Tags: node.js, express, axios, package-lock.json, npm-vulnerabilities

"found 1 moderate severity vulnerability" warning every time I run npm install


I am trying to install axios for a MERN app but every time I use "npm install" it gives me this:

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 241 packages in 1.113s

30 packages are looking for funding
  run `npm fund` for details

found 1 moderate severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

running "npm audit fix" shows:

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

up to date in 0.874s

30 packages are looking for funding
  run `npm fund` for details

fixed 0 of 1 vulnerability in 241 scanned packages
  1 vulnerability required manual review and could not be updated

for "npm audit":

                   === npm audit security report ===                        


                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             
                                                                            
      Visit https://go.npm.me/audit-guide for additional guidance           



Moderate        Got allows a redirect to a UNIX socket                        

  Package         got                                                           

  Patched in      >=11.8.5                                                      

  Dependency of   nodemon [dev]                                                 

  Path            nodemon > update-notifier > latest-version > package-json >   
                  got                                                           

  More info       https://github.com/advisories/GHSA-pfrx-2q88-qq97             

found 1 moderate severity vulnerability in 241 scanned packages
  1 vulnerability requires manual review. See the full report for details.

I tried updating "got" in package-lock.json by manually replacing its current version with a stable one, but then when I run npm install again, the file reverts back to its original state. I'm fairly new to this, so is that normal or am I updating the wrong way? I tried the same for update-notifier but it does the same thing. It's been days and I've tried countless other things but the warning just won't go away. I'd greatly appreciate any help. Thanks in advance.


Solution

  • do this: npm audit fix --force

    that will give you 0 vulnerabilities