I'm getting following warnings while running npm commands, how to update these dependencies ?
npm WARN deprecated graceful-fs#3.0.8: graceful-fs version 3 and before will fail on newer node releases. Please update to graceful-fs#^4.0.0 as soon as possible.
npm WARN deprecated lodash#1.0.2: lodash#<3.0.0 is no longer maintained. Upgrade to lodash#^4.0.0.
npm WARN deprecated npmconf#2.1.1: this package has been reintegrated into npm and is now out of date with respect to npm
My package.json -
{
"name": "lib",
"version": "0.0.0",
"author": {
"name": "user",
"email": "user#gmail.com"
},
"dependencies": {
"gulp-install": "^0.6.0",
"lodash": "^4.5.1"
},
"devDependencies": {
"chai": "^1.9.1",
"chai-jquery": "^1.2.3",
"karma-mocha-reporter": "^0.3.1",
"gulp": "^3.8.7",
"gulp-concat": "^2.3.4",
"gulp-rename": "^1.2.0",
"gulp-uglify": "^0.3.1",
"karma": "^0.12.22",
"karma-chai": "^0.1.0",
"karma-chai-jquery": "^1.0.0",
"karma-chrome-launcher": "^0.1.4",
"gulp-ng-annotate": "^0.3.3",
"karma-jasmine": "^0.1.5",
"karma-jquery": "^0.1.0",
"karma-mocha": "^0.1.8",
"karma-phantomjs-launcher": "^0.1.4",
"karma-sinon-chai": "^0.2.0",
"mocha": "^1.21.4",
"sinon": "^1.10.3",
"sinon-chai": "^2.5.0"
},
"engines": {
"node": ">=0.8.0"
}
}
You have packages, which are using old versions of these plugins.
You won't get rid of these warnings, till the developers of the packages upgrading their plugins (with the dependencies).
You can print all versions with all dependencies to find the targets:
bower list --depth=2
npm list --depth=2
Increase the depth if you don't find them.
Related
Im using npm version 6.17.1
I have React 15.4.0 installed
I try and install npm install pretty-checkbox which gives me
+-- UNMET PEER DEPENDENCY popper.js#^1.16.0
+-- pretty-checkbox#3.0.3
`-- UNMET PEER DEPENDENCY react#15.4.0
I then try and install popper.js and get
+-- popper.js#1.16.0
`-- UNMET PEER DEPENDENCY react#15.4.0
So then I try and install react again. npm i react#15.4.0 and is then met with
`-- UNMET PEER DEPENDENCY react#15.4.0
So Im at a loss why and how this is suppose to work
Package.js
{
"private": true,
"scripts": {
"transport": "watchify js/app.js -v -t babelify -p livereactload -o public/js/bundle.js",
"ES6-to-ES5": "npx babel es6 --watch --presets babel-preset-env --out-dir js",
"watch": "gulp medicus-watch"
},
"devDependencies": {
"babel-cli": "^6.26.0",
"babel-plugin-react-transform": "^2.0.2",
"babel-plugin-transform-object-rest-spread": "^6.23.0",
"babel-preset-env": "^1.7.0",
"babel-preset-es2015": "^6.24.1",
"bootstrap-sass": "^3.3.7",
"browserify": "^14.3.0",
"cross-env": "^3.2.3",
"del": "^2.2.2",
"fakerator": "^0.3.0",
"gulp": "^3.9.1",
"gulp-concat": "^2.6.1",
"gulp-less": "^3.3.0",
"gulp-livereload": "^3.8.1",
"gulp-uglify": "^3.0.0",
"gulp-zip": "^4.0.0",
"laravel-elixir": "^5.0.0",
"laravel-mix": "0.*",
"livereactload": "^3.3.0",
"lodash": "^4.17.4",
"react-proxy": "^1.1.8",
"vinyl-buffer": "^1.0.0",
"vinyl-source-stream": "^1.1.0",
"vue": "^2.1.10",
"watchify": "^3.9.0"
},
"dependencies": {
"axios": "^0.15.3",
"babel-plugin-transform-class-properties": "^6.24.1",
"babel-preset-react": "^6.24.1",
"babelify": "^7.3.0",
"create-react-class": "^15.6.0",
"draft-js": "^0.11.4",
"draftjs-to-html": "0.9.1",
"fixed-data-table-2": "^0.7.17",
"jquery": "^3.2.1",
"moment": "^2.18.1",
"node-sass": "^4.5.3",
"pretty-checkbox": "^3.0.3",
"prop-types": "^15.5.10",
"ramda": "^0.23.0",
"react": "^15.4.0",
"react-bootstrap": "^0.31.0",
"react-bootstrap-datetimepicker": "0.0.22",
"react-dom": "^15.4.0",
"react-draft-wysiwyg": "^1.14.4",
"react-google-charts": "^1.5.5",
"react-native-html-to-pdf": "^0.8.0",
"react-radio-buttons": "^1.2.2",
"react-redux": "^4.3.0",
"react-router": "^4.1.1",
"react-router-dom": "^4.2.2",
"react-sortable-hoc": "^0.6.8",
"react-widgets": "^3.4.8",
"redux": "^3.7.2",
"redux-form": "^6.8.0",
"redux-promise": "^0.5.3",
"redux-thunk": "^2.2.0"
},
"browserify": {
"transform": [
[
"babelify"
]
]
}
}
Package-lock.json
.
.
.
"react": {
"version": "15.4.0",
"resolved": "https://registry.npmjs.org/react/-/react-15.4.0.tgz",
"integrity": "sha1-c2wcfFQugIgScQbh9FCwEPhtFys=",
"requires": {
"fbjs": "^0.8.4",
"loose-envify": "^1.1.0",
"object-assign": "^4.1.0"
}
},
.
.
.
I could see pretty-checkbox's developer last published 4 years ago.
Let's say the new module used popper-js#2.0 and someone who already had popper-js#4.0 as direct or sub-dependency in their project is more likely to face unmet peer dependency on using the new module.
Downgrading the version is not recommended due to possible conflict with other modules. A workaround would be to add resolutions.
Before doing anything, ensure there is no other version of react installed globally, delete your node-modules folder and package-lock.json file. Ensure your package.json dependency has react#15.4.0 and only add popperjs#^1.16.0 if you're sure that other modules in your project are not relying on later versions of popperjs.
Take a look at this article for a good explanation on peer dependencies
If there are other modules that needs other versions of popperjs then in your package.json you could add an additional property at the end like below,
{
.....,
"browserify": {
"transform": [
[
"babelify"
]
]
},
"resolutions": {
popperjs: "^1.16.0"
}
}
Note:- You're not removing the previous version, resolutions will just pin your sub-dependency to the specified version.
Good Read:- https://medium.com/learnwithrahul/understanding-npm-dependency-resolution-84a24180901b
I often try this when nothing makes sense:
Removing the node modules folder and Package-lock.json file.
Reset the package.json file to the last stable commit using git.
Then clear npm cache and run npm install.
And at the end try to install the package pretty-checkbox.
We have a web application on AngularJS 1.x which is creating issues with dependencies -> dependent library to raven scan vulnerabilities.
Package.json:
{
"name": "Test",
"dependencies": {
"angular": "1.6.9",
"angular-animate": "1.6.6",
"angular-aria": "1.6.9",
"angular-material": "1.1.9",
"angular-messages": "1.6.9",
"angular-route": "1.6.9",
"angular-touch": "1.6.9",
"angular-ui-router": "0.3.2",
"angular-smart-table": "2.1.8",
"angular-ui-bootstrap": "1.3.3",
"angular-ui-grid": "4.8.3",
"angular-ui-select": "0.12.10",
"uuid": "^3.3.2",
"bootstrap": "3.3.7",
"requirejs": "2.3.6",
"jquery": "3.3.1",
"grunt-cli": "1.3.2",
"grunt": "1.3.0",
"grunt-contrib-uglify": "4.0.1",
"grunt-contrib-jshint": "2.1.0",
"grunt-contrib-requirejs": "1.0.0",
"grunt-contrib-clean": "1.1.0",
"grunt-contrib-copy": "1.0.0",
"grunt-contrib-cssmin": "2.2.1",
"grunt-contrib-concat": "1.0.1",
"grunt-processhtml": "0.4.2",
"grunt-front-end-modules": "1.1.0",
"grunt-karma": "3.0.0",
"underscore": "1.8.3",
"d3": "3.5.17",
"nvd3": "1.8.1",
"angular-file-saver": "1.1.3",
"smart-area": "2.0.0",
"csv-js": "1.0.0",
"pdfmake": "0.1.36",
"file-saver": "1.3.2",
"font-awesome": "4.7.0",
"angular-file-upload": "2.5.0"
}
}
Package-lock.json
...
"htmlprocessor": {
"version": "0.2.6",
"resolved": "https://fakepath",
"integrity": "sha1",
"requires": {
"lodash": "~2.4.1"
},
"dependencies": {
"lodash": {
**"version": "2.4.2",**
"resolved": "https://fakepath",
"integrity": "sha1"
}
}
},
...
For example above - lodash needs to be updated to 4.17.20 of min to fix the vulnerability.
Do i add lodash to be a devDependency or update the package-lock.json manually ?
Note- package-lock.json is not pushed as part of source control but i am studying online that it should be
We're working off security vulnerabilities in our apps as well and have had a similar problem. There is no good answer:
Sure, you can edit your package-lock.json file by hand but that's just cheating around the issue. It won't somehow get rid of the vulnerability that lodash is bringing in because NPM will keep pulling down that version. You would be better off asking for a waiver for this security finding than trying to hide it.
Why is it pulling down that version? One of your devDependencies has a dependency on htmlprocessor. That processor lib specifically calls out the use of that version of lodash. You could submit a merge request to that library to get it updated to a newer version of lodash but it doesn't look like it's maintained anymore.
Adding a newer version of lodash as a devDependency will just mean you now depend on two versions of lodash. It won't fix anything.
This is both the blessing and curse of using NPM. Easy access to tons of libraries... but there are many no-longer-maintained libraries that get pulled in that are chock full of security issues.
I had an old Ionic project whose package.json file is like following:
{
"name": "example",
"version": "1.1.1",
"description": "example: An Ionic project",
"dependencies": {
"angular-messages": "^1.5.1",
"gulp": "^3.5.6",
"gulp-concat": "^2.2.0",
"gulp-minify-css": "^0.3.0",
"gulp-rename": "^1.2.0",
"gulp-sass": "^2.0.4"
},
"devDependencies": {
"bower": "^1.3.3",
"gulp-util": "^2.2.14",
"shelljs": "^0.3.0"
},
"cordovaPlugins": [
"cordova-plugin-device",
"cordova-plugin-console",
"cordova-plugin-whitelist",
"cordova-plugin-splashscreen",
"cordova-plugin-statusbar",
"ionic-plugin-keyboard"
],
"cordovaPlatforms": [
"android"
]
}
Bower.json:
{
"name": "HelloIonic",
"private": "true",
"dependencies": {
"angular": "~1.3.1",
"angular-route": "~1.3.1",
"angular-cookies": "~1.4.0",
"bootstrap": "~3.3.0",
"bootstrap-material-design": "~0.1.5",
"jquery": "~2.1.1",
"ngDialog": "~0.3.3",
"underscore": "~1.7.0",
"ionic": "^1.2.4",
"angular-resource": "^1.5.2",
"angular-google-chart": "^0.1.0",
"angular-ui-router-styles": "^1.1.0",
"angular-audio": "^1.7.2"
}
}
With these settings it is working on one of my machines since a few months. Today I tried to clone this repo on another machine and tried to set it up, but unfortunately ran into errors like $http(...).success is not a function & Error: transition superseded at $StateProvider.$get. Also, if I check in my developer console images are are not loaded.
I simply ran npm install ionic, npm install bower, npm install & then bower install. After that ionic serve
What I should do to run my project on these old settings without having to change my code?
UPDATE:
If I do angular.version in my developer console then I see full: "1.6.4", major: 1, minor: 6, dot: 4, codeName: "phenomenal-footnote" and for ionic.version: 1.2.4
however on old machine angular.version is 1.5.8 and ionic.version is 1.2.4
I have two version of grunt one global and one local.
grunt-cli v1.2.0
grunt v1.0.1
I want to uninstall v1.0.1.
When running grunt debug command it running successfully but while saving code am getting this fatal error:grunt.util._.contains is not a function.
bower.json
{
"name": "__",
"version": "__",
"devDependencies": {
"angular": "^1.5.5",
"angular-ui-router": "^0.2.18",
"angular-mocks": "^1.5.5",
"angular-bootstrap": "^1.3.2",
"ngstorage": "^0.3.10",
"bootstrap": "^3.3.6",
"angular-resource": "^1.2.28",
"ng-file-upload-shim": "^12.0.4",
"ng-file-upload": "^12.0.4"
},
"dependencies": {
"angularjs-slider": "^5.4.1"
}
}
package.json
{
"author": "....",
"name": "....",
"version": "1.0.0",
"homepage": ".....",
"licenses": {
"type": "MIT",
"url": "...."
},
"bugs": "....",
"repository": {
"type": "git",
"url": "..."
},
"dependencies": {},
"devDependencies": {
"grunt": "^1.0.1",
"grunt-bump": "0.0.6",
"grunt-coffeelint": "~0.0.10",
"grunt-contrib-clean": "^0.4.1",
"grunt-contrib-coffee": "^0.7.0",
"grunt-contrib-concat": "^0.3.0",
"grunt-contrib-copy": "^0.4.1",
"grunt-contrib-jshint": "^0.4.3",
"grunt-contrib-less": "~0.11.0",
"grunt-contrib-uglify": "^0.2.7",
"grunt-contrib-watch": "^0.4.4",
"grunt-conventional-changelog": "^0.1.2",
"grunt-html2js": "^0.1.9",
"grunt-karma": "^0.8.2",
"grunt-ng-annotate": "^0.8.0",
"karma": "^0.12.9",
"karma-coffee-preprocessor": "^0.2.1",
"karma-firefox-launcher": "^0.1.3",
"karma-jasmine": "^0.1.5"
}
}
It is due to incompatible grunt version, so I followed the below commands:
I Uninstalled Grunt:
>npm uninstall -g grunt
I Installed Grunt-cli:
>npm install -g grunt-cli
Then i checked the version:
>grunt --version
grunt-cli v1.2.0
grunt v1.0.1
I got the above response, but i needed grunt v0.4.5
Then i installed the needed grunt version:
npm install grunt#0.4.5 --save-dev
Now I don't get the above specified error.
I cant deploy my angular.js app to Heroku. I keep getting the following error. I can however run it locally with grunt serve or do a grunt build. I am using the heroku buildpack https://github.com/adamgoldstein/heroku-buildpack-nodejs-grunt-compass to get compass working. if I dont use the buildpack I get the warning 'Warning: Couldn't find the compass binary.'
remote: Running "wiredep:app" (wiredep) task
remote: Warning: Error: bootstrap-sass-official is not installed. Try running `bower install`. Use --force to continue.
remote:
remote: Aborted due to warnings.
remote:
remote:
remote: Execution Time (2015-09-17 14:11:30 UTC)
remote: loading tasks 332ms ▇▇▇▇▇▇▇▇▇ 18%
remote: clean:dist 130ms ▇▇▇▇ 7%
remote: wiredep:app 1.4s ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ 76%
remote: Total 1.9s
remote:
remote:
remote: ! Push rejected, failed to compile Node.js app
I have cleaned and re-installed both my node_modules and my bower packages by running npm install and bower install.
This is my bower.json dependencies list:
"dependencies": {
"angular": "^1.3.0",
"bootstrap-sass-official": "^3.2.0",
"angular-animate": "^1.3.0",
"angular-aria": "^1.3.0",
"angular-cookies": "^1.3.0",
"angular-messages": "^1.3.0",
"angular-resource": "^1.3.0",
"angular-route": "^1.3.0",
"angular-sanitize": "^1.3.0",
"angular-touch": "^1.3.0",
"ngInfiniteScroll": "~1.2.0",
"angular-moment": "~0.9.2",
"userapp-angular": "~2.0.4",
"ui-bootstrap": "~0.12.1",
"angular-ui-router": "~0.2.13",
"modernizr": "~2.8.3",
"angular-bootstrap": "~0.13.0",
"angular-xeditable": "~0.1.9",
"ngtoast": "~1.5.2",
"restangular": "~1.5.1",
"jquery-bridget": "~1.1.0",
"angular-rangeslider": "~0.0.13",
"angular-auto-focus": "~1.0.3",
"angular-masonry": "~0.11.0",
"angular-masonry-directive": "*",
"angular-rt-popup": "~1.0.6"
},
"devDependencies": {
"angular-mocks": "^1.3.0"
},
and my package.json dependencies:
{
"name": "angularnews",
"version": "0.0.0",
"dependencies": {
"angular": "^1.3.x",
"bower": "~1.4.1",
"compass": "^0.1.1",
"express": "~4.12.3",
"generator-angular": "~0.11.1",
"generator-karma": "~1.0.0",
"grunt-cli": "~0.1.13",
"gzippo": "~0.2.0",
"morgan": "~1.5.2",
"yo": "~1.4.6"
},
"repository": {},
"devDependencies": {
"grunt": "^0.4.5",
"grunt-autoprefixer": "^2.0.0",
"grunt-concurrent": "^1.0.0",
"grunt-contrib-clean": "^0.6.0",
"grunt-contrib-compass": "^1.0.3",
"grunt-contrib-concat": "^0.5.0",
"grunt-contrib-connect": "^0.9.0",
"grunt-contrib-copy": "^0.7.0",
"grunt-contrib-cssmin": "^0.12.0",
"grunt-contrib-htmlmin": "^0.4.0",
"grunt-contrib-imagemin": "^0.9.2",
"grunt-contrib-jshint": "^0.11.0",
"grunt-contrib-uglify": "^0.7.0",
"grunt-contrib-watch": "^0.6.1",
"grunt-filerev": "^2.1.2",
"grunt-google-cdn": "^0.4.3",
"grunt-newer": "^1.1.0",
"grunt-ng-annotate": "^0.9.2",
"grunt-svgmin": "^2.0.0",
"grunt-usemin": "^3.0.0",
"grunt-wiredep": "^2.0.0",
"jshint-stylish": "^1.0.0",
"load-grunt-tasks": "^3.1.0",
"time-grunt": "^1.0.0"
},
"engines": {
"node": ">=0.10.0"
},
"scripts": {
"test": "grunt test",
"postinstall": "bower cache clean && bower install"
}
}
Any ideas?
Adding the https://github.com/heroku/heroku-buildpack-nodejs buildpack to heroku solved my problem.