Catch a lot of errors on node.js (npm)

Time:11-04

I am attaching the result of npm audit. Attempts to solve the problem on my own have led nowhere. I would be grateful if someone could explain the essence of the problem. I haven't been able to fix it for a long time. Perhaps the solution is simple and logical, but unfortunately it is not obvious to me.

       High            Regular expression denial of service
       Package         glob-parent
       Patched in      >=5.1.2
       Dependency of   gulp [dev]
       Path            gulp > glob-watcher > chokidar > glob-parent
       ------------------------------------------------------------
       High            Prototype Pollution in set-value
       Package         set-value
       Patched in      >=4.0.1
       Dependency of   gulp [dev]
       Path            gulp > gulp-cli > matchdep > findup-sync > micromatch >
                       extglob > expand-brackets > snapdragon > base > cache-base >
                       union-value > set-value

Errors are repeated in the terminal with different paths.

CodePudding user response:

Looking at the package.json you posted in a comment, as of this writing at least, all your issues are in dev dependencies and none are in production dependencies. You can confirm this with npm audit --omit=dev which (as of this writing) shows 0 vulnerabilities.

At this point, a valid option is to decide not to worry about any of those issues reported by npm. You are, for example, extremely unlikely to trigger a denial of service issue via glob-parent (as reported in the snippet you provide) and in the vanishingly-small likelihood that you do, it will be a "denial of service" on your own tooling while running gulp. Literally, who cares?

But if you really want to get rid of these things: uninstall gulp and check-dependencies. The former hasn't published a new version in 2 years and you're not using it in your package.json. The latter hasn't published a new version in 4 years and isn't anything you can't live without. You aren't using either of those dev dependencies in your package.json. If you were planning on using gulp, consider using grunt instead (which currently reports 0 vulnerabilities when installed) or regular npm scripts.

TL;DR:

  1. You can choose to ignore these. They are all in dev dependencies, at least as of this writing.
  2. If ignoring them is not what you want to do, remove gulp and check-dependencies. You are not using them anyway, at least not yet.

If you are following along with a tutorial, definitely ignore the warnings for the purposes of the tutorial or find a more up-to-date tutorial.
