
I'm making a website with a Node Express backend, which serves a React app from the public directory. Everything was working fine on my computer. I put all of this on an AWS server, ran npm install for my server and for my app in the public directory, and that's where I got this message:

/public$ npm audit fix

up to date, audited 1960 packages in 5s

# npm audit report

public  *
Severity: high
Cross-Site Scripting - https://npmjs.com/advisories/1000
Path Traversal - https://npmjs.com/advisories/571
Cross-Site Scripting - https://npmjs.com/advisories/609
fix available via `npm audit fix`


1 high severity vulnerability

To address all issues, run:
  npm audit fix

Everything was fine on my computer. I tried starting over again, emptying the node_modules directory and then reinstalling, but got the same thing again. I guess I must not have copied/deleted some files, but I have no idea where to start, and I don't get what the "public *" is. Is that a module? You're welcome if you have some ideas!

Vincent
    Does this answer your question? [What does "npm audit fix" exactly do?](https://stackoverflow.com/questions/61416717/what-does-npm-audit-fix-exactly-do) – Or Assayag Jan 08 '21 at 14:54
  • I am experiencing this issue and it makes absolutely no sense. npm audit flags up this vulnerability if I add *any* dependency in my package.json. Literally anything. When I install exactly the same packages on a different environment, there is no problem - npm audit shows 0 vulnerabilities. This issue is absolutely contingent on the install environment. It's nothing to do with a vulnerable local package being brought in either, as it persists even when forcing pulls from the remote npm repo. A real head-scratcher. – AmateurAardvark Mar 19 '21 at 20:11

1 Answer


By default, when you run npm install, another command, called npm audit, is also executed. It's a tool to check whether your project's dependencies have known vulnerabilities.

It has nothing to do with your environment, local or AWS, it's all about dependencies.

Auditing package dependencies for security vulnerabilities

The npm audit --fix can automatically fix vulnerabilities; however, the documentation says that in some cases manual intervention might be required.

npm audit command

You need to look closely at the output of the command and, if interested, read about the vulnerability and fix it.
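To make "look closely at the output" concrete, here is an added example, not part of the original question or answer. It reads the machine-readable form of the same report (`npm audit --json`) and prints, for each flagged package, where it is installed, whether it is a direct dependency, which advisories hit it, and whether `npm audit fix` can handle it on its own. The embedded report is constructed to mirror the text output in the question, using the field names of npm 7's JSON report (`auditReportVersion: 2`); the values, including the `nodes` path, are illustrative and are not taken from the asker's machine. An empty string in `nodes` is how npm refers to the root project itself.

```javascript
// Added example: summarise an `npm audit --json` report (npm 7+, auditReportVersion 2).
// The sample report below is CONSTRUCTED to mirror the question's text output;
// field names follow npm's JSON format, the values are illustrative.
const SAMPLE_AUDIT_JSON = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    public: {
      name: "public",
      severity: "high",
      isDirect: false,
      via: [
        { source: 1000, name: "public", title: "Cross-Site Scripting",
          url: "https://npmjs.com/advisories/1000", severity: "high", range: "*" },
        { source: 571, name: "public", title: "Path Traversal",
          url: "https://npmjs.com/advisories/571", severity: "high", range: "*" },
        { source: 609, name: "public", title: "Cross-Site Scripting",
          url: "https://npmjs.com/advisories/609", severity: "high", range: "*" },
      ],
      effects: [],
      range: "*",
      nodes: ["node_modules/public"], // illustrative path; "" would mean the root project
      fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0, total: 1 } },
});

// Map npm's three-valued fixAvailable field to the command you would actually run.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return "npm audit fix";
  if (fixAvailable && typeof fixAvailable === "object") {
    // Fix exists but crosses a semver-major boundary: npm only applies it with --force.
    return "npm audit fix --force (semver-major)";
  }
  return "none";
}

// Turn the report into one row per flagged package, highest severity first.
function summarizeAudit(reportJson) {
  const report = JSON.parse(reportJson);
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version: ${report.auditReportVersion}`);
  }
  const rows = [];
  for (const [pkg, v] of Object.entries(report.vulnerabilities || {})) {
    // `via` mixes advisory objects (this package is vulnerable itself) with plain
    // package names (this package is flagged only because it depends on a vulnerable one).
    const advisories = v.via
      .filter((x) => typeof x === "object")
      .map((x) => ({ title: x.title, url: x.url, severity: x.severity }));
    const causedBy = v.via.filter((x) => typeof x === "string");
    rows.push({
      pkg,
      severity: v.severity,
      range: v.range,
      direct: Boolean(v.isDirect),
      nodes: v.nodes || [],
      advisories,
      causedBy,
      fixAvailable: describeFix(v.fixAvailable),
    });
  }
  const order = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };
  rows.sort((a, b) => (order[a.severity] ?? 9) - (order[b.severity] ?? 9));
  return rows;
}

// Human-readable rendering of the rows from summarizeAudit().
function formatSummary(rows) {
  return rows.map((r) => {
    const lines = [`${r.pkg} ${r.range}  severity=${r.severity}  direct=${r.direct}  fix=${r.fixAvailable}`];
    lines.push(`  installed at: ${r.nodes.map((n) => n || "<root project>").join(", ")}`);
    for (const a of r.advisories) lines.push(`  ${a.severity}: ${a.title} ${a.url}`);
    for (const c of r.causedBy) lines.push(`  flagged via vulnerable dependency: ${c}`);
    return lines.join("\n");
  }).join("\n\n");
}

// Usage: `npm audit --json > audit.json && node audit-summary.js audit.json`;
// with no argument the constructed sample above is used.
function loadReport(argv) {
  const path = argv[2];
  return path ? require("fs").readFileSync(path, "utf8") : SAMPLE_AUDIT_JSON;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(formatSummary(summarizeAudit(loadReport(process.argv))));
}
```

The `installed at` line is the part worth reading first when the flagged name is unfamiliar, because it tells you whether npm found an actual package in node_modules or is pointing at the project itself; `npm ls <package>` then shows which dependency pulled it in.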