What did an npm audit fix --force change and how do you fix it?
I was trying to npm install apn --save and used npm audit fix --force. The 'Hope you know what you are doing' message made me realize that I don't know what I am doing. After that I was originally getting

node /home/ec2-user/myapp/bin/www: symbol lookup error: 
/home/ec2-user/myapp/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: undefined symbol: napi_add_finalizer

so I updated Node to v14.16.0, but that didn't help, so I decided to delete package-lock.json and node_modules and ran npm install afterwards. This error would now come up:

PM2 error: Error: spawn node ENOENT
    at Process.ChildProcess._handle.onexit (internal/child_process.js:269:19)
    at onErrorNT (internal/child_process.js:465:16)
    at processTicksAndRejections (internal/process/task_queues.js:80:21)

and I realized that PM2 didn't use the new Node version. I upgraded PM2 and now it shows that my app is online as opposed to errored.
But I still get a 502 error if my node server was running (port 8080) when trying to run my website:

[proxy_http:error] [pid 22860] (20014)Internal error 
(specific information not available): [client my IP address]
 AH01102: error reading status line from remote server 127.0.0.1:8080

and a 503 error if I stopped my node server:

[proxy:error] [pid 13022] (111)Connection refused:
 AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed

Has anyone else experienced this? Any and all help would be much appreciated. Also, I believe node-forge was a dependency of apn and needed the npm audit fix --force.

Erythritol answered 10/4, 2021 at 2:30 Comment(0)

npm audit is a utility that reads your package.json and checks the versions of its dependencies against a security vulnerability database. When something is found, it gives you the severity of the vulnerability and the option to fix it.

What the fixing does is upgrade the unsafe dependencies of your project. npm audit fix only modifies the dependencies that shouldn't cause problems based on semver rules.

The --force is a dangerous option because it upgrades the dependencies regardless of any rules. This can cause a dependency to go from version 1.2.0 to version 2.3.0, for example. That means that functions that you use in your project may not exist anymore or may have a different behaviour, effectively breaking your application.

One option to fix this issue is going back on your versioning system (git, cvs, etc.) and recovering the previous package.json and package-lock.json. Then you should delete node_modules and any npm cache and run npm install.

More info on npm audit can be found here.

Inequity answered 10/4, 2021 at 3:6 Comment(3)
Thank you for the quick response and lots of information. I can see why it's important to have a versioning system; unfortunately I was just mainly backing up the app, routes, and view files. It sounds like everyone can have different problems here, sorry I'm not much help there. With a --force fix, does it upgrade every dependency or just the ones that the audit suggests? Erythritol
It will upgrade just the suggested dependencies. If you can't determine which ones got upgraded, as a last resort you can change the dependencies in your package.json one by one to use major versions (e.g. 2.0.0, 3.0.0, ...) and run npm install after each change to see if it works. Personally I would start with client-facing (parsers, file handling, webservers), cryptography or framework dependencies, as people look for vulnerabilities more often in them. Inequity
It is my understanding that npm install apn added one dependency "apn": "^2.2.0" to my package.json and 3 packages to package-lock.json, notably "node-forge": { "version": "0.7.6" }. The npm audit report suggests that node-forge <= 0.9.2 is a high severity and that an npm audit fix --force will fix it. Not wanting to use that again, I npm uninstall apn and with it went any reference to apn or node-forge. I understand that if I was using that code anywhere during a force I could expect it to break, but I only had that code after doing the initial apn install. Erythritol
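The answer above says to restore the old package.json and package-lock.json and reinstall, and the comment thread asks how to tell which dependencies --force actually bumped. The script below is an added example (it is not code from the question, the answer, or npm itself) that answers the second question mechanically: it flattens two package-lock.json snapshots (lockfileVersion 1 or 2/3), lists every version change, and flags the ones that fall outside the caret range of the version that was installed before, i.e. the bumps plain npm audit fix would not make and --force does. The two sample lock objects are constructed for the demo and are not the asker's real files, and the caret check is a heuristic: it uses the previously locked version as the range's lower bound, while the real range in package.json may be tilde or exact.

```javascript
// Added example (not from the original page or the npm project): diff two
// package-lock.json snapshots and flag semver-incompatible bumps.

// Flatten a lock file into name -> version. Handles lockfileVersion 1 (nested
// "dependencies" objects) and lockfileVersion 2/3 ("packages" keyed by path).
// When a package is installed at several depths, the shallowest copy wins,
// which is the one the project's own require() calls resolve to.
function flattenLock(lock) {
  const seen = new Map(); // name -> { version, depth }
  const record = (name, version, depth) => {
    const prev = seen.get(name);
    if (!prev || depth < prev.depth) seen.set(name, { version, depth });
  };
  if (lock.packages) {
    for (const [p, info] of Object.entries(lock.packages)) {
      if (p === '') continue; // the root project entry is not a dependency
      const segments = p.split('node_modules/');
      record(segments[segments.length - 1], info.version, segments.length - 1);
    }
  } else {
    const walk = (deps, depth) => {
      for (const [name, info] of Object.entries(deps || {})) {
        record(name, info.version, depth);
        walk(info.dependencies, depth + 1);
      }
    };
    walk(lock.dependencies, 1);
  }
  return new Map([...seen].map(([name, v]) => [name, v.version]));
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`cannot parse version "${v}"`);
  return m.slice(1).map(Number);
}

function cmp(x, y) {
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Caret rule npm applies to "^x.y.z": no downgrade, same major, and when the
// major is 0 the first non-zero component is the boundary instead
// (^0.7.6 allows <0.8.0, ^0.0.3 allows only 0.0.3). Using the previously
// locked version as the lower bound is an approximation of the real range.
function withinCaret(base, candidate) {
  const b = parseVersion(base), c = parseVersion(candidate);
  if (cmp(c, b) < 0) return false;
  if (b[0] !== 0) return c[0] === b[0];
  if (b[1] !== 0) return c[0] === 0 && c[1] === b[1];
  return cmp(c, b) === 0;
}

// Returns { added, removed, changed }; a changed entry has breaking: true when
// the new version leaves the caret range of the old one.
function diffLocks(before, after) {
  const a = flattenLock(before), b = flattenLock(after);
  const report = { added: [], removed: [], changed: [] };
  for (const [name, to] of b) {
    if (!a.has(name)) { report.added.push({ name, version: to }); continue; }
    const from = a.get(name);
    if (from !== to) report.changed.push({ name, from, to, breaking: !withinCaret(from, to) });
  }
  for (const [name, version] of a) if (!b.has(name)) report.removed.push({ name, version });
  return report;
}

function formatReport(report) {
  const lines = [];
  for (const c of report.changed)
    lines.push(`${c.breaking ? 'BREAKING' : 'ok      '} ${c.name}: ${c.from} -> ${c.to}`);
  for (const x of report.added) lines.push(`added    ${x.name}@${x.version}`);
  for (const x of report.removed) lines.push(`removed  ${x.name}@${x.version}`);
  return lines;
}

// Constructed sample lock files for the demo (not the asker's real files).
const lockBefore = {
  lockfileVersion: 1,
  dependencies: {
    apn: { version: '2.2.0', dependencies: { 'node-forge': { version: '0.7.6' } } },
    bcrypt: { version: '3.0.6' },
    debug: { version: '4.1.0' },
    'left-pad': { version: '1.3.0' },
  },
};
const lockAfter = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'myapp', version: '1.0.0' },
    'node_modules/apn': { version: '2.2.0' },
    'node_modules/apn/node_modules/node-forge': { version: '0.7.6' },
    'node_modules/node-forge': { version: '1.0.0' },
    'node_modules/bcrypt': { version: '5.0.1' },
    'node_modules/debug': { version: '4.3.4' },
  },
};

// Usage: node lockdiff.js <old package-lock.json> <new package-lock.json>
// With no arguments it runs on the constructed samples above.
if (typeof require !== 'undefined' && require.main === module) {
  const [oldPath, newPath] = process.argv.slice(2);
  const load = (p) => JSON.parse(require('fs').readFileSync(p, 'utf8'));
  const before = oldPath ? load(oldPath) : lockBefore;
  const after = newPath ? load(newPath) : lockAfter;
  console.log(formatReport(diffLocks(before, after)).join('\n'));
}
```

Run it against the package-lock.json you restored from backup or git and the one --force wrote; everything flagged BREAKING is where to look first for removed or changed APIs. If no old lock file survives, the answer's recovery still applies: put the old package.json and package-lock.json back, delete node_modules, clear the npm cache, and run npm install.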
