Abhiz

Reputation: 1030

How to fix the npm audit report

When I run the npm audit command:

    === npm audit security report ===

    Manual Review
    Some vulnerabilities require your attention to resolve
    Visit https://go.npm.me/audit-guide for additional guidance

    High          │ Arbitrary File Overwrite
    Package       │ tar
    Patched in    │ >=4.4.2
    Dependency of │ @angular-devkit/build-angular [dev]
    Path          │ @angular-devkit/build-angular > node-sass > node-gyp > tar
    More info     │ https://nodesecurity.io/advisories/803

It's saying "found 1 high severity vulnerability in 42611 scanned packages; 1 vulnerability requires manual review". As it's related to @angular-devkit/build-angular, I am afraid it will create other issues in my project.

When I run the npm audit fix command:

    npm WARN optional SKIPPING OPTIONAL 
    DEPENDENCY:[email protected] (node_modules/fsevents):
    npm WARN notsup SKIPPING OPTIONAL 
    DEPENDENCY:Unsupported platform for 
    [email protected]: wanted {"os":"darwin","arch":"any"} 
    (current: {"os":"linux","arch":"x64"})

So how do I fix this on any system running a Linux operating system? Let's consider ignoring the npm audit fix output above, because it is only a warning. But the npm audit result is considered a high severity vulnerability. How do I fix this?

Angular CLI version:

      Angular CLI: 7.3.8
      Node: 10.0.0
      OS: linux x64
      Angular: 7.2.14
      ... animations, common, compiler, compiler-cli, core, forms
      ... language-service, platform-browser, platform-browser-dynamic
      ... router

      Package                           Version
      -----------------------------------------------------------
      @angular-devkit/architect         0.13.8
      @angular-devkit/build-angular     0.13.8
      @angular-devkit/build-optimizer   0.13.8
      @angular-devkit/build-webpack     0.13.8
      @angular-devkit/core              7.3.8
      @angular-devkit/schematics        7.3.8
      @angular/cli                      7.3.8
      @ngtools/webpack                  7.3.8
      @schematics/angular               7.3.8
      @schematics/update                0.13.8
      rxjs                              6.3.3
      typescript                        3.2.4
      webpack                           4.29.0

Help me in fixing this. Thank you.

Upvotes: 5

Views: 5905

Answers (2)

Braian Silva

Reputation: 2174

This vulnerability has been fixed.

Delete node_modules and package-lock.json, then run the commands:

  1. npm install
  2. npm audit
  3. npm audit fix
  4. npm audit

"found 0 vulnerabilities" will appear; problem fixed.

Upvotes: 2

jerulz

Reputation: 11

I went through this. This is what I've done to fix the audit.

The problem is tar, which is a dependency of node-gyp.

The solution is here: https://github.com/sass/node-sass/issues/2625 (do what 'mohsenari' has suggested). It worked for me.

The "optional fsevents not supported" message is another story, but it's just a warning, no big deal.

It occurs because fsevents is an optional dependency, used only when the project is run in a macOS environment (the package provides 'Native Access to Mac OS-X FSEvents').

Source: npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]

Upvotes: 1
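Both answers end with "run npm audit again and confirm it reports 0 vulnerabilities". As an added example (not code from the question or from either answer), the Node script below does the same verification directly against the lock file: it walks a lockfileVersion 1 package-lock.json (the nested "dependencies" format used by npm 6, which matches the Node 10 setup in the question), lists every installed copy of a package, and flags each copy whose version is below the advisory's "Patched in" floor (>=4.4.2 for tar). This catches the common case where a hoisted top-level tar is already patched but node-gyp still carries its own older, nested copy. The sample lock object, its node-sass/node-gyp/tar version numbers, and the function names are constructed for this example and are not from the page.

```javascript
// Added example, not code from the question or answers.
// Reports copies of a package in an npm v1 package-lock.json that are
// older than the advisory's "Patched in" version.

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Recursively walk the nested "dependencies" tree of a lockfileVersion 1
// lock, yielding {name, version, path, dev} for every installed node.
function* walkLock(deps, trail = []) {
  for (const [name, node] of Object.entries(deps || {})) {
    const path = [...trail, name];
    yield { name, version: node.version, path, dev: Boolean(node.dev) };
    if (node.dependencies) yield* walkLock(node.dependencies, path);
  }
}

// Every copy of `pkg` whose version is below `patchedIn` (the floor is inclusive,
// so a copy exactly at the patched version is not reported).
function findVulnerableCopies(lock, pkg, patchedIn) {
  const hits = [];
  for (const entry of walkLock(lock.dependencies)) {
    if (entry.name !== pkg) continue;
    if (compareVersions(entry.version, patchedIn) < 0) {
      hits.push({ version: entry.version, path: entry.path.join(' > '), dev: entry.dev });
    }
  }
  return hits;
}

// Constructed sample lock (versions are made up for the example): the hoisted
// top-level tar is patched, but node-gyp still has an unpatched nested copy
// along the same path the audit report showed.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    tar: { version: '4.4.8' },
    '@angular-devkit/build-angular': {
      version: '0.13.8',
      dev: true,
      dependencies: {
        'node-sass': {
          version: '4.11.0',
          dev: true,
          dependencies: {
            'node-gyp': {
              version: '3.8.0',
              dev: true,
              dependencies: {
                tar: { version: '2.2.1', dev: true },
              },
            },
          },
        },
      },
    },
  },
};

// Print one line per unpatched copy and return the findings.
function report(lock, pkg, patchedIn) {
  const hits = findVulnerableCopies(lock, pkg, patchedIn);
  if (hits.length === 0) {
    console.log(`${pkg}: no copies below ${patchedIn}`);
  }
  for (const h of hits) {
    console.log(`${pkg}@${h.version} < ${patchedIn}${h.dev ? ' [dev]' : ''}: ${h.path}`);
  }
  return hits;
}

// Usage: node check-lock.js [path/to/package-lock.json]
// With no argument the constructed sample lock is checked instead.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : sampleLock;
  report(lock, 'tar', '4.4.2');
}
```

Run it before and after `npm audit fix`: the "Path" column in its output should match the one npm audit printed, and once the nested copy has been upgraded the script reports no copies below 4.4.2, independently of what the audit endpoint says. The comparator deliberately treats the floor as inclusive, matching the ">=4.4.2" range in the report.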
