I am trying to update npm version to latest 6.14.7 in package.json.
After updating npm to the latest, I ran npm audit and got two vulnerabilities for the dot-prop package dependency which is showing under npm path.
So I tried updating to the latest dot-prop (^5.1.1), but I'm still getting the same error.
Please help me with this: how can I manually review and fix it?
Audit Report:
[root@redhatdev client]# npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Prototype Pollution
Package dot-prop
Patched in >=5.1.1
Dependency of npm [dev]
Path npm > libnpx > update-notifier > configstore > dot-prop
More info https://npmjs.com/advisories/1213
High Prototype Pollution
Package dot-prop
Patched in >=5.1.1
Dependency of npm [dev]
Path npm > update-notifier > configstore > dot-prop
More info https://npmjs.com/advisories/1213
found 2 high severity vulnerabilities in 1674 scanned packages
2 vulnerabilities require manual review. See the full report for details.
[root@redhatdev client]#
Full Audit report: npm audit --json
{
  "actions": [
    {
      "action": "review",
      "module": "dot-prop",
      "resolves": [
        {
          "id": 1213,
          "path": "npm>libnpx>update-notifier>configstore>dot-prop",
          "dev": true,
          "optional": false,
          "bundled": true
        },
        {
          "id": 1213,
          "path": "npm>update-notifier>configstore>dot-prop",
          "dev": true,
          "optional": false,
          "bundled": true
        }
      ]
    }
  ],
  "advisories": {
    "1213": {
      "findings": [
        {
          "version": "4.2.0",
          "paths": [
            "npm>libnpx>update-notifier>configstore>dot-prop",
            "npm>update-notifier>configstore>dot-prop"
          ]
        }
      ],
      "id": 1213,
      "created": "2019-10-14T17:43:55.291Z",
      "updated": "2020-07-29T20:58:02.206Z",
      "deleted": null,
      "title": "Prototype Pollution",
      "found_by": {
        "link": "",
        "name": "Unknown",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "Unknown",
        "email": ""
      },
      "module_name": "dot-prop",
      "cves": [
        "CVE-2020-8116"
      ],
      "vulnerable_versions": "<5.1.1",
      "patched_versions": ">=5.1.1",
      "overview": "Versions of `dot-prop` before 5.1.1 are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n",
      "recommendation": "Upgrade to version 5.1.1 or later.",
      "references": "- [GitHub advisory](https://github.com/advisories/GHSA-ff7x-qrg7-qggm)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-8116)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-471",
      "metadata": {
        "module_type": "",
        "exploitability": 4,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1213"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 2,
      "critical": 0
    },
    "dependencies": 61,
    "devDependencies": 1612,
    "optionalDependencies": 31,
    "totalDependencies": 1674
  },
  "runId": "9b99170c-35c0-44b1-a0e6-8b714069a255"
}
Edit 2:
Now I found the problem.
You updated npm locally (it's in your package.json).
So please run:
npm uninstall npm --save (uninstalls it locally)
then:
npm i npm -g (that updates npm globally and not locally)
That fixes the problem.
The rest of this answer is obsolete and doesn't add to the solution.
EDIT:
It seems to be an npm problem to me.
Here is what I did:
I had npm version 6.14.6.
I installed dot-prop.
No problem.
I updated my npm to 6.14.7.
2 vulnerabilities.
I ran npm audit fix, which resulted in "fixed 0 of 2 vulnerabilities".
I ran npm -v, which resulted in 6.14.6.
So I think it's a problem with npm 6.14.7 (and/or a combination with this special package).
Original Message:
Did you also try npm audit fix?
Also, it says to visit https://go.npm.me/audit-guide for additional guidance.
Did you try that as well?
I'm trying to update from 5.8 to any version 6 Laravel. I've updated the PHP code, but the composer update is problematic for me. I've tried composer update, composer update --with-dependencies, composer install.
Composer isn't something I work with often. Any help is very much appreciated! How do I decipher the composer error message into an actionable task? Is there a command that will install the dependencies for Laravel 6?
The error message after composer update:
- Conclusion: don't install laravel/framework v6.0.0
- arcanedev/support 4.5.0 requires illuminate/support ~5.8.0 -> satisfiable by laravel/framework[v5.8.38], illuminate/support[5.8.x-dev, v5.8.0, v5.8.11, v5.8.12, v5.8.14, v5.8.15, v5.8.17, v5.8.18, v5.8.19, v5.8.2, v5.8.20, v5.8.22, v5.8.24, v5.8.27, v5.8.28, v5.8.29, v5.8.3, v5.8.30, v5.8.31, v5.8.32, v5.8.33, v5.8.34, v5.8.35, v5.8.36, v5.8.4, v5.8.8, v5.8.9].
- arcanedev/support 4.5.0 requires illuminate/support ~5.8.0 -> satisfiable by laravel/framework[v5.8.38], illuminate/support[5.8.x-dev, v5.8.0, v5.8.11, v5.8.12, v5.8.14, v5.8.15, v5.8.17, v5.8.18, v5.8.19, v5.8.2, v5.8.20, v5.8.22, v5.8.24, v5.8.27, v5.8.28, v5.8.29, v5.8.3, v5.8.30, v5.8.31, v5.8.32, v5.8.33, v5.8.34, v5.8.35, v5.8.36, v5.8.4, v5.8.8, v5.8.9].
- Can only install one of: laravel/framework[6.x-dev, v5.8.38].
- don't install illuminate/support 5.8.x-dev|don't install laravel/framework 6.x-dev
- don't install illuminate/support v5.8.9|don't install laravel/framework 6.x-dev
- Installation request for laravel/framework ^6.0 -> satisfiable by laravel/framework[6.x-dev, v6.0.0, v6.0.1, v6.0.2, v6.0.3, v6.0.4, v6.1.0, v6.10.0, v6.10.1, v6.11.0, v6.12.0, v6.13.0, v6.13.1, v6.14.0, v6.15.0, v6.15.1, v6.16.0, v6.17.0, v6.17.1, v6.18.0, v6.18.1, v6.18.10, v6.18.11, v6.18.12, v6.18.13, v6.18.14, v6.18.15, v6.18.16, v6.18.17, v6.18.18, v6.18.19, v6.18.2, v6.18.20, v6.18.21, v6.18.22, v6.18.23, v6.18.24, v6.18.25, v6.18.26, v6.18.27, v6.18.28, v6.18.29, v6.18.3, v6.18.30, v6.18.31, v6.18.4, v6.18.5, v6.18.6, v6.18.7, v6.18.8, v6.18.9, v6.2.0, v6.3.0, v6.4.0, v6.4.1, v6.5.0, v6.5.1, v6.5.2, v6.6.0, v6.6.1, v6.6.2, v6.7.0, v6.8.0, v6.9.0].
- Installation request for arcanedev/support ~4.5 -> satisfiable by arcanedev/support[4.5.0].
The composer.json
{
  "name": "laravel/laravel",
  "type": "project",
  "description": "The Laravel Framework.",
  "keywords": [
    "framework",
    "laravel"
  ],
  "license": "MIT",
  "require": {
    "php": "^7.2",
    "laravel/framework": "^6.0",
    "fideloper/proxy": "^4.0",
    "guzzlehttp/guzzle": "^6.3",
    "illuminate/support": "~5.8.0|^6.0",
    "intervention/image": "^2.4",
    "laravel/tinker": "^1.0",
    "spatie/laravel-permission": "^3.0"
  },
  "require-dev": {
    "barryvdh/laravel-ide-helper": "^2.6",
    "beyondcode/laravel-dump-server": "^1.0",
    "filp/whoops": "^2.0",
    "fzaninotto/faker": "^1.4",
    "mockery/mockery": "^1.0",
    "nunomaduro/collision": "^2.0",
    "phpunit/phpunit": "^7.0",
    "barryvdh/laravel-debugbar": "^3.2",
    "arcanedev/log-viewer": "^4.7",
    "arcanedev/support": "~4.5"
  },
  "config": {
    "optimize-autoloader": true,
    "preferred-install": "dist",
    "sort-packages": true
  },
  "extra": {
    "laravel": {
      "dont-discover": []
    }
  },
  "autoload": {
    "psr-4": {
      "App\\": "app/"
    },
    "classmap": [
      "database/seeds",
      "database/factories"
    ]
  },
  "autoload-dev": {
    "psr-4": {
      "Tests\\": "tests/"
    }
  },
  "minimum-stability": "dev",
  "prefer-stable": true,
  "scripts": {
    "post-autoload-dump": [
      "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
      "@php artisan package:discover --ansi"
    ],
    "post-root-package-install": [
      "@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
    ],
    "post-create-project-cmd": [
      "@php artisan key:generate --ansi"
    ]
  }
}
Just have a look at the error message you've shared: your configuration requires arcanedev/support with the version constraint ~4.5. By peeking into the version list of that package, you can see that there is only one version that can be used, which is 4.5.0, and this package requires illuminate/support with the version constraint ~5.8.0. Obviously, this excludes any later versions of Laravel.
By also updating arcanedev/support to some later version (^5.0 should be fine), you are able to update Laravel. Packagist can help you to inspect the constraints for different versions of that package.
I’ve been using aurelia-ux 0.3.0 for some time now and love the concept. Since the move to aurelia-ux 0.4.0 and the shift to monorepo I’m a little lost on how to install and use the library.
Could anyone provide a little example of how to install aurelia-ux 0.4.0 (core + 1-2 components) with aurelia-cli?
Notice: the current npm documentation of the @aurelia-ux/core package points to the showcase application; however, this showcase still runs 0.3.0.
After some tests and research I've been able to install aurelia-ux 0.4.0+.
First you need to install the core and components:
npm install @aurelia-ux/core
Then you can either install each component separately or all together:
npm install @aurelia-ux/button
npm install @aurelia-ux/input
npm install @aurelia-ux/...
# or
npm install @aurelia-ux/components
Then in the aurelia_project/aurelia.json you need to add the dependencies as such:
{
  "name": "@aurelia-ux/core",
  "path": "../node_modules/@aurelia-ux/core/dist/amd",
  "main": "index",
  "resources": [
    "**/*.{css,html}"
  ]
},
{
  "name": "@aurelia-ux/button",
  "path": "../node_modules/@aurelia-ux/button/dist/amd",
  "main": "index",
  "resources": [
    "**/*.{css,html}"
  ]
},
{
  "name": "@aurelia-ux/input",
  "path": "../node_modules/@aurelia-ux/input/dist/amd",
  "main": "index",
  "resources": [
    "**/*.{css,html}"
  ]
},
or if you prefer the components variant (warning: I haven't tested this variant):
{
  "name": "@aurelia-ux/core",
  "path": "../node_modules/@aurelia-ux/core/dist/amd",
  "main": "index",
  "resources": [
    "**/*.{css,html}"
  ]
},
{
  "name": "@aurelia-ux/components",
  "path": "../node_modules/@aurelia-ux/components/dist/amd",
  "main": "index",
  "resources": [
    "**/*.{css,html}"
  ]
}
Finally you must register the plugins in your main.js:
aurelia.use
  .plugin('@aurelia-ux/core')
  .plugin('@aurelia-ux/button')
  .plugin('@aurelia-ux/input');
or with the components variant (not tested):
aurelia.use
  .plugin('@aurelia-ux/core')
  .plugin('@aurelia-ux/components');
I'm about to write a yeoman generator where the whole template is hosted on a git repository. So the package.json of my yeoman generator looks like:
{
  "name": "generator-foo",
  "version": "0.1.0",
  "description": "",
  "files": [
    "generators"
  ],
  "keywords": [
    "yeoman-generator"
  ],
  "dependencies": {
    "foo-template": "git://somewhere-in-the-world/foo-template.git#0.1.0",
    "chalk": "^1.1.3",
    "yeoman-generator": "^1.1.1",
    "yosay": "^2.0.0"
  }
}
Is there any way to prevent npm install from installing the foo-template package, i.e. running any postinstall script just for this package? Instead, it should be just downloaded to node_modules.
As described here, postinstall scripts can be disabled globally for npm using the --ignore-scripts flag.
As a complete solution, I would move your explicit dependency on foo-template into a postinstall script that installs it with scripts ignored:
{
  "name": "generator-foo",
  ...
  "scripts": {
    "postinstall": "npm install --ignore-scripts git://somewhere-in-the-world/foo-template.git#0.1.0"
  },
  "peerDependencies": {
    "foo-template": "git://somewhere-in-the-world/foo-template.git#0.1.0"
  }
}
Note that to make sure the dependency is explicitly described, we should mark it as a peerDependency (e.g. this prevents package removal on prune).
I am trying to use browserify to build a new project that my team is working on, but it does not recognize the transform from the package.json. It will build on 2 machines, but on 2 others it will not build.
Here is the relevant piece of my package.json.
"dependencies": {},
"devDependencies": {
  ....
},
"browserify": {
  "transform": [
    "browserify-shim"
  ]
},
"browser": {
  "angular": "./src/main/webapp/js/lib/angular.js",
  "angular-route": "./src/main/webapp/js/lib/angular-route.js",
  "underscore": "./src/main/webapp/js/lib/lodash.compat.js",
  "restangular": "./src/main/webapp/js/lib/restangular.js"
},
"browserify-shim": {
  "angular": {},
  "angular-route": {
    "depends": [
      "angular"
    ]
  },
  "underscore": {
    "exports": "_"
  },
  "restangular": {
    "depends": [
      "underscore",
      "angular"
    ]
  }
}
I am running browserify from the command line. I have 4 computers on my team and it is working on a Mac and a Windows machine, but I have 2 Windows machine that it does not work on. We have all pulled from the same repo, all of our browserify and npm versions are the same. What should I do next?
The Windows machines were running the command from Git Bash. The command would not work in Git Bash. After we switched to the command prompt, all of the commands ran fine.