Fixing NPM vulnerabilities

Time:03-28

I am following a TypeScript tutorial. Unfortunately, the packages are outdated and I got a warning about vulnerabilities.

I followed a bunch of suggestions from npm check and update package if needed, namely:

npm audit fix
npm audit fix --force
npm update

npm audit says there are still 24 vulnerabilities left. But none of the above commands will fix them.

npm outdated results in no output.

The vulnerable packages are:

ansi-regex
glob-parent
node-forge
nth-check
postcss

I don't actually know why they are part of my project, I don't have them in my package.json configuration.

What are the next steps of fixing these vulnerabilities?

I have tried:

You can reproduce my latest state with the following package.json in an empty directory and running npm install.

{
  "name": "pacman",
  "version": "0.0.1",
  "description": "I just follow a tutorial. Nothing of interest.",
  "keywords": ["game"],
  "license": "MIT",
  "author": "someone stupid",
  "scripts": {
    "build": "parcel build index.html",
    "dev": "parcel index.html --open",
    "start": "npm run build && npm run dev",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^5.16.0",
    "@typescript-eslint/parser": "^5.16.0",
    "ansi-regex": "^6.0.1",
    "eslint": "^8.12.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-plugin-prettier": "^4.0.0",
    "glob-parent": "^6.0.2",
    "node-forge": "^1.3.0",
    "nth-check": "^2.0.1",
    "parcel": "^2.4.0",
    "parcel-bundler": "^1.12.5",
    "postcss": "^8.4.12",
    "prettier": "^2.6.1",
    "typescript": "^4.6.3"
  },
  "dependencies": {
    "npm": "^8.5.5"
  }
}

This should give you 24 vulnerabilities, 18 moderate and 6 high (at the time of writing, running npm 8.5.5).

CodePudding user response:

As per the comments, I have already tried all commands for the general case, in which case you need to start analyzing individual packages.

So, what did I do?

  1. Update all dependencies to the latest version.

Next, perform a binary search by removing half of the dependencies and repeating the following steps:

  1. delete the node_modules folder
  2. run npm install
  3. run npm audit to check for the vulnerabilities

If there are no vulnerabilities, add the half of the remaining packages you want to install.

If there are vulnerabilities, remove the half of the packages you are currently installing.

In my case, this process boiled it down to the following two lines:

"parcel": "^2.4.0",
"parcel-bundler": "^1.12.5",

For parcel-bundler, NPM spit out a warning:

npm WARN deprecated [email protected]: Parcel v1 is no longer maintained. 
Please migrate to v2, which is published under the 'parcel' package.

So I guess I don't need parcel-bundler at all, because it has been integrated into the parcel package, which I had already updated to version 2 in an earlier step.
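An added example, not from this answer or its author, that scripts the bisection described above: it halves the devDependencies map, drops any half that is clean on its own and splits any half that still trips the audit, so every package that triggers a finding by itself ends up in the result. The npm_is_clean helper and the scratch directory are assumptions; it relies on the npm 7+ `npm audit --json` layout (metadata.vulnerabilities) and installs with `--ignore-scripts` so packages under test cannot run install hooks.

```python
"""Automate the answer's bisection: halve devDependencies until only the
packages that make `npm audit` complain remain. (Added example, assumed names.)"""
import json
import shutil
import subprocess
from pathlib import Path
from typing import Callable, Dict

Deps = Dict[str, str]
SEVERITIES = ("info", "low", "moderate", "high", "critical", "total")


def audit_counts(audit_json: str) -> Dict[str, int]:
    """Severity counts from `npm audit --json` (npm 7+: metadata.vulnerabilities)."""
    meta = json.loads(audit_json)["metadata"]["vulnerabilities"]
    return {sev: int(meta.get(sev, 0)) for sev in SEVERITIES}


def npm_is_clean(deps: Deps, workdir: Path) -> bool:
    """The three steps from the answer, run in a scratch directory: a package.json
    holding only `deps`, wipe node_modules and the lockfile, `npm install`, `npm audit`."""
    pkg = {"name": "audit-bisect", "version": "0.0.0", "private": True, "devDependencies": deps}
    (workdir / "package.json").write_text(json.dumps(pkg, indent=2))
    shutil.rmtree(workdir / "node_modules", ignore_errors=True)
    (workdir / "package-lock.json").unlink(missing_ok=True)
    # --ignore-scripts: do not execute install hooks of packages we are merely bisecting.
    subprocess.run(["npm", "install", "--ignore-scripts"], cwd=workdir, check=True, capture_output=True)
    audit = subprocess.run(["npm", "audit", "--json"], cwd=workdir, capture_output=True, text=True)
    return audit_counts(audit.stdout)["total"] == 0  # npm audit exits non-zero when findings exist


def find_culprits(deps: Deps, is_clean: Callable[[Deps], bool]) -> Deps:
    """Binary search over the dependency map. A clean half is dropped, a dirty half is
    split again, so several independent culprits are found in one run. If neither
    half is dirty on its own, only the combination trips the audit and it is returned whole."""
    if is_clean(deps):
        return {}
    if len(deps) == 1:
        return dict(deps)
    items = list(deps.items())
    halves = (dict(items[: len(items) // 2]), dict(items[len(items) // 2 :]))
    culprits: Deps = {}
    for half in halves:
        culprits.update(find_culprits(half, is_clean))
    return culprits or dict(deps)


if __name__ == "__main__":
    project_deps = json.loads(Path("package.json").read_text())["devDependencies"]
    scratch = Path("audit-bisect-scratch")  # assumed scratch directory next to the project
    scratch.mkdir(exist_ok=True)
    print(find_culprits(project_deps, lambda d: npm_is_clean(d, scratch)))
```

For the 14 devDependencies in the question this needs only a handful of install/audit rounds instead of a manual halving; `npm ls <package>` afterwards shows which top-level dependency pulls a flagged package in.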

CodePudding user response:

make sure to run npm audit fix!
