Reputation: 9703
npm is showing severity vulnerabilities, but using
npm cache clear
npm cache clear --force
npm audit fix
npm install
I have tried all of them, but none of them solves my problem. Please give me some idea of how I can solve it.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
added 1505 packages from 755 contributors and audited 18951 packages in 378.007s
found 11 moderate severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
Running npm audit fix results in:
>npm audit fix
npm WARN [email protected] requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
up to date in 118.757s
fixed 0 of 11 vulnerabilities in 18990 scanned packages
11 vulnerabilities required manual review and could not be updated
And my package.json:
{
    "private": true,
    "scripts": {
        "dev": "npm run development",
        "development": "cross-env NODE_ENV=development node_modules/webpack/bin/webpack.js --progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js",
        "watch": "npm run development -- --watch",
        "watch-poll": "npm run watch -- --watch-poll",
        "hot": "cross-env NODE_ENV=development node_modules/webpack-dev-server/bin/webpack-dev-server.js --inline --hot --config=node_modules/laravel-mix/setup/webpack.config.js",
        "prod": "npm run production",
        "production": "cross-env NODE_ENV=production node_modules/webpack/bin/webpack.js --no-progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js"
    },
    "devDependencies": {
        "axios": "^0.18",
        "babel-preset-react": "^6.24.1",
        "bootstrap": "^4.0.0",
        "cross-env": "^5.1",
        "jquery": "^3.2",
        "laravel-mix": "^2.0",
        "lodash": "^4.17.4",
        "popper.js": "^1.12",
        "vue": "^2.5.7"
    },
    "dependencies": []
}
Upvotes: 0
Views: 4547
Reputation: 49
Try this:
npm install npm@latest -g
You can install the latest npm version. The vulnerability alerts will be gone.
Upvotes: 0
Reputation: 576
If someone is still interested in solving this issue, I googled it and found this solution.
Append this key-value pair to the scripts section in the "package.json" file:
"scripts": {
    ...
    "preinstall": "npx npm-force-resolutions", // <-- appended
},
Then add a new section after the "scripts" section as below:
"resolutions": { // <-- appended
    "yargs-parser": "^18.1.3"
},
Now save the file and run "npm install"; the vulnerabilities are gone :)
Upvotes: 1
Reputation: 635
The current Laravel package.json has these vulnerabilities because of hoek and tunnel-agent. laravel-mix is using the packages and loads them through their package.json.
See more information about the issues here:
https://nodesecurity.io/advisories/566
https://nodesecurity.io/advisories/598
If you remove "laravel-mix": "^2.0", the vulnerabilities are gone, but you can't use Laravel Mix any more.
As per discussion here, I think the issue is fixed.
Upvotes: 2
Reputation: 635
That means you have 11 severity vulnerabilities in your downloaded packages.
Run npm audit and it will show you which packages are affected. Then check clearly whether the author has provided an update. If not, you can fix it yourself, which can be very hard because you're not deep in their sources...
However, most of the up-to-date packages provide fixes in newer versions.
Upvotes: 0
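Added example, not part of any answer above: when `npm audit fix` leaves findings for manual review, grouping the report by the direct dependency that pulls each vulnerable package in shows which package.json entry to upgrade. It assumes the npm 6 `npm audit --json` report shape (`advisories[id].module_name`, `.severity`, `.findings[].paths`); the sample report, its ids, versions and the `pkg-a`/`pkg-b`/`pkg-c` chains are constructed.

```javascript
// Constructed sample in the shape of an npm 6 `npm audit --json` report
// (assumed fields: advisories[id].module_name, .severity, .findings[].paths).
// Ids, versions and dependency chains below are made up for illustration.
const sampleReport = {
  advisories: {
    "1": {
      module_name: "hoek",
      severity: "moderate",
      findings: [
        { version: "0.0.1", paths: ["laravel-mix>pkg-a>pkg-b>hoek", "laravel-mix>pkg-c>hoek"] },
      ],
    },
    "2": {
      module_name: "tunnel-agent",
      severity: "moderate",
      findings: [{ version: "0.0.2", paths: ["laravel-mix>pkg-a>tunnel-agent"] }],
    },
  },
};

// Group every vulnerable install path by its first segment, which is the
// direct dependency listed in package.json that brings the package in.
function groupByDirectDependency(report) {
  const byRoot = {};
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split(">");
        const root = chain[0];
        const entry = (byRoot[root] = byRoot[root] || { paths: 0, modules: {} });
        entry.paths += 1;
        entry.modules[adv.module_name] = {
          severity: adv.severity,
          transitive: chain.length > 1, // true: not listed in package.json itself
        };
      }
    }
  }
  return byRoot;
}

// One line per direct dependency, naming the vulnerable modules behind it.
function summarize(report) {
  return Object.entries(groupByDirectDependency(report)).map(
    ([root, e]) => `${root}: ${e.paths} vulnerable path(s) via ${Object.keys(e.modules).sort().join(", ")}`
  );
}

console.log(summarize(sampleReport).join("\n"));
```

To use it on a real project, replace `sampleReport` with the parsed output of `npm audit --json` from an npm version that emits the `advisories` shape.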