Npm install gives warnings, npm audit fix not working

I am working on an angular app with a .net core web api.

When I cloned this repository, I tried to run npm install on the angular application, but I got a strange error:

npm install
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 34090 packages in 14.711s
found 15 vulnerabilities (9 low, 6 high)
  run `npm audit fix` to fix them, or `npm audit` for details 

Also, if I try to do npm audit fix, I get even more errors:

npm audit fix
npm ERR! code ELOCKVERIFY
npm ERR! Errors were found in your package-lock.json, run  npm install  to fix them.
npm ERR!     Invalid: lock file's @progress/kendo-theme-default@file:https:/registry.npmjs.org/@progress/kendo-theme-default/-/kendo-theme-default-2.48.1.tgz does not satisfy @progress/kendo-theme-default@file:lib/kendo-theme-default
npm ERR!     Invalid: lock file's bootstrap@file:https:/registry.npmjs.org/bootstrap/-/bootstrap-4.0.0.tgz does not satisfy bootstrap@file:lib/bootstrap

How can I resolve this?

Oftentimes, this is related to package-lock.json messing up. I would suggest trying to:

1 - Delete your package-lock.json

2 - Delete your node_modules folder

3 - Try npm install again

This used to fix several issues when adding new packages in my angular apps.

Good luck!
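Before deleting package-lock.json as this answer suggests, it is worth seeing exactly which entries npm is objecting to and what the lock still pins, because the lock is also what guarantees that everyone installs the same resolved tarballs. The following is an added example, not the answerer's code or npm's own: a small Node check that compares package.json against an npm 6 (lockfileVersion 1) package-lock.json. It assumes that lockfile layout (a top-level `dependencies` map with `version`, `resolved` and `integrity` per entry), and the two sample documents are constructed to reproduce the ELOCKVERIFY situation from the question: local `file:` dependencies that the lock has recorded as registry tarballs, plus one registry entry without an integrity hash.

```javascript
// Added example, not code from the question or any answer: a consistency check
// between package.json and an npm 6 (lockfileVersion 1) package-lock.json.
// Field names follow that lockfile format; the two sample documents below are
// constructed to reproduce the ELOCKVERIFY situation from the question.

const SAMPLE_PACKAGE = {
  dependencies: {
    bootstrap: 'file:lib/bootstrap',
    '@progress/kendo-theme-default': 'file:lib/kendo-theme-default',
    rxjs: '^6.0.0',
  },
  devDependencies: { typescript: '~2.7.0' },
};

const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    // Locked as registry tarballs although package.json wants local paths.
    bootstrap: { version: 'file:https:/registry.npmjs.org/bootstrap/-/bootstrap-4.0.0.tgz' },
    '@progress/kendo-theme-default': {
      version: 'file:https:/registry.npmjs.org/@progress/kendo-theme-default/-/kendo-theme-default-2.48.1.tgz',
    },
    rxjs: {
      version: '6.2.1',
      resolved: 'https://registry.npmjs.org/rxjs/-/rxjs-6.2.1.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER', // constructed, not a real hash
    },
    // Registry entry with no integrity hash: nothing pins the tarball content.
    typescript: { version: '2.7.2', resolved: 'https://registry.npmjs.org/typescript/-/typescript-2.7.2.tgz' },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Simplified semver check for exact, ^ and ~ specs (enough for the ranges seen
// on this page; pre-release tags, "x" wildcards and "||" ranges are not handled).
function satisfies(version, spec) {
  const op = /^[\^~]/.test(spec) ? spec[0] : '';
  const v = parseVersion(version);
  const base = parseVersion(op ? spec.slice(1) : spec);
  if (!v || !base) return false;
  if (op === '') return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  if (op === '~' || base[0] === 0) return v[0] === base[0] && v[1] === base[1];
  return v[0] === base[0];
}

// Returns a list of { name, level, msg }; level is 'error' (npm would refuse to
// verify the lock) or 'warn' (lock is usable but weaker than it should be).
function checkLock(pkg, lock) {
  const problems = [];
  const specs = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  const locked = (lock && lock.dependencies) || {};

  for (const [name, spec] of Object.entries(specs)) {
    const entry = locked[name];
    if (!entry) {
      problems.push({ name, level: 'error', msg: 'no entry in package-lock.json' });
      continue;
    }
    if (spec.startsWith('file:')) {
      // A local-path dependency is locked with that same path as its version.
      if (entry.version !== spec) {
        problems.push({ name, level: 'error', msg: `lock has ${entry.version}, package.json wants ${spec}` });
      }
      continue;
    }
    if (!satisfies(entry.version, spec)) {
      problems.push({ name, level: 'error', msg: `locked ${entry.version} does not satisfy ${spec}` });
    }
    if (!entry.integrity) {
      problems.push({ name, level: 'warn', msg: 'registry entry has no integrity hash' });
    }
  }
  return problems;
}

for (const p of checkLock(SAMPLE_PACKAGE, SAMPLE_LOCK)) {
  console.log(`${p.level.toUpperCase()} ${p.name}: ${p.msg}`);
}
```

To run it against a real project, replace the two constants with `JSON.parse(fs.readFileSync('package.json'))` and the same for package-lock.json. Entries reported as errors are the ones npm's lock verification trips over; entries reported as warnings install fine but give the lock no way to detect a tampered tarball, which is the other reason to regenerate the lock deliberately rather than just delete it.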

Auditing package dependencies for security vulnerabilities: npm audit automatically runs when you install a package with npm install. Running npm audit will produce a report of security vulnerabilities with the affected may be semver-breaking changes; for more information, see "SEMVER warnings".) If you do not want to fix the vulnerability or update the dependent package

This isn't a fix for npm, but it worked for me for now:

1 - Do the npm audit suggestions that aren't npm updates

2 - Delete package-lock.json

3 - Delete the node_modules folder (I didn't have to clear my npm cache, but if you continue to run into issues, you may want to look into that)

4 - Run npm install again

I used the command:

npm audit fix --force

and after I run:

$ npm install
npm WARN assets No description

audited 7779 packages in 3.914s
found 0 vulnerabilities

The npm Blog, have been found to be vulnerable and may carry a significant risk without proper security auditing of your project's dependencies.

Try running npm audit fix, which will still leave you with some warnings which can be fixed with npm audit fix --force. There is one last issue that needs to be manually fixed. --force won't fix it, but if you run npm audit fix again, it will allow you to scroll & update the package manually.

The best thing I recently learned was to install npm-check-updates. It does everything automatically.

Run ncu for the list; in my case it was this:

 $ ncu

 babel-core           ^6.26.0  →  ^6.26.3
 babel-loader          ^7.1.5  →   ^8.0.6
 babel-preset-env      ^1.6.1  →   ^1.7.0
 copy-webpack-plugin   ^4.6.0  →   ^5.0.5
 style-loader         ^0.20.2  →   ^1.0.1
 webpack                4.0.0  →   4.41.2

then run ncu -u to upgrade automatically.

10 npm Security Best Practices, Scan your project for vulnerabilities and automatically install any compatible

Have audit fix install semver-major updates to toplevel dependencies, not just npm install – so things like npm audit fix --package-lock-only will work as expected.

Looks like it's working to me, most of those warnings you can ignore. It's odd that it's warning you about rxjs though, installing @angular/cli@latest should automatically pull and install the needed version of rxjs. (nvm just saw that you are using angular ver 2) – diopside Jul 10 '18 at 16:56

npm-audit, Scroll until you find a line of text separating two issues. Manually run the command given in the text to upgrade one package at a time, e.g. npm i --save-dev jest@24.8.0. After upgrading a package make sure to check for breaking changes before upgrading the next package. Avoid running npm audit fix --force.

Looks like npm's own proxy config breaks npm audit. Side note: I am not sure if that has something to do with it and I cannot test it, but I have a different registry (artifactory) configured in /usr/etc/npmrc which does not support npm audit, so I do npm set registry https://registry.npmjs.org before npm audit.

NPM Audit Fix: Fixing NPM Dependencies Vulnerabilities

`npm audit`: identify and fix insecure dependencies. Last month, we announced npm@6, which includes a powerful new tool to protect the safety of your code, npm audit. Together with new automatic alerts when a user installs code with a known security risk, audit is a dramatic step to ensure the quality and integrity of the code you use, and

Here is an example of running npm audit against your-fantastic-app: We've also built in a summary security report into npm install if vulnerabilities are We're not aware of any third-party registry clients that currently support In the longer term, prominent vulnerability warnings and actionable security

When I run npm install it says:

found 33 vulnerabilities (2 low, 31 moderate)
  run `npm audit fix` to fix them, or `npm audit` for details

However, npm audit fix outputs:

up to date in 11s
fixed 0 of 33 vulnerabilities in 24653 scanned packages
  33 vulnerabilities required manual review and could not be updated
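The answers above split audit findings into three groups: what `npm audit fix` applies on its own, what only `npm audit fix --force` applies (semver-major upgrades that can break the build), and what "required manual review and could not be updated". The following is an added example, not code from the page or from npm: a Node script that does that split over the machine-readable report from `npm audit --json`. It assumes the npm 6 report layout (an `actions` array whose entries carry `action`, `module`, `target`, `isMajor` and `resolves`, and an `advisories` map keyed by advisory id with `severity`), and the report below is constructed: the package names and advisory ids are placeholders, not real findings.

```javascript
// Added example, not code from the page: triage of an `npm audit --json`
// report in the npm 6 layout ("actions" entries with action, module, target,
// isMajor and resolves; "advisories" keyed by id). The report below is
// constructed: package names and advisory ids are placeholders, not real findings.

const SAMPLE_REPORT = {
  actions: [
    // Compatible update: `npm audit fix` applies this on its own.
    { action: 'update', module: 'lib-alpha', target: '1.4.2', isMajor: false,
      resolves: [{ id: 9001, path: 'lib-alpha', dev: false }] },
    // Semver-major upgrade: only `npm audit fix --force` applies it, and it
    // may break the build, so it is worth reviewing first.
    { action: 'install', module: 'lib-beta', target: '5.0.0', isMajor: true,
      resolves: [{ id: 9002, path: 'lib-beta', dev: false }] },
    // No fix available through a version bump: "required manual review".
    { action: 'review', module: 'lib-gamma',
      resolves: [{ id: 9003, path: 'build-tool>lib-gamma', dev: true }] },
  ],
  advisories: {
    9001: { module_name: 'lib-alpha', severity: 'low', title: 'constructed advisory A', patched_versions: '>=1.4.2' },
    9002: { module_name: 'lib-beta', severity: 'high', title: 'constructed advisory B', patched_versions: '>=5.0.0' },
    9003: { module_name: 'lib-gamma', severity: 'moderate', title: 'constructed advisory C', patched_versions: '<0.0.0' },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Highest severity among the advisories an action resolves.
function actionSeverity(report, action) {
  let worst = 'info';
  for (const r of action.resolves || []) {
    const adv = report.advisories[r.id];
    if (adv && SEVERITY_RANK[adv.severity] > SEVERITY_RANK[worst]) worst = adv.severity;
  }
  return worst;
}

// Splits the audit actions into what `npm audit fix` does automatically, what
// needs --force (semver-major), and what has no automatic fix at all.
function triage(report) {
  const buckets = { automatic: [], force: [], manual: [] };
  for (const a of report.actions || []) {
    const item = {
      module: a.module,
      target: a.target || null,
      severity: actionSeverity(report, a),
      devOnly: (a.resolves || []).every(r => r.dev === true),
    };
    if (a.action === 'review') buckets.manual.push(item);
    else if (a.isMajor) buckets.force.push(item);
    else buckets.automatic.push(item);
  }
  return buckets;
}

// CI gate in the spirit of the audit-ci tools: non-zero when any action resolves
// an advisory at or above the threshold, optionally ignoring dev-only findings.
function auditExitCode(report, threshold, ignoreDev = false) {
  for (const a of report.actions || []) {
    const devOnly = (a.resolves || []).every(r => r.dev === true);
    if (ignoreDev && devOnly) continue;
    if (SEVERITY_RANK[actionSeverity(report, a)] >= SEVERITY_RANK[threshold]) return 1;
  }
  return 0;
}

const buckets = triage(SAMPLE_REPORT);
for (const [bucket, items] of Object.entries(buckets)) {
  const text = items.map(i => `${i.module}${i.target ? '@' + i.target : ''} (${i.severity})`).join(', ');
  console.log(`${bucket}: ${text || 'none'}`);
}
console.log('exit code at threshold high:', auditExitCode(SAMPLE_REPORT, 'high'));
```

In a pipeline the report would come from `npm audit --json > audit.json` followed by `JSON.parse(fs.readFileSync('audit.json'))` in place of the constant. The `force` bucket is the list to read before ever running `--force`, and the `manual` bucket is the one the "scroll and update one package at a time" advice above applies to.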

Comments
  • Please include your error trace, not an image.
  • Okay, after looking at the error itself, what it says is that it cannot find these packages you are looking for on npm. These seem to be bootstrap and kendo ui themes. I am going to send just an idea: maybe trying to uninstall and reinstall those manually would do the trick.
  • While in OP's case it's probably fine, this course of action can backfire pretty badly otherwise. Package lock is there for a reason - it makes sure that your dependency structure is consistent between installs. If you delete it, you lose this, and your code might easily misbehave. It's also possible that it's not immediately noticeable. If you do this, make sure you have great test coverage at least.