npm - using stale package data - npm

Whenever I do an npm install, I get a ton of messages about it using stale package data. What does that mean and is it something I need to worry about?
Here's a small example of the warning messages I get with an npm install. In this particular example I had just run "npm install @angular/animations@latest --save":
WARN registry Unexpected warning for https://registry.npmjs.org/: Miscellaneous Warning EINTEGRITY: sha512-Mp+FXEI+FrwY/XYV45b2YD3E8i3HwnEAoFcM0qlZzq/RZ9RwWitt2Y/c7cqRAz70U7hfekqx6qNYthuKFO6K0
g== integrity checksum failed when using sha512: wanted sha512-Mp+FXEI+FrwY/XYV45b2YD3E8i3HwnEAoFcM0qlZzq/RZ9RwWitt2Y/c7cqRAz70U7hfekqx6qNYthuKFO6K0g== but got sha1-2+xJQ20q4V9TYRTnbRRlbNvA9E0
=. (8538 bytes)
WARN registry Using stale package data from https://registry.npmjs.org/ due to a request error during revalidation.
WARN registry Unexpected warning for https://registry.npmjs.org/: Miscellaneous Warning EINTEGRITY: sha512-NnSOmMEYtVR2JVMIGTzynRkkaxtiq1xnFBcdQD/DnNCYPoEPsVJhM98BDyaoNOQIi7p4okdi3E27eN7GQbsUu
g== integrity checksum failed when using sha512: wanted sha512-NnSOmMEYtVR2JVMIGTzynRkkaxtiq1xnFBcdQD/DnNCYPoEPsVJhM98BDyaoNOQIi7p4okdi3E27eN7GQbsUug== but got sha1-wVm41b4PnlpvNG2rlPFs4CIWG4g
=. (3618 bytes)
WARN registry Using stale package data from https://registry.npmjs.org/ due to a request error during revalidation.
WARN registry Unexpected warning for https://registry.npmjs.org/: Miscellaneous Warning EINTEGRITY: sha512-Mp+FXEI+FrwY/XYV45b2YD3E8i3HwnEAoFcM0qlZzq/RZ9RwWitt2Y/c7cqRAz70U7hfekqx6qNYthuKFO6K0
g== integrity checksum failed when using sha512: wanted sha512-Mp+FXEI+FrwY/XYV45b2YD3E8i3HwnEAoFcM0qlZzq/RZ9RwWitt2Y/c7cqRAz70U7hfekqx6qNYthuKFO6K0g== but got sha1-2+xJQ20q4V9TYRTnbRRlbNvA9E0
=. (8538 bytes)
WARN registry Using stale package data from https://registry.npmjs.org/ due to a request error during revalidation.
WARN registry Unexpected warning for https://registry.npmjs.org/: Miscellaneous Warning EINTEGRITY: sha512-NnSOmMEYtVR2JVMIGTzynRkkaxtiq1xnFBcdQD/DnNCYPoEPsVJhM98BDyaoNOQIi7p4okdi3E27eN7GQbsUu
g== integrity checksum failed when using sha512: wanted sha512-NnSOmMEYtVR2JVMIGTzynRkkaxtiq1xnFBcdQD/DnNCYPoEPsVJhM98BDyaoNOQIi7p4okdi3E27eN7GQbsUug== but got sha1-wVm41b4PnlpvNG2rlPFs4CIWG4g
=. (3618 bytes)
WARN registry Using stale package data from https://registry.npmjs.org/ due to a request error during revalidation.
Here is the current package.json file that I have for my project:
{
"name": "myproject",
"version": "0.0.1",
"license": "me",
"scripts": {
"ng": "ng",
"start": "ng serve",
"build": "ng build --extract-css true",
"build-prod": "ng build -prod",
"test": "ng test",
"lint": "ng lint",
"e2e": "ng e2e",
"update:packages": "node wipe-dependencies.js && rm -rf node_modules && npm update --save-dev && npm update --save",
"prestyleguide": "ng build --extract-css true",
"styleguide": "rimraf dist/styleguide/ && kss --config kss/kss-config.json --custom hidemarkup --custom hideexample --custom hidedefault --custom fakeexample --placeholder .modifier-class",
"//": "Build just the styleguide without building the entire app (requires that the app has already been built to the dist/ folder)",
"build-styleguide": "rimraf dist/styleguide/ && kss --config kss/kss-config.json --custom hidemarkup --custom hideexample --custom hidedefault --custom fakeexample --placeholder .modifier-class"
},
"private": true,
"dependencies": {
"@angular/animations": "^4.3.3",
"@angular/common": "^4.3.2",
"@angular/compiler": "^4.3.2",
"@angular/core": "^4.3.2",
"@angular/forms": "^4.3.2",
"@angular/http": "^4.3.2",
"@angular/platform-browser": "^4.3.2",
"@angular/platform-browser-dynamic": "^4.3.2",
"@angular/router": "^4.3.2",
"@ng-bootstrap/ng-bootstrap": "^1.0.0-alpha.28",
"bootstrap": "^4.0.0-alpha.6",
"classlist.js": "^1.1.20150312",
"core-js": "^2.4.1",
"font-awesome": "^4.7.0",
"ngx-mydatepicker": "^2.0.12",
"rxjs": "^5.4.2",
"web-animations-js": "^2.3.1",
"zone.js": "^0.8.16"
},
"devDependencies": {
"@angular/cli": "^1.2.3",
"@angular/compiler-cli": "^4.3.2",
"@types/jasmine": "^2.5.53",
"@types/node": "^8.0.15",
"codelyzer": "^3.1.2",
"fs-extra": "^4.0.0",
"jasmine-core": "^2.6.4",
"jasmine-spec-reporter": "^4.1.1",
"karma": "^1.7.0",
"karma-chrome-launcher": "^2.2.0",
"karma-cli": "^1.0.1",
"karma-coverage-istanbul-reporter": "^1.3.0",
"karma-jasmine": "^1.1.0",
"karma-jasmine-html-reporter": "^0.2.2",
"kss": "^3.0.0-beta.18",
"protractor": "^5.1.2",
"random-ext": "^2.5.1",
"ts-node": "^3.2.1",
"tslint": "^5.5.0",
"typedoc": "^0.7.1",
"typescript": "^2.4.2"
}
}

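Try the following, then reinstall all of your project's dependencies:
rm ./package-lock.json
rm -r ./node_modules
npm cache clear --force
Note that deleting package-lock.json also discards the exact versions and integrity hashes it recorded, so the reinstall may resolve to different versions than before; keep the old file in version control if you need to compare afterwards.
There has been a long thread on GitHub about it, since June I think.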

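Since npm 5 you don't have full control over the cache, so for npm 5 you could try
npm cache verify
which checks the integrity of everything in the cache and cleans out what it no longer needs; the EINTEGRITY lines in the question appear to be exactly that kind of mismatch between an expected and an actual checksum.
This helped me. I don't think you have to remove package-lock.json and node_modules as a first step.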

Should the cache clear method not work...
I found I had this problem during an OS X update. Installing the Command Line Tools update and restarting iTerm fixed this, incredibly enough.
Certainly not suggesting this is a "proper" solution but was definitely messing with my setup (wtf apple?). Posted in the event someone else viewing this is in the same position 💁🏼

You can try clearing your NPM cache using:
$ npm cache clear --force
Then re-install your node modules.
I hope this helps.

I got this error when using a custom registry (not npmjs.org). The problem was that my registry had gone down.

Before deleting your node_modules, check your internet connection - your provider might do some traffic shaping and blocking or slowing down the access to package repositories. You can spot that if you see something like Miscellaneous Warning ETIMEDOUT: [...] in your error messages.
This was the case for me, and the problem got resolved once I was using VPN.

Related

vue-CLI outputting very concerning error (security question)

I'm building an application with Vue.js. Suddenly, vue-cli has begun outputting errors that have me concerned that perhaps one or more of my dependencies has something nefarious in it.
When I run npm run serve (vue-cli serve), the command succeeds, but outputs several lines of error messages like the following:
(node:366423) UnhandledPromiseRejectionWarning: Error: ENOENT: no such file or directory, stat '/initrd.img'
It also fails to stat /home/jordan/.steampath, /initrd.img.old, /vmlinuz, and /vmlinuz.old.
It also sometimes outputs these lines when hot-reloading.
I'm concerned because it seems there should be ZERO reason for it to even try to stat kernel files or my steampath. It seems to be looking at things it shouldn't need to (but is apparently being prevented from doing so).
Should I be concerned about security? Is this evidence that I'm using a vue or NPM plugin with nefarious code in it? Or is this a simple misconfiguration somewhere?
Here's my package.json:
{
"name": "pp10-client",
"version": "0.1.0",
"private": true,
"scripts": {
"serve": "vue-cli-service serve",
"build": "vue-cli-service build",
"lint": "vue-cli-service lint"
},
"dependencies": {
"@sentry/browser": "^5.15.5",
"@sentry/integrations": "^5.15.5",
"@tinymce/tinymce-vue": "^2.1.0",
"apexcharts": "^3.19.2",
"axios": "^0.19.2",
"blueimp-md5": "^2.16.0",
"core-js": "^2.6.11",
"filepond": "^4.13.6",
"moment": "^2.26.0",
"npm-cache": "^0.7.0",
"pdfjs": "^2.3.7",
"pdfjs-dist": "^2.3.200",
"save": "^2.4.0",
"sortablejs": "^1.10.2",
"tinymce": "^5.3.0",
"underscore": "^1.10.2",
"v-calendar": "^1.0.8",
"v-tooltip": "^2.0.2",
"vue": "^2.6.11",
"vue-apexcharts": "^1.5.3",
"vue-color": "^2.7.1",
"vue-filepond": "^5.1.3",
"vue-js-modal": "^1.3.35",
"vue-js-toggle-button": "^1.3.3",
"vue-phone-number-input": "^1.1.9",
"vue-router": "^3.2.0",
"vue-stepper-component": "^1.0.0",
"vue-tour": "^1.3.1",
"vue-worker": "^1.2.1",
"vuedraggable": "^2.23.2",
"vuex": "^3.4.0"
},
"devDependencies": {
"@vue/cli-plugin-babel": "^3.12.1",
"@vue/cli-plugin-eslint": "^3.12.1",
"@vue/cli-service": "^3.12.1",
"babel-eslint": "^10.1.0",
"eslint": "^5.16.0",
"eslint-plugin-vue": "^5.2.3",
"pug": "^2.0.4",
"pug-plain-loader": "^1.0.0",
"sass": "^1.26.5",
"sass-loader": "^7.3.1",
"stylus": "^0.54.7",
"stylus-loader": "^3.0.2",
"vue-template-compiler": "^2.6.11"
}
}
EDIT: Solution:
Removed nodejs and npm, deleted all associated folders, and reinstalled nodejs and npm by using nvm (node version manager). I chose the current version of node (14 as of this writing).
Removed node_modules and package-lock.json within the project.
Ran npm install (in project folder)
Installed vue-cli globally: npm install -g @vue/cli
When builds failed, followed prompts to install missing dependencies.
FINALLY it worked.
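I'm facing the same issue with nuxt.js, and the audit does not mention anything about it (an audit only reports known advisories, so a clean result does not rule out an unreported problem). How can I find the npm module responsible? The string "steam" is not present, so it is likely obfuscated, as a byte array or something similar.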
On Ubuntu 20.04, upgrading to node 12.18.3 and running npm rebuild node-sass solved the problem for me.
Make sure you use the latest dependencies in your package.json (manually check on npmjs.com or your npm registry)
Deleting the entire node_modules directory and package-lock.json, and then running npm install, helped me.

VueJS: Error when building for production

I have been trying to build a production version of my code that built just fine previously. Now, when I run vue build on my main.js file it provides the following:
\ Building for production...Browserslist: caniuse-lite is outdated. Please run next command `npm update caniuse-lite browserslist`
\ Building for production...Browserslist: caniuse-lite is outdated. Please run next command `npm update caniuse-lite browserslist`
Browserslist: caniuse-lite is outdated. Please run next command `npm update caniuse-lite browserslist`
\ Building for production...Browserslist: caniuse-lite is outdated. Please run next command `npm update caniuse-lite browserslist`
(node:10708) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): Error: CSS minification error: Unknown browser query `basedir=$(dirname "$(echo "$0" | sed -e 's`. Maybe you are using old Browserslist or made typo in query.. File: css/app.75eb53b0.css
(node:10708) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
I have attempted to resolve the Browserslist/caniuse-lite error by manually updating the package, and packages that are dependent upon it, starting a new project, running npm --depth 999 commands (depth 9999 causes a memory heap error), and everything else I can find to do. I am not using VS (using VS Code) but attempted to work around by removing the WebCompiler information from my AppData, but do not have a WebCompiler folder to begin with.
I have additionally tried reverting back to css-loader 2.1.1, which resolved another issue that came up while working on this, but it has not resolved this issue.
Any help would be greatly appreciated as this is stopping any updates from being published to production.
I have attempted the fixes in the other thread regarding the Browserslist warning. Additionally those threads do not mention the following error:
(node:10708) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): Error: CSS minification error: Unknown browser query `basedir=$(dirname "$(echo "$0" | sed -e 's`. Maybe you are using old Browserslist or made typo in query.. File: css/app.75eb53b0.css
(node:10708) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
The following is my package.json for the project
{
"name": "coeus",
"version": "0.1.0",
"private": true,
"scripts": {
"serve": "vue-cli-service serve",
"build": "vue-cli-service build",
"lint": "vue-cli-service lint"
},
"dependencies": {
"@fortawesome/fontawesome-svg-core": "^1.2.25",
"@fortawesome/free-brands-svg-icons": "^5.11.2",
"@fortawesome/free-solid-svg-icons": "^5.11.2",
"@fortawesome/vue-fontawesome": "^0.1.7",
"axios": "^0.19.0",
"bcrypt": "^3.0.6",
"bcryptjs": "^2.4.3",
"body-parser": "^1.19.0",
"bootstrap-vue": "^2.0.2",
"browserslist": "^4.7.0",
"caniuse-lite": "^1.0.30000997",
"cors": "^2.8.5",
"dns": "^0.2.2",
"express": "^4.17.1",
"express-fileupload": "^1.1.5",
"fast-csv": "^3.4.0",
"json-loader": "^0.5.7",
"jsonwebtoken": "^8.5.1",
"method-override": "^3.0.0",
"mongoose": "^5.7.1",
"morgan": "^1.9.1",
"nodemailer": "^6.3.0",
"npm": "^6.11.3",
"path": "^0.12.7",
"vue": "^2.6.10",
"vue-router": "^3.1.3",
"vuex": "^3.1.1"
},
"devDependencies": {
"@vue/cli-plugin-babel": "^3.11.0",
"@vue/cli-plugin-eslint": "^3.11.0",
"@vue/cli-service": "^3.11.0",
"@vue/eslint-config-prettier": "^5.0.0",
"css-loader": "^2.1.1",
"style-loader": "^1.0.0",
"vue-template-compiler": "^2.6.10"
}
}
I am not sure why this is (I could have missed it in the docs), but I realized that I had been using the vue build command to build the production version. After looking over a few things I tried npm run build instead, and not only did I not get the Browserslist warning, I did not encounter the minification error either. Thank you for all of the help!

Custom Webpack wrapper library not installing dependencies

I wrote a wrapper library for internal use of webpack with all the needed loaders and config stuff pre-done so I only have to install the wrapper library to every project and add the entry configuration.
So far that worked but for my newest, freshly cloned project it doesn't.
I tried deleting the node_modules folder and the package-lock.json file and do a clean npm i but it's still the same.
webpack-cli is installed, but has webpack as peer-dependency and it says it isn't installed. When I add it to the projects' package.json it works, but then trying to npm run build results in several errors that it couldn't find any of the loaders that should have been installed with the library.
project package.json
"scripts": {
"build": "webpack --progress --colors --hide-modules",
"dev": "npm run build --",
"watch": "npm run dev -- --watch",
"prod": "NODE_ENV=production npm run build"
},
"devDependencies": {
"@namespace/lib": "git+ssh://git@internal:js/lib.git"
},
library package.json
"dependencies": {
"@babel/core": "^7.1.2",
"@babel/preset-env": "^7.1.0",
"autoprefixer": "^9.3.1",
"babel-loader": "^8.0.4",
"copy-webpack-plugin": "^4.5.4",
"css-loader": "^1.0.0",
"extract-text-webpack-plugin": "^4.0.0-beta.0",
"file-loader": "^2.0.0",
"image-webpack-loader": "^4.4.0",
"lodash": "^4.17.11",
"node-sass": "^4.9.4",
"postcss-loader": "^3.0.0",
"sass-loader": "^7.1.0",
"vue-loader": "^15.4.2",
"vue-style-loader": "^4.1.2",
"vue-template-compiler": "^2.5.17",
"webpack": "^4.23.1",
"webpack-cli": "^3.1.2"
},
"devDependencies": {
"eslint": "^5.8.0",
"standard": "^12.0.1"
}
I deleted the
"@namespace/lib": "git+ssh://git@internal:js/lib.git"
line from the project's package.json file and did a
npm i -D git+ssh://git@internal:js/lib.git
and now it installed all the libraries' dependencies.
Before that I just ran npm i from the newly cloned project with the existing lines in the package.json. I don't understand why that would make a difference, but it seems it did!
//EDIT:
Another thing that worked:
git reset --hard
rm package-lock.json
rm -rf node_modules # deleting already installed modules from the previous tries
npm i
So from a fresh git clone-perspective it's just deleting the lock-file and then installing again. But without a pre-existing node_modules folder.

requires a peer but none was installed

My package.json looks like this
{
"name": "hello-world",
"version": "1.0.0",
"description": "The Hello World",
"author": "",
"license": "MIT",
"scripts": {
"start": "tsc && concurrently \"npm run tsc:w\" \"npm run lite\" ",
"lite": "lite-server",
"postinstall": "typings install",
"tsc": "tsc",
"tsc:w": "tsc -w",
"typings": "typings"
},
"dependencies": {
"@angular/common": "~2.0.1",
"@angular/compiler": "~2.0.1",
"@angular/core": "~2.0.1",
"@angular/http": "~2.0.1",
"@angular/platform-browser": "~2.0.1",
"@angular/platform-browser-dynamic": "~2.0.1",
"@angular/router": "~3.0.1",
"@angular/upgrade": "~2.0.1",
"systemjs": "0.19.39",
"core-js": "^2.4.1",
"reflect-metadata": "^0.1.8",
"rxjs": "5.0.0-beta.12",
"zone.js": "^0.6.25",
"angular-in-memory-web-api": "~0.1.1",
"bootstrap": "4.0.0-alpha.4"
},
"devDependencies": {
"concurrently": "^3.0.0",
"lite-server": "^2.2.2",
"typescript": "^2.0.3",
"typings": "^1.4.0"
}
}
When I run npm i it runs successfully but I got some warnings.
npm WARN angular-in-memory-web-api@0.1.17 requires a peer of rxjs@5.0.0-rc.4 but none was installed.
npm WARN angular-in-memory-web-api@0.1.17 requires a peer of zone.js@^0.7.2 but none was installed.
I added these lines to package.json
"peerDependencies": {
"rxjs": "5.0.0-rc.4",
"zone.js": "^0.7.2"
}
But when I run npm i again I still get this warning
npm WARN hello-world@1.0.0 requires a peer of rxjs@5.0.0-rc.4 but none was installed.
npm WARN hello-world@1.0.0 requires a peer of zone.js@^0.7.2 but none was installed.
npm WARN angular-in-memory-web-api@0.1.17 requires a peer of rxjs@5.0.0-rc.4 but none was installed.
npm WARN angular-in-memory-web-api@0.1.17 requires a peer of zone.js@^0.7.2 but none was installed.
with additional warning for the main application.
Why is that and how to get rid from this warning?
TL;DR
Peer dependencies are a special kind of dependency: they are used by packages which do not call them directly, giving the user (you) the control. Hence, you have to install these packages manually.
You do not need to add peerDependencies to your package.json.
The reason you're seeing these warnings is that some of your dependencies declare rxjs@5.0.0-rc.4 and zone.js@^0.7.2 in their package.json as peerDependencies. This is why, once you added peerDependencies to your own package.json, you got these warnings twice.
To understand more about Peer Dependencies I suggest reading these:
Peer Dependencies
What are those PeerDependencies in a NodeJS project?
This great answer
I deleted the node_modules folder and ran npm install, and the error went away.

npm install does not install nested dependencies

npm install is failing to install all nested dependencies (seemingly from a depth of 2 packages deep and beyond).
I suspected it might have something to do with one or more dependencies (e.g. bcrypt) which error on install and kill the npm process (despite themselves seeming to install successfully).
Running npm install again does not install all the dependencies, and you have to manually invoke npm install <one of your packages>@<its version number>, which is a bad thing.
$ npm -v
2.14.12
Works fine on Mac OSX. Problem is on Ubuntu 14.04.4 LTS.
** Edit 1: package.json **
{
"name": "test",
"version": "0.0.0",
"description": "Test",
"main": "",
"scripts": {
},
"author": "",
"license": "ISC",
"dependencies": {
"bcrypt": "0.8.5",
"boom": "^3.1.2",
"deep-freeze": "0.0.1",
"good": "~6.4.0",
"good-console": "~5.2.0",
"hapi": "~11.1.2",
"hapi-auth-cookie": "^3.1.0",
"inert": "~3.2.0",
"iron": "^4.0.0",
"joi": "^8.0.4",
"jquery": "^2.1.1",
"kerberos": "0.0.17",
"lodash": "^3.10.1",
"moment": "^2.11.2",
"mysql": "^2.10.2",
"q": "~1.4.1",
"react": "0.14.6",
"react-dom": "0.14.6",
"react-redux": "4.0.6",
"react-router": "2.0.0-rc5",
"react-router-redux": "2.1.0",
"reduce-reducers": "0.1.1",
"redux": "^3.0.5",
"request": "2.69.0",
"sequelize": "git://github.com/ajamesphillips/sequelize.git",
"sparkpost": "^1.2.0"
}
}
I have upgraded the server from 0.5 Gb RAM to 2 Gb RAM and so far it seems npm install proceeds smoothly. Not certain that memory exhaustion was the problem. Will hopefully not report back but will do if it breaks again.
I'm fairly certain this was an issue with running out of memory. Will use egrep -i -r 'killed process' /var/log/ ( Finding which process was killed by Linux OOM killer ) next time I have this problem to see if OOM killer killed some of the processes launched by npm install.