Context
In my react-native application, I am getting a high severity vulnerability regarding a package called css-what. In which it apparently is resulting in 4 other vulnerabilities because they directly or indirectly depend on css-what. Here's the following output I get on the console from after executing npm audit
css-what <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install react-native-svg#9.12.0, which is a breaking change
node_modules/css-what
css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/css-select
react-native-svg >=9.13.0
Depends on vulnerable versions of css-select
node_modules/react-native-svg
#ui-kitten/components >=5.0.0-alpha.1
Depends on vulnerable versions of react-native-svg
node_modules/#ui-kitten/components
#ui-kitten/eva-icons >=5.0.0-alpha.1
Depends on vulnerable versions of react-native-svg
node_modules/#ui-kitten/eva-icons
So as you can see from the output, the css-what causes a vulnerability for the package react-native-svg and because the design system I installed ui-kitten depends on react-native-svg it subsequently has a vulnerability.
I looked up on the css-what package and the vulnerability in which can be seen here. I know that the vulnerability has a high severity because it can result in denial of service.
What I tried
I made a duplicate of my project because I know running npm audit fix --force would result in breaking changes in which it did when I ran that command on the duplicate project. The app was able to build but it threw an error when running on the simulator.
(Note that I am developing from a bare react-native project).
The instructions that the documentation gave was to update css-what to 5.0.1 but I have no idea on how to go about doing that. Hence I hope someone is able to help me on this.
I have tried above approach for my angular project, but its considering css-what as a diff dependency instead of dependency inside package #angular-devkit/build-angular.
12.1.0-next.6
| `-- css-minimizer-webpack-plugin#3.0.1
| `-- cssnano#5.0.6
| `-- cssnano-preset-default#5.1.3
| `-- postcss-svgo#5.0.2
| `-- svgo#2.3.0
| `-- css-select#3.1.2
| `-- css-what#4.0.0
`-- css-what#5.0.1 ```
tried, see in above. its taking separate css-what thats should not be the case.
still the issue exists.
I had the same problem, so I do the following:
I checked online the latest version of css, which has no vulnerabilities, and installed it as --save.
npm install css-what#5.0.1
then install npm-force-resolutions:
npx npm-force-resolutions
add to my package.json:
"resolution": {"css-what": "^ 5.0.1"}
and then install dependencies as usual:
npm install
if you receive the following error:
npm ERR! Invalid Version: ^5.0.1
then just erase the ^ in the package.json and retry npm-force-resolution and install.
I was having the same problem updating css-what npm update css-what worked for me
css-what in its version prior to 5.1.0 has DOS attack vulnerability. You can find that in your package-lock.json that this is a transitive dependency coming from css-select.
You need to first install the non-vulnerable version of your dependency , so in this case
npm install --save css-what#5.0.1
Once that is done you need to add resolution strategy in your package.json. So , just add below key at the end of your package.json
"resolutions": { "css-what": "^5.0.1" }
After this just run npm install and run npm audit to see if your fix is working. You can cross check your package-lock.json to verify the new entry.
Related
I can not install my npm project due to dependency errors. Node-sass and react-scripts both say high vulnerabilities.
Here is my npm audit report.
How can I solve it?
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts#2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
#svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/#svgr/plugin-svgo
#svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of #svgr/plugin-svgo
node_modules/#svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of #svgr/webpack
node_modules/react-scripts
scss-tokenizer *
Severity: high
Regular expression denial of service in scss-tokenizer - https://github.com/advisories/GHSA-7mwh-4pqv-wmr8
fix available via `npm audit fix --force`
Will install node-sass#4.5.3, which is a breaking change
node_modules/scss-tokenizer
sass-graph >=2.2.0
Depends on vulnerable versions of scss-tokenizer
node_modules/sass-graph
node-sass >=4.6.0
Depends on vulnerable versions of sass-graph
node_modules/node-sass
terser 5.0.0 - 5.14.1
Severity: high
As explained here, if you are using node >= 16 you can install last version of #svgr/webpack
npm i -D #svgr/webpack
In which case you have to add a line in your package.json
"overrides": {
"#svgr/webpack": "$#svgr/webpack"
}
Remove node_modules folder and package-lock.json then perform a new npm install.
You could also only upgrade the 'nth-check' library in a similar fashion.
The library "node-sass" is deprecated so you may use another library, or identify and upgrade the failing component in a similar way as above.
I have tried the suggestion that #Zitoun provided. However, if your application has required input fields with a focus function when submitting with empty fields using react-hook-form, the suggestion will break your app - .focus is not a function. Please check your form before using the suggestion in your production!
i tried to install 'npm install --global expo-cli' and i get this error. svgo#1.3.2 this svgo is no longer supported. upgrade to v2.x.x, uuid#3.4.0 please upgrade to version 7 or higher, chokidar#2.1.8: chokidar 2 does not receive security update since 2019. i run npm audit fix --force, it said recommended protection disable and 7 packages are looking for funding
These are warns regarding libraries you are downloading from the web, don't be concerned by them, you cannot fix those issues. Just ignore it and start using expo. Everything is installed fine. Same errors appear when installing plain React project from the official source, you just need to ignore those warnings.
I'm trying to create a webpage using Reactjs (for learning react js).
After I run the command npx create-react-app cars, I'm getting errors as follows:
npm WARN deprecated tar#2.2.2: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
added 64 packages, and audited 107 packages in 15s
3 high severity vulnerabilities
To address all issues, run:
npm audit fix
Run "npm audit" for details.
After running npm audit, it says:
To address all issues (including breaking changes), run: npm audit fix --force
which gave the result as:
found 0 vulnerabilities
After following all these steps, when I try to create a project starting from create-react-app I'm getting same errors like:
x high severity vulnerabilities to address all issues, run: npm audit
I don't understand what I'm missing here. By all these I ended up creating 4 folders which has a subfolder node-modules and two JSON files named package and package-lock
Can anybody please direct me how do I proceed with all these?
npm version: 7.21.0
node version: v16.7.0
windows: 10
Below are the steps I followed to create my react environment and get ride of these warnings/errors are:
As per this answer, I have uninstalled ByteFence since as I mentioned here in the comments that there a threat detection and
Used this command npm set audit false from this answer
Apart from these steps, I made sure that I have latest versions of Node and npm installed
A while ago, I have encountered a npm vulnerability called "Missing Origin Validation".
The message was following:
High Missing Origin Validation
Package webpack-dev-server
Dependency of react-scripts
Path react-scripts > webpack-dev-server
More info https://nodesecurity.io/advisories/725
When I follow NPM's instruction and fixed it by run npm install react-scripts#2.1.1. It was fine.
Recently, on my other branch(Lets call it branch test) I installed webpack for some purpose. Even though the webpack was technically only installed in my test branch, when I switch to my master branch, this happened:
The react-scripts package provided by Create React App requires a dependency:
"webpack": "4.19.1"
Don't try to install it manually: your package manager does it automatically.
However, a different version of webpack was detected higher up in the tree:
C:\Users\pzheng\my-app\node_modules\webpack (version: 4.25.1)
I dont see webpack installed in my master branch's package.json. However, I still followed the NPM's instruction: deleted my package-lock.json and node_modules then I ran npm install
It fixed,but then the Missing Origin Validation vulnerability appears again. I am running into a cycle at this point. In the future the test branch will be merged. Then I need to pick a version. However, either version will cause an error.
Any help is appreciated.
I am just getting started with react-native. On installing this package
npm install --save react-native-validator-form
https://github.com/NewOldMax/react-native-validator-form/issues/3
I was prompted to npm audit and I was shown 4 vulnerabilities (listed above)
After running the 2 helper commands, I was prompted with another 2 vulnerabilities (see link)
How can I fix the remaining issues?
Updating the respective npm packages didn't work.
Not sure how to proceed?
This is a result of the new npm version including the audit command.
It isn't some new issue with the Angular CLI, npm just introduced new functionality in npm to warn users about vulnerabilities in the packages they're installing - so there's no "new" vulnerability in Angular, it's just that now npm is now warning you about vulnerabilities that already existed:
https://blog.npmjs.org/
Most of the issues stem from Karma, so it'd need to be fixed there for the Angular team to pull in a new Karma version karma-runner/karma#2994
If you have ran npm audit and got vulnerabilities, then you can have different scenarios:
Security vulnerabilities found with suggested updates
Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies.
Run the recommended commands individually to install updates to vulnerable dependencies. (Some updates may be semver-breaking changes; for more information, see "SEMVER warnings".)
Security vulnerabilities found requiring manual review
If security vulnerabilities are found, but no patches are available, the audit report will provide information about the vulnerability so you can investigate further.
Source: Reviewing and acting on the security audit report
Even after running npm audit fix if it is not fixed, then to proceed I think you should Turn off npm audit. Use below command to turn off npm audit.
when installing a single package.
npm install example-package-name --no-audit
To turn off npm audit when installing all packages
npm set audit false
it will set the audit setting to false in your user and global npmrc config files.
for reference visit : turn-off-npm-audit
Hope it will help and you can proceed to your work :) Happy codding
I had the same issue and log was like below:
Testing binary
Binary is fine
added 1166 packages from 1172 contributors and audited 39128 packages in 112.505s
found 1 high severity vulnerability
I executed the below command and it was fixed.
npm audit fix
log shows as below:
Testing binary
Binary is fine
+ #angular-devkit/build-angular#0.11.4
added 18 packages from 47 contributors, removed 14 packages and updated 52 packages in 64.529s
fixed 1 of 1 vulnerability in 39128 scanned packages
I faced the same issue while installing react-native navigation, using:
npm install react-navigation
For me, npm audit-fix didn't worked well. npm use to have some limitations. For me, yarn worked:
yarn add <package-name>
This worked for me:
Module not found: Can't resolve 'react-router-dom'
vulnerable dependencies:[1]: https://github.com/edjata1/Fix_Issues/blob/main/REACT%20ERROR%20vulnerable%20dependencies%20issues.txt
I had the same problem while running this command:
npm install ngx-bootstrap --save
...and solved it by running the Command Prompt as Administrator.
So Open the Command Prompt as Administrator and then try again. Hopefully it will work.