There is a small React/Redux app I'd like to check against nsp check.
For instance, nsp complains that the debug 2.6.8 package I use in the app contains a vulnerability. So I need to bump the version of debug:
Regular Expression Denial of Service
│ Name       │ debug
│ CVSS       │ 3.7 (Low)
│ Installed  │ 2.6.8
│ Vulnerable │ <= 2.6.8 || >= 3.0.0 <= 3.0.1
│ Patched    │ >= 2.6.9 < 3.0.0 || >= 3.1.0
│ Path       │ sms-web@0.0.1 > webpack-dev-server@2.5.0 > compression@1.7.0 > debug@2.6.8
│ More Info  │ https://nodesecurity.io/advisories/534
I tried npm update --depth=7, but it didn't update debug package.
So how can I update deeply placed packages, e.g. debug?
According to the docs:
As of npm@2.6.1, the npm update will only inspect top-level packages. Prior versions of npm would also recursively inspect all dependencies. To get the old behavior, use npm --depth 9999 update.
In order to update just the debug package you could do
npm --depth 9999 update debug
or else you could just uninstall and reinstall it like
npm uninstall -S debug
npm install -S debug
I am trying to follow this tutorial on https://storybook.js.org/tutorials/intro-to-storybook/react/en/get-started/
The commands that are given in the tutorial are as follows
# Clone the template
npx degit chromaui/intro-storybook-react-template taskbox
cd taskbox
# Install dependencies
yarn
# Run the test runner (Jest) in a terminal:
yarn test --watchAll
# Start the component explorer on port 6006:
yarn storybook
# Run the frontend app proper on port 3000:
yarn start
I am however running into an issue when running yarn storybook on my WSL2 Ubuntu terminal.
Here is the error
yarn storybook
yarn run v1.22.5
warning ../package.json: No license field
$ start-storybook -p 6006 -s public
info @storybook/react v6.3.0
info
info => Loading presets
info => Serving static files from ./public at /
info => Loading 1 config file in "/mnt/d/taskbox/.storybook"
info => Loading 9 other files in "/mnt/d/taskbox/.storybook"
info => Adding stories defined in "/mnt/d/taskbox/.storybook/main.js"
info => Using prebuilt manager
info => Loading Webpack configuration from `node_modules/react-scripts`
info => Removing existing JavaScript and TypeScript rules.
info => Modifying Create React App rules.
info => Using default Webpack4 setup
(node:7126) [DEP0148] DeprecationWarning: Use of deprecated folder mapping "./" in the "exports" field module resolution of the package at /mnt/d/taskbox/node_modules/postcss-safe-parser/node_modules/postcss/package.json.
Update this package.json to use a subpath pattern like "./*".
(Use `node --trace-deprecation ...` to show where the warning was created)
17% building 63/88 modules 25 active /mnt/d/taskbox/node_modules/global/window.jsBrowserslist: caniuse-lite is outdated. Please run:
npx browserslist@latest --update-db
Why you should do it regularly:
https://github.com/browserslist/browserslist#browsers-data-updating
webpack built preview 0ef1297f848efab9f24c in 139265ms
╭─────────────────────────────────────────────────────╮
│ │
│ Storybook 6.3.0 started │
│ 3.97 min for preview │
│ │
│ Local: http://localhost:6006/ │
│ On your network: http://172.22.229.210:6006/ │
│ │
│ A new version (6.3.6) is available! │
│ │
│ Upgrade now: npx sb@latest upgrade │
│ │
│ Read full changelog: https://git.io/fhFYe │
│ │
╰─────────────────────────────────────────────────────╯
node:internal/errors:456
ErrorCaptureStackTrace(err);
^
Error: spawn wslvar ENOENT
at Process.ChildProcess._handle.onexit (node:internal/child_process:282:19)
at onErrorNT (node:internal/child_process:480:16)
at processTicksAndRejections (node:internal/process/task_queues:83:21) {
errno: -2,
code: 'ENOENT',
syscall: 'spawn wslvar',
path: 'wslvar',
spawnargs: [ 'systemroot' ],
cmd: 'wslvar systemroot',
stdout: '',
stderr: ''
}
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
I've been having a hard time finding similar errors to go off of since it seems like a rare error. I suspect it's related to me running storybook on WSL2 though.
According to this GitHub comment, the error is usually caused by either:
1) powershell.exe not being in the path (unlikely, but could be the case if a /etc/wsl.conf explicitly disabled Windows PATH interop).
2) Missing wslvar, which is part of the wslu (WSL Utilities) package. While it's installed by default in some WSL distributions, it may not be up-to-date or installed in some. See the GitHub page for installation instructions for each distribution.
Every time I try to create a react app it gets stuck. This is what I see
┌────────────────────────────────────────────────────────────┐
│ npm update check failed │
│ Try running with sudo or get access │
│ to the local update config store via │
│ sudo chown -R $USER:$(id -gn $USER) C:\Users\alanp\.config │
└────────────────────────────────────────────────────────────┘
Creating a new React app in C:\Users\alanp\OneDrive\Desktop\Personal Projects\PictureDayAtl\my-app.
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts with cra-template...
It will just stay there. I checked my project out and it does end up creating a my-app folder and a package.json, but that's about it. I have up-to-date node and npm. I've tried installing react, react-dom, and react-scripts beforehand but that doesn't work. I've tried repeating this multiple times and nothing. Left it running for a couple of hours and nothing. Any help would be appreciated.
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native-cached-image │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-native-cached-image > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 11 vulnerabilities (2 low, 8 moderate, 1 high) in 26316 scanned packages
11 vulnerabilities require manual review. See the full report for details.
This shows up when I try to npm install, and all of them required manual review. I've tried to visit this to check for more info and apparently it's because my lodash is of version 4.17.4. So I've then run npm install --save lodash@4.17.5 and checked my package.json to make sure it's reflecting correctly.
However, it seems the vulnerabilities are still there. Wondering if I fixed it the wrong way?
As requested, the body of package.json
"dependencies": {
"lodash": "^4.17.5",
}
You can solve it with https://github.com/rogeriochaves/npm-force-resolutions
1) add resolutions section
"resolutions": {
"lodash": "^4.17.5"
}
2) run
rm -r node_modules
npx npm-force-resolutions
npm install
Issue is related to the react-native-cached-image package having a dependency on lodash 4.17.4 as you can see here: https://github.com/kfiroo/react-native-cached-image/blob/master/package.json#L51
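Both the debug report earlier on this page and the lodash report above come down to the same check: which dependency paths still resolve to a version inside the vulnerable range after a direct dependency has been bumped. The script below is an added example, not code from either thread or from npm; the `example-app` tree is constructed in the shape of `npm ls --json` output, and the react-native-cached-image version in it is a made-up value.

```javascript
// Plain x.y.z comparison (pre-release tags are not handled).
const cmp = (a, b) => {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
};

// "||" separates alternatives; every comparator inside one alternative must hold.
function inRange(version, range) {
  return range.split("||").some((set) => {
    const comps = [...set.matchAll(/(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)/g)];
    return comps.length > 0 && comps.every(([, op = "=", v]) => {
      const c = cmp(version, v);
      return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0 }[op];
    });
  });
}

// Depth-first walk that records every path ending in a vulnerable version.
function findVulnerable(node, advisories, path = [`${node.name}@${node.version}`], hits = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (advisories[name] && inRange(dep.version, advisories[name])) hits.push(here.join(" > "));
    findVulnerable(dep, advisories, here, hits);
  }
  return hits;
}

// Vulnerable ranges taken from the two reports on this page.
const advisories = {
  debug: "<= 2.6.8 || >= 3.0.0 <= 3.0.1",
  lodash: "< 4.17.5", // complement of "Patched in >=4.17.5"
};

// Constructed dependency tree (sample data, not a real project).
const tree = {
  name: "example-app", version: "0.0.1",
  dependencies: {
    lodash: { version: "4.17.5" }, // direct dependency after the bump
    "webpack-dev-server": { version: "2.5.0", dependencies: {
      compression: { version: "1.7.0", dependencies: { debug: { version: "2.6.8" } } } } },
    "react-native-cached-image": { version: "1.0.0", dependencies: {
      lodash: { version: "4.17.4" } } }, // nested copy is untouched by the bump
  },
};

console.log(findVulnerable(tree, advisories).join("\n"));
```

The top-level lodash 4.17.5 is not reported, while the copy nested under react-native-cached-image still is, which is why the audit keeps flagging the project until the nested version itself changes.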
I try to run a React application on Bluemix / IBM Cloud which runs successfully on my local workstation.
I get the error Module not found: Can't resolve 'watson-react-components'
when I invoke the application (deploy to Bluemix is successful)
Here is the import statement in my JavaScript code
import React from 'react';
import './Conversation.css';
import { InputWithButton } from 'watson-react-components';
import Message from './Message.js';
I install the package with the following install commands
# Install & build
npm install && npm install watson-react-components && npm run build
this is what I get during the installation of the packages
│ └── whatwg-fetch@2.0.3
└─┬ watson-react-components@0.6.16
├── map-range@0.1.2
├── numeral@2.0.6
├─┬ prismjs@1.11.0
│ └─┬ clipboard@1.7.1
│ ├─┬ good-listener@1.2.2
│ │ └── delegate@3.2.0
│ ├── select@1.1.2
│ └── tiny-emitter@2.0.2
Here is the error message on the app
Failed to compile
./src/Conversation.js
Module not found: Can't resolve 'watson-react-components' in '/home/vcap/app/src'
sorry sorry --- the problem was sitting in front of the computer. I missed the cf push command in the deployment script.
Problem solved!!! sorry again
The bug is in the command to install the app.
It should be npm install && npm install --save watson-react-components && npm run build
You forgot a --save
I am using Linux and I want to know if I can check what version of angular-material I am using. I'm using bower for installing/updating packages.
Looks like you can use npm ls @angular/material to tell you the exact version.
If installed with npm
npm list @angular/material
If installed with yarn
yarn list @angular/material
If installed with bower, as in OP case
You can check out what version of angular-material you use by opening the following file:
bower_components/angular-material/bower.json
which will display something like that:
{
"name": "angular-material",
"version": "0.11.0",
...
}
Or, as Matt pointed out, use bower list, then look up angular-material.
If you have npm installed, the following may help
npm angular/material -v
I normally use ng --version, this will list the version of everything I have installed
Package                                    Version
--------------------------------------------------------------------
@angular-devkit/architect                  0.803.26
@angular-devkit/build-angular              0.803.26
@angular-devkit/build-optimizer            0.803.26
@angular-devkit/build-webpack              0.803.26
@angular-devkit/core                       8.3.26
@angular-devkit/schematics                 8.3.26
@angular/cdk                               8.2.3
@angular/cli                               8.3.26
@angular/compiler-cli                      8.2.14
@angular/material                          8.2.3
@ngtools/webpack                           8.3.26
@nguniversal/module-map-ngfactory-loader   8.1.1
@schematics/angular                        8.3.26
@schematics/update                         0.803.26
rxjs                                       6.5.4
typescript                                 3.5.3
webpack                                    4.39.2
To check the version of a bower package from the terminal, you can use bower list which will render a dependency tree like this one:
bower check-new Checking for new versions of the project dependencies...
My App#0.0.1 C:\Development\my-app
├── angular#1.4.7 (latest is 1.5.1-build.4592+sha.c4e47e4)
├─┬ angular-animate#1.4.7 (latest is 1.5.1-build.4592+sha.c4e47e4)
│ └── angular#1.4.7 (latest is 1.5.1-build.4592+sha.c4e47e4)
├─┬ angular-aria#1.4.7 (latest is 1.5.1-build.4592+sha.c4e47e4)
│ └── angular#1.4.7
├─┬ angular-cookies#1.4.7 (latest is 1.5.1-build.4592+sha.c4e47e4)
│ └── angular#1.4.7
├── angular-local-storage not installed
├─┬ angular-material#0.11.2 (latest is 1.0.5)
│ ├── angular#1.4.7 (1.5.1-build.4592+sha.c4e47e4 available)
│ ├── angular-animate#1.4.7 (1.5.1-build.4592+sha.c4e47e4 available)
│ └── angular-aria#1.4.7 (1.5.1-build.4592+sha.c4e47e4 available)
├─┬ angular-resource#1.4.7 (latest is 1.5.1-build.4592+sha.c4e47e4)
│ └── angular#1.4.7
└─┬ angular-sanitize#1.4.7 (latest is 1.5.1-build.4592+sha.c4e47e4)
  └── angular#1.4.7
In my example, angular-material is installed with version 0.11.2 (and I should update it to 1.0.5).
To process this (and a lot more) information via a node script, for example in Jenkins, you can use the --json parameter: bower list --json.
Go to your project, and open the following file:
node_modules/@angular/material/package.json
In this file, the ID contains the version installed for that project.