Found 4 vulnerabilities on npm install

Question

I am just getting started with react-native. On installing this package

npm install --save react-native-validator-form

https://github.com/NewOldMax/react-native-validator-form/issues/3

I was prompted to npm audit and I was shown 4 vulnerabilities (listed above)

After running the 2 helper commands, I was prompted with another 2 vulnerabilities (see link)

How can I fix the remaining issues?

Updating the respective npm packages didn't work.

Not sure how to proceed?

Just to make things a bit more interesting, I thought I'd run `npm audit` in another directory. I got 164 vulnerabilities found - Packages audited: 20493 (312 dev, 1044 optional). Severity: 110 low | 35 moderate | 19 high. — Dazzle, May 09 '18 at 00:48
have reduced this to 20 low | 33 moderate | 15 high in project B, other directory. Is this a cause for serious concern?? — Dazzle, May 09 '18 at 01:16
In March 2023, the package `react-native-validator-form` has *0 vulnerabilities*, so apparently, it has since been fixed. — Henke, Mar 28 '23 at 09:50

score 31 · Accepted Answer · answered Sep 02 '18 at 18:36

31

This is a result of the new npm version including the audit command.

It isn't some new issue with the Angular CLI, npm just introduced new functionality in npm to warn users about vulnerabilities in the packages they're installing - so there's no "new" vulnerability in Angular, it's just that now npm is now warning you about vulnerabilities that already existed:

https://blog.npmjs.org/

Most of the issues stem from Karma, so it'd need to be fixed there for the Angular team to pull in a new Karma version karma-runner/karma#2994

answered Sep 02 '18 at 18:36

herbertug

593
6
9

20

So what is the fix? – William Nov 04 '21 at 08:45
4

how does this answer the question? – devnull Ψ Sep 14 '22 at 06:45

score 27 · Answer 2 · answered May 28 '18 at 23:05

If you have ran npm audit and got vulnerabilities, then you can have different scenarios:

Security vulnerabilities found with suggested updates

Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies.
Run the recommended commands individually to install updates to vulnerable dependencies. (Some updates may be semver-breaking changes; for more information, see "SEMVER warnings".)

Security vulnerabilities found requiring manual review

If security vulnerabilities are found, but no patches are available, the audit report will provide information about the vulnerability so you can investigate further.

Source: Reviewing and acting on the security audit report

score 13 · Answer 3 · edited Feb 28 '23 at 10:05

13

Even after running npm audit fix if it is not fixed, then to proceed I think you should Turn off npm audit. Use below command to turn off npm audit.

when installing a single package.

npm install example-package-name --no-audit

To turn off npm audit when installing all packages

npm set audit false

it will set the audit setting to false in your user and global npmrc config files.

for reference visit : turn-off-npm-audit

edited Feb 28 '23 at 10:05

Adriaan

17,741
7
42
75

answered Jun 25 '19 at 13:35

vijaychoudhary24

195
1
8

4

This is basically... Silencing the alert? – Pitto Sep 11 '22 at 09:54

score 2 · Answer 4 · answered Jan 06 '19 at 18:20

I had the same issue and log was like below:

Testing binary
Binary is fine
added 1166 packages from 1172 contributors and audited 39128 packages in 112.505s
found 1 high severity vulnerability

I executed the below command and it was fixed.

npm audit fix

log shows as below:

Testing binary
Binary is fine
+ @angular-devkit/build-angular@0.11.4
added 18 packages from 47 contributors, removed 14 packages and updated 52 packages in 64.529s
fixed 1 of 1 vulnerability in 39128 scanned packages

score 1 · Answer 5 · edited Oct 24 '21 at 16:18

1

I faced the same issue while installing react-native navigation, using:

npm install react-navigation

For me, npm audit-fix didn't worked well. npm use to have some limitations. For me, yarn worked:

yarn add <package-name>

edited Oct 24 '21 at 16:18

Fudge

49
4

answered Feb 03 '20 at 07:52

Huzaifa Habib

11
1

score 0 · Answer 6 · answered Jul 20 '23 at 14:50

These are the vulnerabilities issues of the package, run npm audit fix it will fix all the vulnerabilities that can be auto-fixed But it will not fix the high vulnerabilities, in order to fix the high vulnerabilities, you can checkout the package that is causing the vulnerabilities on npmjs.org and try installing the new version of it, In some cases,you may need to remove it and replace it with other alternative because some packages may be vulnerable to your application

Thank you

score -7 · Answer 7 · edited Jun 14 '18 at 13:52

-7

I had the same problem while running this command:

npm install ngx-bootstrap --save

...and solved it by running the Command Prompt as Administrator.

So Open the Command Prompt as Administrator and then try again. Hopefully it will work.

edited Jun 14 '18 at 13:52

Ronan Boiteau

9,608
6
34
56

answered May 16 '18 at 05:42

A T M Khairul Alam

19
3

4

OP never mentioned he was on Windows. Also, how will having higher permissions on the project fix vulnerabilities in the dependencies. – Kevin Gagnon Nov 06 '18 at 18:38
2

You should never ever run ```npm install``` with administrative privileges! You should change the folder privileges, not the command. Check [this](https://stackoverflow.com/questions/16151018/npm-throws-error-without-sudo/24404451#24404451) – Andre Ravazzi May 06 '19 at 21:00
that is a dangerous practice. Don't do that. – Ale DC Feb 09 '22 at 16:25

Found 4 vulnerabilities on npm install

7 Answers7

Security vulnerabilities found with suggested updates

Security vulnerabilities found requiring manual review

Linked

Related