Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Output with errors on npm audit fix --force #58

Open
catafest-work opened this issue Mar 31, 2022 · 0 comments
Open

Output with errors on npm audit fix --force #58

catafest-work opened this issue Mar 31, 2022 · 0 comments

Comments

@catafest-work
Copy link

I try to run this with
npm audit fix --force
... but I got errors about changes and updates.
This is the output I got with these errors:

npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating gulp-jade to 0.1.0,which is a SemVer major change.
npm WARN audit Updating gulp-mocha to 7.0.2,which is a SemVer major change.
npm WARN audit Updating gulp to 3.9.1,which is a SemVer major change.
npm WARN audit Updating gulp-zip to 4.2.0,which is a SemVer major change.
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/gulp
npm WARN   dev gulp@"3.9.1" from the root project
npm WARN
npm WARN Could not resolve dependency:
npm WARN peerOptional gulp@">=4" from [email protected]
npm WARN node_modules/gulp-mocha
npm WARN   dev gulp-mocha@"7.0.2" from the root project
npm WARN
npm WARN Conflicting peer dependency: [email protected]
npm WARN node_modules/gulp
npm WARN   peerOptional gulp@">=4" from [email protected]
npm WARN   node_modules/gulp-mocha
npm WARN     dev gulp-mocha@"7.0.2" from the root project
npm WARN deprecated [email protected]: This module relies on Node.js's internals and will break at some point. Do not use it, and update to [email protected].
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to at least constantinople 3.1.1
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: Jade has been renamed to pug, please install the latest version of pug instead of jade
npm WARN deprecated [email protected]: Deprecated, use jstransformer

added 142 packages, removed 179 packages, changed 56 packages, and audited 1539 packages in 22s

141 packages are looking for funding
  run `npm fund` for details

# npm audit report

constantinople  <=3.1.0
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
Depends on vulnerable versions of uglify-js
No fix available
node_modules/constantinople
  jade  >=0.30.0
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  Depends on vulnerable versions of with
  node_modules/jade
    gulp-jade  *
    Depends on vulnerable versions of jade
    node_modules/gulp-jade

lodash  <=4.17.20
Severity: critical
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix`
node_modules/globule/node_modules/lodash
  globule  <=1.1.0
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of minimatch
  node_modules/globule
    gaze  0.4.0 - 1.0.0
    Depends on vulnerable versions of globule
    node_modules/gaze
      glob-watcher  <=2.0.0
      Depends on vulnerable versions of gaze
      node_modules/glob-watcher

lodash.template  <4.5.0
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/lodash.template
  gulp-util  >=1.1.0
  Depends on vulnerable versions of lodash.template
  node_modules/gulp/node_modules/gulp-util
    gulp  2.6.1 - 3.9.1
    Depends on vulnerable versions of gulp-util
    Depends on vulnerable versions of vinyl-fs
    node_modules/gulp

minimatch  <3.0.2
Severity: high
Regular Expression Denial of Service in minimatch - https://github.com/advisories/GHSA-hxm2-r34f-qmc5
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-stream/node_modules/minimatch
node_modules/globule/node_modules/minimatch
  glob  3.0.0 - 5.0.14
  Depends on vulnerable versions of minimatch
  node_modules/glob-stream/node_modules/glob
  node_modules/globule/node_modules/glob
    glob-stream  0.2.0 - 5.2.0
    Depends on vulnerable versions of glob
    Depends on vulnerable versions of minimatch
    node_modules/glob-stream
      vinyl-fs  <=1.0.0
      Depends on vulnerable versions of glob-stream
      node_modules/vinyl-fs
        gulp  2.6.1 - 3.9.1
        Depends on vulnerable versions of gulp-util
        Depends on vulnerable versions of vinyl-fs
        node_modules/gulp
  globule  <=1.1.0
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of minimatch
  node_modules/globule
    gaze  0.4.0 - 1.0.0
    Depends on vulnerable versions of globule
    node_modules/gaze
      glob-watcher  <=2.0.0
      Depends on vulnerable versions of gaze
      node_modules/glob-watcher

uglify-js  <=2.5.0
Severity: critical
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
No fix available
node_modules/transformers/node_modules/uglify-js
node_modules/uglify-js
node_modules/with/node_modules/uglify-js
  constantinople  <=3.1.0
  Depends on vulnerable versions of uglify-js
  node_modules/constantinople
    jade  >=0.30.0
    Depends on vulnerable versions of constantinople
    Depends on vulnerable versions of transformers
    Depends on vulnerable versions of with
    node_modules/jade
      gulp-jade  *
      Depends on vulnerable versions of jade
      node_modules/gulp-jade
  transformers  2.0.0 - 3.0.1
  Depends on vulnerable versions of uglify-js
  node_modules/transformers
  with  1.1.0 - 2.0.0
  Depends on vulnerable versions of uglify-js
  node_modules/with

17 vulnerabilities (7 high, 10 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant