Why does my 'npm install' give so many vulnerabilities? - npm

Every time I do npm install after cloning a GitHub project OR install packages on my local system for my practice projects, there are always around 20+ vulnerabilities.
But the guys in YouTube tutorials always have 0 vulnerabilities.
I even reinstalled npm, but it didn't change anything.

If you are following an old video, you are likely installing old packages. Therefore it's pretty common to have vulnerabilities.
If you want the warnings to disappear, you can try to remove @version in your packages inside package.json and then run npm i again. Or, as bogdanoff says, run npm update instead.
But be careful: packages may behave differently from the video when updated.

Related

Why is npm install gulp adding 318 packages if it's a fresh install?

I'm installing gulp on a new machine after 2 years of not having gone through the process and for some reason running npm install gulp --save-dev is installing 318 dependencies. Am I doing something wrong? I couldn't find any info on the gulp site that mentions this change on v.4.0.2 so I'm really scratching my head here.
Thanks
When you use npm install, even to upgrade or to retrieve stored files on a machine, npm silently installs the updated dependencies without asking the user for permission. It might be possible that npm has installed testing or beta version dependencies too; I guess you have to take a look in AppData if you are using Windows.
You're not doing anything wrong. It genuinely does have that many dependencies:
[Dependency graph image, generated by npm.broofa.com]
As an aside, it's interesting to compare how much this has changed over time: @3.9.1, @3.0.0, @1.2.1

How does npm error affect old git commits?

In my create-react-app project I've installed many node packages via npm. Every time, I've used npm install --save to update package.json and package-lock.json and then committed the changes to git.
Recently, something caused a previously-working npm module to fail. Since I couldn't find the cause, I tried removing and reinstalling all dependencies like this:
rm -rf node_modules/
npm install
However, the same module still fails, even when I switch back to older commits and repeat the commands above!
Since the problem can't be in the committed code itself (which is running fine on another machine), the problem must be somewhere else such as in the create-react-app development server or the /node_modules.
How can I reset my work to a working state, given that everything is in git and was working before?
UPDATE:
My answer below turned out to be only partly right. npm did install a newer version of the package, but that was not actually the problem after all. The true fix was realising that my data (from my database) was corrupt, so returning to a prior "working version" made no difference until I fixed my data!
UPDATE: As mentioned in the updated question, this answer did not actually solve my problem after all. Messing around with the npm modules did fix something, but it soon started failing again, so the fix was incomplete.
UPDATE 2: There was also a problem in the data I was passing from my database to the module! That data is not stored in git, so fiddling with npm modules and git had no power.
It seems that the problem was in the npm versioning! Since my package.json listed somepackage@^6.0.0, running npm install fetched the latest version (which had the bug).
Hence, my old working commits that referenced somepackage@^6.0.0 still actually installed the new faulty version when re-installed from scratch.
The solution was to edit package.json and change somepackage@^6.0.0 to somepackage@6.0.0 (exact match, without the ^).
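The two answers above (remove the version prefix so npm i picks something newer; drop the ^ so only one version matches) both come down to how npm resolves a caret range. The following is an added example, not code from either thread or from npm itself: a minimal resolver that implements npm's caret rule in general (including the 0.x case, which the thread does not cover) and shows why a fresh install of ^6.0.0 pulls in the newest 6.x while a bare 6.0.0 does not. The registry listing and the package name are constructed.

```javascript
// Added example, not code from the thread. A tiny resolver for the two spec
// forms discussed: an exact pin "6.0.0" and a caret range "^6.0.0".
// Caret rule as npm applies it: allow any version that keeps the leftmost
// non-zero component, so ^6.0.0 means >=6.0.0 <7.0.0 and ^0.2.3 means
// >=0.2.3 <0.3.0. Other operators (~, >=, x-ranges, prerelease tags) are left out.

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of the caret range that starts at `lo`.
function caretUpper(lo) {
  if (lo[0] > 0) return [lo[0] + 1, 0, 0];
  if (lo[1] > 0) return [0, lo[1] + 1, 0];
  return [0, 0, lo[2] + 1];
}

function satisfies(version, spec) {
  const v = parse(version);
  if (spec.startsWith('^')) {
    const lo = parse(spec.slice(1));
    return compare(v, lo) >= 0 && compare(v, caretUpper(lo)) < 0;
  }
  return compare(v, parse(spec)) === 0; // exact pin: only that version
}

// What a fresh `npm install` with no lockfile picks: the highest published
// version the spec allows, or null when nothing matches.
function resolve(spec, published) {
  const ok = published.filter(p => satisfies(p, spec));
  if (ok.length === 0) return null;
  return ok.sort((a, b) => compare(parse(a), parse(b))).pop();
}

// The fix from the thread: strip the leading ^ so only the listed version matches.
function pinExact(deps) {
  return Object.fromEntries(
    Object.entries(deps).map(([name, spec]) => [name, spec.replace(/^\^/, '')]));
}

// Constructed registry listing; 6.2.3 stands in for the "latest version with the bug".
const PUBLISHED = ['6.0.0', '6.0.1', '6.1.0', '6.2.3', '7.0.0'];
```

A committed package-lock.json would have recorded 6.0.0 and made the fresh install reproducible; the pin is what protects you when the lockfile is absent or regenerated.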

npm, npx and yarn. Which one is better?

I can see create-react-app has added installation with npx. So it made me curious to check which one is better: npm, npx or yarn. Which one is better to use, and why?
I don't see why this got negative votes; not everyone comes with inbuilt knowledge of this stuff, right? And this is the place to ask 😅
npm: installation of packages (libraries), i.e. pieces of functionality to help you build your own applications.
npx: npx is a tool to execute packages without installing the packages.
yarn: also installation of packages. yarn is a replacement for npm that sits on top of the same package repository.
npx isn't the same as the other two; it is a feature of npm to run packages without installing. As for which one is better between npm and yarn, there isn't a clear "winner" (a general rule to apply in life too). I personally prefer yarn since in my experience it was faster and less verbose. Another positive was that it had a lockfile, but now npm has one too (and I hear new versions are faster as well).
tl;dr: Either is fine really.
You can compare the features of npm and yarn. yarn is faster than npm because it does parallel installation, while npm does serial installation of modules. Previous versions of npm did not have a lockfile; now both npm and yarn have one. Both are built on top of the same repository.
npx is totally different from npm and yarn. It is a tool to execute packages without installing them.
So I will suggest yarn if you want to decrease the build time of the application.

Are yarn and npm interchangeable in practice?

I have a project with a package.json file and an install bash script that, among other steps, runs npm install.
I'm thinking of updating the script so that it runs yarn install if yarn is available (to take advantage of yarn's caching, lockfile, etc), and falls back to npm install otherwise. As far as I can tell, all the packages seem to install and work ok either way.
Are yarn and npm interchangeable enough for this to be a viable approach, though? Or are there potential issues that this could lead to? Are we meant to just pick one, or is yarn interchangeable with npm in practice?
(nb. I've read this closely related question, but I'm asking this as a separate question because it's about explicitly supporting both yarn and npm install processes in a project)
Yarn and npm (version >=3.0.0) should be relatively compatible, especially moving from npm to Yarn, because compatibility is one of the stated goals of Yarn. As stated in Migrating from npm:
Yarn can consume the same package.json format as npm, and can install any package from the npm registry.
So, in theory, any package.json that is valid for npm should also work equally well for Yarn. Note that I say that npm v2 is probably less compatible - this is because npm migrated from a nested node_modules structure to a flat layout (which is what Yarn uses). That said, Yarn and npm v3 should produce very similar layouts, because, as stated in the issue I linked:
To a first approximation we should try to be very compatible with the node_modules layout for people who need that compatibility, because it'll be the most likely way to avoid long-tail compatibility problems.
However, you will not be able to take advantage of the yarn.lock generated by Yarn, because (as the name suggests) it's only supported by Yarn, and npm shrinkwrap is not compatible.
Also, as noted by @RyanZim, older versions of Yarn don't support pre- and post-install hooks, but versions later than v0.16.1 do. If you rely on these hooks, you will need to specify to users that versions greater than v0.16.1 are required.
In summary, as long as you encounter no bugs and only use features that are shared by both package managers, you should have no issues whatsoever.
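The answer's caveat about lockfiles is the part that bites an install script like the one described in the question: whichever tool the script picks should be the one whose lockfile is actually committed, otherwise the install is not reproducible. The following is an added example, not the asker's script or anything from Yarn or npm: a POSIX sh helper that chooses the install command from the lockfile present. The second argument (whether yarn is on PATH) is passed explicitly so the choice is deterministic; pick_for_cwd does the real detection.

```shell
# Added example, not the asker's script. Choose the install command from the
# lockfile that is committed, since yarn.lock and package-lock.json are not
# interchangeable. Usage: pick_install_cmd DIR HAVE_YARN (1 if yarn is on PATH).
pick_install_cmd() {
  dir="$1"
  have_yarn="$2"
  if [ -f "$dir/yarn.lock" ] && [ "$have_yarn" = 1 ]; then
    # Yarn's lockfile is present and Yarn can read it: install exactly what
    # it records (--frozen-lockfile is the Yarn v1/classic flag; Yarn 2+ uses
    # --immutable, assumed out of scope here).
    echo "yarn install --frozen-lockfile"
  elif [ -f "$dir/package-lock.json" ]; then
    # npm ci installs from package-lock.json and refuses to modify it, so a
    # yarn.lock without yarn available still yields a reproducible npm install.
    echo "npm ci"
  else
    # No lockfile at all: plain npm install resolves ranges afresh.
    echo "npm install"
  fi
}

# Real-world wrapper: detect yarn on PATH and decide for the current directory.
pick_for_cwd() {
  if command -v yarn >/dev/null 2>&1; then have_yarn=1; else have_yarn=0; fi
  pick_install_cmd "$(pwd)" "$have_yarn"
}
```

Run it as `eval "$(pick_for_cwd)"` from the project root; if both lockfiles are committed, the script prefers Yarn's, which is a project decision worth making explicitly rather than by accident.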

Why is it recommended to install via bower or npm?

This might be a stupid question but I believe I should know this since I am just starting out in the web development field rather than just assuming. I normally see this
Install via npm or bower (recommended) or manually download the package
or something of that sort. My assumption is that the node_modules and bower_components update the packages automatically; however, I am not sure.
Sometimes I install with npm or bower, and sometimes I just manually download the package, and I have seen no difference. Could someone please tell me why it is important to install via npm or bower, so I can know for sure what is going on?
Package managers allow you to keep third-party code separate from your code and have consistent versions of that code. With npm or bower you can set out exactly what dependencies your project has, and what versions, through a single file, without having to bloat your codebase with the dependencies themselves.
This means that anyone who wants to set up the project can just download the core code and run npm install or the equivalent command, and install all the dependencies at the latest supported version.