Monday, June 3, 2024
Sun, January 26, 2020, 12:00:00 / answers: 1 / hits: 14224

I cloned a repository and did an npm install but at the end some error occurred.
Now whenever I run npm audit I get the message



found 18 vulnerabilities (5 low, 12 moderate, 1 high) in 15548 scanned packages
9 vulnerabilities require semver-major dependency updates.
9 vulnerabilities require manual review. See the full report for details.


No matter what I do, they stay the same. I tried npm update, npm audit fix, npm audit fix --force and some other solutions as well, but nothing worked.
Here is the list of packages that are currently installed:



D:NewStateopticare>npm list --depth=0
[email protected] D:NewStateopticare
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- @angular/[email protected]
+-- @auth0/[email protected]
+-- @ng-bootstrap/[email protected]
+-- @swimlane/[email protected]
+-- @types/[email protected]
+-- @types/[email protected]
+-- @types/[email protected]
+-- @types/[email protected]
+-- @types/[email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- UNMET PEER DEPENDENCY [email protected]
+-- [email protected]
+-- [email protected]
+-- UNMET PEER DEPENDENCY tslint@^5.0.0
+-- [email protected]
+-- [email protected]
+-- [email protected]
`-- [email protected]

npm ERR! peer dep missing: @angular/animations@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/common@>=6.0.0, required by @auth0/[email protected]
npm ERR! peer dep missing: @angular/common@^6.1.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: @angular/common@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/common@^6.0.0-rc.0 || ^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/common@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/compiler@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/core@^6.1.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: @angular/core@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/core@^6.0.0-rc.0 || ^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/core@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/forms@^6.1.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: @angular/forms@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/platform-browser@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/platform-browser-dynamic@^6.0.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: tslint@^5.0.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: typescript@~2.7.1 || >=2.8.0-dev || >=2.9.0-dev || ~3.0.0 || >=3.0.0-dev || >=3.1.0-dev || >= 3.2.0-dev || >= 3.3.0-dev, required by [email protected]


And lastly, my package.json file:



{
  "name": "opticare",
  "version": "0.0.0",
  "license": "MIT",
  "angular-cli": {},
  "scripts": {
    "build": "ng build",
    "ng": "ng",
    "start": "ng serve",
    "test": "ng test",
    "pree2e": "webdriver-manager update --standalone false --gecko false",
    "e2e": "protractor"
  },
  "private": true,
  "dependencies": {
    "@angular/animations": "^5.2.0",
    "@angular/common": "^5.2.0",
    "@angular/compiler": "^5.2.0",
    "@angular/compiler-cli": "^5.2.0",
    "@angular/core": "^5.2.0",
    "@angular/forms": "^5.2.0",
    "@angular/http": "^5.2.0",
    "@angular/platform-browser": "^5.2.0",
    "@angular/platform-browser-dynamic": "^5.2.0",
    "@angular/router": "^5.2.0",
    "@auth0/angular-jwt": "^2.0.0",
    "@ng-bootstrap/ng-bootstrap": "^3.2.2",
    "@swimlane/ngx-charts": "^7.4.0",
    "angular-archwizard": "^3.0.0",
    "angular-datatables": "^6.0.0",
    "angular2-csv": "^0.2.5",
    "angular2-spinner": "^1.0.10",
    "bcrypt-nodejs": "0.0.3",
    "chalk": "^2.4.1",
    "chart.js": "^2.7.2",
    "core-js": "^2.4.1",
    "cron": "^1.3.0",
    "datatables.net": "^1.10.19",
    "datatables.net-dt": "^1.10.19",
    "express": "^4.16.3",
    "file-saver": "^1.3.8",
    "googleapis": "^35.0.0",
    "http-errors": "^1.6.3",
    "install-peerdeps": "^2.0.1",
    "jodit-angular": "^1.0.59",
    "jquery": "^3.3.1",
    "jsonwebtoken": "^8.1.0",
    "jwt-decode": "^2.2.0",
    "lodash": "^4.17.10",
    "moment": "^2.22.2",
    "moment-timezone": "^0.5.21",
    "mongoose": "^5.2.4",
    "mongoose-paginate": "^5.0.3",
    "multer": "^1.3.0",
    "ng2-nouislider": "^1.7.7",
    "ngx-bootstrap": "^2.0.3",
    "ngx-chips": "^1.9.2",
    "ngx-toastr": "^6.4.0",
    "node-cron": "^1.2.1",
    "node-sass": "^4.9.2",
    "nodemailer": "^4.6.8",
    "nouislider": "^11.0.3",
    "rxjs": "^5.5.12",
    "shortid": "^2.2.8",
    "ts-helpers": "^1.1.1",
    "twilio": "^3.19.2",
    "typescript": "^2.4.2",
    "xlsx": "^0.13.0",
    "zone.js": "^0.8.19"
  },
  "devDependencies": {
    "@angular/cli": "^1.7.4",
    "@angular/compiler-cli": "^5.2.0",
    "@types/datatables.net": "^1.10.12",
    "@types/jasmine": "~2.8.3",
    "@types/jquery": "^3.3.4",
    "@types/node": "~6.0.60",
    "@types/systemjs": "^0.20.5",
    "codelyzer": "^4.0.1",
    "jasmine-core": "~2.8.0",
    "jasmine-spec-reporter": "~4.2.1",
    "karma-chrome-launcher": "~2.2.0",
    "karma": "^2.0.4"
  }
}



 Answers

You'll have to use npm audit and actually read the audit log. In there will be advice on which versions can be installed to fix vulnerabilities. See https://docs.npmjs.com/cli/audit for more information on npm audit.


Vulnerabilities


You can get a report of all vulnerabilities using npm audit. In that report, for each vulnerability you will also see a way to fix it. When you use npm audit fix you are telling npm to execute those fixes. Npm, however, will not automatically install fixes that might break your project, such as major version changes. You'll have to manually execute the npm install commands for those if you decide the vulnerability is more important than having to deal with the possible breaking change.


Note: Since writing, npm audit fix --force was introduced which will even execute patches that might introduce breaking changes. Use at your own risk, I've used it and it ended badly, very badly.


Peer dependencies


Another common warning is the peer dependency warning. Peer dependencies specify not dependency, but compatibility. Check out this post for a way better explanation on peer dependencies: https://stackoverflow.com/a/34645112/1016004


You can see a peer dependency warning for 2 reasons: the specified peer dependency is missing, or the peer dependency is of the wrong version. In both cases you will have to figure out the correct response yourself. The core question to answer is whether you can install the dependency in your project:



  • Do you use any deprecated features that will be removed in an update, do any breaking changes apply to your code, ...?

  • Do you have to revert to a version with a known vulnerability that you use in such a way that it might endanger user data, ... ?


The simple solution, not recommended for production, is to just manually try to run npm install for both the vulnerabilities and peer dependencies with the proposed versions. Be sure to have version control or backups so that you can revert if you end up with more errors than you started with.


If the simple solution doesn't cut it you'll have to look for other versions of packages that are part of the unsolvable constraints. Maybe previous versions of any of those packages can work together?


[#4936] Thursday, January 23, 2020
jalyn
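Added example, not part of the original answer: a small Node.js triage of an `npm audit --json` report that splits findings into the three groups the audit summary in the question refers to (fixable by `npm audit fix`, needing a semver-major update, needing manual review). The field names (`actions`, `resolves`, `isMajor`, `advisories`, `module_name`) are an assumption based on the npm 6 era report layout; newer npm versions emit a different structure. The sample report is constructed.

```javascript
// Added example. SAMPLE_REPORT is constructed: packages, ids and versions are made up.
// Field names follow the npm 6 `npm audit --json` layout (an assumption, see lead-in).
const SAMPLE_REPORT = {
  actions: [
    { action: 'update', module: 'pkg-a', target: '1.2.4', depth: 2,
      resolves: [{ id: 1, path: 'pkg-x>pkg-a' }] },
    { action: 'install', module: 'pkg-b', target: '3.0.0', isMajor: true,
      resolves: [{ id: 2, path: 'pkg-b>pkg-c' }, { id: 2, path: 'pkg-b>pkg-d>pkg-c' }] },
    { action: 'install', module: 'pkg-e', target: '2.1.1', isMajor: false,
      resolves: [{ id: 3, path: 'pkg-e' }] },
    { action: 'review', module: 'pkg-f',
      resolves: [{ id: 4, path: 'pkg-g>pkg-f' }] },
  ],
  advisories: {
    1: { module_name: 'pkg-a', severity: 'low', title: 'Constructed advisory A' },
    2: { module_name: 'pkg-c', severity: 'moderate', title: 'Constructed advisory C' },
    3: { module_name: 'pkg-e', severity: 'high', title: 'Constructed advisory E' },
    4: { module_name: 'pkg-f', severity: 'moderate', title: 'Constructed advisory F' },
  },
};
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Sort each finding into the bucket that decides who has to act on it.
function triageAudit(report) {
  const buckets = { autoFix: [], semverMajor: [], manualReview: [] };
  const advisories = report.advisories || {};
  for (const act of report.actions || []) {
    const bucket = act.action === 'review' ? 'manualReview'
      : act.isMajor ? 'semverMajor' : 'autoFix';
    // Only install/update actions carry a target version that can be tried.
    const command = act.action === 'install' ? `npm install ${act.module}@${act.target}`
      : act.action === 'update' ? `npm update ${act.module} --depth ${act.depth}`
      : null;
    for (const finding of act.resolves || []) {
      const adv = advisories[finding.id] || {};
      buckets[bucket].push({
        vulnerable: adv.module_name || act.module,
        severity: adv.severity || 'unknown',
        title: adv.title || '',
        path: finding.path,
        command,
      });
    }
  }
  const rank = (f) => (f.severity in SEVERITY_RANK ? SEVERITY_RANK[f.severity] : -1);
  for (const list of Object.values(buckets)) list.sort((a, b) => rank(b) - rank(a));
  return buckets;
}
console.log(JSON.stringify(triageAudit(SAMPLE_REPORT), null, 2));
```

Each `semverMajor` entry is a breaking-change decision to make per package, on a branch that can be reverted; each `manualReview` entry has no suggested version and needs the advisory read against how the package is actually used.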