
When I run the `npm audit` command:

    === npm audit security report ===

    Manual Review
    Some vulnerabilities require your attention to resolve

    Visit https://go.npm.me/audit-guide for additional guidance

    High          │ Arbitrary File Overwrite
    Package       │ tar
    Patched in    │ >=4.4.2
    Dependency of │ @angular-devkit/build-angular [dev]
    Path          │ @angular-devkit/build-angular > node-sass > node-gyp > tar
    More info     │ https://nodesecurity.io/advisories/803

It says `found 1 high severity vulnerability in 42611 scanned packages`, and that `1 vulnerability requires manual review`. As it is related to `@angular-devkit/build-angular`, I am afraid that it may create some other issue in my project.

When I run the `npm audit fix` command:

    npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules/fsevents):
    npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

So how do I fix this on a system running a Linux operating system? Let's consider ignoring the `npm audit fix` output above, because it is only a warning. But the result of `npm audit` is reported as a high severity vulnerability. How do I fix this?

Angular CLI Version

      Angular CLI: 7.3.8
      Node: 10.0.0
      OS: linux x64
      Angular: 7.2.14
      ... animations, common, compiler, compiler-cli, core, forms
      ... language-service, platform-browser, platform-browser-dynamic
      ... router

      Package                           Version
      -----------------------------------------------------------
      @angular-devkit/architect         0.13.8
      @angular-devkit/build-angular     0.13.8
      @angular-devkit/build-optimizer   0.13.8
      @angular-devkit/build-webpack     0.13.8
      @angular-devkit/core              7.3.8
      @angular-devkit/schematics        7.3.8
      @angular/cli                      7.3.8
      @ngtools/webpack                  7.3.8
      @schematics/angular               7.3.8
      @schematics/update                0.13.8
      rxjs                              6.3.3
      typescript                        3.2.4
      webpack                           4.29.0

Help me fix this. Thank you.

Abhiz
  • Possible duplicate of [npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.0.14](https://stackoverflow.com/questions/40226745/npm-warn-notsup-skipping-optional-dependency-unsupported-platform-for-fsevents) – R. Richards May 03 '19 at 22:52
  • 1
    no, first you see the npm audit security report. `1 high severity vulnerability` is there.and its related to `@angular-devkit//build-angular`. I am worried for this. If I ll ignore the npm audit fix result then also my problem is not solved. How to fix this. As its listed as a high severity vulnerability. – Abhiz May 06 '19 at 05:52

2 Answers

This vulnerability has been fixed.

Delete `node_modules` and `package-lock.json`, then run the commands:

  1. npm install
  2. npm audit
  3. npm audit fix
  4. npm audit

`found 0 vulnerabilities` will appear; problem fixed.

Braian Silva
  • In the "When I run the `npm audit` command" section, the first line says `Manual Review: Some vulnerabilities require your attention to resolve`. These cannot be fixed directly using the above commands. I have already tried this, so using `npm audit fix` does not resolve my issue. Thanks – Abhiz May 17 '19 at 06:04
  • `npm audit` shows the vulnerabilities and to fix this you need to use `npm audit fix`, then you use `npm audit` to check if the problem has been fixed. – Braian Silva May 17 '19 at 20:23
  • When you see that some vulnerabilities need manual attention, it will give you a command above the vulnerability. I would recommend updating one by one and checking that your app is still working correctly. Sometimes updates can break your app, and sometimes you cannot actually fix vulnerabilities yourself because they are dependencies of packages you are using. – C-Dev Aug 03 '21 at 20:41

I went through this. This is what I did to fix the audit.

The problem is `tar`, which is a dependency of `node-gyp`.

The solution is here: https://github.com/sass/node-sass/issues/2625. Do what 'mohsenari' suggested. It worked for me.

For the optional fsevents not supported, it's another story, but it's just a warning, no big deal.

It occurs because `fsevents` is an optional dependency, used only when the project is run in a macOS environment (the package provides "Native Access to Mac OS-X FSEvents").

Source: [npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.0.14](https://stackoverflow.com/questions/40226745/npm-warn-notsup-skipping-optional-dependency-unsupported-platform-for-fsevents)

jerulz