Npm audit fix and npm "synk" 0.0.02 error

Solution is to use the new npm 8.3+ "overrides" field to force a specific dependency resolution:

  "overrides": {
    "minimist": "1.2.6"
  },

npm audit gives an error around the minimist package:

# npm audit report

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/sharkdown/node_modules/minimist
  sharkdown  *
  Depends on vulnerable versions of minimist
  node_modules/sharkdown
    @mapbox/geojson-rewind  <=0.4.1
    Depends on vulnerable versions of sharkdown
    node_modules/@mapbox/geojson-rewind
      @antv/l7-source  *
      Depends on vulnerable versions of @mapbox/geojson-rewind
      node_modules/@antv/l7-source
        @antv/l7  >=2.0.0-alpha.27
        Depends on vulnerable versions of @antv/l7-layers
        Depends on vulnerable versions of @antv/l7-scene
        Depends on vulnerable versions of @antv/l7-source
        node_modules/@antv/l7
          @antv/l7plot  *
          Depends on vulnerable versions of @antv/l7
          node_modules/@antv/l7plot
        @antv/l7-layers  *
        Depends on vulnerable versions of @antv/l7-source
        node_modules/@antv/l7-layers
          @antv/l7-scene  >=2.3.10
          Depends on vulnerable versions of @antv/l7-layers
          node_modules/@antv/l7-scene

8 vulnerabilities (7 moderate, 1 critical)

To address all issues, run:
  npm audit fix
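
One way to confirm that the override removed every vulnerable copy of minimist, including the nested one under sharkdown listed in the report above. This is an added example, not part of the original issue; the function names, the lockfile contents and the sharkdown and nested minimist version numbers are constructed for illustration.

```javascript
// Added example: scan an npm v7+ lockfile ("packages" map, lockfileVersion 2/3)
// for copies of a package that fall in the range npm audit reported (<=1.2.5).
const MAX_VULNERABLE = [1, 2, 5];

// Parse "1.2.5" (ignoring any prerelease/build suffix) into [1, 2, 5].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// True when a <= b, comparing major, minor, patch in order.
function lte(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return true;
}

// Returns the install path of every copy of `name` that is at or below
// maxVulnerable. Entries with no parseable version are reported too.
function findVulnerable(lock, name, maxVulnerable) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/minimist".
    if (!path.endsWith("node_modules/" + name)) continue;
    const v = parseVersion(entry.version);
    if (v === null || lte(v, maxVulnerable)) hits.push(path);
  }
  return hits;
}

// Constructed lockfile before the override: the top-level copy is patched,
// but sharkdown still carries its own nested, vulnerable copy.
const before = { lockfileVersion: 2, packages: {
  "": { name: "example-app" },
  "node_modules/minimist": { version: "1.2.6" },
  "node_modules/sharkdown": { version: "0.1.1" },
  "node_modules/sharkdown/node_modules/minimist": { version: "0.0.5" },
}};

// Constructed lockfile after adding "overrides": { "minimist": "1.2.6" }.
const after = JSON.parse(JSON.stringify(before));
after.packages["node_modules/sharkdown/node_modules/minimist"].version = "1.2.6";

console.log("before:", findVulnerable(before, "minimist", MAX_VULNERABLE));
console.log("after: ", findVulnerable(after, "minimist", MAX_VULNERABLE));
```

To check a real project, pass the parsed contents of `package-lock.json` as `lock` after running `npm install` with the override in place.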

A clean pull of the dev branch followed by npm install gives an error on synk. Resolution: removed this dependency (it was a binary for doing synchronization).

npm verb type version
npm verb stack synk: No matching version found for synk@0.0.02.
npm verb stack     at module.exports (/usr/lib/node_modules/npm/node_modules/npm-pick-manifest/lib/index.js:209:23)
npm verb stack     at RegistryFetcher.manifest (/usr/lib/node_modules/npm/node_modules/pacote/lib/registry.js:125:24)
npm verb stack     at processTicksAndRejections (node:internal/process/task_queues:96:5)
npm verb stack     at async RegistryFetcher.resolve (/usr/lib/node_modules/npm/node_modules/pacote/lib/registry.js:57:5)
npm verb stack     at async Arborist.[extractOrLink] (/usr/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js:676:7)
npm verb stack     at async /usr/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js:606:9
npm verb cwd /home/ro/peerplays/fix-npm-audit-fix/NEX
npm verb Linux 5.13.0-41-generic
npm verb node v16.15.1
npm verb npm  v8.11.0
npm ERR! code ETARGET
npm ERR! notarget No matching version found for synk@0.0.02.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.
npm verb exit 1
npm timing npm Completed in 21730ms
npm verb unfinished npm timer reify 1655151837196
npm verb unfinished npm timer reify:unpack 1655151838556
npm verb unfinished npm timer reifyNode:node_modules/synk 1655151838563
npm verb code 1