I am following a TypeScript tutorial.
Unfortunately, the packages are outdated and I got a warning about vulnerabilities.

I followed a bunch of suggestions from npm check and update package if needed, namely:

npm audit fix
npm audit fix --force
npm update

npm audit says there are still 24 vulnerabilities left. But none of the above commands will fix them.

npm outdated results in no output.

The vulnerable packages are:

ansi-regex
glob-parent
node-forge
nth-check
postcss

I don't actually know why they are part of my project.
I don't have them in my package.json configuration.

What are the next steps for fixing these vulnerabilities?

Below is what I have tried.

You can reproduce my latest state with the following package.json in an empty directory and running npm install.

{
  "name": "pacman",
  "version": "0.0.1",
  "description": "I just follow a tutorial. Nothing of interest.",
  "keywords": ["game"],
  "license": "MIT",
  "author": "someone stupid",
  "scripts": {
    "build": "parcel build index.html",
    "dev": "parcel index.html --open",
    "start": "npm run build && npm run dev",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^5.16.0",
    "@typescript-eslint/parser": "^5.16.0",
    "ansi-regex": "^6.0.1",
    "eslint": "^8.12.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-plugin-prettier": "^4.0.0",
    "glob-parent": "^6.0.2",
    "node-forge": "^1.3.0",
    "nth-check": "^2.0.1",
    "parcel": "^2.4.0",
    "parcel-bundler": "^1.12.5",
    "postcss": "^8.4.12",
    "prettier": "^2.6.1",
    "typescript": "^4.6.3"
  },
  "dependencies": {
    "npm": "^8.5.5"
  }
}

This should give you 24 vulnerabilities, 18 moderate and 6 high, at the time of writing, running npm version 8.5.5.

Henke
Thomas Weller
  • At a certain point, maybe you _can't_ fix them. Are there actually fixed versions compatible with your other local dependencies? – jonrsharpe Mar 27 '22 at 09:52
  • @jonrsharpe So people simply release their software with vulnerabilities in place? – Thomas Weller Mar 27 '22 at 09:55
  • Yes, of course, although they don't necessarily know it at the time. – jonrsharpe Mar 27 '22 at 09:55
  • Fundamentally this is a dupe of what you've already found in the general case and you don't give enough information to solve (or more likely tell you exactly why you can't) in the specific case. `npm ls ` will tell you what version(s) of a package are required in your dependency tree, likely you have a transitive dependency on a vulnerable version without a semver-compatible fix, so installing a newer version directly wouldn't be expected to help. – jonrsharpe Mar 27 '22 at 10:09
  • We need a [mre]. How can someone else reproduce the problem locally? What's the least you can put into an empty directory such that `npm audit` recreates (maybe _one of_) the warnings on a vulnerable dependency. If you're just running through a tutorial, though (or they're e.g. development deps), do the warnings even _matter_? – jonrsharpe Mar 27 '22 at 10:16
  • @jonrsharpe: probably I can get through the tutorial by ignoring the warnings. It's just that I don't like vulnerabilities and IMHO part of the learning experience should be to know how to resolve them. I have written an answer. Does it make sense what I did there? – Thomas Weller Mar 27 '22 at 10:27
  • It's _reproducible_, anyway... `npm init -y && npm i parcel-bundler@1` -> `24 vulnerabilities (19 moderate, 5 high)`. Or e.g. `npm ls node-forge` on what you posted, as suggested above, would show that despite the direct dependency on `1.3.0`, you have a transitive dependency on `0.10.0` via `parcel-bundler`. – jonrsharpe Mar 27 '22 at 10:48
  • *I just follow a tutorial.* Would you mind telling what tutorial you were following that led to this question? The main reason I ask is that you have added the packages ansi-regex, glob-parent, node-forge, nth-check, postcss as direct dependencies to the original `package.json`. Were the direct dependencies `parcel` and `parcel-bundler` included in the original `package.json`? Or did you add them later? – Henke Mar 31 '23 at 13:57
  • @Henke: it was a Pacman tutorial, but I can't remember which one. I don't have the link any more. From the commit history of the project, the first commit already contains the fixed packages. It seems I never committed the broken version. – Thomas Weller Mar 31 '23 at 18:03

3 Answers

As per the comments, I have already tried all commands for the general case, in which case you need to start analyzing individual packages.

So, what did I do?

  1. Update all dependencies to the latest version.

Next, perform a binary search by removing half of the dependencies and repeating the following steps:

  1. delete the node_modules folder
  2. run npm install
  3. run npm audit to check for the vulnerabilities

If there are no vulnerabilities, add half of the remaining packages you want to install.

If there are vulnerabilities, remove the half of the packages you are currently installing.

In my case, this process boiled it down to the following two lines:

"parcel": "^2.4.0",
"parcel-bundler": "^1.12.5",

For parcel-bundler, NPM spit out a warning:

npm WARN deprecated parcel-bundler@1.12.5: Parcel v1 is no longer maintained. Please migrate to v2, which is published under the 'parcel' package.

So I guess I don't need parcel-bundler at all, because it has been integrated into the parcel package, which I had already updated to version 2 in an earlier step.

Thomas Weller

Try updating your npm with this command. It helped me.

npm install -g npm@latest

This answer is correct.

Reproducing your findings

Thanks for including the package.json in your question!
By doing that, anyone can reproduce your findings.

I ran npm install npm@latest -g, and then npm --version, which responded 9.6.3.

In an empty directory, I added a stripped version of your package.json, then ran npm install. 1

The package.json I used:

{
  "license": "MIT",
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^5.16.0",
    "@typescript-eslint/parser": "^5.16.0",
    "eslint": "^8.12.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-plugin-prettier": "^4.0.0",
    "parcel": "^2.4.0",
    "parcel-bundler": "^1.12.5",
    "prettier": "^2.6.1",
    "typescript": "^4.6.3"
  }
}

The response said 29 vulnerabilities (15 moderate, 14 high).

Here is the beginning of the resulting NPM audit security report, running npm audit.

# npm audit report
glob-parent  <5.1.2
Severity: high
…

As noted in your self-answer, the package parcel-bundler is deprecated.
The latter link contains a link that explains how to migrate.

As you already concluded, the recommended action is to simply remove the parcel-bundler package. When I did that and then ran npm install again, I got 9 moderate severity vulnerabilities.

Now, here comes an ugly trick.
I downgraded the version of npm itself by running npm install npm@8.0.0 --global. 2
Then I upgraded it back by running npm install npm --global.

This resulted in 'found 0 vulnerabilities'.

References

1 Since you added the packages ansi-regex, glob-parent, node-forge, nth-check, and postcss as direct devDependencies, I decided to undo that by removing them from package.json.
I also removed the dependency on npm@^8.5.5, which I believe stems from you running npm i npm@latest which installs npm locally. By contrast, I always install npm only globally, npm i npm@latest --global.

2 It seems that any version 8.x.x will do. Version 8.0.0 is easy to remember.
Unfortunately, I cannot tell why this trick works. – I happened to discover that it does.

Henke