How to fix these vulnerabilities? (npm audit fix fails to fix these vulnerabilities)
3

11

My project has 6 high severity vulnerabilities and I have no idea how to fix them. npm audit fix fails. Please help me to fix this.

I was installing https://www.npmjs.com/package/toastr to my project and after it had installed the vulnerabilities were shown. I don't know if there is any connection.

=== npm audit security report ===

                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             

      Visit https://go.npm.me/audit-guide for additional guidance           


High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   @angular/cli [dev]                                            

Path            @angular/cli > @schematics/update > pacote >                  
                make-fetch-happen > https-proxy-agent                         

More info       https://npmjs.com/advisories/1184                             
High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   @angular/cli [dev]                                            

Path            @angular/cli > pacote > make-fetch-happen >                   
                https-proxy-agent                                             

More info       https://npmjs.com/advisories/1184                             
High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   @angular/cli [dev]                                            

Path            @angular/cli > @schematics/update > pacote >                  
                npm-registry-fetch > make-fetch-happen > https-proxy-agent    

More info       https://npmjs.com/advisories/1184                             
High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   @angular/cli [dev]                                            

Path            @angular/cli > pacote > npm-registry-fetch >                  
                make-fetch-happen > https-proxy-agent                         

More info       https://npmjs.com/advisories/1184                             
High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   protractor [dev]                                              

Path            protractor > browserstack > https-proxy-agent                 

More info       https://npmjs.com/advisories/1184                             
High            Machine-In-The-Middle                                         

Package         https-proxy-agent                                             

Patched in      >=3.0.0                                                       

Dependency of   protractor [dev]                                              

Path            protractor > saucelabs > https-proxy-agent                    

More info       https://npmjs.com/advisories/1184
Bake answered 18/10, 2019 at 20:27 Comment(0)
13

1) npm i --save-dev npm-force-resolutions

2) Add this to your package.json

"resolutions": { "https-proxy-agent": "^3.0.0" }

3) Let npm-force-resolutions do its thing

rm -r node_modules
npx npm-force-resolutions
npm install

4) re-run your audit npm audit.

Source: https://github.com/TooTallNate/node-https-proxy-agent/issues/84#issuecomment-543884972

Daytoday answered 19/10, 2019 at 7:39 Comment(2)
This solution works only for some amount of time and again the same problem comes up. - Bake
@user11135351 See #64606305. - Saviour
2

Fixes BUILD problems and general installation problems:

package.json

{
  ...
  "scripts": {
     "resolve-install": "npx npm-force-resolutions && npm install"
  },
  "resolutions": {
    "https-proxy-agent": "^3.0.0"
  }
}

Then instead of npm install just run in cmd or Dockerfile:

npm run resolve-install
Pricecutting answered 21/10, 2019 at 0:14 Comment(0)
0

Have a look at this thread: How do I override nested NPM dependency versions?

Just replace the corresponding packages to the ones listed in the audit.

Severalty answered 22/10, 2019 at 1:59 Comment(0)
