Couldn't deploy the app because of vulnerabilities that need manual review - reactjs

I want to deploy my app, but there are 3 vulnerabilities and I don't understand how to solve them. I used npm audit fix, and I also solved some vulnerabilities by manually updating them. So this is the manual review; can someone help me:
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Regular Expression Denial of Service
  Package         browserslist
  Patched in      >=4.16.5
  Dependency of   react-scripts
  Path            react-scripts > react-dev-utils > browserslist
  More info       https://npmjs.com/advisories/1747

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   react-scripts
  Path            react-scripts > webpack > watchpack > watchpack-chokidar2 > chokidar > glob-parent
  More info       https://npmjs.com/advisories/1751

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   react-scripts
  Path            react-scripts > webpack-dev-server > chokidar > glob-parent
  More info       https://npmjs.com/advisories/1751

found 3 moderate severity vulnerabilities in 2195 scanned packages
3 vulnerabilities require manual review. See the full report for details.

The answer here gives a good explanation.
Normally, you would try these solutions, in order:
1. npm audit fix (it sounds like you have already done this)
2. npm audit fix --force
3. npm i react-scripts (the parent package of the package with the vulnerability)
4. npm i browserslist@4.16.5 glob-parent@5.1.2 (the vulnerable packages themselves)
However, we can see that (at the time I'm writing this) the issue is not resolved in react-dev-utils' package.json. Additionally, that package.json uses an exact version (no caret). These two facts mean that none of the solutions listed above will work.
You have two options:
1. Clone the create-react-app repo, fix the versions yourself and use your cloned version instead of the real one.
2. Wait for create-react-app to fix it, at which point one of the solutions above should work.
I would strongly suggest the latter approach.

Maybe this article by @DanAbramov will be interesting for you: https://overreacted.io/npm-audit-broken-by-design/

Related

node-sass and react-scripts error during installation

I cannot install my npm project due to dependency errors. node-sass and react-scripts both report high vulnerabilities.
Here is my npm audit report.
How can I solve it?
nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

scss-tokenizer  *
Severity: high
Regular expression denial of service in scss-tokenizer - https://github.com/advisories/GHSA-7mwh-4pqv-wmr8
fix available via `npm audit fix --force`
Will install node-sass@4.5.3, which is a breaking change
node_modules/scss-tokenizer
  sass-graph  >=2.2.0
  Depends on vulnerable versions of scss-tokenizer
  node_modules/sass-graph
    node-sass  >=4.6.0
    Depends on vulnerable versions of sass-graph
    node_modules/node-sass

terser  5.0.0 - 5.14.1
Severity: high
As explained here, if you are using Node >= 16 you can install the latest version of @svgr/webpack:
npm i -D @svgr/webpack
In which case you have to add this to your package.json:
"overrides": {
  "@svgr/webpack": "$@svgr/webpack"
}
Remove the node_modules folder and package-lock.json, then run a fresh npm install.
You could also upgrade only the 'nth-check' library in a similar fashion.
The library "node-sass" is deprecated, so you may use another library, or identify and upgrade the failing component in a similar way as above.
I have tried the suggestion that @Zitoun provided. However, if your application has required input fields with a focus function when submitting with empty fields using react-hook-form, the suggestion will break your app: ".focus is not a function". Please check your form before using the suggestion in production!
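The two reports above list each chain of packages that pulls a vulnerable one in, and the first answer on this page gives the order in which to try npm audit fix, --force, reinstalling the parent, or pinning the vulnerable package itself. What neither tells you is whether the finding is reachable at runtime at all, or only inside build tooling. The Node script below is an added example, not code from any of the posts, from react-scripts or from npm: it reads the JSON form of the report (`npm audit --json`, auditReportVersion 2 as emitted by npm 7 and later), follows each finding's `effects` chain up to the direct dependencies that pull it in, and uses the project's package.json to classify those as runtime `dependencies` or build-time `devDependencies`, and to flag when the only fix npm offers is a semver-major bump. The field names (`vulnerabilities`, `via`, `effects`, `isDirect`, `fixAvailable`) are npm's own; the report and manifest are constructed inline to mirror the nth-check and scss-tokenizer chains quoted above, and placing node-sass under devDependencies is an assumption for the sake of the example. The `v` helper and `triage` function are this example's.

```javascript
// Added example: triage an `npm audit --json` report (auditReportVersion 2).
// Not code from the question, from react-scripts or from npm.

const fixRS = { name: 'react-scripts', version: '2.1.3', isSemVerMajor: true };
const fixNS = { name: 'node-sass', version: '4.5.3', isSemVerMajor: true };
// Small builder for one entry of the report's `vulnerabilities` map.
const v = (name, severity, isDirect, via, effects, fixAvailable) =>
  ({ name, severity, isDirect, via, effects, fixAvailable });

// Constructed sample report, trimmed to the fields read below. In a real report
// `via` holds advisory objects for the package that is itself vulnerable and
// plain package names for packages that merely depend on a vulnerable one.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    'nth-check': v('nth-check', 'high', false,
      [{ title: 'Inefficient Regular Expression Complexity in nth-check', range: '<2.0.1',
         url: 'https://github.com/advisories/GHSA-rp65-9cf3-cjxr' }],
      ['css-select'], fixRS),
    'css-select': v('css-select', 'high', false, ['nth-check'], ['svgo'], fixRS),
    'svgo': v('svgo', 'high', false, ['css-select'], ['@svgr/plugin-svgo'], fixRS),
    '@svgr/plugin-svgo': v('@svgr/plugin-svgo', 'high', false, ['svgo'], ['@svgr/webpack'], fixRS),
    '@svgr/webpack': v('@svgr/webpack', 'high', false, ['@svgr/plugin-svgo'], ['react-scripts'], fixRS),
    'react-scripts': v('react-scripts', 'high', true, ['@svgr/webpack'], [], fixRS),
    'scss-tokenizer': v('scss-tokenizer', 'high', false,
      [{ title: 'Regular expression denial of service in scss-tokenizer', range: '*',
         url: 'https://github.com/advisories/GHSA-7mwh-4pqv-wmr8' }],
      ['sass-graph'], fixNS),
    'sass-graph': v('sass-graph', 'high', false, ['scss-tokenizer'], ['node-sass'], fixNS),
    'node-sass': v('node-sass', 'high', true, ['sass-graph'], [], fixNS),
  },
};

// Constructed package.json. Create React App's template puts react-scripts under
// "dependencies" although it only runs at build time, so a manifest-based check
// (and `npm audit --omit=dev`) will count its findings as runtime risk. Where
// node-sass lives is an assumption made for this example.
const samplePackageJson = {
  dependencies: { react: '^17.0.2', 'react-dom': '^17.0.2', 'react-scripts': '4.0.3' },
  devDependencies: { 'node-sass': '^6.0.1' },
};

// Entries whose `via` contains an advisory object are the packages that are
// actually vulnerable; every other entry only propagates a finding upward.
function rootFindings(report) {
  return Object.values(report.vulnerabilities)
    .filter((n) => n.via.some((x) => typeof x === 'object'));
}

// Walk `effects` edges toward the project root and collect the direct
// dependencies reached. The graph is a DAG; `seen` avoids repeated work.
function directDependents(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const node = report.vulnerabilities[name];
  if (!node) return [];
  const found = node.isDirect ? [name] : [];
  for (const parent of node.effects) found.push(...directDependents(report, parent, seen));
  return [...new Set(found)];
}

// prod / dev / mixed according to where the direct dependents are declared.
function scopeOf(pkg, directs) {
  const prod = directs.some((d) => pkg.dependencies && d in pkg.dependencies);
  const dev = directs.some((d) => pkg.devDependencies && d in pkg.devDependencies);
  if (prod && dev) return 'mixed';
  if (prod) return 'prod';
  if (dev) return 'dev';
  return 'unknown';
}

// One row per real advisory: the direct deps that pull it in, their scope, and
// whether npm's proposed fix crosses a semver-major boundary.
function triage(report, pkg) {
  return rootFindings(report).map((n) => {
    const directs = directDependents(report, n.name);
    return {
      name: n.name,
      severity: n.severity,
      title: n.via.find((x) => typeof x === 'object').title,
      directs,
      scope: scopeOf(pkg, directs),
      breakingFixOnly: typeof n.fixAvailable === 'object' && n.fixAvailable.isSemVerMajor === true,
    };
  });
}

for (const row of triage(sampleAudit, samplePackageJson)) {
  console.log(`${row.severity.padEnd(8)} ${row.name.padEnd(16)} via ${row.directs.join(', ')} ` +
              `[${row.scope}]${row.breakingFixOnly ? ' (only fix is semver-major)' : ''}`);
}
```

To run it against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync('audit.json', 'utf8'))` after `npm audit --json > audit.json`, and with the project's own package.json. A finding that only reaches devDependencies (here scss-tokenizer through node-sass) is a risk to the build machine, not to the deployed bundle, and is what `npm audit --omit=dev` (npm 8 and later) filters out; a build-time tool that Create React App has placed under dependencies, such as react-scripts, will keep showing as runtime until it is moved to devDependencies.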

Unable to create a react app even after clearing severity vulnerabilities

I'm trying to create a webpage using Reactjs (for learning react js).
After I run the command npx create-react-app cars, I'm getting errors as follows:
npm WARN deprecated tar@2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
added 64 packages, and audited 107 packages in 15s
3 high severity vulnerabilities
To address all issues, run:
npm audit fix
Run "npm audit" for details.
After running npm audit, it says:
To address all issues (including breaking changes), run: npm audit fix --force
which gave the result as:
found 0 vulnerabilities
After following all these steps, when I try to create a project starting from create-react-app, I'm getting the same errors, like:
x high severity vulnerabilities
To address all issues, run: npm audit
I don't understand what I'm missing here. With all of this I ended up creating 4 folders, each of which has a subfolder node-modules and two JSON files named package and package-lock.
Can anybody please direct me on how to proceed with all this?
npm version: 7.21.0
node version: v16.7.0
Windows: 10
Below are the steps I followed to create my React environment and get rid of these warnings/errors:
As per this answer, I uninstalled ByteFence since, as I mentioned here in the comments, there was a threat detection and
Used the command npm set audit false from this answer
Apart from these steps, I made sure that I have latest versions of Node and npm installed

Forked a React tutorial repo from GitHub and after npm install found 1 critical issue among others. Just ignore or run npm audit fix?

I am following a tutorial on YouTube and forked the repo. After running npm install I get the following:
found 45634 vulnerabilities (42263 low, 21 moderate, 3349 high, 1 critical) in 1547 scanned packages
run `npm audit fix` to fix 45333 of them.
301 vulnerabilities require manual review. See the full report for details.
As I'm not really sure what npm audit fix does I am hesitant in executing the command.
I did run npm audit, which gave me a list. Here is a snippet:

  Moderate        Regular Expression Denial of Service
  Package         acorn
  Patched in      >=5.7.4 <6.0.0 || >=6.4.1 <7.0.0 || >=7.1.1
  Dependency of   react-scripts
  Path            react-scripts > jest > jest-cli > jest-config > jest-environment-jsdom > jsdom > acorn
  More info       https://npmjs.com/advisories/1488
After reading through some forums, people suggest either ignoring the alert or deleting package-lock.json and running npm install again. I haven't tried either of those solutions. I wanted to ask here first before blindly following advice I read in some forum.
Thanks for any help.
Since you're just following a tutorial, I would ignore the vulnerabilities; most of the time it's just deprecated packages that haven't been updated to fix these vulnerabilities.

65 vulnerabilities require manual review. See the full report for details

I am at my wits' end with this. I am learning React by doing Free Code Camp projects and ran into this issue while building projects locally (rather than running them on codepen.io).
Upon npm install, I got the following error message:
audited 46157 packages in 10.749s
found 65 low severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
npm audit fix didn't fix it (I found SO threads about this). I learned about peer dependencies and looked up the Path, the vulnerable package and the dependent package.
Here is one of the vulnerabilities ...
Visited the URL which described the vulnerability.
OK ... long story short:
1. I installed a newer version of the dependent package (micromatch from the example above).
2. I updated the braces package to the latest one.
3. I tried npm install once I confirmed that I have the most recent version of both packages, but I'm still getting the same number of vulnerabilities.
C02N696MG3QD:fccdrummachine kalyan.chatterjee$ npm view micromatch version
3.1.10
C02N696MG3QD:fccdrummachine kalyan.chatterjee$ npm view braces version
2.3.2
What else can I do to resolve this? Please advise.

Found 4 vulnerabilities on npm install

I am just getting started with react-native. On installing this package:
npm install --save react-native-validator-form
https://github.com/NewOldMax/react-native-validator-form/issues/3
I was prompted to run npm audit and was shown 4 vulnerabilities (listed above).
After running the 2 helper commands, I was prompted with another 2 vulnerabilities (see link).
How can I fix the remaining issues?
Updating the respective npm packages didn't work.
Not sure how to proceed?
This is a result of the new npm version including the audit command.
It isn't some new issue with the Angular CLI; npm just introduced new functionality to warn users about vulnerabilities in the packages they're installing. So there's no "new" vulnerability in Angular, it's just that npm is now warning you about vulnerabilities that already existed:
https://blog.npmjs.org/
Most of the issues stem from Karma, so it'd need to be fixed there for the Angular team to pull in a new Karma version: karma-runner/karma#2994
If you have run npm audit and got vulnerabilities, then you can have different scenarios:
Security vulnerabilities found with suggested updates
  Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies.
  Run the recommended commands individually to install updates to vulnerable dependencies. (Some updates may be semver-breaking changes; for more information, see "SEMVER warnings".)
Security vulnerabilities found requiring manual review
  If security vulnerabilities are found, but no patches are available, the audit report will provide information about the vulnerability so you can investigate further.
Source: Reviewing and acting on the security audit report
If it is still not fixed even after running npm audit fix, then to proceed I think you should turn off npm audit. Use the commands below to turn off npm audit.
When installing a single package:
npm install example-package-name --no-audit
To turn off npm audit when installing all packages:
npm set audit false
This will set the audit setting to false in your user and global npmrc config files.
For reference visit: turn-off-npm-audit
Hope it will help and you can proceed with your work :) Happy coding
I had the same issue and the log was like below:
Testing binary
Binary is fine
added 1166 packages from 1172 contributors and audited 39128 packages in 112.505s
found 1 high severity vulnerability
I executed the command below and it was fixed:
npm audit fix
The log shows as below:
Testing binary
Binary is fine
+ @angular-devkit/build-angular@0.11.4
added 18 packages from 47 contributors, removed 14 packages and updated 52 packages in 64.529s
fixed 1 of 1 vulnerability in 39128 scanned packages
I faced the same issue while installing react-native navigation, using:
npm install react-navigation
For me, npm audit fix didn't work well; npm used to have some limitations. For me, yarn worked:
yarn add <package-name>
This worked for me:
Module not found: Can't resolve 'react-router-dom'
vulnerable dependencies: [1]: https://github.com/edjata1/Fix_Issues/blob/main/REACT%20ERROR%20vulnerable%20dependencies%20issues.txt
I had the same problem while running this command:
npm install ngx-bootstrap --save
...and solved it by running the Command Prompt as Administrator.
So open the Command Prompt as Administrator and then try again. Hopefully it will work.
