npm audit fix breaks nodejs project by removing required asn1 package


(Jacques L Chereau) #1

What I Wanted to Do

Run npm audit fix to fix the reported vulnerabilities.

What Happened Instead

npm audit fix removed the asn1 package, which is still required.

Reproduction Steps

Use https://github.com/Memba/Memba-Blog and run npm install && npm audit fix

Alternatively, use the following package.json (you only need to check that asn1 has been removed):

{
  "name": "Memba.Blog",
  "filename": "memba.blog",
  "version": "0.3.8",
  "compatible": "0.0.1",
  "description": "A blog engine powered by nodeJS and pulling markdown from GitHub",
  "author": "Memba Sarl",
  "copyright": "Copyright ©2013-2018 Memba® Sarl. All rights reserved.",
  "license": "AGPL-3.0",
  "homepage": "https://www.memba.com",
  "keywords": [
    "Memba",
    "Kidoju",
    "Activity",
    "Assessment",
    "Brain",
    "Educate",
    "eEducation",
    "eLearning",
    "Exercise",
    "Game",
    "Learn",
    "Knowledge",
    "Quiz",
    "Teach",
    "Test"
  ],
  "repository": {
    "type": "git",
    "url": "http://github.com/Memba/Memba-Blog.git"
  },
  "bugs": {
    "url": "https://github.com/Memba/Memba-Blog/issues"
  },
  "main": "webapp/server.js",
  "scripts": {
    "start": "forever --minUptime 5000 --spinSleepTime 10000 webapp/server.js",
    "test": "grunt test"
  },
  "dependencies": {
    "async": "^2.6.1",
    "body-parser": "^1.18.3",
    "chalk": "^2.4.1",
    "chokidar": "^2.0.4",
    "compression": "^1.7.3",
    "cors": "^2.8.5",
    "deep-extend": "^0.6.0",
    "ejs": "^2.6.1",
    "express": "^4.16.4",
    "helmet": "^3.15.0",
    "highlight.js": "^9.13.1",
    "i18n": "^0.8.3",
    "markdown-it": "^8.4.2",
    "markdown-it-video": "^0.6.3",
    "moment": "^2.22.2",
    "nconf": "^0.10.0",
    "qs": "^6.6.0",
    "request": "^2.88.0",
    "uuid": "^3.3.2"
  },
  "devDependencies": {
    "@babel/cli": "^7.2.0",
    "@babel/core": "^7.2.0",
    "@babel/plugin-transform-runtime": "^7.2.0",
    "@babel/polyfill": "^7.0.0",
    "@babel/preset-env": "^7.2.0",
    "autoprefixer": "^9.4.2",
    "babel-eslint": "^10.0.1",
    "babel-loader": "^8.0.4",
    "babel-plugin-istanbul": "^5.1.0",
    "babel-plugin-module-resolver": "^3.1.1",
    "bundle-loader": "^0.5.6",
    "chai": "^4.2.0",
    "css-loader": "^1.0.1",
    "eslint": "^5.9.0",
    "eslint-config-airbnb-base": "^13.1.0",
    "eslint-config-prettier": "^3.3.0",
    "eslint-import-resolver-babel-module": "^5.0.0-beta.1",
    "eslint-import-resolver-webpack": "^0.10.1",
    "eslint-plugin-import": "^2.14.0",
    "eslint-plugin-node": "^8.0.0",
    "eslint-plugin-prettier": "^3.0.0",
    "file-loader": "^2.0.0",
    "grunt": "^1.0.3",
    "grunt-contrib-copy": "^1.0.0",
    "grunt-contrib-jshint": "^2.0.0",
    "grunt-contrib-less": "^2.0.0",
    "grunt-contrib-uglify": "^4.0.0",
    "grunt-eslint": "^21.0.0",
    "grunt-jscs": "^3.0.1",
    "grunt-mocha-test": "^0.13.3",
    "grunt-nsp": "^2.3.1",
    "grunt-stylelint": "^0.10.1",
    "grunt-webdriver": "^2.0.3",
    "grunt-webpack": "^3.1.3",
    "json-loader": "^0.5.7",
    "less": "^3.9.0",
    "less-loader": "^4.1.0",
    "less-plugin-autoprefix": "^2.0.0",
    "less-plugin-clean-css": "^1.5.1",
    "loader-utils": "^1.1.0",
    "mocha": "^5.2.0",
    "phantomjs-prebuilt": "^2.1.16",
    "postcss-loader": "^3.0.0",
    "prettier": "^1.15.3",
    "sinon": "^7.1.1",
    "sinon-chai": "^3.3.0",
    "style-loader": "^0.23.1",
    "stylelint": "^9.9.0",
    "stylelint-config-standard": "^18.2.0",
    "supertest": "^3.3.0",
    "systemjs-plugin-babel": "0.0.25",
    "url-loader": "^1.1.2",
    "wdio-mocha-framework": "^0.6.4",
    "wdio-phantomjs-service": "^0.2.2",
    "wdio-selenium-standalone-service": "0.0.11",
    "webdriverio": "^4.14.1",
    "webpack": "^4.27.0",
    "webpack-bundle-analyzer": "^3.0.3",
    "webpack-cli": "^3.1.2"
  },
  "engines": {
    "node": ">=6"
  },
  "config": {
    "msvs_version": "2015"
  }
}

Details

The project starts correctly after running only npm install. It is broken after running npm audit fix. The Node.js error is:

Error: Cannot find module 'asn1',
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:603:15),
at Function.Module._load (internal/modules/cjs/loader.js:529:25),
at Module.require (internal/modules/cjs/loader.js:658:17),
at require (internal/modules/cjs/helpers.js:22:18),
at Object.<anonymous> (./node_modules\sshpk\lib\formats\pem.js:9:12),
at Module._compile (internal/modules/cjs/loader.js:722:30),
at Object.Module._extensions..js (internal/modules/cjs/loader.js:733:10),
at Module.load (internal/modules/cjs/loader.js:620:32),
at tryModuleLoad (internal/modules/cjs/loader.js:560:12),
at Function.Module._load (internal/modules/cjs/loader.js:552:3)

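The project can be repaired by running npm install asn1, so it appears that npm audit fix has removed a package it should not have removed. Note that asn1 is not listed in the package.json above; the stack trace shows it is loaded by sshpk, so it is a transitive dependency, and running npm ls asn1 after npm audit fix shows whether it is still present in the installed tree.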

Platform Info

$ npm --versions
6.4.1
$ node -p process.platform
win32