Npm vulnerbilities that cannot be fixed

Why does NPM give me all these errors and ask me to review them manually??

124 packages are looking for funding
  run `npm fund` for details        

fixed 0 of 12 vulnerabilities in 1461 scanned packages
  12 vulnerabilities required manual review and could not be updated

宏誓@DESKTOP-CEOD39I MINGW64 /c/zhou_xiang/Coding Projects/codingBlocksVuetify (master)
$ npm fund
codingBlocksVuetify@1.0.0
+-- https://opencollective.com/core-js
| `-- core-js@3.14.0, core-js-compat@3.14.0
+-- https://opencollective.com/eslint
| `-- eslint@7.29.0
+-- https://github.com/sponsors/sindresorhus
| `-- is-plain-obj@3.0.0, globby@11.0.4, read-pkg-up@7.0.1, import-modules@2.1.0, parse-json@5.2.0, p-limit@2.3.0, escape-string-regexp@4.0.0, globals@13.9.0, import-fresh@3.3.0, strip-json-comments@3.1.1, type-fest@0.20.2, pify@5.0.0, boxen@5.0.1, pretty-bytes@5.6.0, camelcase@6.2.0, cli-boxes@2.2.1, get-stream@6.0.1, onetime@5.1.2, is-docker@2.2.1, normalize-url@6.0.1, query-string@6.14.1, ansi-escapes@4.3.2, figures@3.2.0, type-fest@0.21.3, make-dir@3.1.0, p-limit@3.1.0, p-map@4.0.0, yocto-queue@0.1.0, gzip-size@6.0.0
+-- https://github.com/sponsors/RubenVerborgh
| `-- follow-redirects@1.14.1
+-- https://github.com/sponsors/jonschlinkert
| `-- picomatch@2.3.0
+-- https://github.com/sponsors/feross
| `-- eslint-config-standard@16.0.3, eslint-plugin-standard@4.1.0, run-parallel@1.2.0, queue-microtask@1.2.3, buffer@5.7.1, base64-js@1.5.1, ieee754@1.2.1, safe-buffer@5.2.1
+-- https://www.patreon.com/feross
| `-- eslint-config-standard@16.0.3, eslint-plugin-standard@4.1.0, run-parallel@1.2.0, queue-microtask@1.2.3, buffer@5.7.1, base64-js@1.5.1, ieee754@1.2.1, safe-buffer@5.2.1
+-- https://feross.org/support
| `-- eslint-config-standard@16.0.3, eslint-plugin-standard@4.1.0, run-parallel@1.2.0, queue-microtask@1.2.3, buffer@5.7.1, base64-js@1.5.1, ieee754@1.2.1, safe-buffer@5.2.1
+-- https://github.com/sindresorhus/eslint-plugin-unicorn?sponsor=1
| `-- eslint-plugin-unicorn@28.0.2
+-- https://github.com/sponsors/ljharb
| `-- array-includes@3.1.3, array.prototype.flat@1.2.4, is-core-module@2.4.0, object.values@1.1.4, resolve@1.20.0, call-bind@1.0.2, es-abstract@1.18.3, get-intrinsic@1.1.1, is-string@1.0.6, es-to-primitive@1.2.1, has-symbols@1.0.2, is-callable@1.2.3, is-negative-zero@2.0.1, is-regex@1.1.3, object-inspect@1.10.3, object.assign@4.1.2, string.prototype.trimend@1.0.4, string.prototype.trimstart@1.0.4, unbox-primitive@1.0.1, is-date-object@1.0.4, is-symbol@1.0.4, has-bigints@1.0.1, which-boxed-primitive@1.0.2, is-bigint@1.0.2, is-boolean-object@1.1.1, is-number-object@1.0.5, qs@6.10.1, side-channel@1.0.4, util.promisify@1.0.1, object.getownpropertydescriptors@2.1.2
+-- https://opencollective.com/typescript-eslint
| `-- @typescript-eslint/experimental-utils@4.27.0, @typescript-eslint/scope-manager@4.27.0, @typescript-eslint/types@4.27.0, @typescript-eslint/typescript-estree@4.27.0, @typescript-eslint/visitor-keys@4.27.0
+-- https://github.com/sponsors/mysticatea
| `-- eslint-utils@3.0.0, eslint-plugin-es@3.0.1, eslint-utils@2.1.0, regexpp@3.2.0, vue-eslint-parser@7.6.0
+-- https://opencollective.com/babel
| `-- @babel/core@7.14.6
+-- https://opencollective.com/browserslist
| `-- browserslist@4.16.6, caniuse-lite@1.0.30001238
+-- https://opencollective.com/webpack
| `-- eslint-webpack-plugin@2.5.4, schema-utils@3.0.0, sass-loader@10.2.0, file-loader@6.2.0, css-loader@4.3.0, terser-webpack-plugin@4.2.3, thread-loader@3.0.4, url-loader@4.1.1, webpack@4.46.0, webpack-dev-middleware@4.3.0, schema-utils@2.7.1
+-- https://github.com/sponsors/epoberezkin
| `-- ajv@6.12.6, ajv@8.6.0
+-- https://github.com/sponsors/johnleider
| `-- vuetify@2.5.4
+-- https://github.com/chalk/chalk?sponsor=1
| `-- chalk@4.1.1
+-- https://github.com/chalk/ansi-styles?sponsor=1
| `-- ansi-styles@4.3.0
+-- https://github.com/sponsors/isaacs
| `-- rimraf@3.0.2, glob@7.1.7
+-- https://github.com/chalk/slice-ansi?sponsor=1
| `-- slice-ansi@4.0.0
+-- https://github.com/chalk/wrap-ansi?sponsor=1
| `-- wrap-ansi@7.0.0
+-- https://github.com/sindresorhus/execa?sponsor=1
| `-- execa@5.1.1
+-- https://github.com/sponsors/fb55
| `-- css-select@4.1.3, css-what@5.0.1, domelementtype@2.2.0, css-what@3.4.2, htmlparser2@6.1.0       
+-- https://github.com/fb55/domhandler?sponsor=1
| `-- domhandler@4.2.0
+-- https://github.com/fb55/domutils?sponsor=1
| `-- domutils@2.7.0
+-- https://github.com/fb55/nth-check?sponsor=1
| `-- nth-check@2.0.0
+-- https://github.com/cheeriojs/dom-serializer?sponsor=1
| `-- dom-serializer@1.3.2
+-- https://github.com/fb55/entities?sponsor=1
| `-- entities@2.2.0
+-- https://opencollective.com/ua-parser-js
| `-- ua-parser-js@0.7.28
+-- https://paypal.me/faisalman
| `-- ua-parser-js@0.7.28
+-- https://opencollective.com/postcss/
| `-- postcss@7.0.36, postcss-load-config@2.1.2
+-- https://github.com/avajs/find-cache-dir?sponsor=1
| `-- find-cache-dir@3.3.1
+-- https://github.com/sponsors/wooorm
| `-- vendors@1.0.4
+-- https://github.com/fb55/htmlparser2?sponsor=1
| `-- htmlparser2@6.1.0
+-- https://tidelift.com/funding/github/npm/autoprefixer
| `-- autoprefixer@9.8.6
`-- https://github.com/sindresorhus/mem?sponsor=1
  `-- mem@8.1.1

I deleted package.lock.json file as well as node modules folder and run npm install again

Here’s what is being shown now:

                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           


  Moderate        Regular expression denial of service                          

  Package         glob-parent                                                   

  Patched in      >=5.1.2                                                       

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/builder > @nuxt/webpack > webpack > watchpack >  
                  watchpack-chokidar2 > chokidar > glob-parent                  

  More info       https://npmjs.com/advisories/1751                             


  Moderate        Regular expression denial of service                          

  Package         glob-parent                                                   

  Patched in      >=5.1.2                                                       

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/webpack > webpack > watchpack >                  
                  watchpack-chokidar2 > chokidar > glob-parent                  

  More info       https://npmjs.com/advisories/1751                             


  High            Denial of Service                                             

  Package         css-what                                                      

  Patched in      >=5.0.1                                                       

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/builder > @nuxt/webpack > cssnano >              
                  cssnano-preset-default > postcss-svgo > svgo > css-select >   
                  css-what                                                      

  More info       https://npmjs.com/advisories/1754                             


  High            Denial of Service                                             

  Package         css-what                                                      

  Patched in      >=5.0.1                                                       

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/webpack > cssnano > cssnano-preset-default >     
                  postcss-svgo > svgo > css-select > css-what                   

  More info       https://npmjs.com/advisories/1754                             


  High            Denial of Service                                             

  Package         css-what                                                      

  Patched in      >=5.0.1                                                       

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/builder > @nuxt/webpack >                        
                  optimize-css-assets-webpack-plugin > cssnano >                
                  cssnano-preset-default > postcss-svgo > svgo > css-select >   
                  css-what                                                      

  More info       https://npmjs.com/advisories/1754                             


  High            Denial of Service                                             

  Package         css-what                                                      

  Patched in      >=5.0.1                                                       

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/webpack > optimize-css-assets-webpack-plugin >   
                  cssnano > cssnano-preset-default > postcss-svgo > svgo >      
                  css-select > css-what                                         

  More info       https://npmjs.com/advisories/1754                             


  High            Regular Expression Denial of Service                          

  Package         normalize-url                                                 

  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                   

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/builder > @nuxt/webpack > cssnano >              
                  cssnano-preset-default > postcss-normalize-url >              
                  normalize-url                                                 

  More info       https://npmjs.com/advisories/1755                             


  High            Regular Expression Denial of Service                          

  Package         normalize-url                                                 

  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                   

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/webpack > cssnano > cssnano-preset-default >     
                  postcss-normalize-url > normalize-url                         

  More info       https://npmjs.com/advisories/1755                             


  High            Regular Expression Denial of Service                          

  Package         normalize-url                                                 

  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                   

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/builder > @nuxt/webpack >                        
                  optimize-css-assets-webpack-plugin > cssnano >                
                  cssnano-preset-default > postcss-normalize-url >              
                  normalize-url                                                 

  More info       https://npmjs.com/advisories/1755                             


  High            Regular Expression Denial of Service                          

  Package         normalize-url                                                 

  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                   

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/webpack > optimize-css-assets-webpack-plugin >   
                  cssnano > cssnano-preset-default > postcss-normalize-url >    
                  normalize-url                                                 

  More info       https://npmjs.com/advisories/1755                             


  High            Regular Expression Denial of Service                          

  Package         normalize-url                                                 

  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                   

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/builder > @nuxt/webpack >                        
                  extract-css-chunks-webpack-plugin > normalize-url             

  More info       https://npmjs.com/advisories/1755                             


  High            Regular Expression Denial of Service                          

  Package         normalize-url                                                 

  Patched in      >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                   

  Dependency of   nuxt                                                          

  Path            nuxt > @nuxt/webpack > extract-css-chunks-webpack-plugin >    
                  normalize-url                                                 

  More info       https://npmjs.com/advisories/1755                             

found 12 vulnerabilities (2 moderate, 10 high) in 1461 scanned packages
  12 vulnerabilities require manual review. See the full report for details.

It is asking you to review them manually so that you can decide whether it’s an issue or not. They are dependencies of dependencies of a build tool, so probably all fine.

Specifically, means nuxt needs it’s dependencies updating: if the nuxt developers have updated them and released a new version, then you would update your nuxt dependency. Or you could fix it and submit a PR. Or you could patch your package to update the dependencies.

1 Like

Thanks for the reply. After checking it seems there are 3 packages are causing me issue:

  1. glob-parent
  2. css-what
  3. normalize-url

Here are the versions of those dependencies:

  "dependencies": {
    "@nuxtjs/axios": "^5.13.6",
    "core-js": "^3.14.0",
    "css-what": "^5.0.1",
    "glob-parent": "^6.0.0",
    "normalize-url": "^6.0.1",
    "nuxt": "^2.15.7"
  },

after manually install glob-parent again, the error went from high to moderate.
But the last two packages’ error message did not change at all. I did install the latest version of them… So…


So you need to either do nothing (it might not matter: this is entirely up to you to decide, if any of those are just build time tools for example then for it matter?). Or if it’s really important that you don’t have any packages that might have security vulnerabilities, then you either fix the packages yourself and PR the fixes, or you patch the packages yourself (updating the dependencies and fixing anything that breaks as a result), locally (using patch-package or similar)

I see. Thanks…

The reason I was doing this cos I was trying to install something…
And now I forget why those warnings interrupted me from doing work… :disappointed_relieved:

1 Like