Can't install gulp-babel with npm

npm gives me the following error:
No compatible version found: left-pad@0.0.3
Tried to install left-pad with npm and got the same error.

left-pad was unpublished from npm, and once something is unpublished you can't publish it again. Now anything that has dependencies on the versions of left-pad that were removed needs to be updated.
See here for discussion.
Edit: turns out the author of left-pad removed all his packages from NPM because NPM caved to kik's lawyers and seized control of the author's kik related repo. Pretty hilarious such a trivial library has brought large chunks of the ecosystem down.

Related

Trouble installing Ganache on fresh WSL

I'm new to coding. I'm using Windows 10 and just installed a WSL. I want to install Ganache using the command npm install -g ganache-cli but it says it has 8 vulnerabilities (7 moderate, 1 high).
When I write npm audit fix or npm audit fix --force it says that there are no vulnerabilities. I don't understand where the problem is.
My NPM version is 8.3.0
There's no real reason to be alarmed about the vulnerabilities npm reports, especially for a new project. Most of the time, these vulnerabilities won't actually affect your project. Be careful using npm audit fix, especially npm audit fix --force, because it can upgrade or downgrade packages, affecting functionality. If you do use it and it says 0 vulnerabilities after, that means it fixed all of them.
Packages are open-sourced so the community would spot any damaging or sneaky code, especially popular packages such as ganache-cli.
Read more here: https://www.voitanos.io/blog/don-t-be-alarmed-by-vulnerabilities-after-running-npm-install/

npm deprecated package [duplicate]

npm WARN deprecated tar@2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
changed 67 packages, and audited 68 packages in 7s
4 packages are looking for funding
run `npm fund` for details
2 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
This kind of problem is quite common for npm users. Your package.json file mentions multiple npm packages you need. And each of those packages' package.json files in turn refers to other packages, and so on. Somewhere in there some package refers to version 2.2.2 of tar. But the current version of tar is 6.2.2.
You can, as the error message says, run npm audit to find the offending package: that is, the package that wants the old version of tar (tar@2.2.2).
How to try to fix this?
If it's your package.json that loads tar@2.2.2 try doing these two commands.
npm remove tar --save
npm install tar --save
to get the latest.
Try running npm update --save. It will examine your nest of npm packages, and bring them up to more recent versions. That may, or may not, replace the offending package with a more recent version. It does this by updating a file called package-lock.json containing the explicit versions. If that doesn't work ...
Try running npm audit again to see what the situation is. Then, try npm audit fix. If that doesn't work ...
File an issue on the github repository of the offending package asking for an update.
Look for another package with the same functionality as the offending package and replace it.
Decide you will live with the warning. (If your software is used in production, that may be unwise, because cybercreeps.)
Ask another question here and mention the offending package.
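Finding "the package that wants the old version of tar" amounts to walking the lockfile backwards from the old copy to the project root. The following is an added example, not part of the original answer: the sample lockfile is constructed, and `resolveDep`, `nameOf` and `whoWants` are hypothetical helper names. It assumes the `packages` layout of package-lock.json (lockfileVersion 2 or 3).

```javascript
// Constructed sample in the package-lock.json v2/v3 "packages" layout (not from the page).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0", dependencies: { "old-builder": "^1.0.0", tar: "^6.0.0" } },
    "node_modules/tar": { version: "6.2.2" },
    "node_modules/old-builder": { version: "1.4.0", dependencies: { "old-fetch": "~0.3.0" } },
    "node_modules/old-fetch": { version: "0.3.1", dependencies: { tar: "^2.0.0" } },
    "node_modules/old-fetch/node_modules/tar": { version: "2.2.2" },
  },
};

// Node-style resolution: look in the dependent's own node_modules, then each parent's.
function resolveDep(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Package name is the path segment after the last "node_modules/" unless the entry names itself.
const nameOf = (path, entry) => entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);

// Returns every dependency chain (root first) that ends at name@version.
function whoWants(lock, name, version) {
  const pkgs = lock.packages;
  const label = (p) => `${nameOf(p, pkgs[p]) || "(root)"}@${pkgs[p].version}`;
  const dependents = {}; // resolved path -> paths of the packages that depend on it
  for (const [path, entry] of Object.entries(pkgs)) {
    const deps = { ...entry.dependencies, ...entry.optionalDependencies, ...(path === "" ? entry.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(pkgs, path, dep);
      if (target) (dependents[target] = dependents[target] || []).push(path);
    }
  }
  const chains = [];
  const walk = (path, chain, seen) => {
    const next = [label(path), ...chain];
    if (path === "") { chains.push(next); return; }
    const here = new Set(seen).add(path); // guards against dependency cycles
    for (const parent of dependents[path] || []) if (!here.has(parent)) walk(parent, next, here);
  };
  for (const path of Object.keys(pkgs)) {
    if (path && nameOf(path, pkgs[path]) === name && pkgs[path].version === version) walk(path, [], new Set());
  }
  return chains;
}

console.log(whoWants(sampleLock, "tar", "2.2.2").map((c) => c.join(" > ")));
```

On a real project, `npm ls tar` prints the same chains from the installed tree.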

Bug in NPM version - blacklist the patch version

Say we publish an NPM package that ends up having a bug, say it is version 1.0.056.
Is there a way to tell NPM to blacklist it, meaning if users have this in package.json:
^1.0.05
that it would endeavor to only install 1.0.057 or 1.0.055?
The idea is when you patch the bug, if it doesn't impact any of the exposed API, then not much reason to make a big semver change? Or maybe on the other hand an important bugfix should call for a minor version change?
Obviously NPM doesn't encourage people to delete packages, we want immutability, but unless a user explicitly requests that version, I want NPM to avoid installing it at all costs?
npm deprecate covers a historical version when you discover a problem later:
npm deprecate <pkg>[@<version>] <message>
This command will update the npm registry entry for a package, providing a deprecation warning to all who attempt to install it.
If it was only just published (72 hours) then there is also:
npm unpublish [<@scope>/]<pkg>[@<version>]
This removes a package version from the registry, deleting its entry and removing the tarball.
https://www.npmjs.com/policies/unpublish
https://docs.npmjs.com/cli/unpublish

Uninstalling global npm package leaves an error in npm list

I'm having some issues uninstalling some of my global npm packages, in that they don't appear to be fully removing.
As an example, I've been trying to remove the beta Angular CLI package (as this package was renamed for its 1.0.0 release). Running npm uninstall -g angular-cli appears to work, however when I then run npm list -g --depth=0 the package appears to remain in the list, now with an error:
error: ENOENT: no such file or directory, open '/usr/local/lib/node_modules/angular-cli/package.json'
It appears as though the package has not been fully removed - I'm not sure if this can be fixed using npm prune, or simply by going in and manually deleting any files that may be left over.
I've not had any success googling around the issue, however this could be because I'm not entirely sure what to search for, as evidenced by my not-so-eloquently worded title for this question.
If anyone has any thoughts, I'd be very grateful to hear them!

How to figure out why does the npm hang?

I'm suffering from the infamous npm install (update) hanging problem.
So far I found the following recipes:
cleaned the cache: npm cache clean
deleted npm_modules in my project
set the registry to plain http (http://registry.npmjs.org/): npm config set registry http://registry.npmjs.org/
used --loglevel=verbose flag with npm install
increased number of connections as described here:
Increasing the maximum number of tcp/ip connections in linux
Yet it still hangs. The position at which it hangs seems to be random. It can be
npm verb get saving gulp-traceur to /home/me/.npm/registry.npmjs.org/gulp-traceur/.cache.json; or when installing npm verb afterAdd /home/me/.npm/q/0.9.7/package/package.json the last package downloaded is really random.
The versions are:
npm info using npm@2.7.5
npm info using node@v0.12.0
So the question is if there is anything else I can do about it?
I don't know if you have the same problem as I did but I can't make a comment to your question because I have not enough reputation.
Today somebody found a solution to my similar problem. You can check it here:
Sometimes you need to use --force command to make sure the cache is cleaned:
npm cache clean --force.
Maybe related to this issue.
I tried all the above. I use homebrew and had to uninstall node / npm.
This worked for me:
brew install nvm
nvm install node
Afterwards npm started working again for me.