node.js, angular, npm, npm-audit

npm audit --force is not recommended if you are not an expert. What to do then? Is my app in production insecure?


I am new to Angular and when I was doing the typical

npm install

I found the also usual (at least for me) warnings like these:

    found 42 vulnerabilities (40 moderate, 2 high)
    run `npm audit fix` to fix them, or `npm audit` for details

After executing

npm audit fix

I then found that only a few vulnerabilities could be fixed:

    fixed 4 of 42 vulnerabilities in 1636 scanned packages
      3 vulnerabilities required manual review and could not be updated
      2 package updates for 35 vulnerabilities involved breaking changes
      (use `npm audit fix --force` to install breaking changes; or refer to `npm    audit` for steps to fix these manually)

I want to learn to do things properly, and I am very concerned about my project's security, but, as I said, I am very new to fixing things manually, I guess.

Looking for info, I have read in the official npm docs:

If you don't have a clear idea of what you want to do, it is strongly recommended that you do not use this option!

And as, of course, I have no idea, I would like to know:

To give more context, according to the answer given by @Trott, here is my package.json file:

    {
      "name": "test-exercise",
      "version": "0.0.0",
      "scripts": {
        "ng": "ng",
        "start": "ng serve",
        "build": "ng build",
        "test": "ng test",
        "lint": "ng lint",
        "e2e": "ng e2e"
      },
      "private": true,
      "dependencies": {
        "@angular/animations": "~11.1.2",
        "@angular/common": "~11.1.2",
        "@angular/compiler": "~11.1.2",
        "@angular/core": "~11.1.2",
        "@angular/forms": "~11.1.2",
        "@angular/platform-browser": "~11.1.2",
        "@angular/platform-browser-dynamic": "~11.1.2",
        "@angular/router": "~11.1.2",
        "rxjs": "~6.6.0",
        "tslib": "^2.0.0",
        "zone.js": "~0.11.3"
      },
      "devDependencies": {
        "@angular-devkit/build-angular": "~0.1101.4",
        "@angular/cli": "~11.1.4",
        "@angular/compiler-cli": "~11.1.2",
        "@types/jasmine": "~3.6.0",
        "@types/node": "^12.11.1",
        "codelyzer": "^6.0.0",
        "jasmine-core": "~3.6.0",
        "jasmine-spec-reporter": "~5.0.0",
        "karma": "~5.2.0",
        "karma-chrome-launcher": "~3.1.0",
        "karma-coverage": "~2.0.3",
        "karma-jasmine": "~4.0.0",
        "karma-jasmine-html-reporter": "^1.5.0",
        "protractor": "~7.0.0",
        "ts-node": "~8.3.0",
        "tslint": "~6.1.0",
        "typescript": "~4.1.2"
      }
    }


Solution

  • The answer to how seriously you should take the npm audit warnings is: It depends. (For future reference, it's a lot easier to discuss/answer these types of questions if you can share your package.json file, or at least the dependencies and devDependencies entries.)

    If the modules that npm audit lists are there because they are either in devDependencies or are in the dependency tree for your devDependencies, then it is very likely that the vulnerable code will never be executed by users. You should still fix things if/when you can, but as a rule of thumb, devDependencies vulnerabilities are not as alarming as dependencies vulnerabilities. (Consider making an exception for vulnerabilities marked as critical by npm audit and making sure those get fixed regardless of where they are, but you don't have any of those according to the output you posted.)

    On the other hand, if the modules that npm audit lists (especially those that are flagged as high or critical) are showing up because they are in your dependencies entry or are required by entries in your dependencies, then that is something that may warrant investigation.

    The output for npm audit is the source of some controversy, with many people feeling that it is often unnecessarily alarming and difficult to understand. You are not alone.

    UPDATE (after user posted their package.json): Using npm version 6.x, when I run npm audit on the results, all of the issues (as of this writing, of course!) are in dev dependencies. You can tell (in npm version 6; other versions have different output) by the [dev] in lines like this:

    │ Dependency of │ karma [dev] │

    So, on the one hand, there's probably not a whole lot to worry about too much here. On the other hand, you may be a lot happier and have fewer problems if you manage to update some of these outdated packages that are reporting problems. One easy-seeming and safe-seeming thing to do that will get you down to (I think) just two warnings is update @angular-devkit/build-angular from 0.1101.4 to 0.1102.14 (which is the most recent 0.x version as of this writing).
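The rule of thumb in the answer above (dev-only findings are lower priority, critical ones get fixed wherever they are, high or critical ones reachable from production dependencies warrant investigation) can be applied mechanically to the JSON form of the report. The script below is an added example, not code from the question, the answer, or npm itself. It assumes the npm 6 `npm audit --json` shape as I understand it: an `advisories` object keyed by advisory id, each entry carrying `module_name`, `severity` and a `findings` array whose items have `paths` (dependency chains starting at a top-level package) and a boolean `dev`, the flag the table view renders as `[dev]`. The npm 7+ JSON format is different and is not handled here. The sample report is constructed; the module names, ids and paths are made up.

```javascript
// Added example (not from the question, the answer or npm): triage an npm 6
// `npm audit --json` report into production-reachable vs dev-only advisories.
// Assumed report shape: { advisories: { id: { id, module_name, severity,
//   findings: [ { version, paths: ["top>mid>leaf"], dev: bool } ] } } }.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report; module names, advisory ids and paths are made up.
const sampleReport = {
  advisories: {
    "1001": {
      id: 1001, module_name: "example-parser", severity: "moderate",
      findings: [
        { version: "1.0.0", paths: ["karma>example-parser"], dev: true },
      ],
    },
    "1002": {
      id: 1002, module_name: "example-util", severity: "high",
      findings: [
        { version: "2.0.0", paths: ["@angular/cli>example-util"], dev: true },
        { version: "2.0.0", paths: ["example-http-client>example-util"], dev: false },
      ],
    },
    "1003": {
      id: 1003, module_name: "example-template", severity: "critical",
      findings: [
        { version: "0.9.0", paths: ["protractor>example-template", "karma>example-template"], dev: true },
      ],
    },
  },
  metadata: { vulnerabilities: { low: 0, moderate: 1, high: 1, critical: 1 } },
};

// The top-level package that pulls the vulnerable module in is the first
// segment of a path; that is the package you would update (as the answer does
// with @angular-devkit/build-angular).
function directDependencyOf(path) {
  return path.split(">")[0];
}

function triageAudit(report) {
  const production = [];     // reachable from at least one production dependency
  const devOnly = [];        // reachable only through devDependencies
  const needsAttention = []; // critical anywhere, or high+ reachable from production

  for (const adv of Object.values(report.advisories || {})) {
    const findings = adv.findings || [];
    const prodPaths = findings.filter((f) => !f.dev).flatMap((f) => f.paths || []);
    const devPaths = findings.filter((f) => f.dev).flatMap((f) => f.paths || []);
    const entry = {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      prodPaths,
      devPaths,
      // de-duplicated list of top-level packages to consider updating
      updateCandidates: [...new Set([...prodPaths, ...devPaths].map(directDependencyOf))],
    };
    (prodPaths.length > 0 ? production : devOnly).push(entry);
    const rank = SEVERITY_RANK[adv.severity] || 0;
    if (adv.severity === "critical" || (prodPaths.length > 0 && rank >= SEVERITY_RANK.high)) {
      needsAttention.push(entry);
    }
  }

  // Most severe first within each bucket.
  const bySeverityDesc = (a, b) =>
    (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0);
  production.sort(bySeverityDesc);
  devOnly.sort(bySeverityDesc);
  needsAttention.sort(bySeverityDesc);
  return { production, devOnly, needsAttention };
}

// Human-readable summary, one line per advisory, naming the packages to update.
function formatTriage(triage) {
  const line = (e) =>
    `  ${e.severity.padEnd(8)} ${e.module} (advisory ${e.id}) via ${e.updateCandidates.join(", ")}`;
  return [
    `Production-reachable (${triage.production.length}):`,
    ...triage.production.map(line),
    `Dev-only (${triage.devOnly.length}):`,
    ...triage.devOnly.map(line),
    `Needs attention now (${triage.needsAttention.length}):`,
    ...triage.needsAttention.map(line),
  ].join("\n");
}

console.log(formatTriage(triageAudit(sampleReport)));
```

To run it against a real project instead of the constructed sample, save `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync("audit.json", "utf8"))` to `triageAudit` in place of `sampleReport`. The bucketing uses the `dev` flag on each finding, so a module that appears under both a dev and a production path (advisory 1002 in the sample) lands in the production bucket, which is the conservative choice.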