Why do I get vulnerabilities problem using "npm install"

My node --version is v10.15.0, express --version is 4.16.1, and I use Windows 10. I don’t know if other information is needed here, but let me know if so.

I installed an Express server using the ‘express coserver’ command, then I used the ‘npm install’ command to install the other node packages/dependencies, but I got this result:

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Incorrect Handling of Non-Boolean Comparisons During
                  Minification

  Package         uglify-js

  Patched in      >= 2.4.24

  Dependency of   jade

  Path            jade > transformers > uglify-js

  More info       https://nodesecurity.io/advisories/39


  Low             Regular Expression Denial of Service

  Package         uglify-js

  Patched in      >=2.6.0

  Dependency of   jade

  Path            jade > transformers > uglify-js

  More info       https://nodesecurity.io/advisories/48


  Critical        Sandbox Bypass Leading to Arbitrary Code Execution

  Package         constantinople

  Patched in      >=3.1.1

  Dependency of   jade

  Path            jade > constantinople

  More info       https://nodesecurity.io/advisories/568


  Low             Regular Expression Denial of Service

  Package         clean-css

  Patched in      >=4.1.11

  Dependency of   jade

  Path            jade > clean-css

  More info       https://nodesecurity.io/advisories/785

found 4 vulnerabilities (3 low, 1 critical) in 194 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

Also posted as: https://stackoverflow.com/questions/57923270/vulnerabilities-problem-using-npm-install

and: Vulnerabilities problem using "npm install"

You have (indirectly) installed jade, and when I installed that I saw a message saying:

npm WARN deprecated jade@1.11.0: Jade has been renamed to pug, please install the latest version of pug instead of jade

jade specifies a dependency on a version of transformers, which in turn specifies a dependency on a version of uglify-js which has a known vulnerability.

There is no magic solution to vulnerable dependency problems. The most practical approach is often to look for an update of the high-level package you are using to resolve the problem.

For the purposes of a tutorial (which may be referring to old versions of packages) you can likely continue with the instructions with a known low severity vulnerability. Edit: I did not scroll, some are higher! Read the vulnerabilities and decide if they only affect abuse of a production service (which you will not be running), or are trojan horses or malware which could affect you running them locally.

Thanks bro!
But as I am a new learner of Node.js and am just following a tutorial, I don’t know what to do now.

I tried npm audit fix --force but I got:

fixed 0 of 4 vulnerabilities in 194 scanned packages
4 vulnerabilities required manual review and could not be updated

I can’t understand the meaning of “manual review”. What should be reviewed manually, and what can I do manually to solve these problems?

“Manual Review” means npm cannot fix the issues for you.

What you can review is visiting the “More info” links and deciding if the issue is something that you need to worry about for your current project (tutorial).

I expect these are warnings and did not prevent the install? I.e. npm is making sure you know there are some known problems with some of those packages, but you can carry on if you wish.