
I'm having a problem fixing the vulnerabilities in my Expo React Native project. It is a React Native app under development.

I keep getting this:

up to date, audited 1375 packages in 1m

73 packages are looking for funding
  run `npm fund` for details

18 vulnerabilities (10 moderate, 8 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Here's my package.json file:

{
  "name": "xxxxx",
  "version": "1.0.0",
  "main": "node_modules/expo/AppEntry.js",
  "scripts": {
    "start": "expo start",
    "android": "expo start --android",
    "ios": "expo start --ios",
    "web": "expo start --web"
  },
  "dependencies": {
    "@expo/vector-icons": "^13.0.0",
    "@react-native-community/masked-view": "^0.1.11",
    "@react-navigation/drawer": "^6.5.8",
    "@react-navigation/native": "*",
    "@react-navigation/native-stack": "*",
    "expo": "^47.0.9",
    "expo-constants": "~14.0.2",
    "expo-contacts": "~11.0.1",
    "expo-file-system": "~15.1.1",
    "expo-font": "~11.0.1",
    "expo-location": "~15.0.1",
    "expo-sms": "~11.0.0",
    "expo-speech": "~11.0.0",
    "expo-status-bar": "~1.4.2",
    "firebase": "^9.16.0",
    "from": "^0.1.7",
    "native": "^0.3.3",
    "react": "18.1.0",
    "react-native": "0.70.8",
    "react-native-elements": "^3.4.3",
    "react-native-gesture-handler": "~2.8.0",
    "react-native-google-places-autocomplete": "*",
    "react-native-maps": "1.3.2",
    "react-native-maps-directions": "^1.9.0",
    "react-native-paper": "4.9.2",
    "react-native-reanimated": "~2.12.0",
    "react-native-safe-area-context": "4.4.1",
    "react-native-screens": "~3.18.0",
    "react-native-sha256": "^1.4.9",
    "react-native-svg": "13.4.0",
    "react-navigation": "^4.4.4",
    "reanimated-bottom-sheet": "*"
  },
  "devDependencies": {
    "@babel/core": "^7.12.9",
    "react-native-dotenv": "^3.4.8"
  },
  "private": true
}

I tried multiple solutions such as:

npm audit
npm audit fix
npm audit fix --force
npm update
npm upgrade
npx remove-node-modules
npm install
npm install --check

I also tried manually fixing the dependencies to make them compatible, but to no avail. In most cases, the errors only got worse.

By running npx expo-doctor, however, this was the result:

$ npx expo-doctor

✔ Validating global prerequisites versions passed
✔ Checking for incompatible packages passed
✔ Checking for conflicting global packages in project passed
✔ Verifying prebuild support package versions are compatible passed
✔ Checking dependency versions for compatibility with the installed Expo SDK passed
✔ Validating Expo Config passed
✔ Checking package.json for common issues passed

Didn't find any issues with the project!

Yet the dependency errors still remain.

How can I fix the dependencies?

Asked May 12, 2023 at 23:08 by John B. Amedzo; edited Feb 23, 2024 at 22:56.
  • Note that sometimes you won't be able to fix everything immediately, because those fixes need to be done by the maintainers of library x, y or z (which you use), which themselves have an out-of-date library as a dependency which needs to be fixed by its maintainers. – Andy, commented May 13, 2023 at 0:00

2 Answers

From my experience, there's no magic command to fix all the vulnerabilities in a project; as the project gets older and versions become outdated, security issues start to arise. That said, how do we fix them?

The best way is to upgrade your packages.

Start by running npm audit. This will give you the full list of vulnerabilities, tell you in which version each one was patched, and which package is using that dependency (labeled as "dependency of"). All you need to do is upgrade the package, either with npm install package-name or by manually setting the version in your package.json and then running npm install.

Repeat the process till you fix them all.

Now there's another way of fixing these vulnerabilities without upgrading the package: you can directly upgrade the dependency in the package-lock.json. However, I don't recommend this way unless you're using a tool like Dependabot.

I don't think using npm update is a good solution, nor is the accepted answer. npm update could bring in many breaking changes, and the accepted answer does not actually update the packages of packages, which is usually the actual problem.

The actual process is to use package.json overrides and the recommended actions of npm audit. Remember devDependencies are not production vulns, so don't waste time with them unless you really need to. You can skip over devDeps with npm audit --omit=dev.

A quick example:

  • npm audit says semver < 1.0.0 has a vuln
  • If npm audit says to update the parent package and it won't be a breaking change, do it, problem solved.

Otherwise

  • npm i semver@1
  • Add overrides: {} as a root key to package.json
  • Add semver: $semver to replace all references of semver across the application/library
  • Run npm i to update the lockfile.

https://docs.npmjs.com/cli/v9/configuring-npm/package-json#overrides

If using yarn or pnpm, it's different.

Remember to periodically remove all overrides and check audit when updating packages. Vulns are not forever, and not doing so will force your app to use more and more out-of-date versions of things, which could cause problems.

Tags: javascript. Source: Stack Overflow, "Is there a better way to fix npm vulnerabilities".