I am following a TypeScript tutorial.
Unfortunately, the packages are outdated and I got a warning about vulnerabilities.
I followed a bunch of suggestions from npm check and update package if needed, namely:
npm audit fix
npm audit fix --force
npm update
npm audit
says there are still 24 vulnerabilities left.
But none of the above commands will fix them.
npm outdated
results in no output.
The vulnerable packages are :
ansi-regex
glob-parent
node-forge
nth-check
postcss
I don't actually know why they are part of my project.
I don't have them in my package.json
.
What are the next steps for fixing these vulnerabilities?
Below is what I have tried.
package.json
to newer versions and then running npm install
. It didn't have an effect.package-lock.json
as suggested here and then running npm install
again."ansi-regex": "^6.0.1", "glob-parent": "^6.0.2", "node-forge": "^1.3.0", "nth-check": "^2.0.1", "postcss": "^8.4.12"
as devDependencies and running npm install
.npm i npm@latest
as suggested in How to fix npm vulnerabilities.npm update glob-parent --depth 2
just to find out that --depth
is deprecated and that npm always updates any depth [GitHub].npm prune
.node_modules
folder and running npm install
again.You can reproduce my latest state with the following package.json
in an empty directory and running npm install
.
{
"name": "pacman",
"version": "0.0.1",
"description": "I just follow a tutorial. Nothing of interest.",
"keywords": ["game"],
"license": "MIT",
"author": "someone stupid",
"scripts": {
"build": "parcel build index.html",
"dev": "parcel index.html --open",
"start": "npm run build && npm run dev",
"test": "echo \"Error: no test specified\" && exit 1"
},
"devDependencies": {
"@typescript-eslint/eslint-plugin": "^5.16.0",
"@typescript-eslint/parser": "^5.16.0",
"ansi-regex": "^6.0.1",
"eslint": "^8.12.0",
"eslint-config-prettier": "^8.5.0",
"eslint-plugin-prettier": "^4.0.0",
"glob-parent": "^6.0.2",
"node-forge": "^1.3.0",
"nth-check": "^2.0.1",
"parcel": "^2.4.0",
"parcel-bundler": "^1.12.5",
"postcss": "^8.4.12",
"prettier": "^2.6.1",
"typescript": "^4.6.3"
},
"dependencies": {
"npm": "^8.5.5"
}
}
This should give you 24 vulnerabilities, 18 moderate and 6 high, at the time of writing, running npm version 8.5.5.
As per the comments, I have already tried all commands for the general case, in which case you need to start analyzing individual packages.
So, what did I do?
Next, perform a binary search by removing half of the dependencies and repeating the following steps
node_modules
foldernpm install
npm audit
to check for the vulnerabilitiesIf there are no vulnerabilites, add the half of the remaining packages you want to install.
If there are vulnerabilities, remove the half of the packages you are currently installing.
In my case, this process boiled it down to the following two lines:
"parcel": "^2.4.0",
"parcel-bundler": "^1.12.5",
For parcel-bundler
, NPM spit out a warning:
npm WARN deprecated parcel-bundler@1.12.5: Parcel v1 is no longer maintained.
Please migrate to v2, which is published under the 'parcel' package.
So I guess I don't need parcel-bundler
at all, because it has been integrated into the parcel
package, which I had already updated to version 2 in an earlier step.