karen
karen

Reputation: 105

npm warning: It is recommended you upgrade to 3.2.7 or 4.3.1

I'm getting the warning:

npm WARN deprecated [email protected]: 
Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity 
ReDos regression when used in a Node.js environment. 
It is recommended you upgrade to 3.2.7 or 4.3.1.  

Versions of npm and node:

npm -v

7.3.0

node -v 

v15.5.0

EDIT: package.json:

{
  "name": "example",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "repository": {
    "type": "git",
    "url": 
"git+https://[email protected]/username/example.git"
  },
  "author": "",
  "license": "ISC",
  "homepage": "https://bitbucket.org/karenshahmuusernameadyan/example#readme",
  "dependencies": {
    "socket.io": "^3.0.4"
  }
}

Upvotes: 4

Views: 21632

Answers (2)

Trott
Trott

Reputation: 70095

Looking at your package.json, the issue is in the current version of socket.io. Since it looks like you're just getting started developing something, you can ignore the warning for now and keep an eye out for a new release. There is already a pull request open to update the debug dependency. My guess is that this vulnerability was disclosed only recently and that this will be fixed soon-ish.

Original answer (before the package.json was added to the question) for people facing similar-but-not-identical issues:

If you want to try the scorched-earth approach: First remove node_modules and package-lock.json. Then run npm install. That will update everything it can while conforming to your package.json requirements. A potential downside is that it will likely update a lot of other things and you may not want those updates for various reasons.

A more focused approach: It is possible npm can fix this automatically for you. Run npm audit and see if it flags the Debug library. If it does, do what it says to try to fix it. (It might just be npm audit fix but in some cases, the fix is more involved.) Sometimes, you run npm audit fix and it doesn't fix things. In that case, use one of the other approaches.

A fully manual approach: Use npm ls to find out where [email protected] is installed. You will then need to figure out if it's a dependency you can update yourself (if it's a direct dependency in your own package.json) or if it's a dependency of a dependency and you are reliant on someone else to have updated. Since the fixed version is 4.x, it's likely that simply reinstalling the dependency using Debug will fix it.

Upvotes: 5

Łukasz Łabuński
Łukasz Łabuński

Reputation: 587

Check versions in package-lock.json file. When you find somewhere 4.1.1 version of debug dependency then just bump version of that dependency in package.json.

Upvotes: 0

Related Questions