listing npm local modules produces missing errors - npm

i'm creating new reactjs application using npx create-react-app my-react.
everything goes well but when list local modules in my-react folder using npm ls --depth=0 there are some missing errors from npm :
my-react#0.1.0 /tmp/my-react
├── react#16.6.3
├── react-dom#16.6.3
└── react-scripts#2.1.1
npm ERR! missing: mkdirp#0.5.1, required by node-pre-gyp#0.10.0
npm ERR! missing: minimist#0.0.8, required by mkdirp#0.5.1
npm ERR! missing: minimatch#3.0.4, required by ignore-walk#3.0.1
npm ERR! missing: brace-expansion#1.1.11, required by minimatch#3.0.4
npm ERR! missing: balanced-match#1.0.0, required by brace-expansion#1.1.11
npm ERR! missing: concat-map#0.0.1, required by brace-expansion#1.1.11
npm ERR! missing: console-control-strings#1.1.0, required by npmlog#4.1.2
npm ERR! missing: inherits#2.0.3, required by readable-stream#2.3.6
npm ERR! missing: safe-buffer#5.1.1, required by readable-stream#2.3.6
npm ERR! missing: safe-buffer#5.1.1, required by string_decoder#1.1.1
npm ERR! missing: console-control-strings#1.1.0, required by gauge#2.7.4
npm ERR! missing: string-width#1.0.2, required by gauge#2.7.4
npm ERR! missing: strip-ansi#3.0.1, required by gauge#2.7.4
npm ERR! missing: code-point-at#1.1.0, required by string-width#1.0.2
npm ERR! missing: is-fullwidth-code-point#1.0.0, required by string-width#1.0.2
npm ERR! missing: strip-ansi#3.0.1, required by string-width#1.0.2
npm ERR! missing: number-is-nan#1.0.1, required by is-fullwidth-code-point#1.0.0
npm ERR! missing: ansi-regex#2.1.1, required by strip-ansi#3.0.1
npm ERR! missing: string-width#1.0.2, required by wide-align#1.1.2
npm ERR! missing: inherits#2.0.3, required by glob#7.1.2
npm ERR! missing: minimatch#3.0.4, required by glob#7.1.2
npm ERR! missing: once#1.4.0, required by glob#7.1.2
npm ERR! missing: once#1.4.0, required by inflight#1.0.6
npm ERR! missing: wrappy#1.0.2, required by inflight#1.0.6
npm ERR! missing: wrappy#1.0.2, required by once#1.4.0
npm ERR! missing: minipass#2.2.4, required by tar#4.4.1
npm ERR! missing: mkdirp#0.5.1, required by tar#4.4.1
npm ERR! missing: safe-buffer#5.1.1, required by tar#4.4.1
npm ERR! missing: yallist#3.0.2, required by tar#4.4.1
npm ERR! missing: minipass#2.2.4, required by fs-minipass#1.2.5
npm ERR! missing: safe-buffer#5.1.1, required by minipass#2.2.4
npm ERR! missing: yallist#3.0.2, required by minipass#2.2.4
npm ERR! missing: minipass#2.2.4, required by minizlib#1.1.0

I just ran into this as well, and did some looking. It seems to be an issue with the current way npm handles Optional Dependencies. If you do a full npm list, you'll find the culprit is fsevents.
UNMET OPTIONAL DEPENDENCY fsevents#1.2.4
│ ├── UNMET OPTIONAL DEPENDENCY nan#2.12.1
│ └─┬ UNMET OPTIONAL DEPENDENCY node-pre-gyp#0.10.0
│ ├── UNMET OPTIONAL DEPENDENCY detect-libc#1.0.3
│ ├─┬ UNMET DEPENDENCY mkdirp#0.5.1
│ │ └── UNMET DEPENDENCY minimist#0.0.8
│ ├─┬ UNMET OPTIONAL DEPENDENCY needle#2.2.0
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY debug#2.6.9
│ │ │ └── UNMET OPTIONAL DEPENDENCY ms#2.0.0
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY iconv-lite#0.4.21
│ │ │ └── UNMET OPTIONAL DEPENDENCY safer-buffer#2.1.2
│ │ └── UNMET OPTIONAL DEPENDENCY sax#1.2.4
│ ├─┬ UNMET OPTIONAL DEPENDENCY nopt#4.0.1
│ │ ├── UNMET OPTIONAL DEPENDENCY abbrev#1.1.1
│ │ └─┬ UNMET OPTIONAL DEPENDENCY osenv#0.1.5
│ │ ├── UNMET OPTIONAL DEPENDENCY os-homedir#1.0.2
│ │ └── UNMET OPTIONAL DEPENDENCY os-tmpdir#1.0.2
│ ├─┬ UNMET OPTIONAL DEPENDENCY npm-packlist#1.1.10
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY ignore-walk#3.0.1
│ │ │ └─┬ UNMET DEPENDENCY minimatch#3.0.4
│ │ │ └─┬ UNMET DEPENDENCY brace-expansion#1.1.11
│ │ │ ├── UNMET DEPENDENCY balanced-match#1.0.0
│ │ │ └── UNMET DEPENDENCY concat-map#0.0.1
│ │ └── UNMET OPTIONAL DEPENDENCY npm-bundled#1.0.3
│ ├─┬ UNMET OPTIONAL DEPENDENCY npmlog#4.1.2
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY are-we-there-yet#1.1.4
│ │ │ ├── UNMET OPTIONAL DEPENDENCY delegates#1.0.0
│ │ │ └─┬ UNMET OPTIONAL DEPENDENCY readable-stream#2.3.6
│ │ │ ├── UNMET OPTIONAL DEPENDENCY core-util-is#1.0.2
│ │ │ ├── UNMET DEPENDENCY inherits#2.0.3
│ │ │ ├── UNMET OPTIONAL DEPENDENCY isarray#1.0.0
│ │ │ ├── UNMET OPTIONAL DEPENDENCY process-nextick-args#2.0.0
│ │ │ ├── UNMET DEPENDENCY safe-buffer#5.1.1
│ │ │ ├─┬ UNMET OPTIONAL DEPENDENCY string_decoder#1.1.1
│ │ │ │ └── UNMET DEPENDENCY safe-buffer#5.1.1
│ │ │ └── UNMET OPTIONAL DEPENDENCY util-deprecate#1.0.2
│ │ ├── UNMET DEPENDENCY console-control-strings#1.1.0
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY gauge#2.7.4
│ │ │ ├── UNMET OPTIONAL DEPENDENCY aproba#1.2.0
│ │ │ ├── UNMET DEPENDENCY console-control-strings#1.1.0
│ │ │ ├── UNMET OPTIONAL DEPENDENCY has-unicode#2.0.1
│ │ │ ├── UNMET OPTIONAL DEPENDENCY object-assign#4.1.1
│ │ │ ├── UNMET OPTIONAL DEPENDENCY signal-exit#3.0.2
│ │ │ ├─┬ UNMET DEPENDENCY string-width#1.0.2
│ │ │ │ ├── UNMET DEPENDENCY code-point-at#1.1.0
│ │ │ │ ├─┬ UNMET DEPENDENCY is-fullwidth-code-point#1.0.0
│ │ │ │ │ └── UNMET DEPENDENCY number-is-nan#1.0.1
│ │ │ │ └── UNMET DEPENDENCY strip-ansi#3.0.1
│ │ │ ├─┬ UNMET DEPENDENCY strip-ansi#3.0.1
│ │ │ │ └── UNMET DEPENDENCY ansi-regex#2.1.1
│ │ │ └─┬ UNMET OPTIONAL DEPENDENCY wide-align#1.1.2
│ │ │ └── UNMET DEPENDENCY string-width#1.0.2
│ │ └── UNMET OPTIONAL DEPENDENCY set-blocking#2.0.0
│ ├─┬ UNMET OPTIONAL DEPENDENCY rc#1.2.7
│ │ ├── UNMET OPTIONAL DEPENDENCY deep-extend#0.5.1
│ │ ├── UNMET OPTIONAL DEPENDENCY ini#1.3.5
│ │ ├── UNMET OPTIONAL DEPENDENCY minimist#1.2.0
│ │ └── UNMET OPTIONAL DEPENDENCY strip-json-comments#2.0.1
│ ├─┬ UNMET OPTIONAL DEPENDENCY rimraf#2.6.2
│ │ └─┬ UNMET OPTIONAL DEPENDENCY glob#7.1.2
│ │ ├── UNMET OPTIONAL DEPENDENCY fs.realpath#1.0.0
│ │ ├─┬ UNMET OPTIONAL DEPENDENCY inflight#1.0.6
│ │ │ ├── UNMET DEPENDENCY once#1.4.0
│ │ │ └── UNMET DEPENDENCY wrappy#1.0.2
│ │ ├── UNMET DEPENDENCY inherits#2.0.3
│ │ ├── UNMET DEPENDENCY minimatch#3.0.4
│ │ ├─┬ UNMET DEPENDENCY once#1.4.0
│ │ │ └── UNMET DEPENDENCY wrappy#1.0.2
│ │ └── UNMET OPTIONAL DEPENDENCY path-is-absolute#1.0.1
│ ├── UNMET OPTIONAL DEPENDENCY semver#5.5.0
│ └─┬ UNMET OPTIONAL DEPENDENCY tar#4.4.1
│ ├── UNMET OPTIONAL DEPENDENCY chownr#1.0.1
│ ├─┬ UNMET OPTIONAL DEPENDENCY fs-minipass#1.2.5
│ │ └── UNMET DEPENDENCY minipass#2.2.4
│ ├─┬ UNMET DEPENDENCY minipass#2.2.4
│ │ ├── UNMET DEPENDENCY safe-buffer#5.1.1
│ │ └── UNMET DEPENDENCY yallist#3.0.2
│ ├─┬ UNMET OPTIONAL DEPENDENCY minizlib#1.1.0
│ │ └── UNMET DEPENDENCY minipass#2.2.4
│ ├── UNMET DEPENDENCY mkdirp#0.5.1
│ ├── UNMET DEPENDENCY safe-buffer#5.1.1
│ └── UNMET DEPENDENCY yallist#3.0.2
fsevents (https://www.npmjs.com/package/fsevents) states that it is only needed for the OS X operating system, so if you're on Linux for example, npm doesn't install it, but then also reports that as an error (?). The behavior is confusing. But it should stay in package.json because if someone installs your code on a mac, fsevents would be needed.
There was a PR for this against the npm repository to turn the platform dependency logs down to info, but it seems to have gotten abandoned when the devs switched npm to a new repo :\
For now, you can safely ignore it (and hopefully get your build system to ignore it as well), or switch to yarn.

Related

Using pnpm to install create react app shows warning

When installing dependencies for a create-react app(version 5.0.0) using pnpm dlx and pnpm import, i get a warning that peer dependencies should be installed. The dev environment for react spins up just fine. This warn message does not show up when using npx. How can i fix this warn message other than installing the peer dependencies?. Thanks in advance.
What i did:
Create react app using pnpm dlx in the command-line
pnpm dlx create-react-app ./temp-app
The above step created a package-lock.json file. So, to create pnpm's lock file,
pnpm import package-lock.json
This created a pnpm-lock.yaml file with a warn message as below
 WARN  Issues with peer dependencies found
.
├─┬ #testing-library/user-event
│ └── ✕ missing peer #testing-library/dom#>=7.21.4
└─┬ react-scripts
├── ✕ missing peer typescript#"^3.2.1 || ^4"
├─┬ eslint-config-react-app
│ ├─┬ #typescript-eslint/eslint-plugin
│ │ ├── ✕ missing peer typescript#"*"
│ │ └─┬ #typescript-eslint/experimental-utils
│ │ └─┬ #typescript-eslint/typescript-estree
│ │ ├── ✕ missing peer typescript#"*"
│ │ └─┬ tsutils
│ │ └── ✕ missing peer typescript#">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta"
│ ├─┬ #typescript-eslint/parser
│ │ └── ✕ missing peer typescript#"*"
│ └─┬ eslint-plugin-flowtype
│ ├── ✕ missing peer #babel/plugin-syntax-flow#^7.14.5
│ └── ✕ missing peer #babel/plugin-transform-react-jsx#^7.14.9
├─┬ react-dev-utils
│ └─┬ fork-ts-checker-webpack-plugin
│ └── ✕ missing peer typescript#">= 2.7"
└─┬ tailwindcss
└── ✕ missing peer autoprefixer#^10.0.2
Peer dependencies that should be installed:
#babel/plugin-syntax-flow#^7.14.5 #testing-library/dom#>=7.21.4 typescript#">=3.2.1 <4.0.0 || >=4.0.0 <5.0.0"
#babel/plugin-transform-react-jsx#^7.14.9 autoprefixer#^10.0.2
You need to install those dependencies too if this warning shows up.
Copy all the packages listed below Peer dependencies that should be installed: and type this command:
pnpm add your-dependencies-list
and replace the your-dependencies-list with all the list of peer dependencies which were listed.
One thing to note is for example if you were trying to add a dependency as a dev dependency and then this warning showed up, then you'll need to execute the above command but you'll need to add a -D or --dev flag before the packages so that it adds them as dev dependency.
Same issue occurred with me when i tried installing parcel as a dev dependency
Progress: resolved 318, reused 318, downloaded 0, added 0, done
 WARN  Issues with peer dependencies found
.
└─┬ parcel
└─┬ #parcel/config-default
├─┬ #parcel/optimizer-htmlnano
│ └─┬ htmlnano
│ └── ✕ missing peer postcss#^8.3.11
└─┬ #parcel/transformer-postcss
└─┬ postcss-modules
├── ✕ missing peer postcss#^8.0.0
├─┬ postcss-modules-extract-imports
│ └── ✕ missing peer postcss#^8.1.0
├─┬ postcss-modules-local-by-default
│ ├── ✕ missing peer postcss#^8.1.0
│ └─┬ icss-utils
│ └── ✕ missing peer postcss#^8.1.0
├─┬ postcss-modules-scope
│ └── ✕ missing peer postcss#^8.1.0
└─┬ postcss-modules-values
└── ✕ missing peer postcss#^8.1.0
Peer dependencies that should be installed:
postcss#">=8.3.11 <9.0.0"
so i ran the following command:
pnpm add -D postcss#">=8.3.11 <9.0.0"
and hurray
Packages: +5 -11
+++++-----------
Progress: resolved 891, reused 891, downloaded 0, added 5, done
devDependencies:
- parcel 2.2.1
+ parcel 2.2.1
+ postcss 8.4.5
Everything worked out!

NPM Workspaces installing packages into a workspace/node_modules

I have workspaces configured and working.
When I install from the root, sometimes packages are installed in the root and sometimes they are installed in the workspace node_modules.
When and how does NPM choose to install a package at the root/node_modules vs a workspace/node_modules?
It turns out, when two packages rely on the same module with a compatible version number in the dependencies, npm (with workspaces) will install the package only in root/node_modules. Otherwise, it will install in the node_modules of package(s).
In this example the same react-dom version is shared between packages:
customer-ui#1.0.0 /home/ubuntu/name/customer-ui
├─┬ components#0.15.0 -> ./packages/components
│ ├─┬ react-cosmos#5.7.2
│ │ └─┬ react-cosmos-shared2#5.7.1
│ │ └─┬ react-element-to-jsx-string#14.3.4
│ │ └── react-dom#17.0.2 deduped
│ ├── react-dom#17.0.2
│ ├─┬ react-modal#3.15.1
│ │ └── react-dom#17.0.2 deduped
│ ├─┬ react-to-print#2.14.7
│ │ └── react-dom#17.0.2 deduped
│ └─┬ styled-components#5.3.5
│ └── react-dom#17.0.2 deduped
└─┬ embedded#0.1.0 -> ./packages/embedded
└── react-dom#17.0.2 deduped
And npm installed it only in the root/node_modules dir:
❯ ls node_modules/react-dom
LICENSE build-info.json index.js profiling.js server.js test-utils.js
README.md cjs package.json server.browser.js server.node.js umd
❯ ls packages/embedded/node_modules/react-dom
ls: cannot access 'packages/embedded/node_modules/react-dom': No such file or directory
❯ ls packages/components/node_modules/react-dom
ls: cannot access 'packages/components/node_modules/react-dom': No such file or directory
However, for a package with incompatible version between packages, it's different:
❯ npm ls argparse
customer-ui#1.0.0 /home/ubuntu/name/customer-ui
├─┬ #components#0.15.0 -> ./packages/components
│ └─┬ eslint#8.17.0
│ └─┬ js-yaml#4.1.0
│ └── argparse#2.0.1
└─┬ embedded#0.1.0 -> ./packages/embedded
├─┬ eslint#6.8.0
│ └─┬ js-yaml#3.14.1
│ └── argparse#1.0.10
├─┬ jest-preset-preact#4.0.5
│ └─┬ babel-jest#27.5.1
│ └─┬ babel-plugin-istanbul#6.1.1
│ └─┬ #istanbuljs/load-nyc-config#1.1.0
│ └─┬ js-yaml#3.14.1
│ └── argparse#1.0.10
└─┬ microbundle#0.12.4
├─┬ cssnano#4.1.11
│ ├─┬ cosmiconfig#5.2.1
│ │ └─┬ js-yaml#3.14.1
│ │ └── argparse#1.0.10
│ └─┬ cssnano-preset-default#4.0.8
│ └─┬ postcss-svgo#4.0.3
│ └─┬ svgo#1.3.2
│ └─┬ js-yaml#3.14.1
│ └── argparse#1.0.10
└─┬ rollup-plugin-postcss#2.9.0
└─┬ postcss-load-config#2.1.2
└─┬ cosmiconfig#5.2.1
└─┬ js-yaml#3.14.1
└── argparse#1.0.10
embedded package demands argparse#1.0.10 and embedded demands argparse#2.0.1.
For these, npm installs them in multiple places:
❯ ls node_modules/argparse
CHANGELOG.md LICENSE README.md argparse.js lib package.json
❯ ls packages/components/argparse
ls: cannot access 'packages/components/argparse': No such file or directory
❯ ls packages/embedded/node_modules/argparse
CHANGELOG.md LICENSE README.md index.js lib package.json
In case it helps, this is a snippet of root/package.json:
{
"name": "customer-ui",
"version": "1.0.0",
"workspaces": [
"packages/*"
]
}
Thanks to #Stf_F for answering this in the comment above.

How to fix NPM vulnerabilities (libcipm, libnpm, node-gyp, npm-lifecycle)?

How should I fix the vulnerabilities below that require manual review ?
$ npm --version
6.9.0
$ npm audit fix
up to date in 7.044s
fixed 0 of 4 vulnerabilities in 31604 scanned packages
4 vulnerabilities required manual review and could not be updated
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libnpm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 high severity vulnerabilities in 31604 scanned packages
4 vulnerabilities require manual review. See the full report for details.
You need to upgrade the tar package to version 4.4.2 or later.
This issue solution yet to be release.Many PR open on github regarding the issue.But try this may it helps:
npm install -D node-gyp
npm install -D tar#">4.4.7"
For more details check here.
This issue also raised here.
Attempt to fix this issue.
This might be fixed by 10th May,2019.
Check here for more details on it.

Arbitrary File Overwrite: tar npm audit

It said,
found 4 high severity vulnerabilities in 891002 scanned packages
4 vulnerabilities require manual review. See the full report for details.
how to make 0 vulnerabilities?
I also do "npm audit fix" and I put "--force", but it didn't work.
and,
when I do "npm audit",
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libnpm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
And I'm using at react & electron.
when I installed font awesome, this error appeared.
So, I removed the font awesome, but it didn't change anything
I had the same problem with my ionic project.
This Link Helped me to get rid this.
In package-lock.json replace the following section
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
"integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",
with
"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
"integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",
Then run
sudo rm -fr node_modules
and
npm install
By following this method I got rid of the warnings.
Hope this works for you!
for whatever packages you are getting vulnerabilities, change package version inside package-lock.json to the recommended version, remove node_modules and run npm i.
for fstream for e.g :
in package-lock.json from:
"fstream": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/fstream/-/fstream-1.0.1.tgz",
"integrity": "sha512-WvJ193OHa0GHPEL+AycEJgxvBEwyfRkN1vhjca23OaPVMCaLCXTd5qAu82AjTcgP1UJmytkOKb63Ypde7raDIg=="
}
to:
"fstream": {
"version": "1.0.12",
"resolved": "https://registry.npmjs.org/fstream/-/fstream-1.0.12.tgz",
"integrity": "sha512-WvJ193OHa0GHPEL+AycEJgxvBEwyfRkN1vhjca23OaPVMCaLCXTd5qAu82AjTcgP1UJmytkOKb63Ypde7raDIg=="
}
delete node_modules:
rm node_modules
then:
npm i

why doesn't gulp run when installed globally?

I install gulp using npm install -g gulp
[npm WARN deprecation warnings redacted]
/usr/local/bin/gulp -> /usr/local/lib/node_modules/gulp/bin/gulp.js
/usr/local/lib
└── gulp#3.9.1
When I try to run the gulp command I get:
gulp
[19:42:23] Local gulp not found in ~/javascript
[19:42:23] Try running: npm install gulp
But when I install another npm package globally, it works. For instance when I install create-react-app like so:
npm install -g create-react-app
/usr/local/bin/create-react-app -> /usr/local/lib/node_modules/create-react-app/index.js
/usr/local/lib
└─┬ create-react-app#0.2.0
├─┬ chalk#1.1.3
│ ├── ansi-styles#2.2.1
│ ├── escape-string-regexp#1.0.5
│ ├─┬ has-ansi#2.0.0
│ │ └── ansi-regex#2.0.0
│ ├── strip-ansi#3.0.1
│ └── supports-color#2.0.0
├─┬ cross-spawn#4.0.0
│ ├─┬ lru-cache#4.0.1
│ │ ├── pseudomap#1.0.2
│ │ └── yallist#2.0.0
│ └─┬ which#1.2.10
│ └── isexe#1.1.2
├── minimist#1.2.0
└── semver#5.3.0
When I run the command after installation it works:
create-react-app
Usage: create-react-app <project-directory> [--verbose]
Is there any reason why gulp would screw out?
You have to install the Gulp CLI to get the command line to work npm install -g gulp-cli