Ayush M.

Reputation: 899

Npm install gives warnings, npm audit fix not working

I am working on an Angular app with a .NET Core Web API.

When I cloned this repository, I tried to run npm install on the angular application, but I got a strange error:

npm install
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 34090 packages in 14.711s
found 15 vulnerabilities (9 low, 6 high)
  run `npm audit fix` to fix them, or `npm audit` for details 

Also, if I try to do npm audit fix, I get even more errors:

npm audit fix
npm ERR! code ELOCKVERIFY
npm ERR! Errors were found in your package-lock.json, run  npm install  to fix them.
npm ERR!     Invalid: lock file's @progress/kendo-theme-default@file:https:/registry.npmjs.org/@progress/kendo-theme-default/-/kendo-theme-default-2.48.1.tgz does not satisfy @progress/kendo-theme-default@file:lib/kendo-theme-default
npm ERR!     Invalid: lock file's bootstrap@file:https:/registry.npmjs.org/bootstrap/-/bootstrap-4.0.0.tgz does not satisfy bootstrap@file:lib/bootstrap

How can I resolve this?

Upvotes: 90

Views: 180831
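The ELOCKVERIFY lines in the question come from npm checking that every entry in package-lock.json still satisfies the spec in package.json. As an added example (not code from the question or from any answer), the Node.js script below performs a simplified version of that check. Both JSON documents are constructed sample data modelled on the two failing entries in the question, and the lockfileVersion 1 style `dependencies` shape, the extra package names and the minimal semver handling are assumptions for illustration.

```javascript
// Added example: a toy re-implementation of the package.json vs
// package-lock.json consistency check behind npm's ELOCKVERIFY error.

// Constructed sample package.json (project name and extra deps are assumptions).
const samplePackageJson = {
  name: "sample-angular-app",
  dependencies: {
    "@progress/kendo-theme-default": "file:lib/kendo-theme-default",
    "bootstrap": "file:lib/bootstrap",
    "rxjs": "^6.3.3",
    "zone.js": "~0.8.26"
  }
};

// Constructed sample package-lock.json (lockfileVersion 1 layout assumed).
const samplePackageLock = {
  lockfileVersion: 1,
  dependencies: {
    // The two entries from the question: a registry tarball URL recorded under
    // a "file:" prefix, which can never satisfy a local-path spec.
    "@progress/kendo-theme-default": {
      version: "file:https:/registry.npmjs.org/@progress/kendo-theme-default/-/kendo-theme-default-2.48.1.tgz"
    },
    "bootstrap": {
      version: "file:https:/registry.npmjs.org/bootstrap/-/bootstrap-4.0.0.tgz"
    },
    // Healthy entries: plain versions inside the ranges package.json asks for.
    "rxjs": { version: "6.3.3" },
    "zone.js": { version: "0.8.29" }
  }
};

// Parse "x.y.z" into numbers; anything else (URLs, file: paths, ranges) -> null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Minimal semver matching for exact, caret and tilde specs. Returns true/false,
// or null for range syntax this toy checker does not model (e.g. ">=1.0.0 <2").
function satisfies(spec, version) {
  const have = parseVersion(version);
  if (!have) return false;
  const op = /^[\^~]/.test(spec) ? spec[0] : "";
  const want = parseVersion(op ? spec.slice(1) : spec);
  if (!want) return null;
  if (compareVersions(have, want) < 0) return false;
  if (op === "^") {
    // ^x.y.z keeps the leftmost non-zero component fixed.
    if (want[0] !== 0) return have[0] === want[0];
    if (want[1] !== 0) return have[0] === 0 && have[1] === want[1];
    return compareVersions(have, want) === 0;
  }
  if (op === "~") return have[0] === want[0] && have[1] === want[1];
  return compareVersions(have, want) === 0;
}

// Returns one {name, reason} per dependency whose lock entry cannot satisfy
// the package.json spec, in package.json order.
function verifyLock(pkg, lock) {
  const problems = [];
  const specs = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = lock.dependencies || {};
  for (const [name, spec] of Object.entries(specs)) {
    const entry = locked[name];
    if (!entry) {
      problems.push({ name, reason: "missing from package-lock.json" });
      continue;
    }
    const v = entry.version;
    if (spec.startsWith("file:")) {
      // A local path spec must be recorded verbatim in the lock file.
      if (v !== spec) problems.push({ name, reason: `lock has ${v}, package.json wants ${spec}` });
    } else if (!parseVersion(v)) {
      problems.push({ name, reason: `lock records non-registry version ${v} for spec ${spec}` });
    } else if (satisfies(spec, v) === false) {
      problems.push({ name, reason: `locked ${v} is outside ${spec}` });
    }
  }
  return problems;
}

const lockProblems = verifyLock(samplePackageJson, samplePackageLock);
for (const p of lockProblems) console.log(`Invalid: ${p.name}: ${p.reason}`);
console.log(lockProblems.length === 0 ? "lock file is consistent" : `${lockProblems.length} problem(s) found`);
```

Run it with `node` and the two kendo-theme and bootstrap entries are reported while rxjs and zone.js pass. Real npm resolves the full semver grammar and also walks nested dependencies, which this checker deliberately leaves out; its point is to show that the error is a disagreement between the two files, which is why the answers below that delete package-lock.json and reinstall make it go away.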

Answers (5)

Lysander

Reputation: 336

In my case, I use yarn to install the dependencies.

I used the steps below to fix my issues:

  • Remove package-lock.json and node_modules
  • Use yarn install and yarn audit to check what versions have vulnerabilities.
  • Add a resolutions block into the package.json to patch the updated version.

Example:

{
  // ... other package.json content
  "resolutions": {
    "postcss": ">=8.4.31",
    "nth-check": ">=2.0.1"
  }
}
  • Use yarn install and yarn audit to check again.

If you are using npm instead, the corresponding modification would be:

{
  // ... other package.json content
  "overrides": {
    "postcss": ">=8.4.31",
    "nth-check": ">=2.0.1"
  }
}

(Replace "resolutions" with "overrides")

Upvotes: 1
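The resolutions/overrides block above pins transitive packages to a patched minimum. As an added example (not code from this answer), the Node.js script below derives candidate entries for such a block from an npm audit report. The report is constructed sample data in the shape `npm audit --json` emits on npm 7 and later (an assumption about the format); the package names other than postcss and nth-check, and the advisory titles, are placeholders. It maps only the simple vulnerable range `<x.y.z` to `>=x.y.z`, routes direct dependencies to a package.json bump instead, and leaves compound ranges for a human decision.

```javascript
// Added example: turn an npm audit JSON report into candidate "overrides"
// (npm) or "resolutions" (yarn) entries. Constructed sample data throughout.

const sampleAuditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    postcss: {
      name: "postcss", severity: "moderate", isDirect: false,
      via: [{ name: "postcss", title: "placeholder advisory", range: "<8.4.31" }],
      range: "<8.4.31", nodes: ["node_modules/postcss"], fixAvailable: true
    },
    "nth-check": {
      name: "nth-check", severity: "high", isDirect: false,
      via: [{ name: "nth-check", title: "placeholder advisory", range: "<2.0.1" }],
      range: "<2.0.1", nodes: ["node_modules/nth-check"], fixAvailable: true
    },
    // Constructed name: a direct dependency, which should be bumped in
    // package.json rather than forced through an override.
    "some-direct-dep": {
      name: "some-direct-dep", severity: "low", isDirect: true,
      via: [{ name: "some-direct-dep", title: "placeholder advisory", range: "<1.2.0" }],
      range: "<1.2.0", nodes: ["node_modules/some-direct-dep"], fixAvailable: true
    },
    // Constructed name: a compound vulnerable range, left for manual review.
    "some-transitive-dep": {
      name: "some-transitive-dep", severity: "high", isDirect: false,
      via: [{ name: "some-transitive-dep", title: "placeholder advisory", range: ">=2.0.0 <2.0.3" }],
      range: ">=2.0.0 <2.0.3", nodes: ["node_modules/some-transitive-dep"], fixAvailable: false
    }
  }
};

// Only the simplest vulnerable range, "<x.y.z", maps mechanically to a
// minimum-version override; anything else returns null.
function overrideForRange(range) {
  const m = /^<\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? `>=${m[1]}` : null;
}

// Sort each finding into: an override entry, a direct dependency to update
// in package.json, or a case that needs a human, and count by severity.
function planFromAudit(report) {
  const plan = { overrides: {}, updateDirectly: [], manual: [], bySeverity: {} };
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    plan.bySeverity[vuln.severity] = (plan.bySeverity[vuln.severity] || 0) + 1;
    if (vuln.isDirect) {
      plan.updateDirectly.push(vuln.name);
      continue;
    }
    const override = overrideForRange(vuln.range);
    if (override && vuln.fixAvailable) plan.overrides[vuln.name] = override;
    else plan.manual.push(vuln.name);
  }
  return plan;
}

// Merge the plan into a package.json object under the key the package
// manager understands: "overrides" for npm (8.3+), "resolutions" for yarn.
function applyPlan(pkg, plan, key = "overrides") {
  return { ...pkg, [key]: { ...(pkg[key] || {}), ...plan.overrides } };
}

const auditPlan = planFromAudit(sampleAuditReport);
console.log(JSON.stringify(applyPlan({ name: "sample-app" }, auditPlan), null, 2));
console.log("bump directly in package.json:", auditPlan.updateDirectly);
console.log("needs manual review:", auditPlan.manual);
console.log("findings by severity:", auditPlan.bySeverity);
```

An override forces one version onto every consumer in the tree, so before committing an entry check whether the jump crosses a major version that the parent package was not written against; `npm ls <package>` shows which packages pull it in. Re-run the audit afterwards, as the answer says, because an override that the parent's own range cannot accept will simply fail to install.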

Herbert

Reputation: 5635

I had the same issue: npm audit fix --force would promise to fix everything but then report the same issues over and over again. In addition to @CodeMyLife's answer, I resolved the issues by reinstalling everything without dependency requirements, i.e.

  • Delete your package-lock.json
  • Delete your node_modules folder
  • In package-lock.json empty the dependencies, but use your favorite editor (e.g. kate) to
    • remove packages that
      • you don't use anymore,
      • you only use for basic stuff, or that are poorly maintained (as per GitHub commits, npm releases etc.), and just use native JS instead,
    • create a space separated list of the packages without versions
  • Run npm install ... list of packages without versions ...
  • In my case this was npm install "@emotion/react" "@emotion/styled" "@mui/icons-material" "@mui/material" "@mui/styled-engine" "@mui/x-charts" "@mui/x-data-grid" "@mui/x-data-grid-generator" "axios" "colormap" "d3" "filesize" "moment" "react" "react-color" "react-dom" "react-in-viewport" "react-router-dom" "styled-components" "wkx"

The ethos is: fewer packages cause fewer dependency issues, and those issues might be nastier to fix than using native JS.

It's a crude thing to do, and ideally I'd have a way to run the dependency solver such that it simply ignored deprecated or vulnerable versions and reported on version ranges that are too tight.

Upvotes: 0

tam

Reputation: 262

I had a similar issue; what ultimately helped me was updating my top-level dependency, which relied on the dependency that had the vulnerability, to the newest version.

Upvotes: 1

CodeMylife

Reputation: 1611

Often, this is related to package-lock.json getting messed up. I would suggest trying to:

  1. Delete your package-lock.json

  2. Delete your node_modules folder

  3. Try npm install again

This used to fix several issues when adding new packages in my Angular apps.

Good luck!

Please note that since then a lot has changed, and there is now another option: use ncu to consolidate updates. It could be worth trying before going with this solution.

The alternative solution is described in another response in this thread, please refer to it.

Upvotes: 130

rld

Reputation: 2763

The best thing I recently learned was to install npm-check-updates. It does everything automatically.

Running ncu to list the outdated packages gave this in my case:

 $ ncu

 babel-core           ^6.26.0  →  ^6.26.3
 babel-loader          ^7.1.5  →   ^8.0.6
 babel-preset-env      ^1.6.1  →   ^1.7.0
 copy-webpack-plugin   ^4.6.0  →   ^5.0.5
 style-loader         ^0.20.2  →   ^1.0.1
 webpack                4.0.0  →   4.41.2

Then run ncu -u to upgrade automatically.

Upvotes: 79
