I'm trying to upload my code onto a server but it won't allow me because of moderate vulnerabilities. I've narrowed down my issue to an old version of postcss downloaded from installing a React app, specifically react-scripts. I've tried uninstalling postcss and react-scripts and then installing postcss first, but whenever I do the installation it installs a bad version in its dependencies in the node_modules folder.
Log of some of the errors, in case my issue is without postcss:
Moderate Regular Expression Denial of Service
Package postcss
Patched in >=8.2.10
Dependency of react-scripts
Path react-scripts > postcss-preset-env > postcss-place > postcss
More info https://npmjs.com/advisories/1693
Moderate Regular Expression Denial of Service
Package postcss
Patched in >=8.2.10
Dependency of react-scripts
Path react-scripts > postcss-preset-env >
postcss-pseudo-class-any-link > postcss
More info https://npmjs.com/advisories/1693
Moderate Regular Expression Denial of Service
Package postcss
Patched in >=8.2.10
Dependency of react-scripts
Path react-scripts > postcss-preset-env >
postcss-replace-overflow-wrap > postcss
More info https://npmjs.com/advisories/1693
Log of my uninstall/reinstall to show it's the react-scripts:
found 79 moderate severity vulnerabilities in 1994 scanned packages
79 vulnerabilities require manual review. See the full report for details.
PS C:\Users\pet22\JavaScriptProjects\skp-forum\front> npm uninstall react-scripts
removed 1839 packages and audited 152 packages in 17.069s
10 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
PS C:\Users\pet22\JavaScriptProjects\skp-forum\front> npm i react-scripts
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated core-js@2.6.12: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
> core-js@2.6.12 postinstall C:\Users\pet22\JavaScriptProjects\skp-forum\front\node_modules\babel-runtime\node_modules\core-js
> node -e "try{require('./postinstall')}catch(e){}"
Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!
The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock
Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)
> core-js@3.12.1 postinstall C:\Users\pet22\JavaScriptProjects\skp-forum\front\node_modules\core-js
> node -e "try{require('./postinstall')}catch(e){}"
> ejs@2.7.4 postinstall C:\Users\pet22\JavaScriptProjects\skp-forum\front\node_modules\ejs
> node ./postinstall.js
Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.3 (node_modules\react-scripts\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules\watchpack-chokidar2\node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules\webpack-dev-server\node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.13.12 requires a peer of @babel/core@^7.13.0 but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.21.0 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
+ react-scripts@4.0.3
added 1839 packages from 659 contributors and audited 1994 packages in 57.301s
139 packages are looking for funding
run `npm fund` for details
found 79 moderate severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
npm audit fix does nothing for me.
Question: How do I install react-scripts without installing postcss lower than 8.2.10?
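As an added example (not code from the question, from npm or from react-scripts), here is a small Node script that does by hand what the advisory "Path" lines above report: it walks a package-lock.json v1-style dependency tree and lists every installed copy of a package whose version is below the advisory's "Patched in" version. The lock tree, every version number except 8.2.10, and the function names are constructed for this example.

```javascript
// Added example, not from the original post. Walks a lockfile-v1 style tree
// (nested `dependencies` objects with a `version` field) and reports every
// installed copy of `pkgName` older than the advisory's patched version.

// Constructed lock tree that only mimics the shape of the react-scripts tree
// from the question; the 7.0.35 and plugin versions are illustrative.
const SAMPLE_LOCK = {
  name: 'front',
  dependencies: {
    'react-scripts': {
      version: '4.0.3',
      dependencies: {
        'postcss-preset-env': {
          version: '6.7.0',
          dependencies: {
            'postcss-place': { version: '4.0.1', dependencies: { postcss: { version: '7.0.35' } } },
            'postcss-pseudo-class-any-link': { version: '6.0.0', dependencies: { postcss: { version: '7.0.35' } } },
            'postcss-replace-overflow-wrap': { version: '3.0.0', dependencies: { postcss: { version: '7.0.35' } } },
          },
        },
        postcss: { version: '8.2.10' }, // hoisted copy: already at the patched version
      },
    },
  },
};

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are dropped.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Numeric comparison, so 8.10.0 > 8.9.0 (a string compare would get this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over installed copies. Returns [{ path: [...names], version }]
// for every copy of pkgName whose version is below patchedIn.
function findVulnerablePaths(lockTree, pkgName, patchedIn, trail = [], out = []) {
  const deps = lockTree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const path = [...trail, name];
    if (name === pkgName && compareVersions(node.version, patchedIn) < 0) {
      out.push({ path, version: node.version });
    }
    findVulnerablePaths(node, pkgName, patchedIn, path, out);
  }
  return out;
}

// Render findings in the same "a > b > c" style npm audit uses.
function formatReport(findings, patchedIn) {
  return findings.map(f => `${f.path.join(' > ')}@${f.version} (patched in >=${patchedIn})`);
}

const findings = findVulnerablePaths(SAMPLE_LOCK, 'postcss', '8.2.10');
for (const line of formatReport(findings, '8.2.10')) console.log(line);
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of package-lock.json. The walker only looks at installed copies (nested `dependencies`), not at `requires` edges, which is also what npm audit prints as the path; a hoisted postcss at the patched version does nothing for plugins that carry their own older nested copy. npm 8.3 and later support an `overrides` field in package.json that can force a newer postcss into those nested positions, with the caveat that a plugin written against the postcss 7 API may then fail to build.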
I solved the problem for myself temporarily with better-npm-audit.
You have to create a .nsprc file at the top level and add the exception according to the example (number 1693). Put the audit command into the package.json and maybe change the build script (instead of "npm audit" you should use "npm run audit").
This is not fixing the original issue, but at least builds are not failing anymore.
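As an added example (not code from the answer or from the better-npm-audit project), the following Node script shows the mechanism that answer relies on: an exception list keyed by advisory id, with an expiry date, applied to audit results before the build decides whether to fail. The advisory list, the exception entries, the placeholder id 99999 and the function names are constructed for this example; only advisory 1693 comes from the page, and the field names are this script's own, not better-npm-audit's .nsprc format.

```javascript
// Added example, not from the original answer or from better-npm-audit.
// Severity order as npm audit reports it, lowest to highest.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed advisory list in the spirit of `npm audit --json` output.
// 1693 is the postcss ReDoS advisory from the page; 99999 is a placeholder id.
const SAMPLE_ADVISORIES = [
  {
    id: 1693,
    module_name: 'postcss',
    severity: 'moderate',
    title: 'Regular Expression Denial of Service',
    patched_versions: '>=8.2.10',
    paths: [
      'react-scripts > postcss-preset-env > postcss-place > postcss',
      'react-scripts > postcss-preset-env > postcss-pseudo-class-any-link > postcss',
      'react-scripts > postcss-preset-env > postcss-replace-overflow-wrap > postcss',
    ],
  },
  {
    id: 99999, // constructed placeholder, not a real advisory
    module_name: 'example-pkg',
    severity: 'low',
    title: 'Placeholder advisory',
    patched_versions: '>=1.0.1',
    paths: ['example-pkg'],
  },
];

// Constructed exception list keyed by advisory id. Each entry records why the
// advisory is accepted and until when, so an exception cannot silently live forever.
const SAMPLE_EXCEPTIONS = {
  1693: {
    active: true,
    expiry: '2021-09-30',
    notes: 'postcss only runs at build time here; the app ships static bundles',
  },
};

// An exception counts only while it is active and (if dated) not yet expired.
function exceptionApplies(exc, now) {
  if (!exc || exc.active === false) return false;
  if (!exc.expiry) return true; // open-ended exception
  return new Date(exc.expiry).getTime() >= now.getTime();
}

// Returns the advisories left after exceptions, the ids that were excepted, the
// ids whose exception has lapsed, and whether the build should fail at `failOn`.
function auditGate(advisories, exceptions, { failOn = 'moderate', now = new Date() } = {}) {
  const at = new Date(now);
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  const remaining = [];
  const excepted = [];
  const lapsed = [];
  for (const adv of advisories) {
    const exc = exceptions[adv.id];
    if (exceptionApplies(exc, at)) {
      excepted.push(adv.id);
      continue;
    }
    if (exc) lapsed.push(adv.id); // an exception exists but no longer counts
    remaining.push(adv);
  }
  const shouldFail = remaining.some(a => {
    const rank = SEVERITY_RANK[a.severity];
    return rank !== undefined && rank >= threshold;
  });
  return { remaining, excepted, lapsed, shouldFail };
}

const verdict = auditGate(SAMPLE_ADVISORIES, SAMPLE_EXCEPTIONS, { now: '2021-06-01' });
console.log(verdict.shouldFail ? 'audit gate: FAIL' : 'audit gate: pass');
console.log('remaining:', verdict.remaining.map(a => `${a.id} (${a.severity})`).join(', ') || 'none');
console.log('lapsed exceptions:', verdict.lapsed.join(', ') || 'none');
```

The point of the expiry field is the part the answer calls "not fixing the original issue": an exception is a dated decision to accept a known problem, and the gate starts failing again once that date passes, which forces the exception to be reviewed rather than forgotten. Wiring this into a real build means feeding it the parsed output of `npm audit --json` instead of SAMPLE_ADVISORIES and exiting non-zero when `shouldFail` is true.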
I am new to javascript. I am trying to learn javascript by following instructions here. I am trying to install live-server package using npm but I am seeing the following error.
$ npm install -g live-server
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated opn@6.0.0: The package has been renamed to `open`
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
changed 208 packages, and audited 209 packages in 7s
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
sshil-414HTD6:IssueTracker sshil$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
up to date, audited 1 package in 192ms
found 0 vulnerabilities
$ npm i live-server
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated opn@6.0.0: The package has been renamed to `open`
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
added 208 packages, and audited 209 packages in 6s
3 high severity vulnerabilities
To address all issues, run:
npm audit fix
Run `npm audit` for details.
$ npm version
{
issuetracker: '1.0.0',
npm: '8.19.2',
node: '19.0.0',
v8: '10.7.193.13-node.16',
uv: '1.43.0',
zlib: '1.2.11',
brotli: '1.0.9',
ares: '1.18.1',
modules: '111',
nghttp2: '1.47.0',
napi: '8',
llhttp: '8.1.0',
openssl: '3.0.5+quic',
cldr: '41.0',
icu: '71.1',
tz: '2022b',
unicode: '14.0',
ngtcp2: '0.8.1',
nghttp3: '0.7.0'
}
You shouldn't bother too much about it. It's more a warning than an error, and there is not much you can do. To check whether the package is installed, look in the package.json file; it should be in the dependencies object.
Nowadays, if you use VS Code, you don't need to install live-server, as it is already built in.
You can read more about npm audit here: npm audit: Broken by Design
I'm not sure what it means or how to fix it. I just got a new machine and, before I pulled down my repo, I installed the latest Node, Angular CLI, npm and any other package/framework needed by my app. I cloned the repo and updated all local packages in my project to current versions using npm-check-updates. I then installed the updated packages with npm install -force to resolve a couple of peer dependency issues. I'll post a screenshot at the very bottom. But now ng serve doesn't run; see the error below. Not sure why.
➜ client git:(master) ✗ ng serve
⠋ Generating browser application bundles (phase: setup)...An unhandled exception occurred: Dev-server address info is not defined.
See "/private/var/folders/l6/zz0rl4793838rf924b4y0tqc0000gn/T/ng-5kND02/angular-errors.log" for further details.
➜ client git:(master) ✗
The error in the index.js file comes from the code below.
const devServer = createWebpackDevServer(webpackCompiler, devServerConfig);
devServer.startCallback(() => {
    var _a;
    // devServer.server is the underlying Node http(s) server. Its address()
    // returns null until the server is actually listening (or if listen failed),
    // which is what produces the error message seen above.
    const address = (_a = devServer.server) === null || _a === void 0 ? void 0 : _a.address();
    if (!address) {
        obs.error(new Error(`Dev-server address info is not defined.`));
        return;
    }
    // address() returns a string for a pipe/Unix socket and an object for TCP.
    result = {
        success: true,
        port: typeof address === 'string' ? 0 : address.port,
        family: typeof address === 'string' ? '' : address.family,
        address: typeof address === 'string' ? address : address.address,
    };
});
>npm install -force
➜ client git:(master) ✗ npm install -f
npm WARN using --force Recommended protections disabled.
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: ngx-gallery-9@1.0.6
npm WARN Found: tslib@2.3.1
npm WARN node_modules/tslib
npm WARN tslib@"^2.3.1" from the root project
npm WARN 22 more (@angular-devkit/build-angular, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer tslib@"^1.10.0" from ngx-gallery-9@1.0.6
npm WARN node_modules/ngx-gallery-9
npm WARN ngx-gallery-9@"^1.0.6" from the root project
npm WARN
npm WARN Conflicting peer dependency: tslib@1.14.1
npm WARN node_modules/tslib
npm WARN peer tslib@"^1.10.0" from ngx-gallery-9@1.0.6
npm WARN node_modules/ngx-gallery-9
npm WARN ngx-gallery-9@"^1.0.6" from the root project
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
npm WARN deprecated tslint@6.1.3: TSLint has been deprecated in favor of ESLint. Please see https://github.com/palantir/tslint/issues/4534 for more information.
added 1163 packages, and audited 1164 packages in 37s
118 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
I then installed the updated packages with npm install -force to resolve a couple of peer dependency issues.
Did you actually manually resolve all the issues or think that the command above would do it for you?
My guess is that the dependencies are not installed properly, but I could be wrong.
You might want to try the solution I just posted npm not installing unable to resolve dependency tree. I also included the link in the post for further troubleshooting.
This might be due to an old version of Node.
Kindly update your Node version to the latest, then run the following command.
sudo n lts
Then run the following command.
ng run serve
This might help you
When I was trying to serve my Vue project using the command
npm run serve
it gave me the error shown below:
vue-heroes@0.1.0 serve /home/numan/Desktop/vue-getting-started/07-accessing-data/begin/vue-heroes
vue-cli-service serve
sh: 1: vue-cli-service: not found
npm ERR! code ELIFECYCLE
npm ERR! syscall spawn
npm ERR! file sh
npm ERR! errno ENOENT
npm ERR! vue-heroes@0.1.0 serve: vue-cli-service serve
npm ERR! spawn ENOENT
npm ERR!
npm ERR! Failed at the vue-heroes@0.1.0 serve script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm WARN Local package.json exists, but node_modules missing, did you mean to install?
npm ERR! A complete log of this run can be found in:
npm ERR! /home/numan/.npm/_logs/2021-10-08T10_47_52_241Z-debug.log
numan@numan-khan:~/Desktop/vue-getting-started/07-accessing-data/begin/vue-heroes$ npm i
yorkie@2.0.0 install /home/numan/Desktop/vue-getting-started/07-accessing-data/begin/vue-heroes/node_modules/yorkie
node bin/install.js
setting up Git hooks
can't find .git directory, skipping Git hooks installation
node-sass@4.14.1 install /home/numan/Desktop/vue-getting-started/07-accessing-data/begin/vue-heroes/node_modules/node-sass
node scripts/install.js
Cached binary found at /home/numan/.npm/node-sass/4.14.1/linux-x64-83_binding.node
core-js@2.6.9 postinstall /home/numan/Desktop/vue-getting-started/07-accessing-data/begin/vue-heroes/node_modules/core-js
node scripts/postinstall || echo "ignore"
Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!
The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
https://opencollective.com/core-js
https://www.patreon.com/zloirock
Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)
node-sass@4.14.1 postinstall /home/numan/Desktop/vue-getting-started/07-accessing-data/begin/vue-heroes/node_modules/node-sass
node scripts/build.js
Binary found at /home/numan/Desktop/vue-getting-started/07-accessing-data/begin/vue-heroes/node_modules/node-sass/vendor/linux-x64-83/binding.node
Testing binary
Binary is fine
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules/watchpack/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
added 1324 packages from 972 contributors and audited 1393 packages in 46.741s
12 packages are looking for funding
run npm fund for details
found 104 vulnerabilities (1 low, 43 moderate, 60 high)
run npm audit fix to fix them, or npm audit for details
numan@numan-khan:~/Desktop/vue-getting-started/07-accessing-data/begin/vue-heroes$ npm audit fix
npm WARN registry Unexpected warning for https://registry.npmjs.org/: Miscellaneous Warning EAI_AGAIN: request to https://registry.npmjs.org/is-fullwidth-code-point failed, reason: getaddrinfo EAI_AGAIN registry.npmjs.org
npm WARN registry Using stale data from https://registry.npmjs.org/ due to a request error during revalidation.
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules/watchpack/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
added 65 packages from 52 contributors, removed 12 packages and updated 32 packages in 140.847s
52 packages are looking for funding
run npm fund for details
fixed 20 of 104 vulnerabilities in 1393 scanned packages
66 vulnerabilities required manual review and could not be updated
4 package updates for 18 vulnerabilities involved breaking changes
(use npm audit fix --force to install breaking changes; or refer to npm audit for steps to fix these manually)
I don't know how to fix it manually.
It was because my project was built. Then I simply updated my npm:
npm i -g npm
Then I developed my project using the command
npm run dev
This solved the error.
There are a few steps:
Use node v10+ instead of v14+.
(IMPORTANT) add the following paths to ~/.zshrc (if you are using zsh):
/Users/[yourUsername]/.npm-packages/bin
/Users/[yourUsername]/.npm-global/bin
run source ~/.zshrc after modifying the file.
Much thanks to @kissu and @Lakindu Hewawasam !!
-------original question-------
I'm on macOS 10.15.5, node version v14.15.4, npm version 6.14.10.
I've been getting the error zsh: command not found: vue after trying multiple ways to download Vue.
I first tried npm install -g @vue/cli, and it was giving me this error, so I uninstalled and tried again with sudo npm install -g @vue/cli @vue/cli-init --unsafe-perm, referring to this. Still, it doesn't work:
yingjieqiao@Yingjies-MacBook-Pro ~ % sudo npm install -g @vue/cli @vue/cli-init --unsafe-perm
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated vue-cli@2.9.6: This package has been deprecated in favour of @vue/cli
npm WARN deprecated coffee-script@1.12.7: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
> yarn@1.22.10 preinstall /Users/yingjieqiao/.npm-global/lib/node_modules/@vue/cli/node_modules/yarn
> :; (node ./preinstall.js > /dev/null 2>&1 || true)
/Users/yingjieqiao/.npm-global/bin/vue -> /Users/yingjieqiao/.npm-global/lib/node_modules/@vue/cli/bin/vue.js
> fsevents@1.2.13 install /Users/yingjieqiao/.npm-global/lib/node_modules/@vue/cli/node_modules/fsevents
> node install.js
SOLINK_MODULE(target) Release/.node
CXX(target) Release/obj.target/fse/fsevents.o
SOLINK_MODULE(target) Release/fse.node
> core-js@3.8.2 postinstall /Users/yingjieqiao/.npm-global/lib/node_modules/@vue/cli/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"
Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!
The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock
Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)
> @apollo/protobufjs@1.0.5 postinstall /Users/yingjieqiao/.npm-global/lib/node_modules/@vue/cli/node_modules/@apollo/protobufjs
> node scripts/postinstall
> nodemon@1.19.4 postinstall /Users/yingjieqiao/.npm-global/lib/node_modules/@vue/cli/node_modules/nodemon
> node bin/postinstall || exit 0
> ejs@2.7.4 postinstall /Users/yingjieqiao/.npm-global/lib/node_modules/@vue/cli/node_modules/ejs
> node ./postinstall.js
Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)
npm WARN @vue/compiler-sfc@3.0.5 requires a peer of vue@3.0.5 but none is installed. You must install peer dependencies yourself.
+ @vue/cli@4.5.9
+ @vue/cli-init@4.5.9
added 1367 packages from 714 contributors and updated 1 package in 43.692s
yingjieqiao@Yingjies-MacBook-Pro ~ % vue --version
zsh: command not found: vue
yingjieqiao@Yingjies-MacBook-Pro ~ % npm update -g @vue/cli
yingjieqiao@Yingjies-MacBook-Pro ~ % vue --version
zsh: command not found: vue
yingjieqiao@Yingjies-MacBook-Pro ~ %
In the warning message, it mentioned "xxx package will break on node v14+" a few times. But I think the download command in the official docs should work regardless?
Looking at the comments just below the other answer, you may try adding these
export PATH="$PATH:$(yarn global bin)"
export PATH="$PATH:$HOME/.npm-global/bin"
to your ~/.zshrc file, since vue-cli is apparently properly installed.
Of course, source ~/.zshrc before trying to call the CLI again.
In my experience node version 10.23.0 works best for me, so I recommend using it, because I have solved errors like this using version 10.23.0.
Download here: https://nodejs.org/dist/latest-v10.x/
And then, once you have this version of node installed, run the command $ npm install vue
You should not install any package with a sudo prefix.
How is your node version installed, btw, via nvm or manually?
Maybe try to install it with yarn.
The best idea would probably be to roll back and try to debug the issues the recommended way. Maybe dig into specific issues on the GitHub repo.
Btw, the post you're referencing is an old one, so things have probably changed in between.
I'm on Linux running the following versions (@vue/cli 4.5.9 is fine too, just upgraded).
EDIT: Also, this post may help somehow.
I'm starting a brand new project with react-js. After installing the project with npm, I get high severity vulnerabilities. How can I fix these vulnerabilities? Would they cause any problems?
When I run the command npm start, everything seems to work just fine.
I have tried running "npm audit fix", but it says: fixed 0 of 8646 vulnerabilities.
When I run this command:
npx create-react-app my-app
OUTPUT:
npx: installed 91 in 27.693s
Creating a new React app in E:\My project\ReactJS\Training\my-app.
Installing packages. This might take a couple of minutes.
Installing react, react-dom, and react-scripts...
> core-js@2.6.9 postinstall E:\My project\ReactJS\Training\my-app\node_modules\babel-runtime\node_modules\core-js
> node scripts/postinstall || echo "ignore"
> core-js-pure@3.1.4 postinstall E:\My project\ReactJS\Training\my-app\node_modules\core-js-pure
> node scripts/postinstall || echo "ignore"
+ react-dom@16.8.6
+ react@16.8.6
+ react-scripts@3.0.1
added 1411 packages from 726 contributors and audited 902137 packages in 287.343s
found 8646 high severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
Initialized a git repository.
Success! Created my-app at E:\My project\ReactJS\Training\my-app
Inside that directory, you can run several commands:
npm start
Starts the development server.
npm run build
Bundles the app into static files for production.
npm test
Starts the test runner.
npm run eject
Removes this tool and copies build dependencies, configuration files
and scripts into the app directory. If you do this, you can’t go back!
We suggest that you begin by typing:
cd my-app
npm start
Happy hacking!
After that, I tried running this:
npm audit fix
OUTPUT:
npm WARN @typescript-eslint/eslint-plugin@1.6.0 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN @typescript-eslint/parser@1.6.0 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN @typescript-eslint/typescript-estree@1.6.0 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN ts-pnp@1.1.2 requires a peer of typescript@* but none is installed. You must install peer dependencies yourself.
npm WARN tsutils@3.14.0 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules\jest-haste-map\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.0.6 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.0.6: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
up to date in 10.513s
fixed 0 of 8646 vulnerabilities in 902137 scanned packages
8646 vulnerabilities required manual review and could not be updated
I believe there is nothing to worry about, according to gaearon:
"This is not a real “vulnerability” in the context of Create React App because it produces static bundles. So it can’t possibly affect you in any way.
The false positive warnings are unfortunate."
EDIT: For me it currently says there are now 0 vulnerabilities.