
I am following a tutorial on youtube and forked the repo. After running npm install I get the following:

found 45634 vulnerabilities (42263 low, 21 moderate, 3349 high, 1 critical) in 1547 scanned packages
  run `npm audit fix` to fix 45333 of them.
  301 vulnerabilities require manual review. See the full report for details.

As I'm not really sure what npm audit fix does, I am hesitant to execute the command.

I did run npm audit, which gave me a list. Here is a snippet:

Moderate        Regular Expression Denial of Service
  Package         acorn
  Patched in      >=5.7.4 <6.0.0 || >=6.4.1 <7.0.0 || >=7.1.1
  Dependency of   react-scripts
  Path            react-scripts > jest > jest-cli > jest-config >
                  jest-environment-jsdom > jsdom > acorn
  More info       https://npmjs.com/advisories/1488

After reading through some forums, people suggest ignoring the alert or deleting the package-lock.json and running npm install again. Haven't tried either of those solutions. Was gonna ask here first before blindly following advice I read in some forum.

Thanks for any help.

Aaron

1 Answer

Since you're just following a tutorial, I would ignore the vulnerabilities; most of the time it's just deprecated packages that haven't been updated to fix these vulnerabilities.

Redseb
Yeah, it seems the repo is a bit old and hasn't been updated in a while. I haven't dived much into the functionality of npm and was just gonna make sure I'm not breaking anything. After reading through the docs it seems audit fix just updates compatible dependencies and leaves out updates that could break the project. I'll accept this as an answer to my question. Thanks. – Aaron Sep 01 '20 at 11:26
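The comment above summarises what `npm audit fix` does: it applies semver-compatible updates, skips semver-major ones unless you pass `--force`, and leaves "review" findings for a human. The script below is an added example (not part of the question, the answer, or npm itself) that makes that split visible before you run anything, by reading the machine-readable report from `npm audit --json` (npm 6 report shape, as used at the time of the question: `actions`, `advisories`, `metadata`) and sorting each recommended action into the three buckets. The embedded report is constructed: advisory 1488 for acorn is the one quoted in the question; advisories 9001 and 9002, the modules `example-lib` and `example-dev-tool`, and all version numbers are made up. To use it on a real project, pipe `npm audit --json > audit.json` and load that file instead of `SAMPLE_AUDIT_JSON`.

```python
import json

# Severity ranking used by npm's --audit-level flag, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample in the shape of npm 6's `npm audit --json` output.
# Advisory 1488 (acorn) is the one from the question; 9001 and 9002, the modules
# example-lib and example-dev-tool, and the version numbers are placeholders.
SAMPLE_AUDIT_JSON = r"""
{
  "actions": [
    {"action": "update", "module": "acorn", "target": "6.4.1", "isMajor": false,
     "resolves": [{"id": 1488, "dev": false,
                   "path": "react-scripts>jest>jest-cli>jest-config>jest-environment-jsdom>jsdom>acorn"}]},
    {"action": "install", "module": "example-lib", "target": "3.0.0", "isMajor": true,
     "resolves": [{"id": 9001, "dev": false, "path": "example-lib"}]},
    {"action": "review", "module": "example-dev-tool",
     "resolves": [{"id": 9002, "dev": true, "path": "example-build>example-dev-tool"}]}
  ],
  "advisories": {
    "1488": {"id": 1488, "module_name": "acorn", "severity": "moderate",
             "title": "Regular Expression Denial of Service",
             "patched_versions": ">=5.7.4 <6.0.0 || >=6.4.1 <7.0.0 || >=7.1.1",
             "url": "https://npmjs.com/advisories/1488"},
    "9001": {"id": 9001, "module_name": "example-lib", "severity": "high",
             "title": "Constructed advisory (placeholder)", "patched_versions": ">=3.0.0",
             "url": "https://example.invalid/advisory-placeholder"},
    "9002": {"id": 9002, "module_name": "example-dev-tool", "severity": "critical",
             "title": "Constructed advisory (placeholder)", "patched_versions": "<0.0.0",
             "url": "https://example.invalid/advisory-placeholder"}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 1},
               "totalDependencies": 3}
}
"""


def parse_report(text: str) -> dict:
    """Parse the JSON emitted by `npm audit --json`."""
    return json.loads(text)


def classify_actions(report: dict) -> dict:
    """Sort each recommended action into the bucket `npm audit fix` treats it as.

    auto       - semver-compatible update/install; plain `npm audit fix` applies it
    force_only - semver-major (isMajor); skipped unless --force, which can break the build
    manual     - action "review": no upgrade target, a person has to decide
    """
    advisories = report["advisories"]
    buckets = {"auto": [], "force_only": [], "manual": []}
    for action in report["actions"]:
        ids = [r["id"] for r in action["resolves"]]
        # Highest severity among the advisories this single action would resolve.
        worst = max((advisories[str(i)]["severity"] for i in ids), key=SEVERITY_ORDER.index)
        entry = {
            "module": action["module"],
            "advisories": ids,
            "severity": worst,
            # True when every affected path is a devDependency, i.e. not shipped to users.
            "dev_only": all(r.get("dev", False) for r in action["resolves"]),
            "target": action.get("target"),  # review actions carry no target version
        }
        if action["action"] == "review":
            buckets["manual"].append(entry)
        elif action.get("isMajor"):
            buckets["force_only"].append(entry)
        else:
            buckets["auto"].append(entry)
    return buckets


def count_findings(buckets: dict) -> dict:
    """Findings per bucket: the three counts npm prints as 'fix N of them',
    'require semver-major dependency updates' and 'require manual review'."""
    return {name: sum(len(e["advisories"]) for e in entries) for name, entries in buckets.items()}


def exceeds_level(report: dict, level: str) -> bool:
    """Mirror `npm audit --audit-level=<level>`: True if any finding is at or above level."""
    threshold = SEVERITY_ORDER.index(level)
    counts = report["metadata"]["vulnerabilities"]
    return any(counts.get(sev, 0) > 0 for sev in SEVERITY_ORDER[threshold:])


if __name__ == "__main__":
    report = parse_report(SAMPLE_AUDIT_JSON)
    buckets = classify_actions(report)
    for name, entries in buckets.items():
        for e in entries:
            print(f"{name:10} {e['module']:18} {e['severity']:9} "
                  f"advisories={e['advisories']} dev_only={e['dev_only']} target={e['target']}")
    print("counts:", count_findings(buckets))
    print("fails --audit-level=high:", exceeds_level(report, "high"))
```

The `dev_only` flag is the piece worth looking at for a tutorial repo like the one in the question: the acorn finding sits under `react-scripts > jest > ...`, i.e. test tooling that never runs in the shipped application, which is why the accepted advice to not worry about it is reasonable even though the count looks alarming. `npm audit fix --dry-run` shows the same `auto` set without touching `node_modules`, and `--audit-level` lets a CI job fail only on the severities that matter for that project.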