
I cloned a repository and did an npm install, but at the end some error occurred. Now whenever I run npm audit I get the message

found 18 vulnerabilities (5 low, 12 moderate, 1 high) in 15548 scanned packages
  9 vulnerabilities require semver-major dependency updates.
  9 vulnerabilities require manual review. See the full report for details.

No matter what I do they stay the same. I tried npm update, npm audit fix, npm audit fix --force and some other solutions as well, but nothing worked. Here is the list of packages that are currently installed:

D:\NewState\opticare>npm list --depth=0
[email protected] D:\NewState\opticare
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- UNMET PEER DEPENDENCY @angular/[email protected]
+-- @angular/[email protected]
+-- @auth0/[email protected]
+-- @ng-bootstrap/[email protected]
+-- @swimlane/[email protected]
+-- @types/[email protected]
+-- @types/[email protected]
+-- @types/[email protected]
+-- @types/[email protected]
+-- @types/[email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- [email protected]
+-- UNMET PEER DEPENDENCY [email protected]
+-- [email protected]
+-- [email protected]
+-- UNMET PEER DEPENDENCY tslint@^5.0.0
+-- [email protected]
+-- [email protected]
+-- [email protected]
`-- [email protected]

npm ERR! peer dep missing: @angular/animations@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/common@>=6.0.0, required by @auth0/[email protected]
npm ERR! peer dep missing: @angular/common@^6.1.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: @angular/common@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/common@^6.0.0-rc.0 || ^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/common@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/compiler@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/core@^6.1.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: @angular/core@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/core@^6.0.0-rc.0 || ^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/core@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/forms@^6.1.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: @angular/forms@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/platform-browser@^6.0.0, required by [email protected]
npm ERR! peer dep missing: @angular/platform-browser-dynamic@^6.0.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: tslint@^5.0.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.0.0, required by @ng-bootstrap/[email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: rxjs@^6.1.0, required by [email protected]
npm ERR! peer dep missing: typescript@~2.7.1 || >=2.8.0-dev || >=2.9.0-dev || ~3.0.0 || >=3.0.0-dev || >=3.1.0-dev || >= 3.2.0-dev || >= 3.3.0-dev, required by [email protected]

And lastly, my package.json file:

{
  "name": "opticare",
  "version": "0.0.0",
  "license": "MIT",
  "angular-cli": {},
  "scripts": {
    "build": "ng build",
    "ng": "ng",
    "start": "ng serve",
    "test": "ng test",
    "pree2e": "webdriver-manager update --standalone false --gecko false",
    "e2e": "protractor"
  },
  "private": true,
  "dependencies": {
    "@angular/animations": "^5.2.0",
    "@angular/common": "^5.2.0",
    "@angular/compiler": "^5.2.0",
    "@angular/compiler-cli": "^5.2.0",
    "@angular/core": "^5.2.0",
    "@angular/forms": "^5.2.0",
    "@angular/http": "^5.2.0",
    "@angular/platform-browser": "^5.2.0",
    "@angular/platform-browser-dynamic": "^5.2.0",
    "@angular/router": "^5.2.0",
    "@auth0/angular-jwt": "^2.0.0",
    "@ng-bootstrap/ng-bootstrap": "^3.2.2",
    "@swimlane/ngx-charts": "^7.4.0",
    "angular-archwizard": "^3.0.0",
    "angular-datatables": "^6.0.0",
    "angular2-csv": "^0.2.5",
    "angular2-spinner": "^1.0.10",
    "bcrypt-nodejs": "0.0.3",
    "chalk": "^2.4.1",
    "chart.js": "^2.7.2",
    "core-js": "^2.4.1",
    "cron": "^1.3.0",
    "datatables.net": "^1.10.19",
    "datatables.net-dt": "^1.10.19",
    "express": "^4.16.3",
    "file-saver": "^1.3.8",
    "googleapis": "^35.0.0",
    "http-errors": "^1.6.3",
    "install-peerdeps": "^2.0.1",
    "jodit-angular": "^1.0.59",
    "jquery": "^3.3.1",
    "jsonwebtoken": "^8.1.0",
    "jwt-decode": "^2.2.0",
    "lodash": "^4.17.10",
    "moment": "^2.22.2",
    "moment-timezone": "^0.5.21",
    "mongoose": "^5.2.4",
    "mongoose-paginate": "^5.0.3",
    "multer": "^1.3.0",
    "ng2-nouislider": "^1.7.7",
    "ngx-bootstrap": "^2.0.3",
    "ngx-chips": "^1.9.2",
    "ngx-toastr": "^6.4.0",
    "node-cron": "^1.2.1",
    "node-sass": "^4.9.2",
    "nodemailer": "^4.6.8",
    "nouislider": "^11.0.3",
    "rxjs": "^5.5.12",
    "shortid": "^2.2.8",
    "ts-helpers": "^1.1.1",
    "twilio": "^3.19.2",
    "typescript": "^2.4.2",
    "xlsx": "^0.13.0",
    "zone.js": "^0.8.19"
  },
  "devDependencies": {
    "@angular/cli": "^1.7.4",
    "@angular/compiler-cli": "^5.2.0",
    "@types/datatables.net": "^1.10.12",
    "@types/jasmine": "~2.8.3",
    "@types/jquery": "^3.3.4",
    "@types/node": "~6.0.60",
    "@types/systemjs": "^0.20.5",
    "codelyzer": "^4.0.1",
    "jasmine-core": "~2.8.0",
    "jasmine-spec-reporter": "~4.2.1",
    "karma-chrome-launcher": "~2.2.0",
    "karma": "^2.0.4"
  }
}

1 Answer

You'll have to use npm audit and actually read the audit log. In there will be advice on which versions can be installed to fix vulnerabilities. See https://docs.npmjs.com/cli/audit for more information on npm audit.

Vulnerabilities

You can get a report of all vulnerabilities using npm audit. In that report, for each vulnerability you will also see a way to fix it. When you use npm audit fix you are telling npm to execute those fixes. npm, however, will not automatically install fixes that might break your project, such as major version changes. You'll have to manually execute the npm install commands for those if you decide the vulnerability is more important than having to deal with the possible breaking change.

Note: Since writing, npm audit fix --force was introduced, which will even execute patches that might introduce breaking changes. Use at your own risk; I've used it and it ended badly, very badly.

Peer dependencies

Another common warning is the peer dependency warning. Peer dependencies specify not a dependency, but compatibility. Check out this post for a way better explanation of peer dependencies: https://stackoverflow.com/a/34645112/1016004

You can see a peer dependency warning for 2 reasons: the specified peer dependency is missing, or the peer dependency is of the wrong version. In both cases you will have to figure out the correct response yourself. The core question to answer is whether you can install the dependency in your project:

  • Do you use any deprecated features that will be removed in an update, do any breaking changes apply to your code, ...?
  • Do you have to revert to a version with a known vulnerability that you use in such a way that it might endanger user data, ... ?

The simple solution, not recommended for production, is to just manually try to run npm install for both the vulnerabilities and peer dependencies with the proposed versions. Be sure to have version control or backups so that you can revert if you end up with more errors than you started with.

If the simple solution doesn't cut it you'll have to look for other versions of packages that are part of the unsolvable constraints. Maybe previous versions of any of those packages can work together?


8 Comments

I did, but there was a warning at the end that it could be a breaking change. For example, it was written in the report that # Run npm install @angular/[email protected] to resolve 1 vulnerability SEMVER WARNING: Recommended action is a potentially breaking change. What does the last warning mean? I know the meaning of semantic versioning, but what does the warning mean?
It means that there will be an upgrade in the major version of Angular. The major version in semver is the first number. So probably from Angular 7.x to Angular 8.2. In semantic versioning, if you increase the major version you are signalling to your users that you might introduce breaking changes: things might stop working. npm won't automatically install those updates because of that. You will have to explicitly tell npm to install at least Angular 8.2.14.
So, if I install my packages one by one as mentioned in the npm audit report, like in the above comment for example, will my application run?
Yes, it should. To avoid this you can keep your dependencies up to date more regularly ;) But of course be aware that a lot of things change between major versions and that some of your code might need to be updated to conform to the newer versions you just installed.
I kept installing one by one until I got found 0 vulnerabilities, but still when I list the installed packages I keep seeing the UNMET PEER DEPENDENCY error. What to do for that?