After each installation of a new NPM module in my project I get the following error:
[!] 40 vulnerabilities found - Packages audited: 5840 (0 dev, 299 optional)
Severity: 8 Low | 24 Moderate | 8 High
So then I run npm audit and I get the details for each of the 40 vulnerabilities, such as:
# Run npm install [email protected] to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > request > hawk > │
│ │ boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
or this:
# Run npm update fsevents --depth 2 to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ chokidar > fsevents > node-pre-gyp > tar-pack > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
So I run npm install [email protected] (even though I already had 6.0.1), then npm update fsevents --depth 2.
But after that I re-run npm audit and nothing has changed: I still have the same 40 vulnerabilities, and some of them are really scary. What should I do?
NPM Audit Fix: Fixing NPM Dependencies Vulnerabilities
1. TL;DR: Manually run the command given in the text to upgrade one package at a time, e.g. npm i --save-dev [email protected]
2. The Fix: Manually upgrade the packages one at a time with the command suggested by NPM instead of running the npm audit fix --force command.
3. Summary. ...
This isn't a fix for npm, but it worked for me for now:
1. Do the npm audit suggestions that aren't npm updates
2. Delete package-lock.json
3. Delete the node_modules folder
4. (I didn't have to clear my npm cache, but if you continue to run into issues, you may want to look into that)
5. Run npm install again
If our package manager isn't able to fix these vulnerabilities, then surely we're out of luck and must find a way to survive with these vulnerabilities, hoping nobody decides to exploit them against our project.
Manually upgrade the packages one at a time with the command suggested by NPM instead of running the npm audit fix --force command.
This worked for me on MacOS:
When you run npm audit again, the only vulnerabilities left should be "Manual Review" issues.
This seems to be a bug in npm 6.0.1 related to handling of optional dependencies: https://github.com/npm/npm/issues/20577
This worked for me:
1. Do the npm audit suggestions that aren't npm updates
2. Delete package-lock.json
3. Delete the node_modules folder
4. Run npm install again
https://github.com/npm/npm/issues/20684