npm audit finds two high vulnerabilities. What am I supposed to do?

I ran npm audit on my project and it gave me this:

High Command Injection
Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > @ngtools/webpack > tree-kill

More info https://npmjs.com/advisories/1432

High Command Injection

Package tree-kill

Patched in >=1.2.2

Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > tree-kill

More info https://npmjs.com/advisories/1432

tree-kill needs to be updated, but it is a dependency of Angular, not mine. So what? Do I need to wait for the Angular team to update their own package.json to a newer version of tree-kill?

Nemus asked Jan 11 '20 12:01




2 Answers

You can fix this without waiting for a new version of the package @angular-devkit/build-angular.

Just do the following steps:

  1. Update your package.json file by adding a resolutions section with the proper version of the package tree-kill:

     "resolutions": {
       "tree-kill": "1.2.2"
     }

  2. Update your package-lock.json by running the command:

     npx npm-force-resolutions

  3. Reinstall the npm packages in your project:

     rm -r node_modules
     npm install

Run npm audit to check that your project no longer has this problem. And don't forget to commit the modified files package.json and package-lock.json.

More information about NPM Force Resolutions.

Yuri Beliakov answered Sep 21 '22 18:09


Add the code below to package.json:

"resolutions": {
  "tree-kill": "1.2.2"
}

Remove all node modules:

rm -r node_modules

Update package-lock.json for the new version 1.2.2 as:

npx npm-force-resolutions

Now install node modules:

npm install

This works for me.

rohit answered Sep 24 '22 18:09
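Both answers above describe the same fix-and-verify loop: pin tree-kill through a resolutions entry, regenerate package-lock.json with npx npm-force-resolutions, reinstall, and re-run npm audit. As an added example that is not part of either answer, the Node script below checks the resulting lockfile directly instead of relying on the audit round-trip: it walks package-lock.json (a v1 "dependencies" tree or a v2/v3 "packages" map), lists every installed copy of a package together with the path it sits under, and flags any copy older than the advisory's patched version (">=1.2.2" according to the audit output in the question). The two lockfiles embedded in it are constructed samples that mirror the two tree-kill paths from the question; every version other than tree-kill's is made up.

```javascript
// Added example (not from the original question or answers): find every
// installed copy of a package in package-lock.json and report the ones that
// are still below the patched version named in an advisory.

function parseVersion(v) {
  // "1.2.2-beta.1" -> [1, 2, 2]; prerelease tags are ignored for this check
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// -1 if a < b, 0 if equal, 1 if a > b (numeric major.minor.patch compare)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile v1: nested "dependencies" objects. Yields [path, version] for
// every occurrence of `target`, including copies nested under other packages.
function* walkV1(deps, target, path) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (name === target) yield [here.join(' > '), entry.version];
    yield* walkV1(entry.dependencies, target, here);
  }
}

// Lockfile v2/v3: flat "packages" map keyed by install path, e.g.
// "node_modules/@angular-devkit/build-angular/node_modules/tree-kill".
function* walkPackages(packages, target) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project entry
    const parts = key
      .split('node_modules/')
      .filter(Boolean)
      .map((p) => p.replace(/\/$/, ''));
    if (parts[parts.length - 1] === target) yield [parts.join(' > '), entry.version];
  }
}

// Returns [{ path, version }] for each copy of `target` older than `patchedIn`.
function findVulnerableCopies(lock, target, patchedIn) {
  const copies = lock.packages
    ? [...walkPackages(lock.packages, target)]
    : [...walkV1(lock.dependencies, target, [])];
  return copies
    .filter(([, version]) => compareVersions(version, patchedIn) < 0)
    .map(([path, version]) => ({ path, version }));
}

// Constructed v1 lockfile before the fix: both paths from the audit output,
// each holding an unpatched tree-kill. Non-tree-kill versions are invented.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 1,
  dependencies: {
    '@angular-devkit/build-angular': {
      version: '0.0.0-constructed',
      dev: true,
      dependencies: {
        'tree-kill': { version: '1.2.1', dev: true },
        '@ngtools/webpack': {
          version: '0.0.0-constructed',
          dev: true,
          dependencies: { 'tree-kill': { version: '1.2.1', dev: true } },
        },
      },
    },
  },
};

// Constructed v3 lockfile after npm-force-resolutions: a single hoisted
// tree-kill at the patched version.
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.0.0-constructed' },
    'node_modules/@angular-devkit/build-angular': { version: '0.0.0-constructed', dev: true },
    'node_modules/@ngtools/webpack': { version: '0.0.0-constructed', dev: true },
    'node_modules/tree-kill': { version: '1.2.2', dev: true },
  },
};

// Usage: on a real project, replace the samples with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
console.log('before fix:', findVulnerableCopies(SAMPLE_LOCK_BEFORE, 'tree-kill', '1.2.2'));
console.log('after fix: ', findVulnerableCopies(SAMPLE_LOCK_AFTER, 'tree-kill', '1.2.2'));
```

The point of walking the whole tree rather than checking one entry is the nested copy: a resolution that only bumped the hoisted tree-kill would leave the copy under @ngtools/webpack in place, and this scan reports it by path so you can see exactly which parent still pulls the old version.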