npm audit fix breaks nodejs project by removing required asn1 package

help-wanted
cli
triaged
priority:medium
(Jacques L Chereau) #1

What I Wanted to Do

npm audit fix to fix vulnerabilities

What Happened Instead

npm audit fix removed asn1 package which is required

Reproduction Steps

Use https://github.com/Memba/Memba-Blog and run npm install && npm audit fix

Alternatively use (only check that asn1 is removed):

{
  "name": "Memba.Blog",
  "filename": "memba.blog",
  "version": "0.3.8",
  "compatible": "0.0.1",
  "description": "A blog engine powered by nodeJS and pulling markdown from GitHub",
  "author": "Memba Sarl",
  "copyright": "Copyright ©2013-2018 Memba® Sarl. All rights reserved.",
  "license": "AGPL-3.0",
  "homepage": "https://www.memba.com",
  "keywords": [
    "Memba",
    "Kidoju",
    "Activity",
    "Assessment",
    "Brain",
    "Educate",
    "eEducation",
    "eLearning",
    "Exercise",
    "Game",
    "Learn",
    "Knowledge",
    "Quiz",
    "Teach",
    "Test"
  ],
  "repository": {
    "type": "git",
    "url": "http://github.com/Memba/Memba-Blog.git"
  },
  "bugs": {
    "url": "https://github.com/Memba/Memba-Blog/issues"
  },
  "main": "webapp/server.js",
  "scripts": {
    "start": "forever --minUptime 5000 --spinSleepTime 10000 webapp/server.js",
    "test": "grunt test"
  },
  "dependencies": {
    "async": "^2.6.1",
    "body-parser": "^1.18.3",
    "chalk": "^2.4.1",
    "chokidar": "^2.0.4",
    "compression": "^1.7.3",
    "cors": "^2.8.5",
    "deep-extend": "^0.6.0",
    "ejs": "^2.6.1",
    "express": "^4.16.4",
    "helmet": "^3.15.0",
    "highlight.js": "^9.13.1",
    "i18n": "^0.8.3",
    "markdown-it": "^8.4.2",
    "markdown-it-video": "^0.6.3",
    "moment": "^2.22.2",
    "nconf": "^0.10.0",
    "qs": "^6.6.0",
    "request": "^2.88.0",
    "uuid": "^3.3.2"
  },
  "devDependencies": {
    "@babel/cli": "^7.2.0",
    "@babel/core": "^7.2.0",
    "@babel/plugin-transform-runtime": "^7.2.0",
    "@babel/polyfill": "^7.0.0",
    "@babel/preset-env": "^7.2.0",
    "autoprefixer": "^9.4.2",
    "babel-eslint": "^10.0.1",
    "babel-loader": "^8.0.4",
    "babel-plugin-istanbul": "^5.1.0",
    "babel-plugin-module-resolver": "^3.1.1",
    "bundle-loader": "^0.5.6",
    "chai": "^4.2.0",
    "css-loader": "^1.0.1",
    "eslint": "^5.9.0",
    "eslint-config-airbnb-base": "^13.1.0",
    "eslint-config-prettier": "^3.3.0",
    "eslint-import-resolver-babel-module": "^5.0.0-beta.1",
    "eslint-import-resolver-webpack": "^0.10.1",
    "eslint-plugin-import": "^2.14.0",
    "eslint-plugin-node": "^8.0.0",
    "eslint-plugin-prettier": "^3.0.0",
    "file-loader": "^2.0.0",
    "grunt": "^1.0.3",
    "grunt-contrib-copy": "^1.0.0",
    "grunt-contrib-jshint": "^2.0.0",
    "grunt-contrib-less": "^2.0.0",
    "grunt-contrib-uglify": "^4.0.0",
    "grunt-eslint": "^21.0.0",
    "grunt-jscs": "^3.0.1",
    "grunt-mocha-test": "^0.13.3",
    "grunt-nsp": "^2.3.1",
    "grunt-stylelint": "^0.10.1",
    "grunt-webdriver": "^2.0.3",
    "grunt-webpack": "^3.1.3",
    "json-loader": "^0.5.7",
    "less": "^3.9.0",
    "less-loader": "^4.1.0",
    "less-plugin-autoprefix": "^2.0.0",
    "less-plugin-clean-css": "^1.5.1",
    "loader-utils": "^1.1.0",
    "mocha": "^5.2.0",
    "phantomjs-prebuilt": "^2.1.16",
    "postcss-loader": "^3.0.0",
    "prettier": "^1.15.3",
    "sinon": "^7.1.1",
    "sinon-chai": "^3.3.0",
    "style-loader": "^0.23.1",
    "stylelint": "^9.9.0",
    "stylelint-config-standard": "^18.2.0",
    "supertest": "^3.3.0",
    "systemjs-plugin-babel": "0.0.25",
    "url-loader": "^1.1.2",
    "wdio-mocha-framework": "^0.6.4",
    "wdio-phantomjs-service": "^0.2.2",
    "wdio-selenium-standalone-service": "0.0.11",
    "webdriverio": "^4.14.1",
    "webpack": "^4.27.0",
    "webpack-bundle-analyzer": "^3.0.3",
    "webpack-cli": "^3.1.2"
  },
  "engines": {
    "node": ">=6"
  },
  "config": {
    "msvs_version": "2015"
  }
}

Details

The project starts after running npm install only. It is broken after running npm audit fix. The nodejs error is

Error: Cannot find module 'asn1',
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:603:15),
at Function.Module._load (internal/modules/cjs/loader.js:529:25),
at Module.require (internal/modules/cjs/loader.js:658:17),
at require (internal/modules/cjs/helpers.js:22:18),
at Object.<anonymous> (./node_modules\sshpk\lib\formats\pem.js:9:12),
at Module._compile (internal/modules/cjs/loader.js:722:30),
at Object.Module._extensions..js (internal/modules/cjs/loader.js:733:10),
at Module.load (internal/modules/cjs/loader.js:620:32),
at tryModuleLoad (internal/modules/cjs/loader.js:560:12),
at Function.Module._load (internal/modules/cjs/loader.js:552:3)

The project can be repaired by running npm install asn1 so it appears npm audit fix has removed a package it should not have removed.

Platform Info

$ npm --versions
6.4.1
$ node -p process.platform
win32
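A post-fix sanity check for the failure reported above (sshpk installed, asn1 gone), as an added example that is not part of the original post or of npm itself: it walks node_modules and reports every required, non-optional dependency that no longer resolves. The function names are hypothetical, and the fixture with its `*` version ranges is constructed for illustration.

```javascript
const fs = require('fs'), os = require('os'), path = require('path');

// Mimic Node's lookup: try node_modules in fromDir, then in each parent up to root.
function canResolve(name, fromDir, root) {
  for (let dir = fromDir; ; dir = path.dirname(dir)) {
    if (fs.existsSync(path.join(dir, 'node_modules', name, 'package.json'))) return true;
    if (dir === root || dir === path.dirname(dir)) return false;
  }
}

// Every installed package directory, including scoped (@scope/name) and nested ones.
function listPackages(dir) {
  const nm = path.join(dir, 'node_modules');
  if (!fs.existsSync(nm)) return [];
  return fs.readdirSync(nm)
    .filter((e) => !e.startsWith('.')) // skip .bin and npm bookkeeping
    .flatMap((e) => (e.startsWith('@') ? fs.readdirSync(path.join(nm, e)).map((s) => `${e}/${s}`) : [e]))
    .map((name) => path.join(nm, name))
    .flatMap((p) => (fs.existsSync(path.join(p, 'package.json')) ? [p, ...listPackages(p)] : []));
}

// Returns "parent -> dep" for each required dependency that cannot be resolved.
function findMissingDeps(root) {
  const missing = [];
  for (const pkgDir of [root, ...listPackages(root)]) {
    const pkg = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const optional = dep in (pkg.optionalDependencies || {}); // allowed to be absent
      if (!optional && !canResolve(dep, pkgDir, root)) missing.push(`${pkg.name} -> ${dep}`);
    }
  }
  return missing.sort();
}

// Constructed fixture: the request -> http-signature -> sshpk -> asn1 chain from the thread.
function buildFixture(withAsn1) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'auditfix-'));
  const put = (rel, pkg) => {
    fs.mkdirSync(path.join(root, rel), { recursive: true });
    fs.writeFileSync(path.join(root, rel, 'package.json'), JSON.stringify(pkg));
  };
  put('.', { name: 'Memba.Blog', dependencies: { request: '*', chokidar: '*' } });
  put('node_modules/chokidar', { name: 'chokidar', dependencies: { fsevents: '*' }, optionalDependencies: { fsevents: '*' } });
  put('node_modules/request', { name: 'request', dependencies: { 'http-signature': '*' } });
  put('node_modules/http-signature', { name: 'http-signature', dependencies: { sshpk: '*' } });
  put('node_modules/sshpk', { name: 'sshpk', dependencies: { asn1: '*' } });
  if (withAsn1) put('node_modules/asn1', { name: 'asn1' });
  return root;
}
console.log(findMissingDeps(buildFixture(false))); // prints [ 'sshpk -> asn1' ]
```

Run against a real project by calling `findMissingDeps` with the project directory after `npm audit fix`; a non-empty result means the install tree is inconsistent and should not be deployed.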
(Lars Willighagen) #2

It worked fine for me (not getting an error from that file either). Are you still seeing the problems?

My log
$ npm ls asn1
Memba.Blog@0.3.8 /.../Memba-Blog-master
├─┬ chokidar@2.0.3
│ └─┬ UNMET OPTIONAL DEPENDENCY fsevents@1.1.3
│   └─┬ UNMET OPTIONAL DEPENDENCY node-pre-gyp@0.6.39
│     └─┬ UNMET OPTIONAL DEPENDENCY request@2.81.0
│       └─┬ UNMET OPTIONAL DEPENDENCY http-signature@1.1.1
│         └─┬ UNMET OPTIONAL DEPENDENCY sshpk@1.13.0
│           └── UNMET OPTIONAL DEPENDENCY asn1@0.2.3
└─┬ request@2.85.0
  └─┬ http-signature@1.2.0
    └─┬ sshpk@1.13.1
      └── asn1@0.2.3

$ npm audit fix
npm WARN deprecated nsp@2.8.1: The Node Security Platform service is shutting down 9/30 - https://blog.npmjs.org/post/175511531085/the-node-security-platform-service-is-shutting
npm WARN ajv-keywords@3.1.0 requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN sinon-chai@3.0.0 requires a peer of sinon@^4.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

+ chokidar@2.0.4
+ webdriverio@4.14.1
+ request@2.88.0
+ webpack@4.27.1
+ grunt@1.0.3
+ eslint-plugin-import@2.14.0
+ stylelint@9.9.0
+ grunt-mocha@1.1.0
added 158 packages from 243 contributors, removed 379 packages, updated 178 packages and moved 10 packages in 63.881s
fixed 599 of 928 vulnerabilities in 20104 scanned packages
  9 vulnerabilities required manual review and could not be updated
  4 package updates for 320 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

$ npm ls asn1
Memba.Blog@0.3.8 /.../Memba-Blog-master
└─┬ request@2.88.0
  └─┬ http-signature@1.2.0
    └─┬ sshpk@1.13.1
      └── asn1@0.2.3
(Kat Marchán) #3

Looks like this can’t get reproduced anymore, so I’m gonna consider it resolved. If this is still happening, please open a new topic with reproducible steps.

(Jacques L Chereau) #4

I have upgraded npm to v6.5.0 which does not have the issue.

(system) closed #5

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.