Explain my screenshot to me.
I don't know how to do it, but I tried this: 'npm audit fix --force'. Please help me.
I get this error:
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated opn@6.0.0: The package has been renamed to `open`
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
changed 204 packages, and audited 205 packages in 9s
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details
DON'T PANIC! Just kidding of course...
npm has evolved over the years and protects its users against potential security risks. If the selected package is using old or risky dependencies, it may raise some warnings regarding the package integrity. First let's have a look at the official package page, and right at the top we see this:
This is a little development server with live reload capability. Use
it for hacking your HTML/JavaScript/CSS files, but not for deploying
the final site.
Now we instantly know that the main purpose of this package is to mimic a live server for web apps, and we also know that the author himself does not recommend using this in production.
Why does this matter? Well, if we intend to use it locally and build our production project without it, there is a very small risk in using it locally (as long as your local build is NOT deployed from your machine to a remote machine / service).
If we want to be on the safe side, a quick search (using npm search) will turn up similar yet better supported packages like livereload. Just compare the weekly download stats and how many dependencies it has (the more dependencies a package uses, the more risk you'll have that some of them are outdated and may result in security risks) to get an educated guess whether the package you are using is suitable for your needs or not.
Cheers
I'm new to coding. I'm using Windows 10 and just installed a WSL. I want to install Ganache using the command npm install -g ganache-cli but it says it has 8 vulnerabilities (7 moderate, 1 high)
When I write npm audit fix or npm audit fix --force it says that there are no vulnerabilities. I don't understand where the problem is.
My NPM version is 8.3.0
There's no real reason to be alarmed about the vulnerabilities npm reports, especially for a new project. Most of the time, these vulnerabilities won't actually affect your project. Be careful using npm audit fix, especially npm audit fix --force, because it can upgrade or downgrade packages, affecting functionality. If you do use it and it says 0 vulnerabilities after, that means it fixed all of them.
Packages are open-sourced so the community would spot any damaging or sneaky code, especially popular packages such as ganache-cli.
Read more here: https://www.voitanos.io/blog/don-t-be-alarmed-by-vulnerabilities-after-running-npm-install/
npm WARN deprecated tar@2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
changed 67 packages, and audited 68 packages in 7s
4 packages are looking for funding
run `npm fund` for details
2 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
This kind of problem is quite common for npm users. Your package.json file mentions multiple npm packages you need. And each of those packages' package.json file in turn refers to other packages, and so on. Somewhere in there some package refers to version 2.2.2 of tar. But the current version of tar is 6.2.2.
You can, as the error message says, run npm audit to find the offending package: that is, the package that wants the old version of tar (tar@2.2.2).
How to try to fix this?
If it's your package.json that loads tar@2.2.2, try running these two commands:
npm remove tar --save
npm install tar --save
to get the latest.
Try running npm update --save. It will examine your nest of npm packages, and bring them up to more recent versions. That may, or may not, replace the offending package with a more recent version. It does this by updating a file called package-lock.json containing the explicit versions. If that doesn't work ...
Try running npm audit again to see what the situation is. Then, try npm audit --fix. If that doesn't work ...
File an issue on the github repository of the offending package asking for an update.
Look for another package with the same functionality as the offending package and replace it.
Decide you will live with the warning. (If your software is used in production, that may be unwise, because cybercreeps.)
Ask another question here and mention the offending package.
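The answer above says to find "the offending package" that wants the old tar. As an added example (not code from any post on this page), the Node script below walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3, as written by npm 7 and later) and prints every dependency chain that ends at a given package version; the LOCK object is a constructed lockfile fragment, not a real project's.

```javascript
// Added example, not from any post on this page. Given the "packages" map of a
// package-lock.json (lockfileVersion 2 or 3), report which dependency chain
// pulls in a given package version, e.g. the tar@2.2.2 from the warning above.
// LOCK below is a constructed lockfile fragment for illustration only.
const LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "old-tool": "^1.0.0", tar: "^6.0.0" } },
    "node_modules/tar": { version: "6.2.2" },
    "node_modules/old-tool": { version: "1.0.0", dependencies: { tar: "^2.0.0" } },
    "node_modules/old-tool/node_modules/tar": { version: "2.2.2" },
  },
};
// Mimic Node's lookup: try node_modules/<name> beside the dependent, then walk
// up one node_modules level at a time until the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Return every root-to-target chain (as package names) that ends at an
// installed copy of `name` whose version is exactly `version`.
function findDependents(lock, name, version) {
  const packages = lock.packages;
  const parents = {}; // installed path -> paths of the packages depending on it
  for (const [path, entry] of Object.entries(packages)) {
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(packages, path, dep);
      if (target) (parents[target] = parents[target] || []).push(path);
    }
  }
  const pkgName = (p) => p.split("node_modules/").pop(); // keeps @scope/name intact
  const chains = [];
  const walk = (path, acc) => {
    if (path === "") return chains.push(acc.slice().reverse());
    for (const parent of parents[path] || []) walk(parent, acc.concat(pkgName(path)));
  };
  for (const [path, entry] of Object.entries(packages)) {
    if (path.endsWith("node_modules/" + name) && entry.version === version) walk(path, []);
  }
  return chains;
}
console.log(findDependents(LOCK, "tar", "2.2.2").map((c) => c.join(" > ")));
```

To use it on a real project, replace LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; each printed chain names the top-level dependency you would update, replace, or report upstream.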
My setup
MacOS = Catalina 10.15.4 (latest version)
nvm = 0.35.3 (latest version)
node.js = 12.16.3 (latest LTS version). Installed inside of nvm directories.
npm = 6.14.4 (latest version). Installed inside of nvm directories.
note: no global installations inside of usr/local.
My problem
I use npm init -y to create my package.json. No problems here.
I use npm install --save-dev @babel/core. No problems here. I get version 7.9.6.
Then when I use npm install --save-dev @babel/cli I am getting back:
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
The @babel/cli version is 7.8.4.
My attempts to fix the problem
npm install chokidar@3 gives me the exact same warnings.
npm install chokidar followed by npm install --save-dev @babel/cli gives me the exact same warnings.
npm upgrade chokidar gives me absolutely nothing. The terminal simply starts a new line.
I have installed xcode's command line tools (version 11.4.1 - latest non-beta) and the problem persists.
I uninstalled node.js and npm and then re-installed using nvm. The problem still persists.
I have tried reading through the installation guides and documentation at www.babeljs.io, but a lot of the information seems to be out of date and/or contradicts itself. I can't find any YouTube videos that may discuss the problem because they are also out of date. All the posts on stackoverflow.com that even slightly relate to this issue are also out of date. My biggest problem is trying to find information that isn't out of date.
I'm very stuck. I'm struggling to think of what direction to go in next to try and figure out how to fix these deprecation warnings.
Any help would be really appreciated.
As of 7.10.3, Babel requires the deprecated chokidar to provide backward compatibility for Node 6.
As I understand Babel 8 will drop support for Node 6.
Please see the following 2 babel issues for more information on this topic:
Babel issue 9981 and Babel issue 10684
Regarding urix and resolve-url, the Babel source tree references source-map-resolve@0.5.3, which in turn references the deprecated urix and resolve-url.
As shown in the warning messages in your post, the links for resolve-url and urix explain that "The solution is to make your dependency chain update to source-map-resolve version 0.6.0 or later, or switch to dependencies not using source-map-resolve at all." However, whether you are keen to chance messing with the Babel dependency tree is another story.
Deprecated, however, does not mean broken, and as you are using Node 12.16.3 and the warnings state failure only from Node 14+, my expectation is that they should still perform as desired in your scenario.
I am trying to install the expo-cli using nvm but for some reason it will get to a certain point during installation and then just stop.
I have tried using different node versions along with trying to remove the permissions that could have potentially been blocking the installation, but still no luck. This is what shows in the console:
npm WARN deprecated joi@14.0.4: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated @babel/polyfill@7.4.4: As of Babel 7.4.0, this
npm WARN deprecated package has been deprecated in favor of directly
npm WARN deprecated including core-js/stable (to polyfill ECMAScript
npm WARN deprecated features) and regenerator-runtime/runtime
npm WARN deprecated (needed to use transpiled generator functions):
npm WARN deprecated
npm WARN deprecated > import "core-js/stable";
npm WARN deprecated > import "regenerator-runtime/runtime";
npm WARN deprecated joi@11.4.0: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated topo@2.0.2: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated hoek@4.2.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated topo@3.0.3: This module has moved and is now available at @hapi/topo. Please update your dependencies as this version is no longer maintained an may contain bugs and security issues.
npm WARN deprecated hoek@6.1.3: This module has moved and is now available at @hapi/hoek. Please update your dependencies as this version is no longer maintained an may contain bugs and security issues.
npm WARN tarball tarball data for @expo/traveling-fastlane-linux@1.9.11 (sha512-xCHnqKfwWYygQfRbi9MGNSG28EHKDtzMB+QDklSH1GeD90TA0beAjlNF+Z+KPxj28s3WZlQr9yw1AqBS7aipcw==) seems to be corrupted. Trying one more time.
Which terminal are you using? If it's Git Bash, the issue arises there; try using any other terminal and it works.
I had this exact same problem ("tarball data for @expo/traveling-fastlane-linux@1.9.11 seems to be corrupted") on the command line (instead of PowerShell) on Windows 10, and running cmd as administrator solved the issue.
I have the same problem. It looks like it is a permission issue. Following the documentation, I reinstalled npm with a node version manager. As I'm a Linux user, I use nvm (check the documentation to choose the adequate manager for your system).
After uninstalling both npm and node, I ran:
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.1/install.sh | bash
Check installation using:
command -v nvm
The output must be nvm.
Finally, run:
npm install -g expo-cli
Say we publish an NPM package that ends up having a bug, say in version 1.0.056.
Is there a way to tell NPM to blacklist it, meaning that if users have this in package.json:
^1.0.05
that it would endeavor to only install 1.0.057 or 1.0.055?
The idea is that when you patch the bug, if it doesn't impact any of the exposed API, there is not much reason to make a big semver change? Or maybe, on the other hand, an important bugfix should call for a minor version change?
Obviously NPM doesn't encourage people to delete packages (we want immutability), but unless a user explicitly requests that version, I want NPM to avoid installing it at all costs.
npm deprecate covers a historical version when you discover a problem later:
npm deprecate <pkg>[@<version>] <message>
This command will update the npm registry entry for a package, providing a deprecation warning to all who attempt to install it.
If it was only just published (within 72 hours) then there is also:
npm unpublish [<@scope>/]<pkg>[@<version>]
This removes a package version from the registry, deleting its entry and removing the tarball.
https://www.npmjs.com/policies/unpublish
https://docs.npmjs.com/cli/unpublish