Not modify package.json when doing npm audit fix - npm

I've updated my npm version, and I think npm audit is a new feature. When I run npm audit fix some of my packages versions are changed from package.json. I just want keep the packages as same as my coworkers

To answer the original question, if you really want to skip auditing completely when installing (for whatever reason, in my case I wanted to troubleshoot an exception when installing) you can use --no-audit flag:
npm install --no-audit

npm audit fix is not must to get your app up and running. I use this command when I want to make sure that there is no potential security vulnerability so that git hub won't have any object against my project. In case you still want to use audit fix without changing rest files, try this commands
Run audit fix without modifying node_modules, but still updating the pkglock:
$ npm audit fix --package-lock-only
Skip updating devDependencies:
$ npm audit fix --only=prod
Do a dry run to get an idea of what audit fix will do, and also output install information in JSON format:
$ npm audit fix --dry-run --json
Check out this link for your future reference:
https://docs.npmjs.com/cli/audit

Related

Install package from npm after linking to another local package with updated version

I'm sure others have this workflow, so I must be missing something here.
How does one go about developing a new version of a package, linking it to test in another app, and then installing another (unrelated) package?
What I've done:
Run git clone git#package-to-update && cd package-to-update.
Edit package, update package-to-update/package.json version to 2.0.0.
Update my-app/package.json to use package-to-update#2.0.0.
cd package-to-update && npm link && cd my-appp && npm link package-to-update.
Test out my-app, see that package-to-update#2.0.0 resolves the issue, have a small party.
Push to package-to-update's upstream, create a merge request, and wait for maintainers to merge in my changes.
Use my local, linked version in the meantime as it's required for the feature I'm working on.
Notice I need another package other-unrelated-package in my-app.
Run cd my-app && npm install other-unrelated-package.
NPM fails because it's trying to pull package-to-update#2.0.0, which is not yet published.
Cry.
Is the only option here to run the following process every time you want to npm install?
Downgrade package-to-update in my-app/package.json.
Run npm install other-package.
Run npm link package-to-update.
Upgrade package-to-update in my-app/package.json".
I generally only use npm link for development. If I want to use a local version and not have to deal with re-linking, I install it by path rather than by version.
npm install /file/path/to/your/module
Then you'll end up with a file: URL like this in your package.json:
"slug": "file:../../slug"
Subsequent npm install won't search the registry in that case. (Since it will avoid the registry on future npm install runs, it also means you need to remember to change it back to the registry when the version with your patch is released!)
I haven't tested, but this method may require that you only care about it as an immediate dependency and not a dependency of another dependency. Based on your workflow above, that seems to be the case, but mentioning it here for other folks.

What does "npm audit fix" exactly do?

npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.
I assumed that npm audit fix would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install. However npm audit fix still performs a lot of changes after lock file removal + reinstall.
What exactly does npm audit fix do? Does it for example install versions of dependencies newer than those allowed by the corresponding package.json (but still semver-compatible)?
From NPM's site on their audit command:
npm audit fix runs a full-fledged npm install under the hood
And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document:
Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones:
$ npm audit fix --force
As for the lock file, it is regenerated each time you run a command that changes package.json. There is more information about that in an answer here as well as in the official documentation.
In my understanding is not only "upgrading" but sometimes also downgrading in order to install the stable version that fix the issue, sometimes those issues comes in newer versions that maybe have introduced bugs or simply do not match with previous package's API etc.
E.g in my case for example npm install have upgrade react-script to 5.0.0 that has some issue and after have run:
npm audit fix --force
The force flag does : To address all issues (including breaking changes), run: npm audit fix --force
it installed the 3.0.1 with following message:
npm WARN audit Updating react-scripts to 3.0.1,which is a SemVer major change.
So it does the upgrade to the stable version of that package that fix the issue.
On top, though docs state "is running npm install under the hood" but not in the sense of installing newest version of a dependency, but could be useful also to check what happens with npm ci What is the difference between "npm install" and "npm ci"?

How to fix npm vulnerabilities that require semver-major dependency updates?

I cloned ParaViewWeb from https://github.com/kitware/paraviewweb then did the following;-
$ npm install
$ npm audit fix
Leaving me with this:
found 42 vulnerabilities (9 low, 23 moderate, 10 high) in 41716 scanned packages
14 vulnerabilities require semver-major dependency updates.
28 vulnerabilities require manual review.
How do I fix the 14 vulnerabilities that require semver-major dependency updates?
When you run npm audit, there should be a line telling you how to update it, e.g.:
# Run npm install --save-dev example#5.0.2 to resolve 1 vulnerability
# SEMVER WARNING: Recommended action is a potentially breaking change
Just execute that to fix it.
If you are already sure that you need to run all that updates then use:
npm audit fix --force
From npm Docs
If the chain of metavulnerabilities extends all the way to the root project, and it cannot be updated without changing its dependency ranges, then npm audit fix will require the --force option to apply the remediation. If remediations do not require changes to the dependency ranges, then all vulnerable packages will be updated to a version that does not have an advisory or metavulnerability posted against it.
If you are in my situation, there currently is no fix.
You may have to complete the fix yourself:
Go into the package and change it's package.json version manually.
OR
Open an issue on the package and hope its still being maintained by the creator.
https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
has a list of suggested fixes.
Upgrade npm through this command
npm install npm#latest -g

Save peer dependencies in npm with a command

Is there a way to achieve that using npm ? Currently I do this manually, would be nice to use similar approach as with npm install --save
I found some old discussion and commits but it seems it didn't make it:
https://github.com/npm/npm/pull/3994
As far as I can tell, you can't. Just install it as a regular dependency (production or otherwise, just like the package requiring the peer dependency is installed as).
Even if you manually add the entry to peerDependencies an npm audit is going to fail to recognize the package and tell you to install it.
This kind of stinks, I'm a big fan of the separation of concerns, and keeping a list of modules that only exist so they can be absorbed by other modules is crummy.
But, it is what it is and so long as you leverage the npm commands afforded to you, I guess it's manageable.
Since 'I don't know what npm version' you can use npm i --save-peer package_name command. Works on npm 8.1.0

How to figure out why does the npm hang?

I'm suffering from the infamous npm install (update) hanging problem.
So far I found following recipes:
cleaned the cache: npm cache clean
deleted npm_modules in my project
set the registry to plain http (http://registry.npmjs.org/): npm config set registry http://registry.npmjs.org/
used --loglevel=verbose flag with npm install
increased number of connections as described here:
Increasing the maximum number of tcp/ip connections in linux
Yet it still hangs. The position at which it hangs seems to be random. It can be
npm verb get saving gulp-traceur to /home/me/.npm/registry.npmjs.org/gulp-traceur/.cache.json; or when installing npm verb afterAdd /home/me/.npm/q/0.9.7/package/package.json the last package downloaded is really random.
The versions are:
npm info using npm#2.7.5
npm info using node#v0.12.0
So the question is if there is anything else I can do about it?
I don't know if you have the same problem as I did but I can't make a comment to your question because I have not enough reputation.
Today somebody found solution to my similar problem. You can check it here:
Sometimes you need to use --force command to make sure the cache is cleaned:
npm cache clean --force.
Maybe related to this issue.
I tried all the above. I use homebrew and had to uninstall node / npm.
This worked for me:
brew install nvm
nvm install node
Afterwards npm started working again for me.