Trouble installing Ganache on fresh WSL - npm

I'm new to coding. I'm using Windows 10 and just installed WSL. I want to install Ganache using the command npm install -g ganache-cli, but it says it has 8 vulnerabilities (7 moderate, 1 high).
When I run npm audit fix or npm audit fix --force it says that there are no vulnerabilities. I don't understand where the problem is.
My npm version is 8.3.0.

There's no real reason to be alarmed about the vulnerabilities npm reports, especially for a new project. Most of the time, these vulnerabilities won't actually affect your project. Be careful using npm audit fix, especially npm audit fix --force, because it can upgrade or downgrade packages, affecting functionality. If you do use it and it says 0 vulnerabilities afterwards, that means it fixed all of them.
Packages are open source, so the community would spot any damaging or sneaky code, especially in popular packages such as ganache-cli.
Read more here: https://www.voitanos.io/blog/don-t-be-alarmed-by-vulnerabilities-after-running-npm-install/

Related

I can't run ganache in my terminal, even though it's installed

It seems I have a path error. I can see proof the package installed, and I've tried it both globally and locally, with and without the -cli suffix, but zsh keeps complaining "command not found".
dr_frankenmiller@Bryans-MacBook-Pro ~ % npm install ganache-cli
npm WARN deprecated ganache-cli@6.12.2: ganache-cli is now ganache; visit https://trfl.io/g7 for details
added 1 package, and audited 102 packages in 11s
2 packages are looking for funding
run npm fund for details
9 vulnerabilities (8 moderate, 1 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run npm audit for details.
dr_frankenmiller@Bryans-MacBook-Pro ~ % npm ls --depth=0
dr_frankenmiller@ /Users/dr_frankenmiller
└── ganache-cli@6.12.2
dr_frankenmiller@Bryans-MacBook-Pro ~ % ganache-cli
zsh: command not found: ganache-cli
I might have done something bad: I used sudo rm -rf node_modules to uninstall the package. Was that dangerous to do? I reinstalled it globally and then tried running it again, and then zsh started complaining I wasn't authorized to run ganache. I tried the command sudo ganache; it asked me for my password and then responded again with command not found.
Can someone help me get back on track with my tutorial?
According to Ganache-CLI's instructions, it should be installed with:
npm install ganache-cli -g
I'd recommend installing the latest Ganache version rather than installing Ganache-CLI, though. Ganache-CLI is deprecated. Use
npm uninstall ganache-cli && npm install ganache -g
Ganache v7.0.0 and onward can be used in the CLI as well as programmatically.
On another note, I strongly recommend against using sudo when installing anything via npm. This can give untrusted code the ability to run as admin on your system. Definitely a big security risk.
Just a follow-up on the difficulties I was having: I ended up using yarn to download and run ganache (MINUS the -cli suffix, which is now deprecated), yarn install ganache --global to install and then yarn ganache to run (no -cli necessary).
Here's how I found the solution for my specific use case. The bug came about when I was attempting to run a brownie deployment script. Run npm uninstall ganache-cli, then run yarn global add ganache. Worked like a charm.

"npx create-react-app ..." audit comes with 3 high severity issues. How can I fix this?

I have a few react projects that were started using "npx create-react-app" and if I run "npm audit" they come back with:
# npm audit report
immer <8.0.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1603
fix available via `npm audit fix --force`
Will install react-scripts@2.0.5, which is a breaking change
node_modules/react-dev-utils/node_modules/immer
react-dev-utils >=6.0.6-next.9b4009d7
Depends on vulnerable versions of immer
node_modules/react-dev-utils
react-scripts >=2.0.6-next.9b4009d7
Depends on vulnerable versions of react-dev-utils
node_modules/react-scripts
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
I have tried running npm audit fix and that doesn't fix the issue.
I have tried running npm audit fix --force which results in even more errors.
I have tried running npm i immer@8.0.1 which also does not work.
I am using nvm with node version 14.15.5 and npm version 7.5.4. I recently updated nvm to the latest version (0.37.2) and changed the default to the latest node lts (14.15.5), so I believe this may be the culprit but I can't figure out how to fix these 3 vulnerabilities.
A possibility is that there's an issue with me having not moved my global packages to the newer version of node.
Any help is much appreciated.
The issue has now been fixed. Just run npm audit fix.

When I am trying to install the radium package in React.js this error occurs. What should I do about it?

I am a new developer and these errors torture me.
npm install --save radium
+ radium@0.26.0
updated 1 package and audited 1374 packages in 11.052s
23 packages are looking for funding
run `npm fund` for details
found 34 vulnerabilities (31 low, 1 moderate, 2 high)
run `npm audit fix` to fix them, or `npm audit` for details
This is an npm feature called audit, so that you can check whether your installed modules have known vulnerabilities and exploits. Developers or other users of these modules can announce possible exploits and probably release a patch if they find anything unsafe in the module. Then every time you install modules or run audit manually you will see these warnings. You can run npm audit fix to let npm fix them if possible. However, some modules do not have a patch or cannot be fixed automatically, so you have to fix them by hand. Anyway, if you are just developing locally you can ignore them.

What does "npm audit fix" exactly do?

npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.
I assumed that npm audit fix would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver definitions of the packages, effectively the same as rm package-lock.json; npm install. However, npm audit fix still performs a lot of changes after lock file removal + reinstall.
What exactly does npm audit fix do? Does it for example install versions of dependencies newer than those allowed by the corresponding package.json (but still semver-compatible)?
From npm's documentation of the audit command:
npm audit fix runs a full-fledged npm install under the hood
And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document:
Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones:
$ npm audit fix --force
As for the lock file, it is regenerated each time you run a command that changes package.json. There is more information about that in an answer here as well as in the official documentation.
In my understanding it is not only "upgrading" but sometimes also downgrading, in order to install the stable version that fixes the issue; sometimes those issues come in newer versions that may have introduced bugs or simply do not match the previous package's API, etc.
E.g. in my case npm install had upgraded react-scripts to 5.0.0, which has some issue, and after I ran:
npm audit fix --force
The force flag does: To address all issues (including breaking changes), run: npm audit fix --force
it installed 3.0.1 with the following message:
npm WARN audit Updating react-scripts to 3.0.1, which is a SemVer major change.
So it does the upgrade to the stable version of that package that fixes the issue.
On top of that, though the docs state it "is running npm install under the hood", that is not in the sense of installing the newest version of a dependency. It could also be useful to check what happens with npm ci: What is the difference between "npm install" and "npm ci"?

How to fix npm vulnerabilities that require semver-major dependency updates?

I cloned ParaViewWeb from https://github.com/kitware/paraviewweb then did the following:
$ npm install
$ npm audit fix
Leaving me with this:
found 42 vulnerabilities (9 low, 23 moderate, 10 high) in 41716 scanned packages
14 vulnerabilities require semver-major dependency updates.
28 vulnerabilities require manual review.
How do I fix the 14 vulnerabilities that require semver-major dependency updates?
When you run npm audit, there should be a line telling you how to update it, e.g.:
# Run npm install --save-dev example@5.0.2 to resolve 1 vulnerability
# SEMVER WARNING: Recommended action is a potentially breaking change
Just execute that to fix it.
If you are already sure that you need to run all that updates then use:
npm audit fix --force
From npm Docs
If the chain of metavulnerabilities extends all the way to the root project, and it cannot be updated without changing its dependency ranges, then npm audit fix will require the --force option to apply the remediation. If remediations do not require changes to the dependency ranges, then all vulnerable packages will be updated to a version that does not have an advisory or metavulnerability posted against it.
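A worked model of the behaviour described in this answer and in the "What does npm audit fix exactly do?" thread above, added here as an example (it is not code from the original posts or from npm itself): it implements just enough semver range matching to show when an advisory can be remediated inside the ranges a tree already declares, when the root's own range has to change (the --force case), and when no published version is safe at all (the "requires manual review" case). The package names echo the create-react-app audit report quoted earlier, but the version numbers, dependency ranges, the legacy-widget package and the root package.json are constructed for this illustration and are not real registry metadata.

```javascript
// Added example, not code from the original posts or from npm itself: a toy model of
// how `npm audit fix` decides whether an advisory can be remediated inside the ranges
// the tree already declares, or only with `--force`. Only the range syntax used here is
// implemented (^x.y.z, >=, <=, >, <, exact); real npm uses the `semver` package.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`bad version: ${v}`);
  return m.slice(1).map(Number);
}

// Standard semver ordering on major, minor, patch: -1, 0 or 1.
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Turn one comparator ("^1.2.3", ">=1.2.3", "<2.0.0", "1.2.3") into a predicate.
function comparator(c) {
  let m = /^\^(\d+\.\d+\.\d+)$/.exec(c);
  if (m) {
    const [maj, min, pat] = parseVersion(m[1]);      // ^ pins the leftmost non-zero part
    const upper = maj ? `${maj + 1}.0.0` : min ? `0.${min + 1}.0` : `0.0.${pat + 1}`;
    return v => compare(v, m[1]) >= 0 && compare(v, upper) < 0;
  }
  m = /^(>=|<=|>|<)?(\d+\.\d+\.\d+)$/.exec(c);
  if (!m) throw new Error(`unsupported range syntax: ${c}`);
  const ops = { '>=': d => d >= 0, '<=': d => d <= 0, '>': d => d > 0, '<': d => d < 0, '=': d => d === 0 };
  return v => ops[m[1] || '='](compare(v, m[2]));
}

// Space-separated comparators are ANDed and "||" alternatives ORed, as in npm ranges.
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(c => comparator(c)(version)));
}

// Registry metadata constructed for this example. The package names echo the
// create-react-app report quoted above; versions, ranges and legacy-widget are made up.
const REGISTRY = {
  immer: { '7.0.9': {}, '7.0.15': {}, '8.0.1': {} },
  'react-dev-utils': {
    '11.0.1': { immer: '^7.0.9' },               // every immer that fits is vulnerable
    '11.0.3': { immer: '^8.0.1' },
  },
  'react-scripts': {
    '4.0.1': { 'react-dev-utils': '11.0.1' },    // pinned to a metavulnerable version
    '4.0.3': { 'react-dev-utils': '^11.0.1' },   // range admits the safe 11.0.3
    '5.0.0': { 'react-dev-utils': '^11.0.3' },
  },
  'legacy-widget': { '1.0.0': { immer: '^7.0.9' } },  // no safe release exists
};
// The advisory from the quoted report: "immer <8.0.1  Severity: high  Prototype Pollution".
const ADVISORIES = { immer: '<8.0.1' };

// A version is vulnerable if an advisory covers it, or if one of its dependency ranges
// admits no non-vulnerable version at all (what the npm docs call a "metavulnerability").
function isVulnerable(name, version, memo = new Map()) {
  const key = `${name}@${version}`;
  if (memo.has(key)) return memo.get(key);
  memo.set(key, false);                                 // provisional; breaks cycles
  let vuln = name in ADVISORIES && satisfies(version, ADVISORIES[name]);
  for (const [dep, range] of Object.entries(REGISTRY[name][version])) {
    if (vuln) break;
    vuln = safeVersions(dep, range, memo).length === 0;
  }
  memo.set(key, vuln);
  return vuln;
}

// Published versions of `name` that satisfy `range` and are not (meta)vulnerable, ascending.
function safeVersions(name, range, memo = new Map()) {
  return Object.keys(REGISTRY[name])
    .filter(v => satisfies(v, range) && !isVulnerable(name, v, memo))
    .sort(compare);
}

// What `npm audit fix` could do for each top-level dependency of the root project:
//   fix   -> a safe version fits the declared range (plain `npm audit fix`)
//   force -> only a version outside the range is safe; the range must change (`--force`)
//   none  -> no published version is safe ("requires manual review")
function planAuditFix(rootDeps) {
  const plan = {};
  for (const [name, range] of Object.entries(rootDeps)) {
    const inRange = safeVersions(name, range);
    const anySafe = safeVersions(name, '>=0.0.0');
    plan[name] = inRange.length ? { action: 'fix', version: inRange[0] }
      : anySafe.length ? { action: 'force', version: anySafe[anySafe.length - 1] }
      : { action: 'none', version: null };
  }
  return plan;
}

// Hypothetical root package.json dependencies for the demonstration.
const ROOT_DEPS = { 'react-scripts': '^4.0.1', 'legacy-widget': '^1.0.0' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(planAuditFix(ROOT_DEPS), null, 2));
  console.log(JSON.stringify(planAuditFix({ 'react-scripts': '4.0.1' }), null, 2));
}
```

Running the file prints the plan for the constructed root: react-scripts can move to 4.0.3 inside ^4.0.1, because that release's range for react-dev-utils admits the version that depends on a patched immer, while legacy-widget has no safe release at all. Pinning react-scripts exactly to 4.0.1 turns the same advisory into a --force case, which is the situation the quoted docs describe: the chain of metavulnerabilities reaches the root and cannot be fixed without changing its dependency range.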
If you are in my situation, there currently is no fix.
You may have to complete the fix yourself:
Go into the package and change its package.json version manually.
OR
Open an issue on the package and hope it's still being maintained by the creator.
https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
has a list of suggested fixes.
Upgrade npm through this command
npm install npm@latest -g