Update dependencies in NPM to resolve vulnerability - npm

My repo in github show the following alert :
Dependabot cannot update ssri to a non-vulnerable version. The latest possible version that can be installed is 6.0.1 because of the following conflicting dependencies:
terser-webpack-plugin#2.3.8 requires ssri#^7.0.0 via cacache#13.0.1
webpack#4.46.0 requires ssri#^6.0.1 via a transitive dependency on
cacache#12.0.4
The earliest fixed version is 8.0.1.
As far as I known, I should update the root package (which is terser-webpack-plugin) in package.json to a newer version, but how to determine the minimum version that can support the non-vulnerable version of the dependency (in this case ssri 8.0.1) since I don't want to update to a too high version and risk breaking things. I am thinking of manually checking through all the release version of terser-webpack-plugin, but it's very tedious and seem wrong to check like that. Any suggestions ?

To speed up the process and save installing each version and its associated dependency tree, we can use npm-remote-ls (https://stackoverflow.com/a/26005786/2815338)
Firstly get the list of available versions:
> npm view terser-webpack-plugin versions
[
'1.0.0', '1.0.1', '1.0.2', '1.1.0', '1.2.0',
...
Then run npm-remote-ls for each version after your current one and filter on the relevant dependency, e.g.
> npm-remote-ls terser-webpack-plugin#3.0.0 | grep ' ssri#'
??? ?????? ssri#8.0.1
??? ??? ??? ?????? ssri#6.0.2
In this case terser-webpack-plugin#5.0.0 is the first with only fixed versions of ssri (8.0.1), and 5.1.0 appears to not include ssri at all, presumably due to webpack no longer depending on cacache.
N.B. the question marks appear to be due to encoding of characters that npm-remote-ls uses to display a tree structure. You could also use Select-String in PowerShell, but this appears to show different (incorrect) characters instead.

Related

Visual studio code error :-Failed to start flow Error: Wrong version of Flow. The config specifies version ^0.92.0 but this is version 0.95.1

Hello I am a beginner in React-native and below is my flowconfig file's version and I get an error with this version
[version]
^0.92.0
Is there a way to fix this error, I was trying to run debug mode in visual code for running react-native projects and to print console.log.
So far I am unsuccessful.
PS:- beginner in react-native
Change [version] in the .flowconfig to match the installed version, ^0.95.1
1. Check that the following tags match
package.json
"devDependencies": {
"flow-bin": "0.130.0"
}
.flowconfig
[version]
^0.130.0
2. Clean & Reinstall
If they match, this error can occur when your node_modules are out of sync with the version of flow-bin in your package.json. This can occur if you've changed branches recently or have have an older version in your node modules.
Try removing and reinstalling like this:
rm -rf node_modules/ && npm i
Instead of changing the flow version make it a ranged version. For example something like >=0.50.0 or simply remove the version altogether. You can read about that more in the flowconfig docs
I find that changing the flow version every time you face this problem to be a bad approach especially if you work with a team and each team member has a different version installed and they would commit their version into the .flowconfig file

Set minimum patch version

Using semver as the standard, so I have this package version:
0.0.108
so in package.json for a Node.js project, I might have something like:
"foo":"^0.0.108"
my question is - using semver notation, how can I tell NPM not to install anything below 0.0.108? For example, 0.0.107 is unacceptable, but 0.0.109, or 0.0.111 is ok?
If you don't want anything in 0.1.x, then this should work
>=0.0.108 <0.1
If you are okay with any future versions, such as major releases, then you only need
>=0.0.108
Note the semver spec (Section 4) and the npm documentation on semver (Caret Ranges) both suggest there can be breaking changes for every release when the minor version number is still 0, so you may have to deal with those if you decide not to use ^0.0.108.

react-native-router-flux undifine is not a function (evaluationg 'addListner')

I upgraded my router-flux version 0.27 to 0.30.
I am facing error of evaluating addListner I also submit it in the issue
4.0.0-beta.30 is broken as the last commit says
update dependencies, bump version - don't use, errors are possible!
4.0.0-beta.28 is broken too. Use 4.0.0-beta.27 instead.
In package.json, make sure you have exactly this:
"react-native-router-flux": "4.0.0-beta.27"
Don't include ^ otherwise your package manager will still install the .28 version (unless you have a yarn.lock at .27).

angular bootstrap older versions removed from npmjs?

We had been using version 0.11.0 of angular-bootstrap from npmjs. It appears that version is no longer available on npmjs. From the commands below does this mean that someone actually unpublished the older packages?
prompt:~$ npm view angular-bootstrap time
{ modified: '2015-01-12T06:48:54.881Z',
created: '2014-01-29T21:54:32.213Z',
'0.0.1': '2014-01-29T21:54:37.589Z',
'0.0.2': '2014-01-29T22:03:08.814Z',
'0.0.3': '2014-01-29T22:51:49.998Z',
'0.0.4': '2014-02-11T15:14:17.078Z',
'0.11.0': '2014-06-24T07:06:56.435Z',
'0.13.0-SNAPSHOT': '2014-12-02T13:05:43.151Z',
'0.12.0': '2015-01-12T06:46:41.986Z' }
prompt:~$ npm view angular-bootstrap versions
0.12.0
I agree, the package seems to have been unpublished. You can still access it from the github history, as follows:
$ npm install "angular-ui/bootstrap#0.11.0"
(note that you may not need quoting, but some shells will interpret the # as a comment-begin character.) You can also use this syntax in dependencies inside package.json
If you have a project in production that depends on this, you should probably make a fork of the angular-ui/bootstrap repository and point towards that.
(I had some difficulty making this work on Windows, but it looks like you're on a Unixy system, so you should be fine.)
Ticket discussing this and the future is at https://github.com/angular-ui/bootstrap/issues/1636

YUM: Upgrade a package from a different repo

Say I have two repos: repoa and repob. I installed a package 3.1 ver from repoa. I have a newer version 3.2 in repob.
How could I upgrade the package from repob? I tried to yum upgrade, but looks it always stick to the original repo - repoa, and didn't look at the package in repob at all. I can use 'yum provides' to get the package information from two repose, but only repoa looks recognised.
I tried several things such as change the priority higher for repob, temporarily remove the repoa, but none of them working.
I guess I need to remove it then do reinstallation from repob.