When running npm audit, it says I have 87 vulnerabilities. npm audit fix and npm audit fix --force do not fix the issues.
Here is the output for the main problems on npm audit fix.
browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service
dns-packet <5.2.2
Severity: high
Memory Exposure - https://npmjs.com/advisories/1745
fix available via `npm audit fix --force`
Will install react-scripts@1.1.5, which is a breaking change
postcss 7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service
Upon further inspection in package-lock.json, here is the dns-packet entry:
    "dns-packet": {
      "version": "1.3.1",
      "resolved": "https://registry.npmjs.org/dns-packet/-/dns-packet-1.3.1.tgz",
      "integrity": "sha512-0UxfQkMhYAUaZI+xrNZOz/as5KgDU0M/fQ9b6SpkyLbk3GEswDi6PADJVaYJradtRVsRIlF1zLyOodbcTCDzUg==",
      "requires": {
        "ip": "^1.1.0",
        "safe-buffer": "^5.0.1"
      }
    },
It says on npm documentation that the latest version of dns-packet should be 5.2.3. I tried deleting package-lock.json and node_modules and running npm install, but that did not work. Here is what npm install spits out:
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
At this point I have no idea what the problem is. I hadn't installed anything for a while. Went to go install redux and react-redux and it started telling me there were vulnerabilities. Not sure where to go from here.
Edit: I ran npm i npm@latest and it shows this in the console:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! Found: @babel/core@7.12.3
npm ERR! node_modules/@babel/core
npm ERR! @babel/core@"7.12.3" from react-scripts@4.0.3
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"4.0.3" from the root project
npm ERR! @babel/core@"^7.12.3" from @svgr/webpack@5.5.0
npm ERR! node_modules/@svgr/webpack
npm ERR! @svgr/webpack@"5.5.0" from react-scripts@4.0.3
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"4.0.3" from the root project
npm ERR! 9 more (babel-jest, babel-loader, ...)
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer @babel/core@"^7.13.0" from @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.13.12
npm ERR! node_modules/@babel/preset-env/node_modules/@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining
npm ERR! @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@"^7.13.12" from @babel/preset-env@7.14.2
npm ERR! node_modules/@babel/preset-env
npm ERR! @babel/preset-env@"^7.12.1" from @svgr/webpack@5.5.0
npm ERR! node_modules/@svgr/webpack
npm ERR! @svgr/webpack@"5.5.0" from react-scripts@4.0.3
npm ERR! node_modules/react-scripts
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
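
An added example, not part of the original post: a small Node.js script that reads a lock file in the layout quoted above, reports copies of a package older than the advisory's fixed version (5.2.2 for dns-packet), and shows which package's version range pulls it in. The lock object and the parent package names are constructed for illustration; only the dns-packet entry matches the question.

```javascript
// Added example. The lock object is constructed (lockfileVersion 1 layout);
// only the dns-packet entry mirrors the question. Parent names are hypothetical.
const lock = {
  dependencies: {
    "example-dev-server": { version: "3.0.0", requires: { "example-mdns": "^6.0.0" } },
    "example-mdns": { version: "6.2.3", requires: { "dns-packet": "^1.3.1" } },
    "dns-packet": { version: "1.3.1", requires: { ip: "^1.1.0", "safe-buffer": "^5.0.1" } },
  },
};

// Compare two plain x.y.z versions (no prerelease tags); <0 means a is older.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Flatten the nested "dependencies" maps into one list of installed packages.
function flatten(deps, out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    out.push({ name, version: info.version, requires: info.requires || {} });
    flatten(info.dependencies, out);
  }
  return out;
}

// Installed copies older than fixedIn, plus every package whose range asks for target.
function explain(lock, target, fixedIn) {
  const all = flatten(lock.dependencies);
  const isOld = (p) => p.name === target && cmp(p.version, fixedIn) < 0;
  const vulnerable = all.filter(isOld).map((p) => p.version);
  const asks = all.filter((p) => target in p.requires);
  const requiredBy = asks.map((p) => ({ parent: `${p.name}@${p.version}`, range: p.requires[target] }));
  return { vulnerable, requiredBy };
}

// Follow "requires" upward until reaching a package nothing else in the lock requires.
function chain(lock, target) {
  const all = flatten(lock.dependencies);
  const path = [target];
  for (let cur = target; ; ) {
    const parent = all.find((p) => cur in p.requires && !path.includes(p.name));
    if (!parent) return path.reverse();
    path.push(parent.name);
    cur = parent.name;
  }
}

console.log(explain(lock, "dns-packet", "5.2.2"), chain(lock, "dns-packet").join(" > "));
```

In the constructed data the parent asks for `^1.3.1`, a range that can never resolve to 5.x, so regenerating the lock file installs the same version again until the parent itself is updated.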