This question already has answers here:
npm WARN deprecated tar#2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap
(4 answers)
Closed 1 year ago.
npm WARN deprecated tar#2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
changed 67 packages, and audited 68 packages in 7s
4 packages are looking for funding
run `npm fund` for details
2 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
This kind of problem is quite common for npm users. Your package.json file mentions multiple npm packages you need. And, each of those package's package.json file in turn refers to other packages, and so on. Somewhere in there some package refers to version 2.2.2 of tar. But the current version of tar is 6.2.2.
You can, as the error message says, run npm audit to find the offending package: that is, the package that wants the old version of tar (tar#2.2.2).
How to try to fix this?
If it's your package.json that loads tar#2.2.2 try doing these two commands.
npm remove tar --save
npm install tar --save
to get the latest.
Try running npm update --save. It will examine your nest of npm packages, and bring them up to more recent versions. That may, or may not, replace the offending package with a more recent version. It does this by updating a file called package-lock.json containing the explicit versions. If that doesn't work ...
Try running npm audit again to see what the situation is. Then, try npm audit --fix . If that doesn't work ...
File an issue on the github repository of the offending package asking for an update.
Look for another package with the same functionality as the offending package and replace it.
Decide you will live with the warning. (If your software is used in production, that may be unwise, because cybercreeps.)
Ask another question here and mention the offending package.
Related
npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.
I assumed that npm audit fix would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install. However npm audit fix still performs a lot of changes after lock file removal + reinstall.
What exactly does npm audit fix do? Does it for example install versions of dependencies newer than those allowed by the corresponding package.json (but still semver-compatible)?
From NPM's site on their audit command:
npm audit fix runs a full-fledged npm install under the hood
And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document:
Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones:
$ npm audit fix --force
As for the lock file, it is regenerated each time you run a command that changes package.json. There is more information about that in an answer here as well as in the official documentation.
In my understanding is not only "upgrading" but sometimes also downgrading in order to install the stable version that fix the issue, sometimes those issues comes in newer versions that maybe have introduced bugs or simply do not match with previous package's API etc.
E.g in my case for example npm install have upgrade react-script to 5.0.0 that has some issue and after have run:
npm audit fix --force
The force flag does : To address all issues (including breaking changes), run: npm audit fix --force
it installed the 3.0.1 with following message:
npm WARN audit Updating react-scripts to 3.0.1,which is a SemVer major change.
So it does the upgrade to the stable version of that package that fix the issue.
On top, though docs state "is running npm install under the hood" but not in the sense of installing newest version of a dependency, but could be useful also to check what happens with npm ci What is the difference between "npm install" and "npm ci"?
I cloned ParaViewWeb from https://github.com/kitware/paraviewweb then did the following;-
$ npm install
$ npm audit fix
Leaving me with this:
found 42 vulnerabilities (9 low, 23 moderate, 10 high) in 41716 scanned packages
14 vulnerabilities require semver-major dependency updates.
28 vulnerabilities require manual review.
How do I fix the 14 vulnerabilities that require semver-major dependency updates?
When you run npm audit, there should be a line telling you how to update it, e.g.:
# Run npm install --save-dev example#5.0.2 to resolve 1 vulnerability
# SEMVER WARNING: Recommended action is a potentially breaking change
Just execute that to fix it.
If you are already sure that you need to run all that updates then use:
npm audit fix --force
From npm Docs
If the chain of metavulnerabilities extends all the way to the root project, and it cannot be updated without changing its dependency ranges, then npm audit fix will require the --force option to apply the remediation. If remediations do not require changes to the dependency ranges, then all vulnerable packages will be updated to a version that does not have an advisory or metavulnerability posted against it.
If you are in my situation, there currently is no fix.
You may have to complete the fix yourself:
Go into the package and change it's package.json version manually.
OR
Open an issue on the package and hope its still being maintained by the creator.
https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
has a list of suggested fixes.
Upgrade npm through this command
npm install npm#latest -g
I'm trying to make sure my project doesn't have vulnerabilities in production, so I ran:
npm audit > vulnerabilities.txt
and then I searched for all instances of "Dependency of"
which brings up a list like:
Line 199: Dependency of babel-preset-es2015 [dev]
Line 215: Dependency of babel-preset-es2015 [dev]
Line 230: Dependency of babel-preset-es2015 [dev]
Can I assume that if all of them have that [dev] tag, then npm audit found no package vulnerabilities in production?
It looks like the answer is yes.
To validate this, I ran
npm audix fix --production
And then running
npm audit
produced a list where every dependency was a "Dependency Of" something marked as [dev].
If at some point npm supports the --production flag directly on npm audit then that would make it easier.
In older npm versions you can do below, even in newer versions I've found --production flag very buggy and node still reporting devDependencies, in both cases you can use this instead:
npm prune --production --dry-run
Above will output any vulnerabilities from inside dependencies. You would need to fix any vulnerabilities manually then though.
NOTE: Many projects I have worked with have wrongly had production dependencies inside devDependencies instead of dependencies. This needs to be fixed first of course. (just move the declaration inside package.json and npm i - check exact version inside lock file if needed)
If code from a node_module is used clientside (if it's used can sometimes be tricky to tell) it should be in dependencies (example corejs)
If you have a node backend/hosting then you need to check if it's used in Node BE in production as well.
Say we publish an NPM package that ends up having a bug say it is version 1.0.056.
is there a way to tell NPM to blacklist it, meaning if users have this in package.json:
^1.0.05
that it would endeavor to only install 1.0.057 or 1.0.055?
The idea is when you patch the bug, if it doesn't impact any of the exposed API, then not much reason to make a big semver change? Or maybe on the other hand an important bugfix should call for a minor version change?
Obviously NPM doesn't encourage people to delete packages, we want immutability, but unless a user explicitly requests that version, I want NPM to avoid installing it at all costs?
npm deprecate covers a historical version when you discover problem later:
npm deprecate <pkg>[#<version>] <message>
This command will update the npm registry entry for a package, providing a deprecation warning to all who attempt to install it.
If it was only just published (72 hours) then there is also:
npm unpublish [<#scope>/]<pkg>[#<version>]
This removes a package version from the registry, deleting its entry and removing the tarball.
https://www.npmjs.com/policies/unpublish
https://docs.npmjs.com/cli/unpublish
npm gives me the following error:
No compatible version found: left-pad#0.0.3
Tried to install left-pad with npm and got the same error.
left-pad was unpublished from npm, and once something is unpublished you can't publish it again. now anything that has dependencies on the versions of left-pad that were removed need to be updated.
see here for discussion.
Edit: turns out the author of left-pad removed all his packages from NPM because NPM caved to kik's lawyers and seized control of the author's kik related repo. Pretty hilarious such a trivial library has brought large chunks of the ecosystem down.