Simon Flambeaux

Reputation: 71

I cannot fix node vulnerabilities even with npm audit fix --force

Dear all, after trying several times to fix vulnerabilities with npm, it still gives the messages below. Do you have any solution to fix these problems? Thank you for your help.

To address all issues, run: npm audit fix

PS D:\openclassroom\P7\P7groupomania\backend> npm audit fix
npm WARN config global --global, --local are deprecated. Use --location=global instead.

up to date, audited 231 packages in 2s

npm audit report

glob-parent  <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    nodemon  >=1.3.5
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of update-notifier
    node_modules/nodemon

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  >=0.2.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

7 vulnerabilities (4 moderate, 3 high)

To address all issues, run: npm audit fix

PS D:\openclassroom\P7\P7groupomania\backend>

Upvotes: 5

Views: 4262

Answers (1)

benmoses

Reputation: 31

I just received the got vulnerability from GitHub Dependabot, and resolved it by:

  1. It looks like it's a nested dependency of nodemon (https://github.com/remy/nodemon/issues/2023), which they are going to fix by removing their dependency.
  2. It's for nodemon, which is run during dev, not in production, so you could (and I did) ignore it, as it's not vulnerable code :D.
  3. Other option: maybe set up an override for got in your package.json? Or wait till nodemon's next update?

Note: Sometimes npm audit fix does nothing. I always assumed it was because it couldn't figure out how to fix it, e.g. in nodemon it's a nested dependency, so it might struggle? Also, npm audit fix sometimes fixes something by upgrading, but that breaks something else, so I don't have 100% faith in it. (No bugs or articles to back this up, just anecdotal evidence.)

Upvotes: 2
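Point 2 of the answer above, as an added example that is not part of the question or the answer: a short Node script that classifies each npm audit finding as dev-only or production-reaching by walking its dependency chain up to the direct dependency that pulls it in. The audit JSON shape, the package.json fragment and the helper names (rootsOf, triage, productionFindings) are assumptions constructed for this example.

```javascript
// Added example (not from the question or answer): triage an `npm audit --json`
// report by walking each finding's "effects" chain up to the direct dependency
// that pulls it in, then checking whether that root is only a devDependency.
// ASSUMPTION: report entries follow the npm 7+ audit JSON shape (severity,
// isDirect, effects). All data below is constructed from the question's report.

// Constructed package.json fragment: nodemon is a dev-only tool.
const pkg = {
  dependencies: { express: "^4.18.0" },
  devDependencies: { nodemon: "^2.0.15" },
};

// Constructed audit report mirroring the two chains shown in the question.
const audit = {
  vulnerabilities: {
    "glob-parent":     { severity: "high",     isDirect: false, effects: ["chokidar"] },
    chokidar:          { severity: "high",     isDirect: false, effects: ["nodemon"] },
    got:               { severity: "moderate", isDirect: false, effects: ["package-json"] },
    "package-json":    { severity: "moderate", isDirect: false, effects: ["latest-version"] },
    "latest-version":  { severity: "moderate", isDirect: false, effects: ["update-notifier"] },
    "update-notifier": { severity: "moderate", isDirect: false, effects: ["nodemon"] },
    nodemon:           { severity: "high",     isDirect: true,  effects: [] },
  },
};

// Follow "effects" upward until a direct dependency (or a dead end) is reached.
function rootsOf(name, vulns, seen = new Set()) {
  if (seen.has(name)) return [];                 // cycle / diamond guard
  seen.add(name);
  const v = vulns[name];
  if (!v || v.isDirect || v.effects.length === 0) return [name];
  return v.effects.flatMap((e) => rootsOf(e, vulns, seen));
}

// "devOnly" is true only when every root that pulls the package in is a devDependency.
function triage(report, manifest) {
  const dev = new Set(Object.keys(manifest.devDependencies || {}));
  const result = {};
  for (const [name, v] of Object.entries(report.vulnerabilities)) {
    const roots = [...new Set(rootsOf(name, report.vulnerabilities))];
    result[name] = { severity: v.severity, roots, devOnly: roots.every((r) => dev.has(r)) };
  }
  return result;
}

// Names that reach production code and therefore still need a fix or override.
function productionFindings(triaged) {
  return Object.keys(triaged).filter((n) => !triaged[n].devOnly).sort();
}

console.log(JSON.stringify(triage(audit, pkg), null, 2));
console.log("needs attention:", productionFindings(triage(audit, pkg)));
```

npm 8+ can apply the same filter itself with npm audit --omit=dev, which is the quickest way to confirm that a finding is confined to tooling like nodemon.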
