0

I am trying to install axios for a MERN app but every time I use "npm install" it gives me this:

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 241 packages in 1.113s

30 packages are looking for funding
  run `npm fund` for details

found 1 moderate severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

running "npm audit fix" shows:

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

up to date in 0.874s

30 packages are looking for funding
  run `npm fund` for details

fixed 0 of 1 vulnerability in 241 scanned packages
  1 vulnerability required manual review and could not be updated

for "npm audit":

                   === npm audit security report ===

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Got allows a redirect to a UNIX socket
  Package         got
  Patched in      >=11.8.5
  Dependency of   nodemon [dev]
  Path            nodemon > update-notifier > latest-version > package-json > got
  More info       https://github.com/advisories/GHSA-pfrx-2q88-qq97

found 1 moderate severity vulnerability in 241 scanned packages
  1 vulnerability requires manual review. See the full report for details.

I tried updating "got" in package-lock.json by manually replacing its current version with a stable one, but then when I run npm install again, the file reverts back to its original state. I'm fairly new to this, so is that normal or am I updating the wrong way? I tried the same for update-notifier but it does the same thing. It's been days and I've tried countless other things, but the warning just won't go away. I'd greatly appreciate any help. Thanks in advance.

Roman N.
  • You can ignore security audits from development packages; they won't harm you unless you use them in production, which they are not meant to be – Orkhan Alikhanov Jun 29 '22 at 07:20

3 Answers

0

You stated that you've tried updating the package-lock file, but you should be updating the package.json file instead. You can also try some other common fixes below.

1 - Delete your package-lock.json

2 - Delete your node_modules folder

3 - Try npm install again

Quoted from here.

  • I did it, but now it says that it found 2 moderate severity vulnerabilities, namely "angular vulnerable to regular expression denial of service (ReDoS)" and "Got allows a redirect to a UNIX socket" again, both listed as Moderate – Roman N. Jun 29 '22 at 01:23
0

If you want npm to install from package-lock.json, run `npm ci`.

Orkhan Alikhanov
  • I've never used it. Do I run `npm ci axios`? my main goal is to have this package installed, but I need to update the `got` nodemon dependency in `package-lock.json`, and it won't let me. – Roman N. Jun 29 '22 at 01:46
0

Do this: `npm audit fix --force`

That will give you 0 vulnerabilities.