Running suggested command doesn't fix NPM Vulnerability

node.js npm fsevents npm-audit
Ki Jéy picture Ki Jéy · May 13, 2018 · Viewed 9.4k times · Source

After each installation of a new NPM module in my project I get the following error : 

[!] 40 vulnerabilities found - Packages audited: 5840 (0 dev, 299 optional)
    Severity: 8 Low | 24 Moderate | 8 High

So then I run npm audit and I get the details for each of the 40 vulnerabilities such as :

# Run  npm install [email protected]  to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libcipm > npm-lifecycle > node-gyp > request > hawk >  │
│               │ boom > hoek                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

or this :

# Run  npm update fsevents --depth 2  to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ chokidar > fsevents > node-pre-gyp > tar-pack > debug        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

So I run npm install [email protected] (even though I already had 6.0.1) then npm update fsevents --depth 2 But after that I re-run npm audit and nothing has changed, I still have the same 40 vulnerabilities and some of them are really scary. What should I do ?

Answer

Flo picture Flo · May 25, 2018

This worked for me on MacOS:

  • Update NPM to the new 6.1.0. It introduces a 'npm audit fix' command, more info here.
  • Run 'npm audit fix'.

When you run 'npm audit' again, the only vulnerabilities left should be "Manual Review" issues.

Related questions

Not compatible with your operating system or architecture: [email protected]

I'm using Ubuntu 15.04. While running the following command: npm install fsevents I'm getting following error: npm WARN optional Skipping failed optional dependency /chokidar/fsevents: npm WARN notsup Not compatible with your operating system or architecture: [email protected] npm WARN [email protected] No …

Read More
How do I completely uninstall Node.js, and reinstall from beginning (Mac OS X)

My version of node is always v0.6.1-pre even after I install brew node and NVM install v0.6.19. My node version is: node -v v0.6.1-pre NVM says this (after I install a version of node for the first time …

Read More
How can I update NodeJS and NPM to the next versions?

I just installed Node.js and npm (for additional modules). How can I update Node.js and the modules which I'm using to the latest versions? Can npm do it, or do I have to remove and reinstall Node.js …

Read More