Yarn 3.3.1: how to upgrade all instances of a package?

Hi everybody, I don't really know if these are called "instances" of a package... anyway, my problem is this:
if I run yarn npm audit it shows me a problem with the package trim-newlines and suggests I upgrade it to a version >=3.0.1. After the upgrade (with yarn up trim-newlines), I run npm ls trim-newlines and this is the output:
├─┬ lerna@3.22.1
│ └─┬ @lerna/version@3.22.1
│   └─┬ @lerna/conventional-commits@3.22.0
│     ├─┬ conventional-changelog-core@3.2.3
│     │ ├─┬ conventional-changelog-writer@4.1.0
│     │ │ └─┬ meow@8.1.2
│     │ │   └── trim-newlines@3.0.1
│     │ ├─┬ conventional-commits-parser@3.2.4
│     │ │ └─┬ meow@8.1.2
│     │ │   └── trim-newlines@3.0.1
│     │ └─┬ get-pkg-repo@1.4.0
│     │   └─┬ meow@3.7.0
│     │     └── trim-newlines@1.0.0
│     └─┬ conventional-recommended-bump@5.0.1
│       └─┬ meow@4.0.1
│         └── trim-newlines@2.0.0
└── trim-newlines@4.0.2
So it looks like there are multiple versions of it. I managed to upgrade the bottom one to the latest version, but how do I upgrade the others?
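As the question shows, yarn up touched only the top-level copy; the older copies are held in place by the ranges of the packages that depend on them. As an added example (not code from the question, from Yarn or from npm), this script walks npm ls output of the kind shown above, lists every copy of a package with the chain that pulls it in, and flags the copies still below a minimum patched version; SAMPLE_TREE is constructed from the output above, and the threshold is the >=3.0.1 the audit reported.

```javascript
// Added example (not code from the question): walk the tree that `npm ls <pkg>`
// prints, list every copy of a package with the chain that pulls it in, and flag
// the copies still below a minimum patched version. SAMPLE_TREE is constructed
// from the output in the question, with npm's normal two-space indentation.
const SAMPLE_TREE = `
├─┬ lerna@3.22.1
│ └─┬ @lerna/version@3.22.1
│   └─┬ @lerna/conventional-commits@3.22.0
│     ├─┬ conventional-changelog-core@3.2.3
│     │ ├─┬ conventional-changelog-writer@4.1.0
│     │ │ └─┬ meow@8.1.2
│     │ │   └── trim-newlines@3.0.1
│     │ ├─┬ conventional-commits-parser@3.2.4
│     │ │ └─┬ meow@8.1.2
│     │ │   └── trim-newlines@3.0.1
│     │ └─┬ get-pkg-repo@1.4.0
│     │   └─┬ meow@3.7.0
│     │     └── trim-newlines@1.0.0
│     └─┬ conventional-recommended-bump@5.0.1
│       └─┬ meow@4.0.1
│         └── trim-newlines@2.0.0
└── trim-newlines@4.0.2
`;

// Each nesting level is two characters wide, so the column of the branch glyph
// (├ or └) gives the depth. A stack of ancestors yields the path to each node.
function parseTree(text) {
  const entries = [];
  const stack = [];
  for (const line of text.split('\n')) {
    const col = line.search(/[├└]/);
    if (col < 0) continue;
    const depth = col / 2;
    const label = line.slice(col + 4); // skip "├─┬ " / "└── "
    const m = label.match(/^(@?[^@\s]+)@(\d+\.\d+\.\d+)\s*(.*)$/);
    if (!m) continue;
    stack.length = depth; // drop ancestors deeper than this node
    entries.push({ name: m[1], version: m[2], flags: m[3], path: [...stack] });
    stack.push(`${m[1]}@${m[2]}`);
  }
  return entries;
}

// Numeric comparison of x.y.z versions; negative when a is older than b.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Copies of `pkg` older than `minPatched`, each with the dependency chain that
// keeps it in the tree; these are the ones `yarn up <pkg>` alone did not touch.
function unpatchedCopies(text, pkg, minPatched) {
  return parseTree(text)
    .filter(e => e.name === pkg && compareSemver(e.version, minPatched) < 0)
    .map(e => ({ version: e.version, via: e.path.join(' > ') }));
}

for (const c of unpatchedCopies(SAMPLE_TREE, 'trim-newlines', '3.0.1')) {
  console.log(`trim-newlines@${c.version} still pulled in via ${c.via}`);
}
```

Each reported chain names the package whose declared range still allows the old copy, which is the package that has to be updated or overridden for that copy to go away.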

Related

Expo json5 issue: Why is npm audit fix --force not resolving the vulnerability?

npm audit
npm audit report
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install expo@1.0.0, which is a breaking change
node_modules/babel-preset-expo/node_modules/json5
find-babel-config <=1.2.0
Depends on vulnerable versions of json5
node_modules/babel-preset-expo/node_modules/find-babel-config
babel-plugin-module-resolver 2.3.0 - 4.1.0
Depends on vulnerable versions of find-babel-config
node_modules/babel-preset-expo/node_modules/babel-plugin-module-resolver
babel-preset-expo *
Depends on vulnerable versions of babel-plugin-module-resolver
node_modules/babel-preset-expo
expo >=14.0.0
Depends on vulnerable versions of babel-preset-expo
node_modules/expo
5 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
├─┬ @babel/core@7.20.12
│ └── json5@2.2.3 deduped
├─┬ @expo/json-file@8.2.35 extraneous
│ └── json5@1.0.2 extraneous
├─┬ babel-plugin-module-resolver@2.5.0 invalid: "5.0.0" from the root project
│ └─┬ find-babel-config@1.2.0
│   └── json5@0.5.1
├─┬ expo-splash-screen@0.17.5 extraneous
│ └─┬ @expo/prebuild-config@5.0.7
│   └─┬ @expo/json-file@8.2.36
│     └── json5@1.0.2
├─┬ expo@47.0.13
│ ├─┬ @expo/cli@0.4.11
│ │ ├─┬ @expo/json-file@8.2.36
│ │ │ └── json5@1.0.2
│ │ ├─┬ @expo/metro-config@0.5.2
│ │ │ └─┬ @expo/json-file@8.2.36
│ │ │   └── json5@1.0.2
│ │ └─┬ @expo/package-manager@0.0.57
│ │   └─┬ @expo/json-file@8.2.36
│ │     └── json5@1.0.2
│ ├─┬ @expo/config-plugins@5.0.4
│ │ └─┬ @expo/json-file@8.2.36
│ │   └── json5@1.0.2
│ ├─┬ babel-preset-expo@9.2.2
│ │ └─┬ babel-plugin-module-resolver@4.1.0
│ │   └─┬ find-babel-config@1.2.0
│ │     └── json5@0.5.1
│ └─┬ expo-constants@14.0.2
│   └─┬ @expo/config@7.0.3
│     └─┬ @expo/json-file@8.2.36
│       └── json5@1.0.2
├─┬ find-babel-config@2.0.0
│ └── json5@2.2.3 deduped
├── json5@2.2.3
└─┬ loader-utils@2.0.4 extraneous
  └── json5@2.2.3 deduped
Neither "npm audit fix --force" nor npm install --save json5@latest is working as expected.

-bash: react-native: command not found mac

I've followed these steps but I still can't create a react-native app
for MacOS
Install Homebrew
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Install Node
brew install node
Install watchman
brew install watchman
Finally install React Native CLI
npm install -g react-native-cli
/usr/local/Cellar/node/11.7.0/lib
└─┬ react-native-cli@2.0.1
  ├─┬ chalk@1.1.3
  │ ├── ansi-styles@2.2.1
  │ ├── escape-string-regexp@1.0.5
  │ ├─┬ has-ansi@2.0.0
  │ │ └── ansi-regex@2.1.1
  │ ├─┬ strip-ansi@3.0.1
  │ │ └── ansi-regex@2.1.1 deduped
  │ └── supports-color@2.0.0
  ├── minimist@1.2.0
  ├─┬ prompt@0.2.14
  │ ├── pkginfo@0.4.1
  │ ├─┬ read@1.0.7
  │ │ └── mute-stream@0.0.8
  │ ├── revalidator@0.1.8
  │ ├─┬ utile@0.2.1
  │ │ ├── async@0.2.10
  │ │ ├── deep-equal@1.0.1
  │ │ ├── i@0.3.6
  │ │ ├─┬ mkdirp@0.5.1
  │ │ │ └── minimist@0.0.8
  │ │ ├── ncp@0.4.2
  │ │ └─┬ rimraf@2.6.3
  │ │   └─┬ glob@7.1.3
  │ │     ├── fs.realpath@1.0.0
  │ │     ├─┬ inflight@1.0.6
  │ │     │ ├── once@1.4.0 deduped
  │ │     │ └── wrappy@1.0.2
  │ │     ├── inherits@2.0.3
  │ │     ├─┬ minimatch@3.0.4
  │ │     │ └─┬ brace-expansion@1.1.11
  │ │     │   ├── balanced-match@1.0.0
  │ │     │   └── concat-map@0.0.1
  │ │     ├─┬ once@1.4.0
  │ │     │ └── wrappy@1.0.2 deduped
  │ │     └── path-is-absolute@1.0.1
  │ └─┬ winston@0.8.3
  │   ├── async@0.2.10 deduped
  │   ├── colors@0.6.2
  │   ├── cycle@1.0.3
  │   ├── eyes@0.1.8
  │   ├── isstream@0.1.2
  │   ├── pkginfo@0.3.1
  │   └── stack-trace@0.0.10
  └── semver@5.6.0
You are using react-native init to create the project, right?
Otherwise, make sure it's in your PATH. See the following:
-bash: react-native: command not found

Npm audit shows 9 vulnerabilities upon creating a new react native project

When I create a new React Native project and run npm audit I get 9 vulnerabilities. They are listed in the table below:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 1.1.5 <2.0.0 || >=3.3.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-native > react-devtools-core > ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/550 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.5.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-native > metro > jest-haste-map > sane > fsevents > │
│ │ node-pre-gyp > rc > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.5.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jest-expo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jest-expo > jest > jest-cli > jest-haste-map > sane > │
│ │ fsevents > node-pre-gyp > rc > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.5.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jest-expo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jest-expo > jest > jest-cli > jest-runner > jest-haste-map > │
│ │ sane > fsevents > node-pre-gyp > rc > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.5.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jest-expo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jest-expo > jest > jest-cli > jest-runner > jest-runtime > │
│ │ jest-haste-map > sane > fsevents > node-pre-gyp > rc > │
│ │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.5.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jest-expo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jest-expo > jest > jest-cli > jest-runtime > jest-haste-map │
│ │ > sane > fsevents > node-pre-gyp > rc > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native-scripts [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-native-scripts > xdl > jsonwebtoken > joi > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native-scripts [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-native-scripts > xdl > jsonwebtoken > joi > topo > │
│ │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-native > plist > xmlbuilder > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
When I run npm outdated everything seems to be up to date.
Any help resolving these would be appreciated.
Thanks
Try running npm list react-native; it will give you an overview of where the package is used and the corresponding versions. My guess is that those are not everywhere the latest/required. Hope this also helps: npm check and update package if needed... The problem is the following: your packages are all up-to-date, but the npm install command does not update the versions of these packages in package.json files. To do that you need to use npm-check-updates: How do I update each dependency in package.json to the latest version?

npm install -g generator-angular does not reflect real versions of minimatch, graceful-fs, and generator-karma

I don't understand the following:
tuxiboy@C:~/Downloads$ sudo npm install -g graceful-fs graceful-fs@latest
/usr/lib
└── graceful-fs@4.1.9
tuxiboy@C:~/Downloads$ sudo npm install -g minimatch minimatch@latest
/usr/lib
└── minimatch@3.0.3
tuxiboy@C:~/Downloads$ sudo npm install -g generator-karma generator-karma@latest
npm WARN deprecated cross-spawn-async@2.2.4: cross-spawn no longer requires a build toolchain, use it instead!
/usr/lib
└── generator-karma@2.0.0
tuxiboy@C:~/Downloads$ sudo npm update minimatch
tuxiboy@C:~/Downloads$ sudo npm update graceful-fs
tuxiboy@C:~/Downloads$ sudo npm update generator-karma
tuxiboy@C:~/Downloads$ sudo npm install npm@latest -g
/usr/bin/npm -> /usr/lib/node_modules/npm/bin/npm-cli.js
/usr/lib
└── npm@3.10.8
tuxiboy@C:~/Downloads$ sudo npm install -g generator-angular generator-angular@latest
npm WARN deprecated graceful-fs@2.0.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated CSSselect@0.4.1: the module is now available as 'css-select'
npm WARN deprecated CSSwhat@0.4.7: the module is now available as 'css-what'
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated tough-cookie@0.9.15: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
/usr/lib
├── generator-angular@0.15.1
└── UNMET PEER DEPENDENCY generator-karma@>=0.9.0
npm WARN generator-angular@0.15.1 requires a peer of generator-karma@>=0.9.0 but none was installed.
tuxiboy@C:~/Downloads$ npm -g list minimatch
/usr/lib
├─┬ generator-angular@0.15.1
│ ├─┬ wiredep@2.2.2
│ │ └─┬ glob@4.5.3
│ │   └── minimatch@2.0.10
│ └─┬ yeoman-generator@0.16.0
│   ├─┬ file-utils@0.1.5
│   │ ├─┬ glob@3.2.11
│   │ │ └── minimatch@0.3.0
│   │ └── minimatch@0.2.14
│   ├─┬ findup-sync@0.1.3
│   │ └─┬ glob@3.2.11
│   │   └── minimatch@0.3.0
│   └─┬ glob@3.2.11
│     └── minimatch@0.3.0
├─┬ generator-karma@2.0.0
│ └─┬ yeoman-generator@0.22.6
│   └─┬ glob@6.0.4
│     └── minimatch@3.0.3
├─┬ grunt-cli@1.2.0
│ └─┬ findup-sync@0.3.0
│   └─┬ glob@5.0.15
│     └── minimatch@3.0.3
├── minimatch@3.0.3
└─┬ npm@3.10.8
  ├─┬ fstream-npm@1.2.0
  │ └─┬ fstream-ignore@1.0.5
  │   └── minimatch@3.0.3
  ├─┬ glob@7.0.6
  │ └── minimatch@3.0.3
  ├─┬ init-package-json@1.9.4
  │ └─┬ glob@6.0.4
  │   └── minimatch@3.0.3
  ├─┬ node-gyp@3.4.0
  │ └── minimatch@3.0.3
  └─┬ read-package-json@2.0.4
    └─┬ glob@6.0.4
      └── minimatch@3.0.3
tuxiboy@C:~/Downloads$ npm -g list graceful-fs
/usr/lib
├─┬ generator-angular@0.15.1
│ ├─┬ wiredep@2.2.2
│ │ └─┬ bower-config@0.5.2
│ │   └── graceful-fs@2.0.3
│ └─┬ yeoman-generator@0.16.0
│   └─┬ download@0.1.19
│     └─┬ decompress@0.2.5
│       └─┬ tar@0.1.20
│         └─┬ fstream@0.1.31
│           └── graceful-fs@3.0.11
├─┬ generator-karma@2.0.0
│ └─┬ yeoman-generator@0.22.6
│   └─┬ download@4.4.3
│     └─┬ vinyl-fs@2.4.3
│       └── graceful-fs@4.1.9
├── graceful-fs@4.1.9
└─┬ npm@3.10.8
  └── graceful-fs@4.1.6
tuxiboy@C:~/Downloads$ npm -g list generator-karma
/usr/lib
└── generator-karma@2.0.0
tuxiboy@C:~/Downloads$ npm -v
3.10.8
It seems like I have generator-karma in the newest version, generator-karma@2.0.0, but it still complains that I'm using a version that is too old!
Regarding minimatch and graceful-fs, under 'generator-angular@0.15.1' it shows minimatch@2.0.10 and graceful-fs@2.0.3, but in other places it seems to have minimatch@3.0.3 and graceful-fs@4.1.9!
First of all, these are just warnings.
You are installing the latest versions of minimatch etc. globally on your computer. But the warnings are due to the generator-angular dependency tree, i.e. generator-angular has dependencies that depend on older versions of minimatch etc.; hence the warnings.
E.g. in this part of the tree:
├─┬ generator-angular@0.15.1
│ ├─┬ wiredep@2.2.2
│ │ └─┬ glob@4.5.3
│ │   └── minimatch@2.0.10
│ └─┬ yeoman-generator@0.16.0
│   ├─┬ file-utils@0.1.5
│   │ ├─┬ glob@3.2.11
│   │ │ └── minimatch@0.3.0
│   │ └── minimatch@0.2.14
│   ├─┬ findup-sync@0.1.3
│   │ └─┬ glob@3.2.11
│   │   └── minimatch@0.3.0
│   └─┬ glob@3.2.11
│     └── minimatch@0.3.0
you see that older versions of minimatch are being retrieved.

Meteor's Load Order and Angular Modules

The folder structure of my Angular-Meteor-app looks like this:
.
├── client
│   ├── app
│   │   ├── auth
│   │   │   ├── login
│   │   │   │   ├── login.controller.js
│   │   │   │   ├── login.html
│   │   │   ├── register
│   │   │   │   ├── ...
│   │   │   ├── reset-password
│   │   │   │   ├── ...
│   │   │   ├── route.config.js
│   │   ├── lib
│   │   │   ├── app.module.js
│   │   │   ├── auth.module.js
│   │   ├── ...
│   ├── ...
├── ...
Please note that because of Meteor's load order I cannot put auth.module.js under the auth directory but have to place it under the lib directory. Otherwise Angular would complain that the auth module could not be injected when used in login.controller.js. (Files in subdirectories are loaded before files in parent directories, and all files in lib are moved before everything else.)
What I would like is to move auth.module.js into the auth folder, so I have all files of my auth module in the right place:
.
├── client
│   ├── app
│   │   ├── auth
│   │   │   ├── login
│   │   │   │   ├── login.controller.js
│   │   │   │   ├── login.html
│   │   │   ├── register
│   │   │   │   ├── ...
│   │   │   ├── reset-password
│   │   │   │   ├── ...
│   │   │   ├── auth.module.js
│   │   │   ├── route.config.js
│   │   ├── lib
│   │   │   ├── app.module.js
│   │   ├── ...
│   ├── ...
├── ...
Any idea how to manage this?
I think you've got at least two options:
Make client/auth flat, so that the lexicographic ordering will load auth.module.js before login.controller.js.
│   │   ├── auth
│   │   │   ├── auth.module.js
│   │   │   ├── login.controller.js
│   │   │   ├── login.html
│   │   │   ├── ...
Or use yet another lib sub-directory:
│   │   ├── auth
│   │   │   ├── lib
│   │   │   │   ├── auth.module.js
│   │   │   ├── login
│   │   │   │   ├── login.controller.js
│   │   │   │   ├── login.html
│   │   │   ├── ...
Of course, one could argue that your code should not depend on the load order, i.e., you should only use the auth code once everything is loaded, e.g., in Meteor.startup or onCreate of templates.
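As an added example (not code from the post or from Meteor), here is a simplified model of the load-order rules the post describes, applied to the layouts discussed above; the path lists are constructed from those trees, and the rule set is only what the post states (lib first, deeper paths first, then alphabetical), not Meteor's full ordering.

```javascript
// Added example (not code from the post): a simplified model of the Meteor load
// order the post relies on (files under a lib directory first, deeper paths before
// shallower ones, alphabetical at equal depth), applied to the layouts discussed.
// The rules are only those the post states; real Meteor has a few more.
function meteorLoadOrder(paths) {
  const rank = p => {
    const dirs = p.split('/').slice(0, -1);
    return { lib: dirs.includes('lib') ? 0 : 1, depth: dirs.length, p };
  };
  return [...paths].sort((a, b) => {
    const ra = rank(a), rb = rank(b);
    return ra.lib - rb.lib || rb.depth - ra.depth || ra.p.localeCompare(rb.p);
  });
}

// True when `first` is loaded before `second` under that ordering.
function loadsBefore(paths, first, second) {
  const order = meteorLoadOrder(paths);
  return order.indexOf(first) < order.indexOf(second);
}

// The post's current layout: the module file lives in app/lib, so it loads first.
const CURRENT = [
  'client/app/auth/login/login.controller.js',
  'client/app/auth/route.config.js',
  'client/app/lib/app.module.js',
  'client/app/lib/auth.module.js',
];
// What the post wants: auth.module.js next to its feature. The deeper login/
// directory then loads before it, which is why Angular cannot find the module.
const WANTED = [
  'client/app/auth/auth.module.js',
  'client/app/auth/login/login.controller.js',
  'client/app/auth/route.config.js',
  'client/app/lib/app.module.js',
];
// Option 1 from the answer: a flat auth/ directory, so alphabetical order decides.
const FLAT = [
  'client/app/auth/auth.module.js',
  'client/app/auth/login.controller.js',
  'client/app/auth/route.config.js',
  'client/app/lib/app.module.js',
];
// Option 2 from the answer: auth/lib/, so the lib rule pulls the module file first.
const NESTED_LIB = [
  'client/app/auth/lib/auth.module.js',
  'client/app/auth/login/login.controller.js',
  'client/app/auth/route.config.js',
  'client/app/lib/app.module.js',
];

for (const [name, layout] of [['current', CURRENT], ['wanted', WANTED], ['flat', FLAT], ['nested lib', NESTED_LIB]]) {
  console.log(`${name}:\n  ${meteorLoadOrder(layout).join('\n  ')}`);
}
```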
