My project's package.json dependencies:
"dependencies": {
"@babel/cli": "^7.0.0-beta.51",
"@babel/core": "^7.0.0-beta.51",
"@babel/preset-env": "^7.0.0-beta.51",
"babel-loader": "^8.0.0-beta.4",
"babel-plugin-add-module-exports": "^1.0.0",
"babel-plugin-istanbul": "^5.1.0",
"babel-preset-env": "^7.0.0-beta.3",
"babel-register": "^7.0.0-beta.3",
"build": "^0.1.4",
"jsdom": "^14.0.0",
"jsdom-global": "3.0.2",
"moment": "^2.24.0",
"nyc": "^13.1.0",
"rimraf": "^2.6.3",
"webpack": "^4.12.2",
"webpack-cli": "^3.0.8",
"yargs": "^13.2.2"
},
When I run "npm i", I still see:
audited 14173 packages in 5.084s
found 6 vulnerabilities (4 low, 1 moderate, 1 critical)
run `npm audit fix` to fix them, or `npm audit` for details
When I run "npm audit":
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Denial of Service
Package js-yaml
Patched in >=3.13.0
Dependency of build
Path build > jxLoader > js-yaml
More info https://npmjs.com/advisories/788
Critical Deserialization Code Execution
Package js-yaml
Patched in >= 2.0.5
Dependency of build
Path build > jxLoader > js-yaml
More info https://npmjs.com/advisories/16
Low Incorrect Handling of Non-Boolean Comparisons During
Minification
Package uglify-js
Patched in >= 2.4.24
Dependency of build
Path build > uglify-js
More info https://npmjs.com/advisories/39
Low Regular Expression Denial of Service
Package uglify-js
Patched in >=2.6.0
Dependency of build
Path build > uglify-js
More info https://npmjs.com/advisories/48
Low Regular Expression Denial of Service
Package braces
Patched in >=2.3.1
Dependency of babel-register
Path babel-register > babel-core > micromatch > braces
More info https://npmjs.com/advisories/786
Low Regular Expression Denial of Service
Package timespan
Patched in No patch available
Dependency of build
Path build > timespan
More info https://npmjs.com/advisories/533
When I try to run "npm audit fix" it say:
up to date in 4.704s
fixed 0 of 6 vulnerabilities in 14173 scanned packages
6 vulnerabilities required manual review and could not be updated
I already tried to delete the "package-lock.json" file and try again, already tried to clear npm cache, and tried to update the packages manually, none of these steps seems to be working. Does anybody know how to solve this? Thanks.
I finally fixed it myself, updated all packages to the latest version manually, and removed the "build": "^0.1.4" package, since it no longer updates.