The npm community forum has been discontinued.
To discuss usage of npm, visit the GitHub Support Community.
Why do I get vulnerabilities problem using "npm install"
node --version is
express --version is 4.16.1 and I use Windows 10. I don't know if other information is needed here, but let me know if so.
I have installed an express server using the "express coserver" command, then I used the "npm install" command to install other node packages/dependencies, but I got this result:
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Low             Incorrect Handling of Non-Boolean Comparisons During Minification
Package         uglify-js
Patched in      >= 2.4.24
Dependency of   jade
Path            jade > transformers > uglify-js
More info       https://nodesecurity.io/advisories/39

Low             Regular Expression Denial of Service
Package         uglify-js
Patched in      >=2.6.0
Dependency of   jade
Path            jade > transformers > uglify-js
More info       https://nodesecurity.io/advisories/48

Critical        Sandbox Bypass Leading to Arbitrary Code Execution
Package         constantinople
Patched in      >=3.1.1
Dependency of   jade
Path            jade > constantinople
More info       https://nodesecurity.io/advisories/568

Low             Regular Expression Denial of Service
Package         clean-css
Patched in      >=4.1.11
Dependency of   jade
Path            jade > clean-css
More info       https://nodesecurity.io/advisories/785

found 4 vulnerabilities (3 low, 1 critical) in 194 scanned packages
4 vulnerabilities require manual review. See the full report for details.
You have (indirectly) installed jade, and when I installed that I saw a message saying:
npm WARN deprecated firstname.lastname@example.org: Jade has been renamed to pug, please install the latest version of pug instead of jade
jade specifies a dependency on a version of transformers which in turn specifies a dependency on a version of uglify-js which has a known vulnerability.
There is not a magic solution to vulnerable dependency problems. The most practical approach is often to look for an update of the high level package you are using to resolve the problem.
For the purposes of a tutorial (which may be referring to old versions of packages) you can likely continue with the instructions with a known low severity vulnerability. Edit: I did not scroll, some are higher! Read the vulnerabilities and decide if they only affect abuse of a production service (which you will not be running), or are trojan horses or malware which could affect you running them locally.
But as I am a new learner of nodeJS and just following a tutorial, I don't know what to do now.
I tried "npm audit fix --force" but I got:
fixed 0 of 4 vulnerabilities in 194 scanned packages
4 vulnerabilities required manual review and could not be updated
I can't understand the meaning of "manual review". What should be reviewed manually, and what can I do manually to solve these problems?
"Manual Review" means npm cannot fix the issues for you.
What you can review is visiting the “More info” links and deciding if the issue is something that you need to worry about for your current project (tutorial).
I expect these are warnings and did not prevent the install? i.e. npm is making sure you know there are some known problems with some of those packages, but you can carry on if you wish.
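The "Manual Review" distinction is easier to see in the JSON form of the report. The following is an added example, not code from this thread or from npm itself: a small Node script that reads an npm 6 style `npm audit --json` report (its "advisories" and "actions" objects), groups every finding under the direct dependency whose path pulls it in, and flags the advisories that no install/update action resolves. The report embedded in it is a constructed sample built from the four advisories quoted above; the installed package versions are not in the thread and are omitted.

```javascript
// Added example, not from the thread: summarise an `npm audit --json` report
// (npm 6 format, with "advisories" and "actions") by the top-level dependency
// that pulls each vulnerable package in, and list the advisories that no
// install/update action covers, i.e. the ones npm leaves to "manual review".
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function summarizeAudit(report) {
  // Advisory ids that an install/update action would fix automatically.
  const autoFixable = new Set();
  for (const action of report.actions || []) {
    if (action.action === 'review') continue; // npm cannot fix these itself
    for (const r of action.resolves || []) autoFixable.add(r.id);
  }
  const byTopLevel = {};
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const top = path.split('>')[0]; // the package you depend on directly
        const entry = byTopLevel[top] ||
          (byTopLevel[top] = { highest: 'info', advisories: [], manualReview: [] });
        entry.advisories.push({ id: adv.id, module: adv.module_name, severity: adv.severity,
          path, patchedIn: adv.patched_versions, url: adv.url });
        if (SEVERITY_RANK[adv.severity] > SEVERITY_RANK[entry.highest]) entry.highest = adv.severity;
        if (!autoFixable.has(adv.id) && !entry.manualReview.includes(adv.id)) entry.manualReview.push(adv.id);
      }
    }
  }
  return byTopLevel;
}

// Constructed sample mirroring the four advisories printed in the thread above.
const SAMPLE_REPORT = {
  actions: [
    { action: 'review', module: 'uglify-js', resolves: [{ id: 39 }, { id: 48 }] },
    { action: 'review', module: 'constantinople', resolves: [{ id: 568 }] },
    { action: 'review', module: 'clean-css', resolves: [{ id: 785 }] },
  ],
  advisories: {
    39: { id: 39, module_name: 'uglify-js', severity: 'low', patched_versions: '>=2.4.24',
          findings: [{ paths: ['jade>transformers>uglify-js'] }], url: 'https://nodesecurity.io/advisories/39' },
    48: { id: 48, module_name: 'uglify-js', severity: 'low', patched_versions: '>=2.6.0',
          findings: [{ paths: ['jade>transformers>uglify-js'] }], url: 'https://nodesecurity.io/advisories/48' },
    568: { id: 568, module_name: 'constantinople', severity: 'critical', patched_versions: '>=3.1.1',
          findings: [{ paths: ['jade>constantinople'] }], url: 'https://nodesecurity.io/advisories/568' },
    785: { id: 785, module_name: 'clean-css', severity: 'low', patched_versions: '>=4.1.11',
          findings: [{ paths: ['jade>clean-css'] }], url: 'https://nodesecurity.io/advisories/785' },
  },
};
console.log(JSON.stringify(summarizeAudit(SAMPLE_REPORT), null, 2));
```

On a real project, pipe `npm audit --json` into a file and pass the parsed object to summarizeAudit: every top-level key is a direct dependency you can look to upgrade, and a non-empty manualReview list is exactly what the report means by "require manual review".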