My npm audit report shows handsontable as "no fix available".
I am trying to ignore the handsontable package by running npm audit --ignore handsontable or npm audit --ignore=handsontable.
It is not ignoring the package.
Is there any flag to ignore certain packages during npm audit and npm audit fix?
As of today, 21 Sept 2022, npm audit has 2 ways to filter vulnerabilities:
audit-level - sets the minimum level of vulnerability for npm audit to exit with a non-zero exit code.
omit - selects dependency types (dev/prod) to omit from the installation tree on disk.
You can see more about npm audit flags here.
There is no way to ignore specific vulnerabilities yet. I believe npm will have it soon; the discussion is still ongoing.
I recommend using the npm package better-npm-audit. Link here.
You can create a .nsprc file and ignore vulnerabilities by ID, CWE ID or GHSA ID as shown below:
{
  "1337": {
    "active": true,
    "notes": "Ignored since we don't use xxx method",
    "expiry": 1615462134681
  },
  "4501": {
    "active": false,
    "notes": "Ignored since we don't use xxx method"
  },
  "CWE-471": "CWE ID is acceptable",
  "GHSA-ww39-953v-wcq6": "GHSA ID is acceptable",
  "https://npmjs.com/advisories/1213": "Full or partial URL is acceptable too"
}
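To make the .nsprc semantics concrete, here is an added example (not code from better-npm-audit or from the answer above) that applies an exception list in that format to a set of advisory records. The advisory records, module names, and every id other than those already in the .nsprc are constructed for the example, and the record fields (id, ghsa, cwe, url, module) are an assumption rather than npm's exact audit JSON layout. The point it shows is the failure mode a reviewer cares about: an entry marked inactive, or one whose expiry timestamp has passed, stops suppressing the finding and the advisory is reported again.

```javascript
// Added example: apply an .nsprc-style exception list to advisory records.
// Not code from better-npm-audit or from the answer; the record shape used
// below is an assumption for the example, not npm's exact audit JSON.

// The .nsprc from the answer above, as a JavaScript object.
const nsprc = {
  "1337": { active: true, notes: "Ignored since we don't use xxx method", expiry: 1615462134681 },
  "4501": { active: false, notes: "Ignored since we don't use xxx method" },
  "CWE-471": "CWE ID is acceptable",
  "GHSA-ww39-953v-wcq6": "GHSA ID is acceptable",
  "https://npmjs.com/advisories/1213": "Full or partial URL is acceptable too",
};

// Constructed sample advisories: ids 1337, 4501, 1213 and the GHSA id come
// from the .nsprc above; every other id, CWE and module name is made up.
const advisories = [
  { id: 1337, ghsa: "GHSA-aaaa-bbbb-cccc", cwe: ["CWE-79"],  url: "https://npmjs.com/advisories/1337", module: "left-pad" },
  { id: 4501, ghsa: "GHSA-dddd-eeee-ffff", cwe: ["CWE-22"],  url: "https://npmjs.com/advisories/4501", module: "tar-thing" },
  { id: 2000, ghsa: "GHSA-ww39-953v-wcq6", cwe: ["CWE-400"], url: "https://npmjs.com/advisories/2000", module: "slow-re" },
  { id: 3000, ghsa: "GHSA-gggg-hhhh-iiii", cwe: ["CWE-471"], url: "https://npmjs.com/advisories/3000", module: "proto-pollute" },
  { id: 1213, ghsa: "GHSA-jjjj-kkkk-llll", cwe: ["CWE-20"],  url: "https://npmjs.com/advisories/1213", module: "validator-ish" },
  { id: 9999, ghsa: "GHSA-mmmm-nnnn-oooo", cwe: ["CWE-79"],  url: "https://npmjs.com/advisories/9999", module: "templating" },
];

// An entry is live when it is a bare string, or an object that is not
// explicitly inactive and whose expiry (ms since the epoch) has not passed.
function exceptionIsLive(entry, nowMs) {
  if (typeof entry === "string") return true;
  if (entry.active === false) return false;
  if (typeof entry.expiry === "number" && entry.expiry <= nowMs) return false;
  return true;
}

// True if some live exception covers the advisory by numeric id, GHSA id,
// any listed CWE, or a full/partial URL (URL keys are recognised by their "/").
function isExcepted(adv, exceptions, nowMs) {
  return Object.keys(exceptions).some((key) => {
    if (!exceptionIsLive(exceptions[key], nowMs)) return false;
    if (key === String(adv.id) || key === adv.ghsa || adv.cwe.includes(key)) return true;
    return key.includes("/") && adv.url.endsWith(key);
  });
}

// Modules whose advisories are NOT covered by a live exception, in input order.
function remainingModules(advs, exceptions, nowMs) {
  return advs.filter((adv) => !isExcepted(adv, exceptions, nowMs)).map((adv) => adv.module);
}

// Stand-alone run: the 1337 entry expired in March 2021, so as of the
// answer's date (21 Sept 2022) left-pad is reported again.
const asOfAnswer = Date.UTC(2022, 8, 21);
console.log("still reported:", remainingModules(advisories, nsprc, asOfAnswer));
```

Run it with node. The expiry value in .nsprc is a millisecond epoch timestamp, so a reviewer can check whether a suppression is still in force by comparing it with Date.now(); entries with active: false are effectively documentation only.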
Related
I have a private dummy project in gitlab which I want to publish to gitlab's package registry. My dummy project contains four files:
package.json
{
  "name": "@<my-group>/<my-project>",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "repository": {
    "type": "git",
    "url": "git+https://gitlab.com/<my-group>/<my-project>.git"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "bugs": {
    "url": "https://gitlab.com/<my-group>/<my-project>/issues"
  },
  "homepage": "https://gitlab.com/<my-group>/<my-project>#readme"
}
.gitlab-ci.yml
image: node:latest
stages:
  - deploy
deploy:
  stage: deploy
  script:
    - echo "@<my-group>:registry=https://${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/">.npmrc
    - echo "//${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=${CI_JOB_TOKEN}">>.npmrc
    - npm publish
index.js
console.log('success');
README.md
<my-project>
When I commit my project to gitlab, the job fails with the following output:
npm notice package: @<my-group>/<my-project>@1.0.0
npm notice === Tarball Contents ===
npm notice 8B README.md
npm notice 20B index.js
npm notice 612B package.json
npm notice === Tarball Details ===
npm notice name: @<my-group>/<my-project>
npm notice version: 1.0.0
npm notice filename: <my-group>-<my-project>-1.0.0.tgz
npm notice package size: 475 B
npm notice unpacked size: 640 B
npm notice shasum: 7b3db...
npm notice integrity: sha512-xDv0dl9A86...
npm notice total files: 3
npm notice
npm notice Publishing to https://gitlab.com/api/v4/projects/<my-project-id>/packages/npm/ with tag latest and default access
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://gitlab.com/api/v4/projects/<my-project-id>/packages/npm/@<my-group>%2f<my-project> - insufficient_scope
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.
NOTE:
I have replaced the actual group name, project name and project id with <my-group>, <my-project>, and <my-project-id> in the code sections above.
I have followed GitLab's official documentation on setting this up (see https://docs.gitlab.com/ee/user/packages/npm_registry/) and believe that I can safely rule out the following:
I have made sure that Package registry is enabled in the project setup.
I followed the naming convention as described in the documentation.
I am using a CI_JOB_TOKEN, which should always be valid and should have appropriate permissions.
I made sure that there is no other package with the same name or version within the given scope.
I have made sure that the scoped package's URL includes a trailing slash (see .gitlab-ci.yml above).
I have confirmed the path of the <my-group> namespace by querying https://gitlab.com/api/v4/groups (just to make sure that the root namespace is correct).
I have used npm init --scope=@<my-group> --yes for initialization.
The URL of the repository is indeed: https://gitlab.com/<my-group>/<my-project>/
Any help on getting this to work would be much appreciated.
After changing from a job token ${CI_JOB_TOKEN} to a deploy token ${CI_DEPLOY_PASSWORD}, I was able to publish to the registry.
See Predefined variables reference for more info on predefined variables.
GitLab deploy tokens can be created for projects under Settings > Repository > Deploy tokens with the following scopes: read_repository, read_package_registry, write_package_registry.
I can't install vuetify. error Component name "Home" should always be multi-word vue/multi-word-component-names
Below is the full message:
There are uncommitted changes in the current repository, it's recommended to commit or stash them first.
? Still proceed? yes
📦 Installing vue-cli-plugin-vuetify...
up to date, audited 1735 packages in 9s
164 packages are looking for funding
run npm fund for details
17 vulnerabilities (6 moderate, 11 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run npm audit for details.
✔ Successfully installed plugin: vue-cli-plugin-vuetify
? Choose a preset: Vuetify 2 - Vue CLI (recommended)
🚀 Invoking generator for vue-cli-plugin-vuetify...
WARN conflicting versions for project dependency "sass-loader":
- ^12.0.0 injected by generator "undefined"
- ^10.0.0 injected by generator "vue-cli-plugin-vuetify"
Using newer version (^12.0.0), but this may cause build errors.
⠋ Running completion hooks...
C:\Users\allan\Downloads\Projects\curso-vue\vue-cli\project-plugins\src\views\HomeView.vue
9:11 error Component name "Home" should always be multi-word vue/multi-word-component-names
✖ 1 problem (1 error, 0 warnings)
So far I have tried to change the component name "Home" to "HomeView" in HomeView.vue, but when I try to install vuetify again, after the process terminates, "HomeView" returns to being "Home".
I tried the ways below but the error remains:
first try:
{
  "vue/multi-word-component-names": ["error", {
    "ignores": ["Home"]
  }]
}
second try:
{
  "vue/multi-word-component-names": ["error", {
    "ignoreIfComponentName": "/^[a-z]+$/"
  }]
}
I tried these 2 ways in .eslintrc.js; what could I be doing wrong?
I used "axios": "^0.19.2", and running npm i gave the warning "npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1.", so I ran npm update -S axios to update it. But it failed to update axios. I ran yarn upgrade axios but it failed too.
I had thought there might be a module that required 0.19.2, so I checked package-lock.json, and I found the only module in my project that requires axios is pm2, but it requires "axios": "^0.21.0":
"@pm2/js-api": {
  "version": "0.6.7",
  "resolved": "https://registry.npmjs.org/@pm2/js-api/-/js-api-0.6.7.tgz",
  "integrity": "sha512-xxxxxxxx",
  "requires": {
    "async": "^2.6.3",
    "axios": "^0.21.0",
    "debug": "~4.3.1",
    "eventemitter2": "^6.3.1",
    "ws": "^7.0.0"
  },
I have no idea why npm update failed to update axios. I then ran npm uninstall axios and npm install -S axios, and then "axios": "^0.27.2" was installed.
But why?
--- update ---
To verify whether I can reproduce this issue or not, I created a project at https://github.com/qiulang/npm-update-error-demo
It shows that even when I have only one dependency, axios, npm update axios still fails to update it. BTW I use npm 8.x (tried both 8.5 & latest 8.11).
When I run npm update -S axios --loglevel verbose with npm 6 I get the result:
npm verb outdated not updating axios because it's currently at the
maximum version that matches its specified semver range
If I run with npm 8 I even get a 404 error:
npm verb audit error HttpErrorGeneral: 404 Not Found - POST
https://registry.npmmirror.com/-/npm/v1/security/audits/quick
So I had thought: could this be an npm bug? Suddenly I realized this was caused by the caret ranges (^) I used, because normally ^ means patch and minor updates (most people are familiar with that), but it only means patch updates for versions 0.X >=0.1.0, as the npm documentation says:
Many authors treat a 0.x version as if the x were the major
"breaking-change" indicator.
Caret ranges are ideal when an author may make breaking changes
between 0.2.4 and 0.3.0 releases, which is a common practice.
...
^0.2.3 := >=0.2.3 <0.3.0
BTW, because many answers were given to What's the difference between tilde(~) and caret(^) in package.json?, the answer about patch-only updates for ^0.x was buried among them.
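As an added illustration of the caret rule the question arrives at (example code, not from the question, from npm or from the semver package), here is a minimal resolver for ^ ranges. It handles only plain MAJOR.MINOR.PATCH versions and ^x.y.z specs, and the version list is constructed for the example rather than taken from the real axios release history. It shows that the highest version inside ^0.19.2 is still 0.19.2, so an update cannot reach the 0.21.1 fix the deprecation warning points at, whereas a ^1.x range reaches every later 1.x release.

```javascript
// Added example: minimal caret-range resolution, following the semver rules
// quoted in the question. Not code from npm or the semver package; the
// version list below is constructed, not the real axios release history.

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; pre-release tags are not supported.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Negative, zero or positive like a sort comparator.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Exclusive upper bound of a caret range: the leftmost non-zero component
// may not change. ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound(spec) {
  if (!spec.startsWith("^")) throw new Error(`only caret specs are supported: ${spec}`);
  const [major, minor, patch] = parseVersion(spec.slice(1));
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// version >= lower bound and < upper bound.
function satisfiesCaret(version, spec) {
  const lower = spec.slice(1);
  return compareVersions(version, lower) >= 0 && compareVersions(version, caretUpperBound(spec)) < 0;
}

// Highest available version inside the range (what an update would pick), or null.
function resolveCaret(spec, available) {
  const ok = available.filter((v) => satisfiesCaret(v, spec));
  return ok.length ? ok.sort(compareVersions).pop() : null;
}

// Can a range update ever land on the release that contains the fix?
function fixIsReachable(spec, fixedVersion) {
  return satisfiesCaret(fixedVersion, spec);
}

// Constructed version list (not the real axios release history).
const available = ["0.19.0", "0.19.2", "0.20.0", "0.21.0", "0.21.1", "0.27.2"];

// Stand-alone run: ^0.19.2 resolves to 0.19.2 and never reaches 0.21.1.
console.log("^0.19.2 ->", resolveCaret("^0.19.2", available), "range", `>=0.19.2 <${caretUpperBound("^0.19.2")}`);
console.log("fix 0.21.1 reachable from ^0.19.2:", fixIsReachable("^0.19.2", "0.21.1"));
console.log("^0.21.0 ->", resolveCaret("^0.21.0", available));
```

Run it with node. The useful check when triaging a deprecation or audit warning against a pinned 0.x range is fixIsReachable: when it returns false, npm update cannot close the finding, and the spec in package.json itself has to change, which is what the question's npm uninstall / npm install -S sequence did.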
We have a monorepo with a shared package called "@myorganization/common" that is used by both the app and Google Cloud Functions.
Google Cloud Functions requires that the package be published to a repo to use it, since we do not publish compiled code, which could include local packages, but directly the raw TypeScript.
I found several tutorials, but not for the use case of combining private packages and organizations.
I cd into the packages/common directory.
I added the following lines to my package.json:
"publishConfig": { "registry": "https://npm.pkg.github.com/" },
"repository": {
  "url": "git@github.myorganization/common.git"
},
I created a personal Auth Token on GitHub with full repo, packages and org rights.
Then I login to my organization:
npm login --registry=https://npm.pkg.github.com --scope=@myorganization
Then I hit:
npm publish
I get the following error:
npm ERR! code EPRIVATE
npm ERR! This package has been marked as private
npm ERR! Remove the 'private' field from the package.json to publish it.
I want this package to be only usable by organization members. It shall be both used as a local private package within the lerna monorepo, when used by React Native, and used by Google Cloud Function by getting it from GitHub packages. Yet no other people shall be able to access it.
Is it something that is possible ?
Regards
Edit:
I tried to update package.json, removing private=true and trying to ensure I publish it to my private organization:
"publishConfig": {
  "registry": "https://npm.pkg.github.com/:_authToken=xxxx --scope=@myorganization"
},
I now get the error:
npm ERR! code E404
npm ERR! 404 Not Found - PUT https://npm.pkg.github.com/@myorganization%2fcommon - The expected resource was not found.
npm ERR! 404
npm ERR! 404 '@myorganization/common@0.0.7' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
I was facing the exact same issue. Here's what worked for me.
I had to create that organization (i.e. myorganization in your example) on GitHub and a repo with the same name (i.e. common in your example) under that organization, and it worked.
I want to use newman to generate a report in CSV format. When I run the command to install it, sudo npm install csv,
it shows a warning message like this:
npm WARN mycomputer@1.0.0 No description
npm WARN mycomputer@1.0.0 No repository field.
+ csv@5.3.2
updated 1 package and audited 369 packages in 1.785s
2 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
I don't know how to fix it, please help
You need to amend your package.json file and add
"description": "",
"repository": {
},
and you can specify the following for the repo:
"type": "git",
"url": "https://github.com/[package].git"