I'm trying to create a webpage using Reactjs (for learning react js).
After I run the command npx create-react-app cars, I'm getting errors as follows:
npm WARN deprecated tar#2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
added 64 packages, and audited 107 packages in 15s
3 high severity vulnerabilities
To address all issues, run:
npm audit fix
Run "npm audit" for details.
After running npm audit, it says:
To address all issues (including breaking changes), run: npm audit fix --force
which gave the result as:
found 0 vulnerabilities
After following all these steps, when I try to create a project starting from create-react-app I'm getting same errors like:
x high severity vulnerabilities to address all issues, run: npm audit
I don't understand what I'm missing here. By all these I ended up creating 4 folders which has a subfolder node-modules and two JSON files named package and package-lock
Can anybody please direct me how do I proceed with all these?
npm version: 7.21.0
node version: v16.7.0
windows: 10
Below are the steps I followed to create my react environment and get ride of these warnings/errors are:
As per this answer, I have uninstalled ByteFence since as I mentioned here in the comments that there a threat detection and
Used this command npm set audit false from this answer
Apart from these steps, I made sure that I have latest versions of Node and npm installed
Related
I had previously executed npm start without any errors on the exact same code. Since the last time I had executed it without any errors, I had made no changes to the files. But just a day later, the same code suddenly gave this error:
> client#0.1.0 start
> react-scripts start
Cannot use import statement outside a module
I can't understand why this happened. However, npm run build compiles without any errors and generates the build properly. So I don't think it is some issue with the code.
Further, I ran npm install once again, I found that there were some vulnerabilities:
added 684 packages, removed 193 packages, changed 411 packages, and audited 1873 packages in 2m
153 packages are looking for funding
run `npm fund` for details
32 vulnerabilities (19 moderate, 12 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
So, following the instruction I used npm audit fix --force and I saw it updated react-scripts to version 5.0.0 . This suddenly solved the previous error and the code compiled without errors after this, however, now I faced another problem.
On visiting localhost:3000 it showed localhost refused to connect, even though my terminal showed that the code was compiled successfully.
This is the project in which I encountered the error: https://github.com/DevRish/martcart.
I have also opened an issue regarding this: https://github.com/DevRish/martcart/issues/1
I am confused about two things here. Firstly, with react-scripts version 4.0.3, why is build compiling without errors but development environment giving error? Secondly, even when react-scripts version 5.0.0 compiles the code successfully, why does localhost:3000 show 'refused to connect' ?
Update: After removing the setupProxy.js file, it works fine.
I added the proxy attribute in the package.json file to achieve the proxying functionality.
I am following a tutorial on youtube and forked the repo. After running npm install I get the following:
found 45634 vulnerabilities (42263 low, 21 moderate, 3349 high, 1 critical) in 1547 scanned packages
run `npm audit fix` to fix 45333 of them.
301 vulnerabilities require manual review. See the full report for details.
As I'm not really sure what npm audit fix does I am hesitant in executing the command.
I did run npm audit which gave me a list. Here a snippet :
Moderate Regular Expression Denial of Service
Package acorn
Patched in >=5.7.4 <6.0.0 || >=6.4.1 <7.0.0 || >=7.1.1
Dependency of react-scripts
Path react-scripts > jest > jest-cli > jest-config >
jest-environment-jsdom > jsdom > acorn
More info https://npmjs.com/advisories/1488
After reading through some forums people suggest to ignore the alert or to delete the package-lock.json and run npm install again. Haven't tried either of those solutions. Was gonna ask here first before blindly following advice I read in some forum.
Thanks for any help.
Since you're just following a tutorial I would ignore the vulnerabilities, most of the time its just deprecated packages that haven't updated to fix these vulnerabilities.
I am trying to create a new project and I am running into an npm security issue.
First I created a new react app using the command npx create-react-app {app-name} and then changed the directory into that folder. I tried to run npm install (to update all packages), and I get this error:
found 2 vulnerabilities (1 low, 1 high) in 1643 scanned packages
2 vulnerabilities require manual review. See the full report for details.
I ran npm audit as instructed and the generated security report shows the following:
NPM AUDIT SECURITY REPORT
at first I thought I had maybe done something incorrectly during the setup, however, I went to a previous project in which there were no dependency errors or errors at all for that matter. I ran npm install in the directory of the react app, and sure enough, I got the same issues. Obviously this is going to be a big deal if it is happening to everyone, but in the event that someone is not running into this issue, are the any tips I could get to overcome this error?
Thanks!
I am at wits end with this. I am learning React by doing Free Code Camp projects and ran into this issue while building projects locally (rather than running them on codepen.io).
Upon npm install, I got the following error message:
audited 46157 packages in 10.749s
found 65 low severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
npm audit fix didn't fix it (found SO threads about this). Learned about peer dependencies and looked up the Path and the vulnerable package and the dependent package.
Here is one of the vulnerabilities ...
Visited the URL which described the vulnerability.
OK ... long story short:
I have installed a newer version of the dependent package
(micromatch from the example above).
I have updated the braces package to the latest one
Tried npm install once I confirmed that I have the most recent
version of both the packages but still getting the same number of
vulnerabilities.
C02N696MG3QD:fccdrummachine kalyan.chatterjee$ npm view micromatch version
3.1.10
C02N696MG3QD:fccdrummachine kalyan.chatterjee$ npm view braces version
2.3.2
What else can I do to resolve this? Please advise.
I am just getting started with react-native. On installing this package
npm install --save react-native-validator-form
https://github.com/NewOldMax/react-native-validator-form/issues/3
I was prompted to npm audit and I was shown 4 vulnerabilities (listed above)
After running the 2 helper commands, I was prompted with another 2 vulnerabilities (see link)
How can I fix the remaining issues?
Updating the respective npm packages didn't work.
Not sure how to proceed?
This is a result of the new npm version including the audit command.
It isn't some new issue with the Angular CLI, npm just introduced new functionality in npm to warn users about vulnerabilities in the packages they're installing - so there's no "new" vulnerability in Angular, it's just that now npm is now warning you about vulnerabilities that already existed:
https://blog.npmjs.org/
Most of the issues stem from Karma, so it'd need to be fixed there for the Angular team to pull in a new Karma version karma-runner/karma#2994
If you have ran npm audit and got vulnerabilities, then you can have different scenarios:
Security vulnerabilities found with suggested updates
Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies.
Run the recommended commands individually to install updates to vulnerable dependencies. (Some updates may be semver-breaking changes; for more information, see "SEMVER warnings".)
Security vulnerabilities found requiring manual review
If security vulnerabilities are found, but no patches are available, the audit report will provide information about the vulnerability so you can investigate further.
Source: Reviewing and acting on the security audit report
Even after running npm audit fix if it is not fixed, then to proceed I think you should Turn off npm audit. Use below command to turn off npm audit.
when installing a single package.
npm install example-package-name --no-audit
To turn off npm audit when installing all packages
npm set audit false
it will set the audit setting to false in your user and global npmrc config files.
for reference visit : turn-off-npm-audit
Hope it will help and you can proceed to your work :) Happy codding
I had the same issue and log was like below:
Testing binary
Binary is fine
added 1166 packages from 1172 contributors and audited 39128 packages in 112.505s
found 1 high severity vulnerability
I executed the below command and it was fixed.
npm audit fix
log shows as below:
Testing binary
Binary is fine
+ #angular-devkit/build-angular#0.11.4
added 18 packages from 47 contributors, removed 14 packages and updated 52 packages in 64.529s
fixed 1 of 1 vulnerability in 39128 scanned packages
I faced the same issue while installing react-native navigation, using:
npm install react-navigation
For me, npm audit-fix didn't worked well. npm use to have some limitations. For me, yarn worked:
yarn add <package-name>
This worked for me:
Module not found: Can't resolve 'react-router-dom'
vulnerable dependencies:[1]: https://github.com/edjata1/Fix_Issues/blob/main/REACT%20ERROR%20vulnerable%20dependencies%20issues.txt
I had the same problem while running this command:
npm install ngx-bootstrap --save
...and solved it by running the Command Prompt as Administrator.
So Open the Command Prompt as Administrator and then try again. Hopefully it will work.