The package manager npm gives a high severity vulnerability which I don't know how to fix. The advised forced fix wants to install a very old version of expo. Node is up to date (v18.14.1). There seems to be an outdated version reference in 'find-babel-config' to JSON5.
Does anyone have an idea how to fix this dependency? I tried reinstalling and updating npm, including manually deleting node_modules and package-lock.json, cleaning npm cache and updating expo.
npm audit
# npm audit report
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install expo@1.0.0, which is a breaking change
node_modules/babel-preset-expo/node_modules/json5
find-babel-config <=1.2.0
Depends on vulnerable versions of json5
node_modules/babel-preset-expo/node_modules/find-babel-config
babel-plugin-module-resolver 2.3.0 - 4.1.0
Depends on vulnerable versions of find-babel-config
node_modules/babel-preset-expo/node_modules/babel-plugin-module-resolver
babel-preset-expo *
Depends on vulnerable versions of babel-plugin-module-resolver
node_modules/babel-preset-expo
expo >=14.0.0
Depends on vulnerable versions of babel-preset-expo
node_modules/expo
Related
I'm trying to install firebase tools.
However I am presented with this error:
# npm audit report
express <=4.17.2 || 5.0.0-alpha.1 - 5.0.0-alpha.8
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/firebase-tools/node_modules/express
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install firebase-tools@1.2.0, which is a breaking change
node_modules/firebase-tools/node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/firebase-tools/node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/firebase-tools/node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/firebase-tools/node_modules/superstatic/node_modules/update-notifier
node_modules/firebase-tools/node_modules/update-notifier
firebase-tools >=2.0.0
Depends on vulnerable versions of update-notifier
node_modules/firebase-tools
superstatic >=0.12.11
Depends on vulnerable versions of update-notifier
node_modules/firebase-tools/node_modules/superstatic
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/firebase-tools/node_modules/minimatch
qs 6.5.0 - 6.5.2 || 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/firebase-tools/node_modules/qs
node_modules/firebase-tools/node_modules/request/node_modules/qs
body-parser 1.19.0
Depends on vulnerable versions of qs
node_modules/firebase-tools/node_modules/body-parser
express <=4.17.2 || 5.0.0-alpha.1 - 5.0.0-alpha.8
Depends on vulnerable versions of qs
node_modules/firebase-tools/node_modules/express
10 vulnerabilities (6 moderate, 4 high)
When I run:
npm audit fix
or
npm audit fix --force
I get the exact same error.
I then tried to see if updating the packages manually would help, for example by running:
npm install qs@latest
But I get the exact same issues.
I have also
deleted my package-lock.json file and the node_modules folder and tried a fresh install. Still yada.
Why can't I seem to break out of this loop?
SOLVED:
I managed to get around it by using the auto install script and not npm from https://firebase.google.com/docs/cli#mac-linux-auto-script:
curl -sL https://firebase.tools | bash
I am now able to use firebase init, log in and deploy... phew!
When I run
npm audit
It tells me I have a critical vulnerability in lodash. When I run
npm ls lodash
I have 47 instances of lodash being deduped.
How can I tell which of my dependencies are holding on to the vulnerable version?
If you temporarily add the vulnerable package at the patched version:
"lodash": ">=4.17.21",
to your package.json and then run npm update <VULNERABLE_PACKAGE> for the vulnerable package, npm will update all the child dependencies it can.
You can then run npm outdated --depth=5 <VULNERABLE_PACKAGE> and it will show which dependencies are forcing an earlier version.
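The same lookup can be done offline from the JSON form of that tree, as an added example that is not part of the answer above: the script walks `npm ls --all --json` output and prints every chain that ends in a version older than the patched release, so you can see which dependency is holding it. The tree below is constructed for illustration (the nesting and the lodash versions are made up); for a real project you would read it with JSON.parse from the saved `npm ls --all --json` output.

```javascript
// Added example: find which dependency chains still pin an old version of a
// package. Input shape matches `npm ls --all --json` (nested "dependencies"
// objects with a "version" per package). Tree is constructed for illustration.
const sampleTree = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    lodash: { version: '4.17.21' },              // direct dependency, patched
    'webpack-dev-server': {
      version: '3.11.2',
      dependencies: {
        chokidar: {
          version: '2.1.8',
          dependencies: { lodash: { version: '4.17.15' } }  // nested, unpatched
        }
      }
    },
    cheerio: { version: '0.19.0', dependencies: { lodash: { version: '3.10.1' } } }
  }
};
// Compare MAJOR.MINOR.PATCH only (prerelease tags are dropped); enough to
// answer "is this older than the patched release?" for a single package.
function olderThan(version, patched) {
  const a = version.split('-')[0].split('.').map(Number);
  const b = patched.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}
// Depth-first walk of the tree; returns chains such as
// "cheerio@0.19.0 > lodash@3.10.1", i.e. who is holding the old version.
function findVulnerableChains(tree, pkgName, patchedVersion) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const chain = [...path, `${name}@${dep.version}`];
      if (name === pkgName && olderThan(dep.version, patchedVersion)) {
        hits.push(chain.join(' > '));
      }
      walk(dep, chain);
    }
  };
  walk(tree, []);
  return hits;
}
findVulnerableChains(sampleTree, 'lodash', '4.17.21').forEach((c) => console.log(c));
```

Each printed chain names the top-level package to update (or to report upstream) in order to drop the old copy.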
npm audit report:
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
No fix available
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/webpack-dev-server/node_modules/chokidar
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@angular-devkit/build-angular <=13.0.0-next.2
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack <=0.1300.0-next.2
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
5 moderate severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
These are vulnerabilities discovered and reported for dependencies your application is using. Generally, you will want to fix these by updating packages to the latest versions containing fixes for the vulnerabilities.
There is a command, npm audit fix, which can update the affected dependencies for you in most cases (It took me personally from 10.000+ to roughly 10 reports). This however by default will only use non-breaking version jumps (so by semantic versioning it will not jump a major version for example).
You can use npm audit fix --force to fix the remaining vulnerabilities (including semver-incompatible ones) if there are package updates, however you will need to look for breaking changes in the updated packages that may conflict with your program logic.
I highly recommend you look at the NPM Docs article below, it explains the whole process very well.
Also see:
Auditing package dependencies for security vulnerabilities
What does "npm audit fix" exactly do?
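As an added illustration (not from the answer above), this script reads the JSON form of the report, `npm audit --json`, and sorts each finding into what `npm audit fix` applies on its own, what needs `--force` because the only fix is a semver-major jump, and what has no fix at all. The sample report is constructed here, modelled on the json5/expo, minimatch and glob-parent entries elsewhere on this page; the field names follow the npm 7+ audit JSON, where `fixAvailable` is `true`, `false`, or an object with `isSemVerMajor`.

```javascript
// Added example: triage `npm audit --json` output into what `npm audit fix`
// applies by itself, what needs --force (semver-major), and what has no fix.
// The report below is constructed, modelled on entries shown on this page.
const sampleAudit = {
  vulnerabilities: {
    json5: {
      name: 'json5', severity: 'high', range: '<1.0.2', isDirect: false,
      nodes: ['node_modules/babel-preset-expo/node_modules/json5'],
      fixAvailable: { name: 'expo', version: '1.0.0', isSemVerMajor: true }
    },
    minimatch: {
      name: 'minimatch', severity: 'high', range: '<3.0.5', isDirect: false,
      nodes: ['node_modules/firebase-tools/node_modules/minimatch'],
      fixAvailable: true
    },
    'glob-parent': {
      name: 'glob-parent', severity: 'moderate', range: '<5.1.2', isDirect: false,
      nodes: ['node_modules/webpack-dev-server/node_modules/glob-parent'],
      fixAvailable: false
    }
  }
};
// fixAvailable is true (fix within current semver ranges), false (no fix), or
// an object naming the top-level package npm would reinstall; isSemVerMajor
// on that object is what makes `npm audit fix` refuse to act without --force.
function classifyFixes(audit) {
  const buckets = { safe: [], breaking: [], none: [] };
  for (const v of Object.values(audit.vulnerabilities || {})) {
    const fix = v.fixAvailable;
    const label = `${v.name} ${v.range} [${v.severity}]`;
    if (fix === true || (fix && !fix.isSemVerMajor)) {
      buckets.safe.push(label);
    } else if (fix && fix.isSemVerMajor) {
      buckets.breaking.push(`${label} -> would install ${fix.name}@${fix.version}`);
    } else {
      buckets.none.push(label);
    }
  }
  return buckets;
}
const triage = classifyFixes(sampleAudit);
console.log('npm audit fix can apply:', triage.safe);
console.log('needs --force (breaking change, review first):', triage.breaking);
console.log('no fix available, consider a different dependency:', triage.none);
```

The "breaking" bucket is the list to read changelogs for before running `npm audit fix --force`; the "none" bucket is what the report means by "Some issues need review".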
I created the project with JHipster; when I installed, npm failed to perform a repair. The log is as follows.
I don't know what to do, please help me.
npm audit fix --force
log
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating generator-jhipster-vuejs to 0.0.3, which is a SemVer major change.
npm WARN deprecated formatio@1.1.1: This package is unmaintained. Use @sinonjs/formatio instead
npm WARN deprecated samsam@1.1.2: This package has been deprecated in favour of @sinonjs/samsam
npm WARN deprecated cross-spawn-async@2.2.5: cross-spawn no longer requires a build toolchain, use it instead
npm WARN deprecated gulp-util@3.0.8: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
added 374 packages, removed 88 packages, changed 14 packages, and audited 2751 packages in 44s
101 packages are looking for funding
run `npm fund` for details
# npm audit report
axios <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix`
node_modules/generator-jhipster/node_modules/axios
generator-jhipster 2.19.0 - 7.0.0-beta.0
Depends on vulnerable versions of axios
Depends on vulnerable versions of jhipster-core
Depends on vulnerable versions of lodash
node_modules/generator-jhipster
braces <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
fix available via `npm audit fix`
node_modules/glob-stream/node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
node_modules/glob-stream/node_modules/micromatch
glob-stream 5.3.0 - 5.3.5
Depends on vulnerable versions of micromatch
node_modules/glob-stream
vinyl-fs 2.4.2 - 2.4.4
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
decompress <4.2.1
Severity: high
Arbitrary File Write - https://npmjs.com/advisories/1217
fix available via `npm audit fix --force`
Will install generator-jhipster-vuejs@1.9.2, which is a breaking change
node_modules/decompress
gulp-decompress <=1.2.0
Depends on vulnerable versions of decompress
node_modules/gulp-decompress
download 4.0.0 - 5.0.0
Depends on vulnerable versions of caw
Depends on vulnerable versions of gulp-decompress
node_modules/download
yeoman-generator <=0.24.1
Depends on vulnerable versions of download
Depends on vulnerable versions of html-wiring
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of lodash
node_modules/generator-jhipster-vuejs/node_modules/yeoman-generator
generator-jhipster-vuejs <=0.0.3
Depends on vulnerable versions of yeoman-generator
node_modules/generator-jhipster-vuejs
deep-extend <=0.5.0
Prototype Pollution - https://npmjs.com/advisories/612
fix available via `npm audit fix`
node_modules/generator-jhipster-vuejs/node_modules/deep-extend
mem-fs-editor 2.1.0 - 3.0.2
Depends on vulnerable versions of deep-extend
node_modules/generator-jhipster-vuejs/node_modules/mem-fs-editor
lodash <=4.17.18
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
fix available via `npm audit fix --force`
Will install generator-jhipster-vuejs@1.9.2, which is a breaking change
node_modules/cheerio/node_modules/lodash
node_modules/generator-jhipster-vuejs/node_modules/lodash
node_modules/generator-jhipster/node_modules/lodash
node_modules/jhipster-core/node_modules/lodash
cheerio 0.14.0 - 0.19.0
Depends on vulnerable versions of lodash
node_modules/cheerio
html-wiring *
Depends on vulnerable versions of cheerio
node_modules/html-wiring
yeoman-generator <=0.24.1
Depends on vulnerable versions of download
Depends on vulnerable versions of html-wiring
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of lodash
node_modules/generator-jhipster-vuejs/node_modules/yeoman-generator
generator-jhipster-vuejs <=0.0.3
Depends on vulnerable versions of yeoman-generator
node_modules/generator-jhipster-vuejs
generator-jhipster 2.19.0 - 7.0.0-beta.0
Depends on vulnerable versions of axios
Depends on vulnerable versions of jhipster-core
Depends on vulnerable versions of lodash
node_modules/generator-jhipster
inquirer <=0.11.4
Depends on vulnerable versions of lodash
node_modules/generator-jhipster-vuejs/node_modules/inquirer
jhipster-core *
Depends on vulnerable versions of lodash
node_modules/jhipster-core
tunnel-agent <0.6.0
Severity: moderate
Memory Exposure - https://npmjs.com/advisories/598
fix available via `npm audit fix --force`
Will install generator-jhipster-vuejs@1.9.2, which is a breaking change
node_modules/caw/node_modules/tunnel-agent
caw <=2.0.0
Depends on vulnerable versions of tunnel-agent
node_modules/caw
download 4.0.0 - 5.0.0
Depends on vulnerable versions of caw
Depends on vulnerable versions of gulp-decompress
node_modules/download
yeoman-generator <=0.24.1
Depends on vulnerable versions of download
Depends on vulnerable versions of html-wiring
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of lodash
node_modules/generator-jhipster-vuejs/node_modules/yeoman-generator
generator-jhipster-vuejs <=0.0.3
Depends on vulnerable versions of yeoman-generator
node_modules/generator-jhipster-vuejs
20 vulnerabilities (7 low, 2 moderate, 11 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
I have a few react projects that were started using "npx create-react-app" and if I run "npm audit" they come back with:
# npm audit report
immer <8.0.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1603
fix available via `npm audit fix --force`
Will install react-scripts@2.0.5, which is a breaking change
node_modules/react-dev-utils/node_modules/immer
react-dev-utils >=6.0.6-next.9b4009d7
Depends on vulnerable versions of immer
node_modules/react-dev-utils
react-scripts >=2.0.6-next.9b4009d7
Depends on vulnerable versions of react-dev-utils
node_modules/react-scripts
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
I have tried running npm audit fix and that doesn't fix the issue.
I have tried running npm audit fix --force which results in even more errors.
I have tried running npm i immer@8.0.1 which also does not work.
I am using nvm with node version 14.15.5 and npm version 7.5.4. I recently updated nvm to the latest version (0.37.2) and changed the default to the latest node lts (14.15.5), so I believe this may be the culprit but I can't figure out how to fix these 3 vulnerabilities.
A possibility is that there's an issue with me having not moved my global packages to the newer version of node.
Any help is much appreciated.
The issue has now been fixed. Just run npm audit fix.