Need help understanding hashes in `npm audit` output - npm

In my npm audit output I saw the following entry with a hash:
├───────────────┼─────────────────────────────────────────┤
│ Path │ 050fb87979f5c6895917ef26a696d57ebf3cf1… │
│ │ > mocha > growl │
├───────────────┼─────────────────────────────────────────┤
May I know what the hash stands for and where can I find the dependency tree node it represents? I searched online and searched through my package-lock.json file but couldn't find it.
Thanks!

Somehow I was able to figure it out not long after posting it, by using npm ls growl. It shows that the hash represents an internal package. (The confusing part is that some internal packages were displayed by package name in npm audit output while some were displayed as hashes. | Update: it turns out that we are importing some packages by their git commit directly; in those cases, those dependencies are displayed as hashes.)

I just ran into the same issue. The issue is to obscure the package name for security reasons. After looking into the npm docs, this has been resolved in version 7. I just ran npm audit using npm 7+ and it has pointed to the exact packages that are the culprit, with no hash.

Related

How to exclude a specific version of a package that a project dependency uses and override it with a different one?

I'm running into an issue with my npm mirror.
It appears to be lagging behind. Currently, my Jenkins build fails, because it does not see scheduler@^0.20.2, which was published about 20 hours ago.
Weirdly enough, npm ls scheduler returns empty, so I'm not sure what package is requesting it, but I need to, at least for now, somehow specify scheduler@^0.20.1 to be used in my project.
Is there a way to do this? I want to ensure that whichever package it is that depends on scheduler@^0.20.2 will have only scheduler@^0.20.1 available to it.
I just ran
$ npm install scheduler@0.20.1
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN nm@1.0.0 No description
npm WARN nm@1.0.0 No repository field.
+ scheduler@0.20.1
added 4 packages from 3 contributors and audited 4 packages in 2.939s
found 0 vulnerabilities
then check
$ npm ls
nm@1.0.0 /home/daniil/
└─┬ scheduler@0.20.1
  ├─┬ loose-envify@1.4.0
  │ └── js-tokens@4.0.0
  └── object-assign@4.1.1
Editing package.json would probably have worked when you need to force a deep-lying module version:
{
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  "resolutions": {
    "scheduler": "^0.20.1"
  }
}
I solved potential vulnerabilities in my repo this way.

How to automatically update npm?

Recently I've been a little bit annoyed because after building my project I get a message like this nearly EVERY DAY:
╭────────────────────────────────────────────────────────────────╮
│ │
│ New patch version of npm available! 6.14.6 -> 6.14.8 │
│ Changelog: https://github.com/npm/cli/releases/tag/v6.14.8 │
│ Run npm install -g npm to update! │
│ │
╰────────────────────────────────────────────────────────────────╯
so I run npm install -g npm and a few days later or so it's there again with a newer patch (at least I assume so, since I executed that script successfully and don't know of anything that reverts it).
I'm very happy that people are improving it, but is there an easy way for this to update itself?
Because I'd rather manually downgrade it than having to manually upgrade it every time.
Your message above indicates that you are using npm version 6.x. That release line does not get a new release every day or even every week. In fact, the version in that message (6.14.8) was released 2 months ago. Judging from the 6.x release history, npm 6.x was getting updated about once a month. Now that 7.x is out, it will probably be less frequent. So frequent npm updates may not be your problem. The problem may be that npm updates are not sticking (or working at all) for you for whatever reason.
On the other hand, if you are using npm v7.x, it's a recent release that has been undergoing bug fixes every few days, but that is very likely to slow waaaay down. So one solution may be to just wait another week or two and the updates will be less frequent. (They may already be much less frequent than they were even last week.)
All that said: A blunt hammer solution would be to update npm as the first step in your build process. If you run npm run build as your build step, update package.json to add npm install -g npm && at the front of your build script. If you want to tolerate the npm update failing, you can change && to || but then the message you want to go away will still show up if the npm installation/update fails.
If your build process involves installing Node.js, then putting npm install -g npm after the Node.js installation is the way to go. Node.js ships with npm and it is exceedingly likely that the version that ships with Node.js is not the most recent version.

How do I find what npm package has a particular dependency?

My webpack project has a new error:
Browserslist: caniuse-lite is outdated. Please run next command npm update caniuse-lite browserslist
Which I haven't solved yet, but the underlying problem is: I don't have caniuse-lite in my package.json - so where is it?
btw: running that command makes no difference.
It's obviously a dependency or a dependency of a dependency, ad infinitum...
npmjs caniuse-lite lists 80 dependent packages.
Is there a way to search the dependency graph of packages to easily find what package in my package.json file is the parent that somewhere along the line depends on caniuse-lite?
You can easily check that in the following way.
Check out more here: https://docs.npmjs.com/cli/ls
npm ls contextify
app-name@0.0.1 /home/zorbash/some-project
└─┬ d3@3.3.6
  └─┬ jsdom@0.5.7
    └── contextify@0.1.15
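As an added example that is not from any of the posts above, this script does offline what npm ls <name> does for the question just answered: it walks a lockfileVersion 1 package-lock.json and lists every parent chain leading to a target package. It also addresses the hash question from the first thread by marking ancestors that npm installed from a git URL, the case that npm 6's audit table shows as a commit hash. The lockfile, the names demo-app and internal-lib, the host example.invalid and the commit hash are all constructed placeholders.

```javascript
// Added example (not from the original posts): walk a lockfileVersion 1
// package-lock.json and list every path to a target package, like `npm ls`.
// Ancestors installed from a git URL are marked: npm 6's audit table shows
// those by commit hash, not by name. The lockfile is constructed sample data.
const registry = (n, v) => ({ version: v, resolved: `https://registry.npmjs.org/${n}/-/${n}-${v}.tgz` });
const sampleLock = {
  name: "demo-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    mocha: { ...registry("mocha", "5.2.0"), dependencies: { growl: registry("growl", "1.10.5") } },
    "internal-lib": {
      // lockfile v1 keeps a git dependency's commit in "version"; the hash is a placeholder
      version: "git+ssh://git@example.invalid/org/internal-lib.git#0123456789abcdef0123456789abcdef01234567",
      from: "git+ssh://git@example.invalid/org/internal-lib.git",
      dependencies: { growl: registry("growl", "1.9.2") },
    },
  },
};

// A package came from git if any of its locator fields is a git URL.
function isGitDependency(entry) {
  return [entry.version, entry.resolved, entry.from].some(
    (s) => typeof s === "string" && /^git(\+[a-z]+)?:\/\//i.test(s)
  );
}

// One record per occurrence of `target`: the parent chain from the project
// root, the installed version, and which ancestors (if any) came from git.
function findDependencyPaths(lock, target) {
  const hits = [];
  const walk = (deps, trail, gitAncestors) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, name];
      const gits = isGitDependency(entry) ? [...gitAncestors, name] : gitAncestors;
      if (name === target) hits.push({ path, version: entry.version, gitAncestors: gits });
      walk(entry.dependencies, path, gits); // nested copies live under "dependencies"
    }
  };
  walk(lock.dependencies, [lock.name], []);
  return hits;
}

// Renders a hit the way the audit table's Path row does: "a > b > target".
function formatPath(hit) {
  return hit.path.map((n) => (hit.gitAncestors.includes(n) ? `${n} [git]` : n)).join(" > ");
}

// Prints "demo-app > mocha > growl (1.10.5)" and "demo-app > internal-lib [git] > growl (1.9.2)".
for (const hit of findDependencyPaths(sampleLock, "growl")) console.log(`${formatPath(hit)} (${hit.version})`);
```

To run it against a real project, replace sampleLock with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")); lockfileVersion 2 and 3 files nest differently ("packages" keyed by path) and are not handled here.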

React Native cannot find entry file in any of the roots

Description
Cloned a repo to a new computer and getting the following error:
swipes@0.0.1 start C:\a\swipes-api\mobile
node node_modules/react-native/local-cli/cli.js start
Scanning 722 folders for symlinks in C:\a\swipes-api\mobile\node_modules (30ms)
┌────────────────────────────────────────────────────────────────────────────┐
│ Running packager on port 8081. │
│ │
│ Keep this packager running while developing on any JS projects. Feel │
│ free to close this tab and run your own packager instance if you │
│ prefer. │
│ │
│ https://github.com/facebook/react-native │
│ │
└────────────────────────────────────────────────────────────────────────────┘
Looking for JS files in
C:\a\swipes-api\mobile
error: bundling: NotFoundError: Cannot find entry file index.android.js in any of the roots: ["C:\\a\\swipes-api\\mobile"]
at DependencyGraph._getAbsolutePath (C:/a/swipes-api/mobile/node_modules/react-native/packager/src/node-haste/DependencyGraph.js:280:11)
at DependencyGraph.getDependencies (C:/a/swipes-api/mobile/node_modules/react-native/packager/src/node-haste/DependencyGraph.js:218:26)
at Resolver.getDependencies (C:/a/swipes-api/mobile/node_modules/react-native/packager/src/Resolver/index.js:107:27)
at C:/a/swipes-api/mobile/node_modules/react-native/packager/src/Bundler/index.js:591:37
at next (native)
at step (C:\a\swipes-api\mobile\node_modules\react-native\packager\src\Bundler\index.js:12:445)
at C:\a\swipes-api\mobile\node_modules\react-native\packager\src\Bundler\index.js:12:605
at process._tickCallback (internal/process/next_tick.js:103:7)
Bundling `index.android.js` 0.0% (0/1), failed.
The path is correct where it's searching from. I've been stuck with this for the whole day now.
Is this somehow because there are double backslashes in the path to the index file?
npm start -- --reset-cache results in the same error.
Running yarn start after react-native run-android results in the same issue as well.
npm run start -- --root C:\a\swipes-api\mobile - No result.
This does not seem to be connected to the previous issue in RN 0.45.0.
Additional Information
React Native version: 0.45.1
Platform: Android
Development Operating System: Windows
Edit:
All new projects with react-native init result in the same issue. Seems to be an issue with the config of my computer or npm, but I can't seem to track down why this happens.
Any ideas?
I have this and some errors like this on Windows.
Updating npm and node helped me with this issue.
Currently I have:
C:\usr\Far>node -v && npm -v
v6.11.1
3.10.10
Many attempts to run were not successful at all until I updated. Anyway, some errors like this appear from time to time. Just restart. It is also helpful to do this before restarting (but it may not be needed; just restart):
sh -c 'rm -rf $TMP/react*'
npm cache clean
where $TMP is your system tmp directory (check whether react temp files exist there).
If you add or update some packages, or make similar modifications concerning the node_modules directory, you also need to do:
rm -rf node_modules && npm install

npm: using 'npm uninstall' vs. just removing the folder

I wanted to try grunt-babel, so I opened up a terminal in my Home folder and did npm install --save-dev grunt-babel babel-preset-es2015 according to the plugin's instructions.
I was doing this too hastily, and realized I should probably have done this in my new project folder where I am dabbling with ES6 code. I had not even done npm init in that folder nor in the Home folder from where I executed the install command.
When I do npm uninstall grunt-babel, the preset files are removed but 91 folders of different dependencies remain in the node_modules folder.
Can I simply remove the folder instead of running npm uninstall 91 times?
This guy asked a similar question but none of the answers address his subquestion of just removing the folder: how to uninstall npm modules in node js?
npm uninstall <name> removes the module from node_modules, but not package.json.
npm uninstall <name> --save to also delete the dependency from package.json.
npm rm <package_name> removes the packages when uninstall is not working.
npm prune <name> (see docs) for extraneous packages and packages that are not listed on the parent package's dependencies list.
If you don't want to uninstall one by one run
rm -rf node_modules && npm cache clean && npm install
It's a good way to be sure the packages you uninstall are no longer in package.json.
Now in 2021 npm uninstall <name> will also remove it from package.json.
UPDATED answer (2020):
These are all aliases to uninstall:
remove, rm, r, un, unlink
And today there is no need for the --save flag since it is the default. The same goes for install, BTW.
Use npm list as a tool to understand your changes. I usually use the time to make a capture file like:
npm list >1307
do some change
npm list >1309
so then:
cat 13??
or an editor lets me see what npm thinks it did.
For uninstall, only packages at the root of the 'whole package' get removed. Other than that, the command is politely ignored...
For example:
├── safe-stable-stringify@1.1.0
├── semver@6.3.0
├─┬ tableify@1.1.0
│ └─┬ optimist@0.6.1
│   ├── minimist@0.0.8 deduped
│   └── wordwrap@0.0.3
safe-stable-stringify is a removal candidate, but wordwrap is not. Think about it, this is entirely reasonable!
npm uninstall pkgtoyank --save
updates package.json by removing it from there as well.
npm is very well designed, to say the least. I usually hugely avoid directly poking under it in ./node_modules. I will copy things out from there to look at them, but why yank on the leash of a BIG CAT and get bitten? It works; use it as it's intended....