I have 5 moderate severity vulnerabilities when I checked the npm audit. How can I fix these errors given below? - npm

npm audit report:
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
No fix available
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/webpack-dev-server/node_modules/chokidar
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/webpack-dev-server
@angular-devkit/build-angular <=13.0.0-next.2
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack <=0.1300.0-next.2
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
5 moderate severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.

These are vulnerabilities discovered and reported for dependencies your application is using. Generally, you will want to fix these by updating packages to the latest versions containing fixes for the vulnerabilities.
There is a command, npm audit fix, which can update the affected dependencies for you in most cases (it took me personally from 10,000+ to roughly 10 reports). This, however, by default only uses non-breaking version jumps (so, by semantic versioning, it will not jump a major version, for example).
You can use npm audit fix --force to fix the remaining vulnerabilities (including semver-incompatible ones) if there are package updates; however, you will need to look for breaking changes in the updated packages that may conflict with your program logic.
I highly recommend you look at the NPM Docs article below; it explains the whole process very well.
Also see:
Auditing package dependencies for security vulnerabilities
What does "npm audit fix" exactly do?

Related

npm find-babel-config depends on a vulnerable version of JSON5

The package manager npm gives a high severity vulnerability which I don't know how to fix. The advised forced fix wants to install a very old version of expo. Node is up to date (v18.14.1). There seems to be an outdated version reference in 'find-babel-config' to JSON5.
Does anyone have an idea how to fix this dependency? I tried reinstalling and updating npm, including manually deleting node_modules and package-lock.json, cleaning npm cache and updating expo.
npm audit
# npm audit report
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install expo@1.0.0, which is a breaking change
node_modules/babel-preset-expo/node_modules/json5
find-babel-config <=1.2.0
Depends on vulnerable versions of json5
node_modules/babel-preset-expo/node_modules/find-babel-config
babel-plugin-module-resolver 2.3.0 - 4.1.0
Depends on vulnerable versions of find-babel-config
node_modules/babel-preset-expo/node_modules/babel-plugin-module-resolver
babel-preset-expo *
Depends on vulnerable versions of babel-plugin-module-resolver
node_modules/babel-preset-expo
expo >=14.0.0
Depends on vulnerable versions of babel-preset-expo
node_modules/expo

Why am I getting this "deprecated" error?

Explained in my screenshot.
I don't know how to do this, but I tried 'npm audit fix --force'. Please help me.
I get this error:
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated opn@6.0.0: The package has been renamed to `open`
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
changed 204 packages, and audited 205 packages in 9s
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details
DON'T PANIC! Just kidding, of course...
npm has evolved over the years and protects its users against potential security risks. If the selected package uses old or risky dependencies, it may raise some warnings regarding the package's integrity. First, let's have a look at the official package page, and right at the top we see this:
This is a little development server with live reload capability. Use
it for hacking your HTML/JavaScript/CSS files, but not for deploying
the final site.
Now we instantly know that the main purpose of this package is to mimic a live server for web apps, and we also know that the author himself does not recommend using this in production.
Why does this matter? Well, if we intend to use it locally and build our production project without it, there is a very small risk in using it locally (as long as your local build is NOT deployed from your machine to a remote machine / service).
If we want to stay on the safe side, a quick search (using npm search) will turn up similar yet better-supported packages like livereload. Just compare the weekly download stats and how many dependencies each one has (the more dependencies a package uses, the greater the risk that some of them are outdated and may introduce security risks) to get an educated guess as to whether the package you are using is suitable for your needs or not.
Cheers

Going round in vulnerability circles installing firebase-tools npm

I'm trying to install firebase-tools.
However, I am presented with this error:
# npm audit report
express <=4.17.2 || 5.0.0-alpha.1 - 5.0.0-alpha.8
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/firebase-tools/node_modules/express
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install firebase-tools@1.2.0, which is a breaking change
node_modules/firebase-tools/node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/firebase-tools/node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/firebase-tools/node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/firebase-tools/node_modules/superstatic/node_modules/update-notifier
node_modules/firebase-tools/node_modules/update-notifier
firebase-tools >=2.0.0
Depends on vulnerable versions of update-notifier
node_modules/firebase-tools
superstatic >=0.12.11
Depends on vulnerable versions of update-notifier
node_modules/firebase-tools/node_modules/superstatic
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/firebase-tools/node_modules/minimatch
qs 6.5.0 - 6.5.2 || 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/firebase-tools/node_modules/qs
node_modules/firebase-tools/node_modules/request/node_modules/qs
body-parser 1.19.0
Depends on vulnerable versions of qs
node_modules/firebase-tools/node_modules/body-parser
express <=4.17.2 || 5.0.0-alpha.1 - 5.0.0-alpha.8
Depends on vulnerable versions of qs
node_modules/firebase-tools/node_modules/express
10 vulnerabilities (6 moderate, 4 high)
When I run:
npm audit fix // or
npm audit fix --force
I get the exact same error.
I then tried to see if updating the packages manually would help, for example by running:
npm install qs@latest
But I get the exact same issues.
I have also
deleted my package-lock.json file and the node_modules folder and tried a fresh install. Still yada.
Why can't I seem to break out of this loop?
SOLVED:
I managed to get around it by using the auto-install script instead of npm, from https://firebase.google.com/docs/cli#mac-linux-auto-script:
curl -sL https://firebase.tools | bash
I am now able to use firebase init, log in and deploy.... phew!

NativeScript 8.0.0: npm vulnerabilities switching between "3 high" and "30 high"

I am currently working on a NativeScript project that uses NativeScript core ~8.0.0, and I just ran an npm install and realized that there are 3 high vulnerabilities. When I try to fix them using npm audit fix (even with the --force flag) I end up with 30 high vulnerabilities. Running npm audit fix again leads back to the original 3 high.
These seem to be due to @nativescript/webpack:5.0.0, which is the current version but relies on a vulnerable version of @pmmmwh/react-refresh-webpack-plugin.
Any ideas on how to solve this problem?
Here is the detailed output of npm audit:
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install @nativescript/webpack@4.1.0, which is a breaking change
node_modules/ansi-html
@pmmmwh/react-refresh-webpack-plugin <=0.5.0-rc.6
Depends on vulnerable versions of ansi-html
@nativescript/webpack >=5.0.0-alpha.0
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
node_modules/@nativescript/webpack
Never mind, ns migrate did the trick.
Still if anyone is facing a similar problem with the ansi-html package there is a solution for that in this answer.

JHipster Vue npm audit fix --force error, I don't know what to do, please help me

I created the project with JHipster; when I installed it, npm failed to perform a repair. The log is as follows.
I don't know what to do, please help me.
npm audit fix --force
Log:
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating generator-jhipster-vuejs to 0.0.3,which is a SemVer major change.
npm WARN deprecated formatio@1.1.1: This package is unmaintained. Use @sinonjs/formatio instead
npm WARN deprecated samsam@1.1.2: This package has been deprecated in favour of @sinonjs/samsam
npm WARN deprecated cross-spawn-async@2.2.5: cross-spawn no longer requires a build toolchain, use it instead
npm WARN deprecated gulp-util@3.0.8: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
added 374 packages, removed 88 packages, changed 14 packages, and audited 2751 packages in 44s
101 packages are looking for funding
run `npm fund` for details
# npm audit report
axios <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix`
node_modules/generator-jhipster/node_modules/axios
generator-jhipster 2.19.0 - 7.0.0-beta.0
Depends on vulnerable versions of axios
Depends on vulnerable versions of jhipster-core
Depends on vulnerable versions of lodash
node_modules/generator-jhipster
braces <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
fix available via `npm audit fix`
node_modules/glob-stream/node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
node_modules/glob-stream/node_modules/micromatch
glob-stream 5.3.0 - 5.3.5
Depends on vulnerable versions of micromatch
node_modules/glob-stream
vinyl-fs 2.4.2 - 2.4.4
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
decompress <4.2.1
Severity: high
Arbitrary File Write - https://npmjs.com/advisories/1217
fix available via `npm audit fix --force`
Will install generator-jhipster-vuejs@1.9.2, which is a breaking change
node_modules/decompress
gulp-decompress <=1.2.0
Depends on vulnerable versions of decompress
node_modules/gulp-decompress
download 4.0.0 - 5.0.0
Depends on vulnerable versions of caw
Depends on vulnerable versions of gulp-decompress
node_modules/download
yeoman-generator <=0.24.1
Depends on vulnerable versions of download
Depends on vulnerable versions of html-wiring
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of lodash
node_modules/generator-jhipster-vuejs/node_modules/yeoman-generator
generator-jhipster-vuejs <=0.0.3
Depends on vulnerable versions of yeoman-generator
node_modules/generator-jhipster-vuejs
deep-extend <=0.5.0
Prototype Pollution - https://npmjs.com/advisories/612
fix available via `npm audit fix`
node_modules/generator-jhipster-vuejs/node_modules/deep-extend
mem-fs-editor 2.1.0 - 3.0.2
Depends on vulnerable versions of deep-extend
node_modules/generator-jhipster-vuejs/node_modules/mem-fs-editor
lodash <=4.17.18
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
fix available via `npm audit fix --force`
Will install generator-jhipster-vuejs@1.9.2, which is a breaking change
node_modules/cheerio/node_modules/lodash
node_modules/generator-jhipster-vuejs/node_modules/lodash
node_modules/generator-jhipster/node_modules/lodash
node_modules/jhipster-core/node_modules/lodash
cheerio 0.14.0 - 0.19.0
Depends on vulnerable versions of lodash
node_modules/cheerio
html-wiring *
Depends on vulnerable versions of cheerio
node_modules/html-wiring
yeoman-generator <=0.24.1
Depends on vulnerable versions of download
Depends on vulnerable versions of html-wiring
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of lodash
node_modules/generator-jhipster-vuejs/node_modules/yeoman-generator
generator-jhipster-vuejs <=0.0.3
Depends on vulnerable versions of yeoman-generator
node_modules/generator-jhipster-vuejs
generator-jhipster 2.19.0 - 7.0.0-beta.0
Depends on vulnerable versions of axios
Depends on vulnerable versions of jhipster-core
Depends on vulnerable versions of lodash
node_modules/generator-jhipster
inquirer <=0.11.4
Depends on vulnerable versions of lodash
node_modules/generator-jhipster-vuejs/node_modules/inquirer
jhipster-core *
Depends on vulnerable versions of lodash
node_modules/jhipster-core
tunnel-agent <0.6.0
Severity: moderate
Memory Exposure - https://npmjs.com/advisories/598
fix available via `npm audit fix --force`
Will install generator-jhipster-vuejs@1.9.2, which is a breaking change
node_modules/caw/node_modules/tunnel-agent
caw <=2.0.0
Depends on vulnerable versions of tunnel-agent
node_modules/caw
download 4.0.0 - 5.0.0
Depends on vulnerable versions of caw
Depends on vulnerable versions of gulp-decompress
node_modules/download
yeoman-generator <=0.24.1
Depends on vulnerable versions of download
Depends on vulnerable versions of html-wiring
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of lodash
node_modules/generator-jhipster-vuejs/node_modules/yeoman-generator
generator-jhipster-vuejs <=0.0.3
Depends on vulnerable versions of yeoman-generator
node_modules/generator-jhipster-vuejs
20 vulnerabilities (7 low, 2 moderate, 11 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force