Vulnerabilities problem using "npm install"

I have installed an express server using the express coserver command, then I used the `npm install` command to install other node packages/dependencies, but I got this result:

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Incorrect Handling of Non-Boolean Comparisons During
                  Minification

  Package         uglify-js

  Patched in      >= 2.4.24

  Dependency of   jade

  Path            jade > transformers > uglify-js

  More info       https://nodesecurity.io/advisories/39


  Low             Regular Expression Denial of Service

  Package         uglify-js

  Patched in      >=2.6.0

  Dependency of   jade

  Path            jade > transformers > uglify-js

  More info       https://nodesecurity.io/advisories/48


  Critical        Sandbox Bypass Leading to Arbitrary Code Execution

  Package         constantinople

  Patched in      >=3.1.1

  Dependency of   jade

  Path            jade > constantinople

  More info       https://nodesecurity.io/advisories/568


  Low             Regular Expression Denial of Service

  Package         clean-css

  Patched in      >=4.1.11

  Dependency of   jade

  Path            jade > clean-css

  More info       https://nodesecurity.io/advisories/785

found 4 vulnerabilities (3 low, 1 critical) in 194 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

My node --version is v10.15.0 and express --version is 4.16.1, and I use Windows 10. I don't know if other information is needed here, but let me know if so.

ensan3kamel asked Sep 13 '19 12:09


2 Answers

reason: Jade has been renamed to pug, please install the latest version of pug instead of jade

fix:

  1. npm uninstall jade
  2. npm install pug
langthiennhai answered Sep 28 '22 18:09


When the problem occurs

You probably created the skeleton website by using the express application generator. This problem is faced when the app is created without specifying which view engine is to be used. express <appname> installs the packages below as dependencies (at the time of writing this post), and the problem is with the 'jade' package. 'jade' is the default view engine for the express-generator tool, but 'jade' was renamed to 'pug' and jade is now deprecated.

"cookie-parser": "~1.4.4",
"debug": "~2.6.9",
"express": "~4.16.1",
"http-errors": "~1.6.3",
"jade": "~1.11.0",
"morgan": "~1.9.1"

how to fix

  • with view engine

use 'pug' (renamed version of jade) as view engine

express myapp --view=pug

if 'pug' has a low severity vulnerability, try

npm audit fix

  • without view engine

generate app without view engine

express myapp --no-view

For more info about 'jade' package: https://www.npmjs.com/package/jade

yldrmali answered Sep 28 '22 19:09
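To act on a report like the one in the question, each finding has to be tied back to the top-level dependency that pulls it in (here jade, which both answers replace with pug). The parser below is an added example, not code from the question or either answer; its sample input is constructed from two of the question's four advisories, and it assumes the text layout of the report shown above (severity line, optional wrapped title line, then `Package`/`Patched in`/`Dependency of`/`Path`/`More info` fields).

```javascript
// Constructed sample: two of the four advisories from the question's report.
const SAMPLE_REPORT = `
  Low             Incorrect Handling of Non-Boolean Comparisons During
                  Minification
  Package         uglify-js
  Patched in      >= 2.4.24
  Dependency of   jade
  Path            jade > transformers > uglify-js
  More info       https://nodesecurity.io/advisories/39

  Critical        Sandbox Bypass Leading to Arbitrary Code Execution
  Package         constantinople
  Patched in      >=3.1.1
  Dependency of   jade
  Path            jade > constantinople
  More info       https://nodesecurity.io/advisories/568
found 2 vulnerabilities (1 low, 1 critical) in 194 scanned packages
`;
const SEVERITIES = ['low', 'moderate', 'high', 'critical'];

// One object per advisory block; a wrapped title line is folded into the title.
// Field names become snake_case keys: package, patched_in, dependency_of, path, more_info.
function parseAuditReport(text) {
  const advisories = [];
  let cur = null;
  for (const line of text.split('\n').map((l) => l.trim()).filter(Boolean)) {
    const sev = line.match(/^(Low|Moderate|High|Critical)\s{2,}(.+)$/);
    const field = line.match(/^(Package|Patched in|Dependency of|Path|More info)\s{2,}(.+)$/);
    if (sev) advisories.push(cur = { severity: sev[1].toLowerCase(), title: sev[2] });
    else if (field && cur) cur[field[1].toLowerCase().replace(' ', '_')] = field[2];
    else if (cur && !cur.package) cur.title += ' ' + line;  // title continuation line
  }
  return advisories;
}

// Count per severity, plus the worst severity per top-level dependency
// (the package.json entry you can actually change, as the answers do with jade).
function summarize(advisories) {
  const bySeverity = {}, byDependency = {};
  for (const a of advisories) {
    bySeverity[a.severity] = (bySeverity[a.severity] || 0) + 1;
    const e = byDependency[a.dependency_of] || (byDependency[a.dependency_of] = { worst: 'low', count: 0 });
    if (SEVERITIES.indexOf(a.severity) > SEVERITIES.indexOf(e.worst)) e.worst = a.severity;
    e.count += 1;
  }
  return { bySeverity, byDependency };
}

// Top-level dependencies whose worst finding is at or above `threshold`.
function dependenciesAtOrAbove(summary, threshold) {
  const min = SEVERITIES.indexOf(threshold);
  return Object.keys(summary.byDependency)
    .filter((d) => SEVERITIES.indexOf(summary.byDependency[d].worst) >= min).sort();
}
```

For the question's full report the same roll-up attributes all four findings to jade, which is why swapping that one direct dependency, rather than patching the transitive packages by hand, is the fix both answers give.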