Why did npm update axios fail to update but npm uninstall then install can? - npm

I used "axios": "^0.19.2", and running npm i gave the warning "npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1." so I ran npm update -S axios to update it. But it failed to update axios. I ran yarn upgrade axios but it failed too.
I had thought there may be a module that required 0.19.2, so I checked package-lock.json and found that the only module in my project that requires axios is pm2, but it requires "axios": "^0.21.0",
"@pm2/js-api": {
  "version": "0.6.7",
  "resolved": "https://registry.npmjs.org/@pm2/js-api/-/js-api-0.6.7.tgz",
  "integrity": "sha512-xxxxxxxx",
  "requires": {
    "async": "^2.6.3",
    "axios": "^0.21.0",
    "debug": "~4.3.1",
    "eventemitter2": "^6.3.1",
    "ws": "^7.0.0"
  },
I have no idea why npm update failed to update axios. I then ran npm uninstall axios and npm install -S axios, and then "axios": "^0.27.2" was installed.
But why ?
--- update ---
To verify whether I could reproduce this issue, I created a project at https://github.com/qiulang/npm-update-error-demo
It shows that even if I only have one dependency, axios, npm update axios still fails to update. BTW I use npm 8.x (tried both 8.5 and the latest 8.11).

When I run npm update -S axios --loglevel verbose with npm 6 I got the result
npm verb outdated not updating axios because it's currently at the
maximum version that matches its specified semver range
If I run with npm 8 I even got a 404 error
npm verb audit error HttpErrorGeneral: 404 Not Found - POST
https://registry.npmmirror.com/-/npm/v1/security/audits/quick
So I had thought: could this be an npm bug? Suddenly I realized this was caused by the caret range ^ I used, because normally ^ means patch and minor updates (most people are familiar with that), but it only means patch updates for versions 0.X >=0.1.0, as the npm documentation says:
Many authors treat a 0.x version as if the x were the major
"breaking-change" indicator.
Caret ranges are ideal when an author may make breaking changes
between 0.2.4 and 0.3.0 releases, which is a common practice.
...
^0.2.3 := >=0.2.3 <0.3.0
BTW, because many answers were given to "What's the difference between tilde(~) and caret(^) in package.json?", the answer about patch-only for ^0.x was buried in them.
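Added example (not part of the original post, and not npm's own code): a simplified caret-range check for plain x.y.z versions, showing why "^0.19.2" can never reach the fixed 0.21.1 while "^0.21.0" can. The function names are hypothetical and the version list is a constructed sample using only versions named in the post.

```javascript
// Added example: caret-range bounds for plain x.y.z versions only
// (no prerelease tags or partial versions; a simplification of npm's semver).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// ^x.y.z allows changes that do not modify the left-most non-zero element.
// Returns [lowerInclusive, upperExclusive] as number triples.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lo = parse(range.slice(1));
  const first = lo.findIndex((n) => n !== 0);
  const pivot = first === -1 ? 2 : first; // ^0.0.0 := >=0.0.0 <0.0.1
  const hi = lo.map((n, i) => (i < pivot ? n : i === pivot ? n + 1 : 0));
  return [lo, hi];
}

function satisfies(version, range) {
  const [lo, hi] = caretBounds(range);
  const v = parse(version);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Highest published version that the range admits: what `npm update` can reach.
function maxSatisfying(published, range) {
  const ok = published.filter((v) => satisfies(v, range));
  ok.sort((a, b) => compare(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample: a subset of axios versions named in the post.
const published = ['0.19.2', '0.21.0', '0.21.1', '0.27.2'];
const fixedIn = '0.21.1';

for (const range of ['^0.19.2', '^0.21.0']) {
  const [, hi] = caretBounds(range);
  console.log(`${range} := >=${range.slice(1)} <${hi.join('.')}`,
    '| update reaches', maxSatisfying(published, range),
    '| admits fix:', satisfies(fixedIn, range));
}
```

With a 0.x caret range, a deprecation warning that names a fix in a later 0.y release means the range in package.json itself has to be edited; an update within the range stays on the flagged version.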

Related

Why are certain conflicting peer dependencies resolved when you remove the package-lock.json and node modules

Context
I joined a new project where I was asked to upgrade React from version 17 to 18. After upgrading react and react-dom and some other dependencies I got some warnings, which had to do with dependencies.
npm install react@latest react-dom@latest
Some of them I was able to resolve easily, by updating some packages. This was until I tried resolving the following warning:
npm WARN Conflicting peer dependency: react@17.0.2
npm WARN node_modules/react
npm WARN peer react@"^16.3.0 || ^17.0.0" from react-side-effect@2.1.1
npm WARN node_modules/react-helmet/node_modules/react-side-effect
npm WARN react-side-effect@"^2.1.0" from react-helmet@6.1.0
npm WARN node_modules/react-helmet
Already I am a bit surprised by the react@17.0.2. Apparently there is another version of React still in dependencies, that is required by another package.
Package that requires React 17.0.2
"<CUSTOM PACKAGE MADE BY SOMEONE ELSE>": {
"version": "0.3.0",
"resolved": <LINK>,
"integrity": "sha1-Ah72HLxApcdcSPGRIE/L7wjy8Ec=",
"dependencies": {
<CUSTOM PACKAGE MADE THE SAME PERSON 2>: "^0.1.6",
"react": "^17.0.2",
"react-dom": "^17.0.2",
"react-scripts": "5.0.0"
}
},
The actual dependency
"react": {
"version": "17.0.2",
"resolved": "https://registry.npmjs.org/react/-/react-17.0.2.tgz",
"integrity": "sha512-gnhPt75i/dq/z3/6q/0asP78D0u592D5L1pd7M8P+dck6Fu/jJeL6iVVK23fptSUZj8Vjf++7wXA8UNclGQcbA==",
"requires": {
"loose-envify": "^1.1.0",
"object-assign": "^4.1.1"
}
Ancillary Question
Would having 2 versions of React in your package-lock.json not cause problems? I can't imagine these two versions being used simultaneously. My guess would be that in this case this should be a peer dependency, am I correct to assume that?
Attempts
At first I thought that I could not update React yet, until react-helmet would be patched. I let my colleagues know, and they all said that another project also used react-helmet and they were able to update React. What?! Great impression on new colleagues 😄.
Indeed opening the other project and installing the new React version there did not cause the same warning.
Question
As an experiment I decided to remove the package-lock.json entirely. This resulted in the same errors. Removing the package-lock.json and the node_modules resolved it however! Why is this the case? The package that requires React 17.0.2 is still there as is the dependency for React version 17.0.2. Yet somehow, it is no longer a problem.
Any help to understand why this would resolve the situation would be greatly appreciated.
Note
react-helmet seems to be unmaintained, so will need to be removed eventually. This is not what my question is about.
Apparently removing the node_modules and package-lock.json did not help at all. Removing both does not trigger the warning on the first install. Once you run npm install again, the same warning will show.
So it seems the warnings do not show up at the first 'clean' install. This also seems to be true at the other project, however there is something more going on there.
In this case it will probably mean that we will need to replace react-helmet with react-helmet-async and update the version of the custom package.

Problems trying to install using npm: "core-js@<3 is no longer maintained"

I've been following along with a web dev tutorial and I'm stuck at this part: https://btholt.github.io/intro-to-web-dev-v2/libraries#building-your-code
I've been trying for a couple of days to install parcel-bundler and can't figure out what I'm doing wrong. I also tried Prettier and get the same errors. I'm so frustrated and running out of ideas.
I'm running npm 6.14.4 and node 12.16.2.
This is the error npm install -g parcel-bundler in Users/myName (Catalina 10.15):
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
/Users/myName/.node_modules_global/bin/parcel -> /Users/myName/.node_modules_global/lib/node_modules/parcel-bundler/bin/cli.js
> parcel-bundler@1.12.4 postinstall /Users/myName/.node_modules_global/lib/node_modules/parcel-bundler
> node -e "console.log('\u001b[35m\u001b[1mLove Parcel? You can now donate to our open collective:\u001b[22m\u001b[39m\n > \u001b[34mhttps://opencollective.com/parcel/donate\u001b[0m')"
Love Parcel? You can now donate to our open collective:
> https://opencollective.com/parcel/donate
+ parcel-bundler@1.12.4
updated 1 package in 18.055s
And if I try to run parcel --help I'm told: -bash: parcel: command not found
So I try to fix that first warning. I list the links to the SO articles that I tried at the bottom. I tried deleting node_modules in home directory and doing npm install again. I tried npm install --save core-js@^3. I tried doing a forced clean cache and reinstalling. I tried npm update.
This is my package.json:
{
"name": "generic_package", <-- manually changed from myName
"version": "1.0.0",
"description": "Test description", <-- manually added to remove "no description" error
"main": ".mongorc.js",
"dependencies": {
"core-js": "^3.6.5", <-- looks like it's using >3v
"lodash": "^4.17.15",
"parcel-bundler": "^1.12.4", <-- looks like it's there??
"prettier": "^2.0.4"
},
"devDependencies": {},
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1",
"build": "node build/build.js" <-- manually added as per an SO article
},
"keywords": [],
"author": "",
"license": "ISC",
"repository": { <-- manually added this object as per an SO article
"type": "git",
"url": "https://github.com/npm/npm.git",
"private": true <-- manually added as per another SO article
}
}
Error: Please, upgrade your dependencies to the actual version of core-js@3
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues
npm WARN deprecated core-js@2.6.11
How to update core-js to core-js@3 dependency?
Problems installing express using npm.
The reason for the message npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained is because parcel-bundler has a transitive dependency on core-js@2.6.11, which is no longer supported.
It appears that parcel was installed correctly, so you should be able to run it. On Linux systems, it would have created a symlink under /usr/local/bin/parcel. Make sure that "/usr/local/bin" is in your PATH.
You can also run it as follows:
npm run-script parcel
On newer versions of NPM, you can run this:
npx parcel

What exactly does "next" mean in package.json dependencies?

What exactly does next mean in package.json dependencies?
"dependencies": {
"react": "^15.4.2",
"react-dom": "^15.4.2",
"react-router-dom": "next"
}
The next tag is used by some projects to identify the upcoming version. By default, other than latest, no tag has any special significance to npm itself.
NPM Documentation
Specifically, and according to the documentation I found this helpful:
By default, the latest tag is used by npm to identify the current
version of a package, and npm install <pkg> (without any @<version> or
@<tag> specifier) installs the latest tag. Typically, projects only
use the "latest" tag for stable release versions, and use other tags for
unstable versions such as prereleases.
The next tag is used by some projects to identify the upcoming
version.
By default, other than latest, no tag has any special significance to
npm itself.
So, for instance, I had some issues related to npm itself generating npm ERR! Error: EACCES: permission denied errors on package installations, that I first corrected by reverting to an earlier version of npm (from 5.4.0):
npm install -g npm@5.3.0
But npm is also one of those packages that does use the "next" tag in their distribution, so to take advantage of that in the newest but not officially "stable version", you could also run:
npm install -g npm@next
Which installed 5.5.1
Running: npm show npm versions --json shows the following version history to give an idea what exactly was installed:
[ ...
"5.3.0",
"5.4.0",
"5.4.1",
"5.4.2",
"5.5.0",
"5.5.1"
]
This answer is an attempt to state the purpose of @next more simply. The language in the docs and in other answers appears overly complex.
Using next as the version number will allow a pre-release version if the project has one available. It will otherwise allow the latest stable version.

React Native Init Hanging

I am unable to create a new React Native project via react-native init <ProjectName>.
This is the first time I've tried since upgrading to macOS Sierra, but I don't know if that's related.
If I run the command with the --verbose flag, it runs through all the npm packages, but then eventually outputs the following:
├── UNMET PEER DEPENDENCY react@~15.3.1
<List of other packages including react-native 0.34.1>
npm WARN react-native@0.34.1 requires a peer of react@~15.3.1 but none was installed.
npm verb
npm verb If you need help, you may report this error at:
npm verb <https://github.com/npm/npm/issues>
npm verb exit [ 0, true ]
npm info ok
It then just sits there indefinitely. Last time I created a react native project it would take maybe 20-30 seconds max, but now it never completes (after say 10-15 minutes).
If I kill the process, all I have is a package.json with just the following in:
{
"name": "TestApp",
"version": "0.0.1",
"private": true,
"scripts": {
"start": "node node_modules/react-native/local-cli/cli.js start"
},
"dependencies": {
"react-native": "0.34.1"
}
}
...and the node_modules folder containing react-native and its dependencies. None of the required XCode/Android folders are there, or the index entry points, configs etc.
I have tried reinstalling all the required dependencies (node, homebrew) and I have also reinstalled git via homebrew.
I've seen other threads that suggest manually installing React, but I don't buy it. This used to work and React used to get installed as part of the process, but now I get this warning and it's game over.
Anyone else seen this issue?
EDIT
I just tried this on my other Mac, also running macOS Sierra and it worked fine. I followed the same steps on that to ensure all my dependencies were up to date first. I did a verbose init and still got the warning about React 15.3.1 being missing, but it then carried on and installed React 15.3.2 and then set up all the XCode/Android project files.
Very odd/annoying as I really need to start putting something together on this Mac.
SECOND EDIT
If I create a new user account on my Mac and log in as that, I can create a project, so it seems to be user-specific. Although annoying, I don't mind setting a new account up, but before I do would like to see if anyone can offer any suggestions. Thanks.
So the issue turned out to be watchman, as outlined here: https://github.com/facebook/react-native/issues/9943
If I ran watchman version the terminal hung, so as per the instructions I did:
rm -rf /usr/local/var/run/watchman/ && brew uninstall watchman && brew install watchman
...and it worked a treat!

You gave us a visitor for the node type "ForAwaitStatement" but it's not a valid type

I'm getting the following error from a few different libraries in my project, after adding the "stage-2" preset to my .babelrc. (That's my assumption atm)
e.g. from the DatePicker class in React Native:
node_modules/react-native/Libraries/Components/DatePickerAndroid/DatePickerAndroid.android.js: You gave us a visitor for the node type "ForAwaitStatement" but it's not a valid type
How can I resolve this error?
I'm using React Native 0.31 and
"devDependencies": {
"babel-preset-react-native-stage-0": "^1.0.1",
"babel-preset-stage-2": "^6.17.0"
},
I too ran into this. Solved by updating my babel-core version by changing the entry in package.json to the latest (at the time of this writing)
// package.json
...
"babel-core": "6.17.0",
...
then running
rm -r node_modules/babel* && npm i
I had the same issue after updating babel-core and some babel plugins. In my case it was fixed by updating babel-cli (globally installed with npm), which was a few versions behind and not using the right babel-core version.
I encountered this after an npm update, struggled for several hours to find a fix, but ultimately solved it via rm -rf node_modules && npm install. I hate npm.
I found this issue is caused by a lower version babel-types, so the solution is just:
npm install babel-types
or a clean npm install:
git clean -fdx
npm install
If your babel-cli is out of date, you might get the same error. Try updating babel-cli using npm install babel-cli -g or update your local babel-cli and reference it in your package.json scripts.
Also do npm i -D babel-plugin-transform-runtime and add "plugins": ["transform-runtime"] to your .babelrc
Had a similar situation as @Thomas; a globally installed version of babel-cli which was behind. I can recommend not installing it globally, instead running babel through npm scripts.
Local install:
npm install babel-cli --save-dev
In your npm scripts:
"babel": "babel script.js"