, how do I upgrade these packages manually?
These packages need a manual upgrade.

The audit command will install semver-major updates when the --force flag is used. This is not default behavior because it may introduce breaking changes in updated dependencies.
npm audit fix --force
Alternatively, you can manually update a specific dependency with an install command.
npm install uglifyjs-webpack-plugin@latest --save-dev
In this particular case, uglifyjs-webpack-plugin is deprecated and suggests terser-webpack-plugin as an alternative. You may want to use that package instead.
npm uninstall uglifyjs-webpack-plugin --save-dev
npm install terser-webpack-plugin --save-dev

Related

Can you add "--legacy-peer-deps" to an individual package in package.json?

I want to ignore the peer dependencies of only one of the libraries in my package.json (e.g. theme-ui). Is there a way to add such a flag to package.json?
I think using
--legacy-peer-deps
will allow us to install the package without meeting the peer dependency requirements.
If it doesn't work, try to use
--force
which will install without regard to peer dependencies.
Hope it will be helpful. Thanks
Yes, you can add --legacy-peer-deps for individual packages.
$ npm install --legacy-peer-deps --save-dev theme-ui
OR
$ npm install --legacy-peer-deps --save theme-ui
I hope this will help.

how to install package under (as) peerDependencies?

I'm building a library and trying to understand how to install/specify a dependency under peerDependencies.
The npm docs don't talk about this under the command npm install:
npm install (with no args, in package dir)
npm install [<@scope>/]<name>
npm install [<@scope>/]<name>@<tag>
npm install [<@scope>/]<name>@<version>
npm install [<@scope>/]<name>@<version range>
npm install <git-host>:<git-user>/<repo-name>
npm install <git repo url>
npm install <tarball file>
npm install <tarball url>
npm install <folder>
alias: npm i
common options: [-P|--save-prod|-D|--save-dev|-O|--save-optional] [-E|--save-exact] [-B|--save-bundle] [--no-save] [--dry-run]
Any help?
As far as I know, there isn't a command line shortcut for installing a peer dependency. Some Googling dug up this old issue where the npm folks briefly discussed adding that functionality, but it doesn't seem to have made it in as of npm@6.
It's less-than-ideal, but I think manually editing your package.json file to specify peer dependencies by hand may be your best bet. As of this 2013 blog post from the Node.js team, that approach almost seems sanctioned:
Peer dependencies are pretty simple to use. When writing a plugin, figure out what version of the host package you peer-depend on, and add it to your package.json: ...

Build Fails: `npm rebuild node-sass --force`

Using n to switch Node versions.
I've run yarn and npm rebuild node-sass --force many, many times, and it still fails. I'm getting this error:
Node Sass could not find a binding for your current environment
This usually happens because your environment has changed since running `npm install`.
Run `npm rebuild node-sass --force` to build the binding for your current environment.
Anyone have any idea how to fix?
Also..
When running this command..
npm rebuild node-sass --force
I get..
npm WARN using --force I sure hope you know what you are doing.
Doesn't seem like it is doing anything..
I did below to resolve the issue.
npm uninstall node-sass
npm i node-sass
npm rebuild node-sass
Remove node-sass from your command and just run npm rebuild --force
If npm rebuild node-sass and npm rebuild node-sass --force don't work, just uninstall node-sass and install it again.
I have tried all options like:
npm rebuild --force
npm rebuild node-sass --force
npm rebuild node-sass &
I also tried installing through Python and
updated the VS project links, but nothing worked..
EXCEPT running it manually:
node node_modules/node-sass/scripts/install.js
The main issue is that your node-sass and node-npm versions are incompatible.
Please see the chart on this site or on this.
So my suggestion is either adjust your node-npm version or adjust node-sass.
In my case I was using node-sass version 4.9.4 with node version 8.12.0 and npm version 6.4.1. It was working fine without any issue; later on I got a new system and installed the latest node (12.16.0) & npm (6.13.4), and the issue started, so I dug into this and found the above links.
Hope this will help you.
I just ran the command npm install node-sass and my issue was resolved.
remove package-lock.json file
remove node_modules folder
then remove it from devDependencies in package.json:
"node-sass": "4...",
then
npm i node-sass -D
and
npm i
We are also facing the same issue many times, due to different versions of node and npm across a number of web applications.
For that, we are just using the below command to get properly supported node-sass versions:
npm install node-sass or npm install node-sass -g
then try to rebuild the node-sass with,
npm rebuild node-sass or npm rebuild node-sass -f
After that all, if required then we can rebuild all packages and npm start or npm run watch and then the application is working properly.
Try this: add/modify in your package.json
"node-sass": "*",
and run
npm install
Uninstall and reinstall node-sass. Consider moving to dart sass because node-sass is now deprecated.
Switching Node version to 12.18.x worked for me.
I solved it with npm rebuild node-sass --force; in my case I had to do it as sudo.

How to install gulp jshint using npm?

Unable to install JSHint. Can anyone suggest what I am doing wrong?
I am using the below command.
npm install --save-dev gulp-jshint gulp-jscs jshint-stylish
It is showing the following: "gulp-jshint@2.0.4 requires a peer of jshint@2.x but none was installed - UNMET peer dependency"
Try executing the following command: npm install --save-dev jshint gulp-jshint gulp-jscs jshint-stylish
A peer dependency is not installed by npm; you must install it manually first.
In your case :
npm install --save-dev jshint
Update
A peer dependency is a dependency for a library that is not required. It is considered as a plugin.
You can find more information here for npm or here for nodejs.

c9.io - npm installs outdated packages

I have a workspace on c9.io, and I am using node.js. I am trying to update socket.io from 0.9.17 to the latest version. However, whenever I run the command npm update socket.io it installs the same version. How can I fix this?
To install the latest available package:
npm install <package>
To install a version directly (no need to uninstall first):
npm install <package>@<version>
If you're not sure what versions of a package are available, you can use:
npm view <package> versions
Don't forget the --save flag to add dependencies to your package.json file.
Source: How do I install a previous version of an npm package?
About npm update
However, if app's package.json contains:
"dependencies": {
"dep1": "~1.1.1"
}
In this case, running npm update will install dep1@1.1.2. Even though the latest tag points to 1.2.2, this version does not satisfy ~1.1.1, which is equivalent to >=1.1.1 <1.2.0. So the highest-sorting version that satisfies ~1.1.1 is used, which is 1.1.2.
Source: npm update - Tilde Dependencies
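As an added illustration of the tilde-range rule quoted above (this is example code, not from the answer or from npm itself), the script below resolves "~1.1.1" against a constructed list of published versions the way npm update does, without any third-party semver library; only plain x.y.z versions and ~x.y.z ranges are handled.

```javascript
// Parse "1.1.2" into [1, 1, 2]; anything else (pre-release tags, wildcards) is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples.
function cmpParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

function compareVersions(a, b) {
  return cmpParts(parseVersion(a), parseVersion(b));
}

// "~1.1.1" allows patch-level changes only: >=1.1.1 <1.2.0
function tildeRange(range) {
  const m = /^~(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`only ~x.y.z ranges are supported: ${range}`);
  const [major, minor, patch] = parseVersion(m[1]);
  return { min: [major, minor, patch], maxExclusive: [major, minor + 1, 0] };
}

// Human-readable form of the range, matching the npm docs' wording.
function describeRange(range) {
  const { min, maxExclusive } = tildeRange(range);
  return `>=${min.join('.')} <${maxExclusive.join('.')}`;
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { min, maxExclusive } = tildeRange(range);
  return cmpParts(v, min) >= 0 && cmpParts(v, maxExclusive) < 0;
}

// Highest-sorting published version that satisfies the range, or null if none does.
function resolve(range, available) {
  const candidates = available.filter((v) => satisfies(v, range));
  if (candidates.length === 0) return null;
  return candidates.sort(compareVersions).pop();
}

// Constructed sample registry listing mirroring the docs' scenario.
const published = ['1.1.1', '1.1.2', '1.2.2'];
console.log(describeRange('~1.1.1'), '->', resolve('~1.1.1', published)); // 1.1.2, not 1.2.2
```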
