
I am following a TypeScript tutorial.
Unfortunately, the packages are outdated and I got a warning about vulnerabilities.

I followed a bunch of suggestions from npm check and update package if needed, namely:

  • npm audit fix
  • npm audit fix --force
  • npm update

npm audit says there are still 24 vulnerabilities left.
But none of the above commands will fix them.

npm outdated results in no output.

The vulnerable packages are:

ansi-regex
glob-parent
node-forge
nth-check
postcss

I don't actually know why they are part of my project. I don't have them in my package.json.

What are the next steps for fixing these vulnerabilities?

Below is what I have tried.

You can reproduce my latest state with the following package.json in an empty directory and running npm install.

{
  "name": "pacman",
  "version": "0.0.1",
  "description": "I just follow a tutorial. Nothing of interest.",
  "keywords": ["game"],
  "license": "MIT",
  "author": "someone stupid",
  "scripts": {
    "build": "parcel build index.html",
    "dev": "parcel index.html --open",
    "start": "npm run build && npm run dev",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^5.16.0",
    "@typescript-eslint/parser": "^5.16.0",
    "ansi-regex": "^6.0.1",
    "eslint": "^8.12.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-plugin-prettier": "^4.0.0",
    "glob-parent": "^6.0.2",
    "node-forge": "^1.3.0",
    "nth-check": "^2.0.1",
    "parcel": "^2.4.0",
    "parcel-bundler": "^1.12.5",
    "postcss": "^8.4.12",
    "prettier": "^2.6.1",
    "typescript": "^4.6.3"
  },
  "dependencies": {
    "npm": "^8.5.5"
  }
}

This should give you 24 vulnerabilities, 18 moderate and 6 high, at the time of writing, running npm version 8.5.5.

  • At a certain point, maybe you can't fix them. Are there actually fixed versions compatible with your other local dependencies? Commented Mar 27, 2022 at 9:52
  • @jonrsharpe So people simply release their software with vulnerabilities in place? Commented Mar 27, 2022 at 9:55
  • 1
    We need a minimal reproducible example. How can someone else reproduce the problem locally? What's the least you can put into an empty directory such that npm audit recreates (maybe one of) the warnings on a vulnerable dependency. If you're just running through a tutorial, though (or they're e.g. development deps), do the warnings even matter? Commented Mar 27, 2022 at 10:16
  • 1
    It's reproducible, anyway... npm init -y && npm i parcel-bundler@1 -> 24 vulnerabilities (19 moderate, 5 high). Or e.g. npm ls node-forge on what you posted, as suggested above, would show that despite the direct dependency on 1.3.0, you have a transitive dependency on 0.10.0 via parcel-bundler. Commented Mar 27, 2022 at 10:48
  • 1
    @Henke: it was a Pacman tutorial, but I can't remember which one. I don't have the link any more. From the commit history of the project,the first commit already contains the fixed packages. It seems I never committed the broken version. Commented Mar 31, 2023 at 18:03

3 Answers


As per the comments, I have already tried all commands for the general case, in which case you need to start analyzing individual packages.

So, what did I do?

  1. Update all dependencies to the latest version.

Next, perform a binary search by removing half of the dependencies and repeating the following steps

  1. delete the node_modules folder
  2. run npm install
  3. run npm audit to check for the vulnerabilities

If there are no vulnerabilities, add the half of the remaining packages you want to install.

If there are vulnerabilities, remove the half of the packages you are currently installing.

In my case, this process boiled it down to the following two lines:

"parcel": "^2.4.0",
"parcel-bundler": "^1.12.5",

For parcel-bundler, NPM spit out a warning:

npm WARN deprecated parcel-bundler@1.12.5: Parcel v1 is no longer maintained.
Please migrate to v2, which is published under the 'parcel' package.

So I guess I don't need parcel-bundler at all, because it has been integrated into the parcel package, which I had already updated to version 2 in an earlier step.
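The bisection procedure from this answer, written up as an added example (not the answerer's code): findCulprits halves the devDependency list and tests each half on its own, auditIsClean is the real probe (assumes npm on PATH and npm 7+) that stands in for "delete node_modules, npm install, npm audit", and offlineProbe is a constructed stand-in so the search can be run without touching the network.

```javascript
// Added example (not from the answer): the dependency bisection described above as a
// reusable function. `isClean(deps)` must answer whether a fresh project whose
// devDependencies are exactly `deps` (an array of [name, range] pairs) audits clean.
// Testing each half on its own is valid because a culprit package brings its
// vulnerable transitive dependencies along regardless of what else is installed.
function findCulprits(deps, isClean) {
  if (deps.length === 0 || isClean(deps)) return [];  // this subset is clean
  if (deps.length === 1) return deps;                  // narrowed down to one package
  const mid = Math.ceil(deps.length / 2);
  return [...findCulprits(deps.slice(0, mid), isClean),
          ...findCulprits(deps.slice(mid), isClean)];
}

// Real probe (assumes npm on PATH, npm 7+; not exercised offline). A fresh temp dir
// replaces "delete node_modules"; npm audit exits non-zero when it finds anything,
// so the JSON report is then read from the error's stdout.
function auditIsClean(deps) {
  const fs = require('node:fs'), os = require('node:os'), path = require('node:path');
  const { execSync } = require('node:child_process');
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'audit-bisect-'));
  const pkg = { name: 'audit-bisect', private: true, devDependencies: Object.fromEntries(deps) };
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify(pkg));
  const opts = { cwd: dir, encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] };
  execSync('npm install --ignore-scripts --no-audit --no-fund', opts);
  let out;
  try { out = execSync('npm audit --json', opts); } catch (err) { out = err.stdout; }
  const counts = JSON.parse(out).metadata.vulnerabilities;   // {info, low, ..., total}
  return Object.values(counts).every((n) => n === 0);
}

// The questioner's devDependencies as [name, range] pairs (ranges as in the question).
const devDeps = [
  ['@typescript-eslint/eslint-plugin', '^5.16.0'], ['@typescript-eslint/parser', '^5.16.0'],
  ['eslint', '^8.12.0'], ['eslint-config-prettier', '^8.5.0'],
  ['eslint-plugin-prettier', '^4.0.0'], ['parcel', '^2.4.0'],
  ['parcel-bundler', '^1.12.5'], ['prettier', '^2.6.1'], ['typescript', '^4.6.3'],
];

// Constructed offline stand-in for auditIsClean: only parcel-bundler is "bad".
const offlineProbe = (deps) => deps.every(([name]) => name !== 'parcel-bundler');

console.log(findCulprits(devDeps, offlineProbe).map(([name]) => name));
```

Pass auditIsClean instead of offlineProbe to run the search against the registry; each probe does a full install, so expect roughly log2(n) installs per culprit.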


1 Comment

Ah, the old binary search

Try to update all your npm with this command. It helped me

npm install -g npm@latest

2 Comments

the OP tried this without the global tag. would it make a difference?
This updates the npm CLI itself (the globally installed one in this case), not any of the dependencies of the specific project. It's also duplicative of one of the linked answers that OP tried. If you want to update all dependencies, you can use the npm update command

As noted in your self-answer, the parcel-bundler package is deprecated:

Parcel v1 is no longer maintained. Please migrate to v2, which is published under the 'parcel' package.

The parcel-bundler package is deprecated.

In fact, the npm package name has changed from parcel-bundler to parcel. Having them both in the same package.json means having two different versions of the exact same package twice, so the word deprecated is rather misleading in this case.

Reproducing your findings – can we trust the audit report?

Thanks for including the package.json in your question.
Doing so makes it possible to reproduce your findings.

  1. I run npm install npm@latest -g, and then npm --version, which responds 10.2.3.

  2. In an empty directory, I add a version of your package.json, then run npm install. [1]

package.json:

{
  "name": "soq-71635274-fix-npm",
  "license": "MIT",
  "devDependencies": {
    "@typescript-eslint/eslint-plugin": "^5.16.0",
    "@typescript-eslint/parser": "^5.16.0",
    "eslint": "^8.12.0",
    "eslint-config-prettier": "^8.5.0",
    "eslint-plugin-prettier": "^4.0.0",
    "parcel": "^2.4.0",
    "parcel-bundler": "^1.12.5",
    "prettier": "^2.6.1",
    "typescript": "^4.6.3"
  }
}
  3. To make sure I have the latest versions of all packages, I then run npx npm-check-updates, followed by npx npm-check-updates -u and npm install.
    The response says 59 vulnerabilities (47 moderate, 12 high),
    and suggests to "Run `npm audit` for details".

  4. So next I run npm audit. Here is the beginning of the resulting npm audit security report.

Start of npm audit security report, at first.

# npm audit report
glob-parent  <5.1.2
Severity: high
…
  5. Since parcel-bundler is obsolete, I remove it from package.json.
    But running npm install doesn't give a clean report.
    It still says 11 moderate severity vulnerabilities.

  6. Running npm audit fix neither changes package.json nor package-lock.json.

  7. Running npm audit fix --force once downgrades parcel in package.json from ^2.10.2 to ^1.12.4. The size of package-lock.json increases from 255 kB to 477 kB.

  8. Running npm audit fix --force twice (a second time) re-upgrades parcel from ^1.12.4 back to ^2.10.2 in package.json.
    It decreases the size of package-lock.json from 477 kB to 184 kB. [2]

This also results in found 0 vulnerabilities:

Finally, 'found 0 vulnerabilities'

I find this remarkable.
Fixing all the vulnerabilities and running npm install is not enough to get a clean report.
You then also need to run npm audit fix --force twice. [3]

References


[1] Since you added the packages ansi-regex, glob-parent, node-forge, nth-check, and postcss as direct devDependencies, I decided to undo that by removing them from package.json.
I also removed the dependency on npm@^8.5.5, which I believe stems from you running npm i npm@latest which installs npm locally. By contrast, I always install npm only globally, npm i npm --global.

[2] The only difference in package-lock.json before running npm audit fix --force and after running it twice is that a lot of packages have been removed. I'd assume that the ones removed are packages that parcel-bundler depends on. Thus, npm install alone does not remove these packages.

[3] Running npm audit fix --force a third time does not change package.json or package-lock.json anymore.
It seems that once a state of "0 vulnerabilities" is reached, the command npm audit fix --force doesn't induce any more changes. This makes sense.

1 Comment

Some users are childish enough to revenge downvote rather than make valuable contributions that benefit the community as a whole. If you are looking for help on the subject of npm audit in general, and/or npm audit fix --force in particular, consider taking a look at one of my other answers on the subject.
