npm audit fix --force reverts [email protected] to 1.12.4 #7550

Closed
henriquemattos opened this issue Jan 11, 2022 · 2 comments

Comments

@henriquemattos

🐛 bug report

As of this moment, [email protected] is the latest release of v2, but installing it via npm install --save-dev [email protected] generates an auditing report of 55 vulnerabilities (42 low, 13 moderate), and executing npm audit fix --force reverts parcel to [email protected].

parcel % npm install [email protected]
npm WARN deprecated [email protected]: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

added 668 packages, and audited 669 packages in 27s

141 packages are looking for funding
  run `npm fund` for details

55 vulnerabilities (42 low, 13 moderate)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

and fixing the audited packages:

parcel % npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating parcel to 1.12.4,which is a SemVer major change.

🎛 Configuration (package.json)

npm init -y && npm install --save-dev [email protected]

{
  "name": "parcel",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "parcel": "^1.12.4"
  }
}

🤔 Expected Behavior

I would expect a patched version 2 to be installed, not reverted to v1.

🌍 Your Environment

Software Version(s)
Parcel 2.1.1
Node 17.3.0
npm 8.3.0
Operating System macOS Monterey 12.1
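Before letting npm audit fix --force apply a plan like the one above, the proposed fixes can be screened for downgrades and major-version jumps. This is an added example, not code from the issue, npm or parcel; it assumes the fixAvailable: { name, version, isSemVerMajor } shape of npm 7+ `npm audit --json` output and uses a constructed report, not a real one.

```javascript
// Added example, not code from the issue, npm or parcel. The `fixAvailable` shape
// ({ name, version, isSemVerMajor }) is npm 7+'s `npm audit --json` output as assumed here.

// "2.1.1" -> [2, 1, 1]; a leading "v" and any pre-release/build suffix are ignored.
function parseVersion(v) {
  return v.replace(/^[^\d]*/, "").split(/[-+]/)[0].split(".").map(Number);
}

// Negative if a < b, positive if a > b, zero if equal (major.minor.patch only).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// report: parsed `npm audit --json`; installed: { name: version } for the packages you
// care about (from package-lock.json). Returns proposed fixes that would downgrade a
// package or cross a major version, i.e. what --force would apply without asking.
function riskyFixes(report, installed) {
  const out = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    if (!fix || typeof fix !== "object") continue; // true/false name no target version
    const current = installed[fix.name];
    if (!current) continue;
    const cmp = compareVersions(fix.version, current);
    if (cmp < 0 || fix.isSemVerMajor) {
      out.push({ package: fix.name, from: current, to: fix.version,
                 downgrade: cmp < 0, semverMajor: Boolean(fix.isSemVerMajor) });
    }
  }
  return out;
}

// Constructed sample mirroring the issue: the only "fix" npm offers for a transitive
// advisory is moving parcel from 2.1.1 down to 1.12.4.
const SAMPLE_REPORT = { vulnerabilities: {
  "some-transitive-dep": { name: "some-transitive-dep", severity: "moderate", isDirect: false,
    fixAvailable: { name: "parcel", version: "1.12.4", isSemVerMajor: true } } } };

if (typeof require !== "undefined" && require.main === module) {
  console.log(riskyFixes(SAMPLE_REPORT, { parcel: "2.1.1" }));
}
```

Running npm audit fix --dry-run prints the same plan without touching node_modules, so the report can be reviewed before any --force run.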
@henriquemattos (Author)

Also, this is a problem because of issue #5943.

@devongovett (Member)

Security issues should be fixed in v2.2.1. Not sure what was up with npm audit fix, but seems like a bug in npm?
