Questions tagged [npm-vulnerabilities]

52 questions
20
votes
3 answers

Running 'npm audit fix --force' downgrades react-scripts

I have a huge problem with my project in React. I'm trying to update the libraries on my project, but something goes wrong. This is the package.json. Note that the react-scripts version is set to "^4.0.3". { "name": "server", "version":…
11
votes
1 answer

Fix for vulnerability - "Critical Prototype Pollution in immer" Patched >=9.0.6

Here's a fix for the following vulnerability: Critical Prototype Pollution in immer Package immer Patched in >=9.0.6 …
Juno Sprite
7
votes
3 answers

Fixing NPM vulnerabilities

I am following a TypeScript tutorial. Unfortunately, the packages are outdated and I got a warning about vulnerabilities. I followed a bunch of suggestions from npm check and update package if needed, namely: npm audit fix npm audit fix --force npm…
6
votes
2 answers

loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)

I got some errors in my VSCode terminal in my Angular App: loader-utils 3.0.0 - 3.2.0 Severity: high loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable -…
luca88
4
votes
2 answers

I can't fix NPM vulnerabilities

I don't know much about npm and I need to fix that problem. # npm audit report semver <7.5.2 Severity: moderate semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw No fix…
4
votes
0 answers

npm audit force increases vulnerabilities

It initially says 23 issues, but after using audit fix --force it tries to install some deprecated files? I think, and the vulnerabilities increase to 56. But after using audit fix force again, it goes back to 23... PS…
Vikram
4
votes
1 answer

Npm dependency conflict

I am working on a project with Vue. I run Vue Cli and I added the Typescript plugin. I have several vulnerabilities. When I run npm audit fix it can't resolve the dependency conflict: npm ERR! code ERESOLVE npm ERR! ERESOLVE could not resolve npm…
Pau Baguer
3
votes
0 answers

High Vulnerability Detected in Dependency (NPM inflight) of mocha

How to Remediate: Vulnerability Detected in inflight package (Missing Release of Resource after Effective Lifetime) I recently ran a security scan using Checkmarx One and detected a high vulnerability in the npm inflight package (version…
1
vote
1 answer

SemVer vulnerabilities issue with Vite+React JS

I've created a new project to work on with Vite & React JS. Running the command npm create vite@latest works fine, and then I have to run npm install; this doesn't quite end well, because it says that there are 5 moderate vulnerabilities. And then…
1
vote
1 answer

Semver, 7 moderate severity vulnerabilities

I have a problem with a ViteJS project, I have 7 moderate vulnerabilities with Semver: # npm audit report semver <7.5.2 Severity: moderate semver vulnerable to Regular Expression Denial of Service -…
1
vote
0 answers

Receiving Amazon Inspector Vulnerability for xlsx, even after it has been updated to the version it asks for, any idea why?

Currently during my normal scans I am receiving a high vulnerability on my front end ECR image. It is showing: As you can see it registers the installed version equal to the fixed version. My npm package has the following: "xlsx":…
user68288
1
vote
0 answers

Are there alternatives to using "fix available via npm audit fix --force"?

I downloaded a file, still trying to remember the name of it (I will update, looking for it currently). I never finished installing it because I saw a message about vulnerabilities and a bunch of critical ones. I immediately reverted what I had…
1
vote
1 answer

Snyk vulnerability scan not recognizing overridden nested package dependencies

I am running the snyk test command on my project to identify vulnerabilities with third party libraries and came across the following vulnerabilities in react-scripts@5.0.1 ->@svgr/webpack": "^5.5.0" Regular Expression Denial of Service (ReDoS) -…
1
vote
0 answers

Installed Electron 21.0.1 vulnerability warnings but npm audit fix --force keeps swapping vulnerabilities

I recently installed node 18.12.0 and Electron 21.0.1. At the completion of the install of Electron I was given a warning about 3 moderate vulnerabilities. I ran the suggested npm audit fix --force; but that resulted in a high vulnerability. I…
clichekiller
1
vote
1 answer

How to handle outdated packages that are required by a dependency in package-lock.json?

Let’s say I have a dependency some_dep that has a vulnerability. I’m told on GitHub “Upgrade some_dep to version 2.2.3 or later.” 

However, things get complicated when I see some_dep is a required dependency of a required dependency etc. 
run npm…