
npm audit fix breaks nodejs project by removing required asn1 package

What I Wanted to Do

Run npm audit fix to fix the reported vulnerabilities.

What Happened Instead

npm audit fix removed the asn1 package, which is still required at runtime (sshpk loads it; see the stack trace under Details).

Reproduction Steps

Use https://github.com/Memba/Memba-Blog and run npm install && npm audit fix

Alternatively, use the following package.json (you only need to check whether asn1 has been removed):

{
  "name": "Memba.Blog",
  "filename": "memba.blog",
  "version": "0.3.8",
  "compatible": "0.0.1",
  "description": "A blog engine powered by nodeJS and pulling markdown from GitHub",
  "author": "Memba Sarl",
  "copyright": "Copyright ©2013-2018 Memba® Sarl. All rights reserved.",
  "license": "AGPL-3.0",
  "homepage": "https://www.memba.com",
  "keywords": [
    "Memba",
    "Kidoju",
    "Activity",
    "Assessment",
    "Brain",
    "Educate",
    "eEducation",
    "eLearning",
    "Exercise",
    "Game",
    "Learn",
    "Knowledge",
    "Quiz",
    "Teach",
    "Test"
  ],
  "repository": {
    "type": "git",
    "url": "http://github.com/Memba/Memba-Blog.git"
  },
  "bugs": {
    "url": "https://github.com/Memba/Memba-Blog/issues"
  },
  "main": "webapp/server.js",
  "scripts": {
    "start": "forever --minUptime 5000 --spinSleepTime 10000 webapp/server.js",
    "test": "grunt test"
  },
  "dependencies": {
    "async": "^2.6.1",
    "body-parser": "^1.18.3",
    "chalk": "^2.4.1",
    "chokidar": "^2.0.4",
    "compression": "^1.7.3",
    "cors": "^2.8.5",
    "deep-extend": "^0.6.0",
    "ejs": "^2.6.1",
    "express": "^4.16.4",
    "helmet": "^3.15.0",
    "highlight.js": "^9.13.1",
    "i18n": "^0.8.3",
    "markdown-it": "^8.4.2",
    "markdown-it-video": "^0.6.3",
    "moment": "^2.22.2",
    "nconf": "^0.10.0",
    "qs": "^6.6.0",
    "request": "^2.88.0",
    "uuid": "^3.3.2"
  },
  "devDependencies": {
    "@babel/cli": "^7.2.0",
    "@babel/core": "^7.2.0",
    "@babel/plugin-transform-runtime": "^7.2.0",
    "@babel/polyfill": "^7.0.0",
    "@babel/preset-env": "^7.2.0",
    "autoprefixer": "^9.4.2",
    "babel-eslint": "^10.0.1",
    "babel-loader": "^8.0.4",
    "babel-plugin-istanbul": "^5.1.0",
    "babel-plugin-module-resolver": "^3.1.1",
    "bundle-loader": "^0.5.6",
    "chai": "^4.2.0",
    "css-loader": "^1.0.1",
    "eslint": "^5.9.0",
    "eslint-config-airbnb-base": "^13.1.0",
    "eslint-config-prettier": "^3.3.0",
    "eslint-import-resolver-babel-module": "^5.0.0-beta.1",
    "eslint-import-resolver-webpack": "^0.10.1",
    "eslint-plugin-import": "^2.14.0",
    "eslint-plugin-node": "^8.0.0",
    "eslint-plugin-prettier": "^3.0.0",
    "file-loader": "^2.0.0",
    "grunt": "^1.0.3",
    "grunt-contrib-copy": "^1.0.0",
    "grunt-contrib-jshint": "^2.0.0",
    "grunt-contrib-less": "^2.0.0",
    "grunt-contrib-uglify": "^4.0.0",
    "grunt-eslint": "^21.0.0",
    "grunt-jscs": "^3.0.1",
    "grunt-mocha-test": "^0.13.3",
    "grunt-nsp": "^2.3.1",
    "grunt-stylelint": "^0.10.1",
    "grunt-webdriver": "^2.0.3",
    "grunt-webpack": "^3.1.3",
    "json-loader": "^0.5.7",
    "less": "^3.9.0",
    "less-loader": "^4.1.0",
    "less-plugin-autoprefix": "^2.0.0",
    "less-plugin-clean-css": "^1.5.1",
    "loader-utils": "^1.1.0",
    "mocha": "^5.2.0",
    "phantomjs-prebuilt": "^2.1.16",
    "postcss-loader": "^3.0.0",
    "prettier": "^1.15.3",
    "sinon": "^7.1.1",
    "sinon-chai": "^3.3.0",
    "style-loader": "^0.23.1",
    "stylelint": "^9.9.0",
    "stylelint-config-standard": "^18.2.0",
    "supertest": "^3.3.0",
    "systemjs-plugin-babel": "0.0.25",
    "url-loader": "^1.1.2",
    "wdio-mocha-framework": "^0.6.4",
    "wdio-phantomjs-service": "^0.2.2",
    "wdio-selenium-standalone-service": "0.0.11",
    "webdriverio": "^4.14.1",
    "webpack": "^4.27.0",
    "webpack-bundle-analyzer": "^3.0.3",
    "webpack-cli": "^3.1.2"
  },
  "engines": {
    "node": ">=6"
  },
  "config": {
    "msvs_version": "2015"
  }
}

Details

The project starts when only npm install has been run. After running npm audit fix it is broken. The Node.js error is:

Error: Cannot find module 'asn1',
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:603:15),
at Function.Module._load (internal/modules/cjs/loader.js:529:25),
at Module.require (internal/modules/cjs/loader.js:658:17),
at require (internal/modules/cjs/helpers.js:22:18),
at Object.<anonymous> (./node_modules\sshpk\lib\formats\pem.js:9:12),
at Module._compile (internal/modules/cjs/loader.js:722:30),
at Object.Module._extensions..js (internal/modules/cjs/loader.js:733:10),
at Module.load (internal/modules/cjs/loader.js:620:32),
at tryModuleLoad (internal/modules/cjs/loader.js:560:12),
at Function.Module._load (internal/modules/cjs/loader.js:552:3)

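The project can be repaired by running npm install asn1, so it appears that npm audit fix removed a package it should not have removed. Note that this workaround records asn1 as a direct dependency in package.json rather than restoring it as a transitive dependency of sshpk; comparing the output of npm ls asn1 before and after npm audit fix shows whether the dependency tree itself is consistent.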

Platform Info

$ npm --versions
6.4.1
$ node -p process.platform
win32


It worked fine for me (not getting an error from that file either). Are you still seeing the problems?

My log
$ npm ls asn1
Memba.Blog@0.3.8 /.../Memba-Blog-master
├─┬ chokidar@2.0.3
│ └─┬ UNMET OPTIONAL DEPENDENCY fsevents@1.1.3
│   └─┬ UNMET OPTIONAL DEPENDENCY node-pre-gyp@0.6.39
│     └─┬ UNMET OPTIONAL DEPENDENCY request@2.81.0
│       └─┬ UNMET OPTIONAL DEPENDENCY http-signature@1.1.1
│         └─┬ UNMET OPTIONAL DEPENDENCY sshpk@1.13.0
│           └── UNMET OPTIONAL DEPENDENCY asn1@0.2.3 
└─┬ request@2.85.0
  └─┬ http-signature@1.2.0
    └─┬ sshpk@1.13.1
      └── asn1@0.2.3 

$ npm audit fix
npm WARN deprecated nsp@2.8.1: The Node Security Platform service is shutting down 9/30 - https://blog.npmjs.org/post/175511531085/the-node-security-platform-service-is-shutting
npm WARN ajv-keywords@3.1.0 requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN sinon-chai@3.0.0 requires a peer of sinon@^4.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

+ chokidar@2.0.4
+ webdriverio@4.14.1
+ request@2.88.0
+ webpack@4.27.1
+ grunt@1.0.3
+ eslint-plugin-import@2.14.0
+ stylelint@9.9.0
+ grunt-mocha@1.1.0
added 158 packages from 243 contributors, removed 379 packages, updated 178 packages and moved 10 packages in 63.881s
fixed 599 of 928 vulnerabilities in 20104 scanned packages
  9 vulnerabilities required manual review and could not be updated
  4 package updates for 320 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

$ npm ls asn1
Memba.Blog@0.3.8 /.../Memba-Blog-master
└─┬ request@2.88.0
  └─┬ http-signature@1.2.0
    └─┬ sshpk@1.13.1
      └── asn1@0.2.3


Looks like this can’t be reproduced anymore, so I’m gonna consider it resolved. If this is still happening, please open a new topic with reproducible steps.


I have upgraded npm to v6.5.0, which does not have the issue.