
Dear all, after trying several times to fix vulnerabilities with npm, it still gives the messages below. Do you have any solution to fix these problems? Thank you for your help.

To address all issues, run:
  npm audit fix

PS D:\openclassroom\P7\P7groupomania\backend> npm audit fix
npm WARN config global --global, --local are deprecated. Use --location=global instead.

up to date, audited 231 packages in 2s

npm audit report

glob-parent  <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    nodemon  >=1.3.5
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of update-notifier
    node_modules/nodemon

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  >=0.2.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

7 vulnerabilities (4 moderate, 3 high)

To address all issues, run:
  npm audit fix

PS D:\openclassroom\P7\P7groupomania\backend>


I just received the got vulnerability from github dependabot, and resolved it by:

  1. It looks like it's a nested dependency of nodemon (https://github.com/remy/nodemon/issues/2023), which they are going to fix by removing their dependency.
  2. It's for nodemon, which is run during dev not on production, so you could and I did ignore it as it's not vulnerable code :D.
  3. Other option - maybe set up an override for got in your package.json? or wait till nodemon next update?

Note: Sometimes npm audit fix does nothing. I always assumed it was because it couldn't figure out how to fix it, e.g. in nodemon it's a nested dependency, so it might struggle? Also, npm audit fix sometimes fixes something by upgrading, but that breaks something else, so I don't have 100% faith in it. (No bugs or articles to back this up, just anecdotal evidence.)
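As an added example (not from the question or the answer above), here is a small Node script that applies the answer's "dev-only vs. production" triage to an npm audit --json report: it walks each advisory's effects chain up to the top-level package that pulls it in and checks whether that package sits in devDependencies. The report and package.json below are constructed samples mirroring the nodemon -> chokidar -> glob-parent and nodemon -> update-notifier -> latest-version -> package-json -> got chains from the question; the via/effects shape of the npm 7+ report format is assumed.

```javascript
// Constructed sample: a trimmed `npm audit --json` report (npm 7+ shape).
// Objects in `via` are real advisories; strings in `via` mean "vulnerable only
// through that dependency". `effects` lists the packages that depend on this one.
const sampleAudit = {
  vulnerabilities: {
    "glob-parent":     { severity: "high",     via: [{ title: "ReDoS in glob-parent" }],        effects: ["chokidar"] },
    "chokidar":        { severity: "high",     via: ["glob-parent"],                            effects: ["nodemon"] },
    "got":             { severity: "moderate", via: [{ title: "Redirect to a UNIX socket" }],   effects: ["package-json"] },
    "package-json":    { severity: "moderate", via: ["got"],                                    effects: ["latest-version"] },
    "latest-version":  { severity: "moderate", via: ["package-json"],                           effects: ["update-notifier"] },
    "update-notifier": { severity: "moderate", via: ["latest-version"],                         effects: ["nodemon"] },
    "nodemon":         { severity: "high",     via: ["chokidar", "update-notifier"],            effects: [] },
  },
};

// Constructed sample package.json: nodemon is a dev-only tool, express ships to production.
const samplePackageJson = {
  dependencies: { express: "^4.18.1" },
  devDependencies: { nodemon: "^2.0.16" },
};

// Follow `effects` upward until a package with no dependents: that is a top-level dependency.
function rootsOf(name, vulns, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = vulns[name];
  if (!entry || entry.effects.length === 0) return [name];
  return entry.effects.flatMap((dependent) => rootsOf(dependent, vulns, seen));
}

// Classify every real advisory: "dev-only" when all of its roots are devDependencies,
// "production" when at least one root is a runtime dependency.
function triageAudit(audit, pkg) {
  const devDeps = new Set(Object.keys(pkg.devDependencies || {}));
  const result = {};
  for (const [name, entry] of Object.entries(audit.vulnerabilities)) {
    const advisories = entry.via.filter((v) => typeof v === "object");
    if (advisories.length === 0) continue; // transitive-only entry, not an advisory itself
    const roots = [...new Set(rootsOf(name, audit.vulnerabilities))];
    const devOnly = roots.every((root) => devDeps.has(root));
    result[name] = {
      severity: entry.severity,
      titles: advisories.map((a) => a.title),
      roots,
      exposure: devOnly ? "dev-only" : "production",
    };
  }
  return result;
}

console.log(JSON.stringify(triageAudit(sampleAudit, samplePackageJson), null, 2));
```

Run it against real data by replacing the two constructed objects with `JSON.parse` of `npm audit --json` output and your package.json; a "dev-only" exposure supports the answer's reasoning for deferring, while "production" findings still need a fix or an override.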
