Npm audit fix --force does apply its own recommendations

Time:09-17

There are plenty of similar questions, but they have not helped me at all.

I am trying to get rid of critical vulnerabilities. I have run npm update, npm audit fix and npm audit fix --force many times, but it is stalled. I see the same warnings again, though the output says it is a fixable problem. Is there a way to finish it?

>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating update to 0.7.4, which is a SemVer major change.
npm WARN deprecated set-value@0.4.3: Critical bug fixed in v3.0.1, please upgrade to the latest version.
npm WARN deprecated set-value@0.4.3: Critical bug fixed in v3.0.1, please upgrade to the latest version.

assign-deep  <1.0.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1014
fix available via `npm audit fix`

set-value  <=2.0.0 || 3.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1012
fix available via `npm audit fix --force`
Will install update@0.4.2, which is a breaking change

Update: I can see too many different versions (even 0.2) of set-value in package.json. I have set all occurrences with a version <= 2.0 to 2.0.1. Tests pass.

CodePudding user response:

TL;DR: Try npm uninstall update.

Using the package.json in the repo that you linked to and npm@7, running npm install and then npm audit reported:

46 vulnerabilities (3 low, 11 moderate, 32 high)

Running npm audit fix didn't change that, which is indeed irksome, but also a known issue.

Running npm audit fix --force actually somehow made things worse:

55 vulnerabilities (9 low, 10 moderate, 36 high)

So I started over again with your package.json and ran npm install and npm audit again. The output for npm audit includes this:

set-value  <=2.0.0 || 3.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1012
fix available via `npm audit fix --force`
Will install update@0.7.4, which is a breaking change

So it wants to update the update module to version 0.7.4, which is the latest version. I did that manually like this:

npm uninstall update && npm install update

That got the same result (an increase in vulnerabilities) as npm audit fix --force but I did notice that after uninstalling update, 0 vulnerabilities were reported.

$ npm uninstall update

removed 584 packages, and audited 870 packages in 4s

56 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$

Looking at the npm page for update, it hasn't been updated itself in 5 years. So maybe replacing that package with something else is your best option here.

Back to your package.json, the update package is in your dependencies, which seems wrong, as it seems to be a command-line tool. A quick scan of the repo seems to indicate it's not actually used anywhere.

So I'm going to posit that the best solution is npm uninstall update.
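The answer above reaches "uninstall update" by reading the audit output and eyeballing the repo. The script below is an added example (not code from the question, the answer, or the npm project) that automates both steps: it walks the `effects` chain in `npm audit --json` output from a vulnerable package up to the direct dependencies that pull it in, and it checks whether those direct dependencies are referenced by any source file or npm script. The audit report and the source files embedded here are constructed samples in the shape of npm 7's `npm audit --json` output; the set-value → union-value → base → update chain is illustrative, not copied from a real report.

```javascript
// Added example: trace a transitive vulnerability back to direct dependencies
// and flag direct dependencies that nothing in the project actually imports.

// Follow `effects` (the packages that depend on this one) up to entries with
// isDirect: true, i.e. the top-level dependencies that pull the vulnerable
// package in. Cycles and packages missing from the report are handled.
function rootDependencies(audit, pkgName) {
  const vulns = audit.vulnerabilities || {};
  const roots = new Set();
  const seen = new Set();
  const stack = [pkgName];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = vulns[name];
    if (!entry) continue; // not in the report: nothing further to follow
    if (entry.isDirect) roots.add(name);
    for (const parent of entry.effects || []) stack.push(parent);
  }
  return [...roots].sort();
}

// Return dependencies from package.json that no source file requires/imports
// and no npm script invokes. `sources` maps file path -> file contents so the
// check runs offline; a real run would read the files from disk.
function unusedDependencies(packageJson, sources) {
  const deps = Object.keys(packageJson.dependencies || {});
  const used = new Set();
  // Matches require('x'), require("x/sub"), import ... from 'x', import('x').
  const importRe = /(?:require\s*\(\s*|from\s+|import\s*\(\s*)['"]([^'"]+)['"]/g;
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(importRe)) {
      const spec = m[1];
      if (spec.startsWith('.') || spec.startsWith('/')) continue; // local file
      // Map "pkg/sub/path" or "@scope/pkg/sub" back to the package name.
      const parts = spec.split('/');
      used.add(spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0]);
    }
  }
  // CLI tools show up in npm scripts rather than in source imports.
  const scriptTokens = Object.values(packageJson.scripts || {})
    .join(' ')
    .split(/\s+/);
  for (const token of scriptTokens) used.add(token);
  return deps.filter((d) => !used.has(d)).sort();
}

// Constructed sample in the shape of npm 7 `npm audit --json` output.
// The dependency chain is illustrative, not a real report.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    'set-value': {
      name: 'set-value', severity: 'high', isDirect: false,
      via: [{ source: 1012, name: 'set-value', title: 'Prototype Pollution',
              url: 'https://npmjs.com/advisories/1012', severity: 'high',
              range: '<=2.0.0 || 3.0.0' }],
      effects: ['union-value'], range: '<=2.0.0 || 3.0.0',
      fixAvailable: { name: 'update', version: '0.7.4', isSemVerMajor: true },
    },
    'union-value': { name: 'union-value', severity: 'high', isDirect: false,
                     via: ['set-value'], effects: ['base'],
                     fixAvailable: { name: 'update', version: '0.7.4', isSemVerMajor: true } },
    base: { name: 'base', severity: 'high', isDirect: false,
            via: ['union-value'], effects: ['update'],
            fixAvailable: { name: 'update', version: '0.7.4', isSemVerMajor: true } },
    update: { name: 'update', severity: 'high', isDirect: true,
              via: ['base'], effects: [],
              fixAvailable: { name: 'update', version: '0.7.4', isSemVerMajor: true } },
  },
};

// Constructed sample project: package.json plus two source files.
const samplePackageJson = {
  dependencies: { express: '^4.17.1', lodash: '^4.17.21', dayjs: '^1.10.0', update: '^0.7.4' },
  scripts: { test: 'mocha' },
};
const sampleSources = {
  'src/index.js': "const express = require('express');\nconst { pick } = require('lodash/object');\n",
  'src/util.mjs': "import dayjs from 'dayjs';\nexport * from './helpers.js';\n",
};

// Which direct dependencies are responsible, and which of those are dead weight?
function removalCandidates(audit, pkgName, packageJson, sources) {
  const roots = rootDependencies(audit, pkgName);
  const unused = unusedDependencies(packageJson, sources);
  return roots.filter((r) => unused.includes(r));
}

console.log('set-value is pulled in by:', rootDependencies(sampleAudit, 'set-value'));
console.log('unreferenced dependencies:', unusedDependencies(samplePackageJson, sampleSources));
console.log('safe to uninstall:', removalCandidates(sampleAudit, 'set-value', samplePackageJson, sampleSources));
```

The import scan is a heuristic: dynamic `require(variable)` calls, side-effect imports (`import 'x'`), and tools invoked from outside npm scripts will not be seen, so treat an entry in the "unreferenced" list as a prompt to confirm with the test suite (as the questioner did) rather than as proof. On a real project, replace the constructed samples with `JSON.parse` of `npm audit --json` output and the contents of `package.json` and the source tree.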
