user11874694

Reputation:

Vulnerabilities problem using "npm install"

I have installed an express server using the express coserver command, then I used the 'npm install' command to install other node packages/dependencies, but I got this result:

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Incorrect Handling of Non-Boolean Comparisons During
                  Minification

  Package         uglify-js

  Patched in      >= 2.4.24

  Dependency of   jade

  Path            jade > transformers > uglify-js

  More info       https://nodesecurity.io/advisories/39


  Low             Regular Expression Denial of Service

  Package         uglify-js

  Patched in      >=2.6.0

  Dependency of   jade

  Path            jade > transformers > uglify-js

  More info       https://nodesecurity.io/advisories/48


  Critical        Sandbox Bypass Leading to Arbitrary Code Execution

  Package         constantinople

  Patched in      >=3.1.1

  Dependency of   jade

  Path            jade > constantinople

  More info       https://nodesecurity.io/advisories/568


  Low             Regular Expression Denial of Service

  Package         clean-css

  Patched in      >=4.1.11

  Dependency of   jade

  Path            jade > clean-css

  More info       https://nodesecurity.io/advisories/785

found 4 vulnerabilities (3 low, 1 critical) in 194 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

My node --version is v10.15.0 and express --version is 4.16.1, and I use Windows 10. I don't know if other information needs to be put here, but let me know if so.

Upvotes: 5

Views: 6113

Answers (3)

langthiennhai

Reputation: 81

Reason: Jade has been renamed to pug; please install the latest version of pug instead of jade.

fix:

  1. npm uninstall jade
  2. npm install pug

Upvotes: 8

yldrmali

Reputation: 71

When the problem occurs

You probably created the skeleton website by using the express application generator. This problem occurs when the app is created without specifying which view engine is to be used. express <appname> installs the packages below as dependencies (at the time of writing this post), and the problem is with the 'jade' package. 'jade' is the default view engine for the express-generator tool, but 'jade' was renamed to 'pug' and jade is now deprecated.

"cookie-parser": "~1.4.4",
"debug": "~2.6.9",
"express": "~4.16.1",
"http-errors": "~1.6.3",
"jade": "~1.11.0",
"morgan": "~1.9.1"

How to fix

  • with view engine

use 'pug' (renamed version of jade) as view engine

express myapp --view=pug

if 'pug' has a low severity vulnerability, try

npm audit fix

  • without view engine

generate the app without a view engine

express myapp --no-view

For more info about 'jade' package: https://www.npmjs.com/package/jade

Upvotes: 6
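An added example, not code from any answer here: a small triage script that reads `npm audit --json` output and groups each advisory by the direct dependency at the head of its path, so you can see at a glance that all four findings in the question are pulled in by jade and that replacing that one direct dependency (with pug) is the fix. The JSON shape used (advisories keyed by id, each with module_name, severity, patched_versions and findings[].paths) is the npm 6 audit format as I understand it, and the embedded sample is constructed from the text report in the question.

```python
"""Triage an `npm audit --json` report by direct dependency.

Added example (not from the question or answers). Assumes the npm 6
audit JSON layout: {"advisories": {id: {module_name, severity,
patched_versions, findings: [{paths: ["root>child>..."]}]}}}.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: the four findings from the question's text report.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "39": {"module_name": "uglify-js", "severity": "low",
               "patched_versions": ">=2.4.24",
               "findings": [{"paths": ["jade>transformers>uglify-js"]}]},
        "48": {"module_name": "uglify-js", "severity": "low",
               "patched_versions": ">=2.6.0",
               "findings": [{"paths": ["jade>transformers>uglify-js"]}]},
        "568": {"module_name": "constantinople", "severity": "critical",
                "patched_versions": ">=3.1.1",
                "findings": [{"paths": ["jade>constantinople"]}]},
        "785": {"module_name": "clean-css", "severity": "low",
                "patched_versions": ">=4.1.11",
                "findings": [{"paths": ["jade>clean-css"]}]},
    }
})


def triage(audit_json):
    """Return (severity counts, {direct dep: [(package, severity, patched)]})."""
    report = json.loads(audit_json)
    by_severity = Counter()
    by_root = defaultdict(list)
    for adv in report["advisories"].values():
        by_severity[adv["severity"]] += 1
        # The first element of each path is the direct dependency you control.
        roots = {p.split(">")[0] for f in adv["findings"] for p in f["paths"]}
        for root in roots:
            by_root[root].append((adv["module_name"], adv["severity"],
                                  adv["patched_versions"]))
    return by_severity, dict(by_root)


if __name__ == "__main__":
    counts, roots = triage(SAMPLE_AUDIT_JSON)
    print("severity counts:", dict(counts))
    for root, items in roots.items():
        print(f"{root}: {len(items)} advisories -> fix this direct dependency")
        for pkg, sev, patched in items:
            print(f"  {sev:8} {pkg} (patched in {patched})")
```

Run it on a real report with `npm audit --json > audit.json` and pass the file contents to `triage()`; transitive findings that all share one root point at one package to replace or upgrade rather than four separate problems.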

hiteshree neve

Reputation: 1

I faced this exact same error when I tried to install Express using npx express-generator myapp command.

To resolve this error, the following steps were taken:

  1. Deleted my folder (myapp), in which I was trying to install express.

  2. Start afresh.

  3. Follow the step by step instruction given in https://expressjs.com/en/starter/generator.html

  4. npm install threw 1 Low severity vulnerability, which got later fixed by npm audit fix

  5. Your Express.js should get installed successfully.

Upvotes: 0
