
Metronic8 npm install vulnerabilities


Hi,

I run npm install in the template Laravel project and I see this:
D:\Projects\metronic\metronic_v8.0.38\laravel (main -> origin)
λ npm install
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1

added 1227 packages, and audited 1485 packages in 5m

131 packages are looking for funding
run `npm fund` for details

18 vulnerabilities (13 moderate, 5 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

How do I fix these vulnerabilities?



Replies (16)


I'd like to connect to this thread
vue version of metronic 8.x.38

npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@2.6.12: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

added 1122 packages, and audited 1123 packages in 3m

140 packages are looking for funding
run `npm fund` for details

21 vulnerabilities (12 moderate, 9 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.



I ran npm install svgo and core-js. I have vulnerabilities again...

up to date, audited 1486 packages in 8s

132 packages are looking for funding
run `npm fund` for details

14 moderate severity vulnerabilities

To address issues that do not require attention, run:
npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.



I forgot to say that these errors happen with the fresh downloaded package v.38



How to fix them?



Hi,

Could you please try to run this command?


npm audit fix --force


Thanks



npm WARN using --force Recommended protections disabled.
npm WARN audit fix ansi-regex@5.0.0 node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
npm WARN audit fix ansi-regex@5.0.0 is a bundled dependency of
npm WARN audit fix ansi-regex@5.0.0 npm@7.24.2 at node_modules/npm
npm WARN audit fix ansi-regex@5.0.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex@5.0.0 Check for updates to the npm package.
npm WARN audit fix ansi-regex@3.0.0 node_modules/npm/node_modules/string-width/node_modules/ansi-regex
npm WARN audit fix ansi-regex@3.0.0 is a bundled dependency of
npm WARN audit fix ansi-regex@3.0.0 npm@7.24.2 at node_modules/npm
npm WARN audit fix ansi-regex@3.0.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex@3.0.0 Check for updates to the npm package.
npm WARN audit fix json-schema@0.2.3 node_modules/npm/node_modules/json-schema
npm WARN audit fix json-schema@0.2.3 is a bundled dependency of
npm WARN audit fix json-schema@0.2.3 npm@7.24.2 at node_modules/npm
npm WARN audit fix json-schema@0.2.3 It cannot be fixed automatically.
npm WARN audit fix json-schema@0.2.3 Check for updates to the npm package.
npm WARN audit fix jsprim@1.4.1 node_modules/npm/node_modules/jsprim
npm WARN audit fix jsprim@1.4.1 is a bundled dependency of
npm WARN audit fix jsprim@1.4.1 npm@7.24.2 at node_modules/npm
npm WARN audit fix jsprim@1.4.1 It cannot be fixed automatically.
npm WARN audit fix jsprim@1.4.1 Check for updates to the npm package.
npm WARN audit No fix available for quill@<=1.3.7
npm WARN audit No fix available for webpack-rtl-plugin@*

up to date, audited 1486 packages in 11s

132 packages are looking for funding
run `npm fund` for details

# npm audit report

ansi-regex 3.0.0 || 5.0.0
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
node_modules/npm/node_modules/string-width/node_modules/ansi-regex

json-schema <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/npm/node_modules/json-schema
jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
Depends on vulnerable versions of json-schema
node_modules/npm/node_modules/jsprim

nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install webpack-rtl-plugin@1.3.0, which is a breaking change
node_modules/webpack-rtl-plugin/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/webpack-rtl-plugin/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/webpack-rtl-plugin/node_modules/svgo
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/webpack-rtl-plugin/node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/webpack-rtl-plugin/node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/webpack-rtl-plugin/node_modules/cssnano
webpack-rtl-plugin *
Depends on vulnerable versions of @romainberger/css-diff
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of rtlcss
node_modules/webpack-rtl-plugin

postcss <7.0.36
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install webpack-rtl-plugin@1.3.0, which is a breaking change
node_modules/@romainberger/css-diff/node_modules/postcss
node_modules/webpack-rtl-plugin/node_modules/rtlcss/node_modules/postcss
@romainberger/css-diff *
Depends on vulnerable versions of postcss
node_modules/@romainberger/css-diff
rtlcss <=2.6.2
Depends on vulnerable versions of postcss
node_modules/webpack-rtl-plugin/node_modules/rtlcss

quill <=1.3.7
Severity: moderate
Cross-site Scripting in quill - https://github.com/advisories/GHSA-4943-9vgg-gr5r
No fix available
node_modules/quill

14 moderate severity vulnerabilities

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

The same result again. Please tell me how to fix the problem. If you cannot fix it, tell me to ask for a refund. I paid for one year of support and instead of easily integrating the theme into my existing project I am waiting for some vulnerabilities to be fixed... And the worst is that you know about them and sell themes without any fix...



npm WARN audit No fix available for quill
npm WARN audit No fix available for webpack-rtl-plugin@*

up to date, audited 1486 packages in 11s

132 packages are looking for funding
run `npm fund` for details

# npm audit report

ansi-regex 3.0.0 || 5.0.0
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
node_modules/npm/node_modules/string-width/node_modules/ansi-regex

json-schema <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/npm/node_modules/json-schema
jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
Depends on vulnerable versions of json-schema
node_modules/npm/node_modules/jsprim

nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install webpack-rtl-plugin@1.3.0, which is a breaking change
node_modules/webpack-rtl-plugin/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/webpack-rtl-plugin/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/webpack-rtl-plugin/node_modules/svgo
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/webpack-rtl-plugin/node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/webpack-rtl-plugin/node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/webpack-rtl-plugin/node_modules/cssnano
webpack-rtl-plugin *
Depends on vulnerable versions of @romainberger/css-diff
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of rtlcss
node_modules/webpack-rtl-plugin

postcss <7.0.36
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install webpack-rtl-plugin@1.3.0, which is a breaking change
node_modules/@romainberger/css-diff/node_modules/postcss
node_modules/webpack-rtl-plugin/node_modules/rtlcss/node_modules/postcss
@romainberger/css-diff *
Depends on vulnerable versions of postcss
node_modules/@romainberger/css-diff
rtlcss <=2.6.2
Depends on vulnerable versions of postcss
node_modules/webpack-rtl-plugin/node_modules/rtlcss

quill <=1.3.7
Severity: moderate
Cross-site Scripting in quill - https://github.com/advisories/GHSA-4943-9vgg-gr5r
No fix available
node_modules/quill

14 moderate severity vulnerabilities

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.



The errors finish with

Severity: moderate
Cross-site Scripting in quill - https://github.com/advisories/GHSA-4943-9vgg-gr5r
No fix available
node_modules/quill

14 moderate severity vulnerabilities

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Please tell me how to fix it. If you cannot fix it, tell me to ask for a refund. I took the theme because I need to finish the project. You sell the theme with vulnerabilities, and you know about them.... and that's the worst... selling the theme without any fix for the problems...



Hi,

After you run npm audit fix, there are only warnings about moderate severity vulnerabilities left. No critical issue. To fully fix this, we would have to remove the dependency plugins from package.json, which would make the application unusable. For example, the quill plugin. You may remove it if you are not using it.

Not all functions in the plugin have issues. You can check the link and view the discussion. The plugin's author will release the fixes later and we can install the patch soon.

Thanks

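The reply above says the remaining advisories have to be traced back to the dependencies in package.json (quill, and the chain under webpack-rtl-plugin) before deciding what to remove or replace. The following is an added example, not code from this thread or from the Metronic project: a Node script that reads an npm 7+ `npm audit --json` report and maps each advisory to the direct dependency that pulls it in, together with the action npm is offering; `sampleAudit` is a constructed subset of the report quoted in the thread, and `fixMajor`, `directDependents`, `remediation` and `triage` are names chosen here.

```javascript
// Added example, not code from the thread or from Metronic: triage an npm 7+
// `npm audit --json` report by following each advisory's `effects` chain up to
// the direct dependency that pulls it in. `sampleAudit` is a constructed subset.
const fixMajor = { name: "webpack-rtl-plugin", version: "1.3.0", isSemVerMajor: true };
const sampleAudit = {
  vulnerabilities: {
    "nth-check": { severity: "moderate", isDirect: false, effects: ["css-select"],
      via: [{ title: "Inefficient Regular Expression Complexity in nth-check",
              url: "https://github.com/advisories/GHSA-rp65-9cf3-cjxr" }],
      fixAvailable: fixMajor },
    "css-select": { severity: "moderate", isDirect: false, via: ["nth-check"],
      effects: ["svgo"], fixAvailable: fixMajor },
    "svgo": { severity: "moderate", isDirect: false, via: ["css-select"],
      effects: ["webpack-rtl-plugin"], fixAvailable: fixMajor },
    "webpack-rtl-plugin": { severity: "moderate", isDirect: true, via: ["svgo"],
      effects: [], fixAvailable: fixMajor },
    "quill": { severity: "moderate", isDirect: true, effects: [],
      via: [{ title: "Cross-site Scripting in quill",
              url: "https://github.com/advisories/GHSA-4943-9vgg-gr5r" }],
      fixAvailable: false },
  },
};
// Direct dependencies reachable from `name` by following `effects` (its dependents).
function directDependents(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  const here = vulns[name].isDirect ? [name] : [];
  const up = vulns[name].effects.flatMap((e) => directDependents(vulns, e, seen));
  return [...new Set([...here, ...up])];
}
// Map npm's `fixAvailable` value to the action the report is actually offering.
function remediation(fix) {
  if (fix === true) return "npm audit fix";
  if (fix && fix.isSemVerMajor)
    return `npm audit fix --force (installs ${fix.name}@${fix.version}, breaking)`;
  if (fix) return `upgrade ${fix.name}@${fix.version}`;
  return "no upstream fix: remove or replace the direct dependency";
}
// One row per advisory: `via` entries that are objects are root findings,
// string entries only say "depends on a vulnerable version of ...".
function triage(report) {
  const vulns = report.vulnerabilities;
  return Object.entries(vulns).flatMap(([name, v]) =>
    v.via.filter((x) => typeof x === "object").map((adv) => ({
      package: name, severity: v.severity, url: adv.url,
      directDeps: directDependents(vulns, name), fix: remediation(v.fixAvailable),
    })));
}
for (const r of triage(sampleAudit)) console.log(`${r.package} <- ${r.directDeps}: ${r.fix}`);
```

On a real project, replace `sampleAudit` with `JSON.parse(fs.readFileSync("audit.json"))` after running `npm audit --json > audit.json`; rows whose fix is "no upstream fix" are the ones where only removing or replacing the direct dependency helps.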


Any progress with the problem?



Warnings or not, it is a vulnerability. I paid for a theme without errors... I paid for everything in it. Please fix it :) I hope that you will fix everything by the end of the week :)



Hi,

The warnings came from the 3rd party plugins. We cannot change it inside the plugin unless we remove the npm plugin.

You could try to install those npm plugins using "yarn".

Install yarn in the global "npm install -g yarn", then run the "yarn" command inside laravel.

Thanks



Hi :)
I paid for the Laravel theme without vulnerabilities.
Last night I stayed up and tried to update all plugins...
I paid for the theme to save time for the project and for the last 10 days I can't do anything. What do I say to the team?
I don't want to try... I want to know how to fix it. Why are you selling the theme with vulnerabilities?
Please give me a fix, step by step.
I don't have time to stay without a theme. I need this to finish the project. If you cannot say. Today is Easter... I want to know the fix after it, or what to tell about the vulnerabilities. We want to use the latest technologies and plugins without any problem; if this theme is old and will not be fixed we would prefer to take a refund and, at the moment when you fix it, we will buy it again. Now I paid for one year of support and everything is terrible...



Hi,

Sorry for the inconvenience.
You could try to install npm plugins using "yarn" instead of "npm install". It seems there are no vulnerabilities noticed for yarn installation.

Install yarn in the global "npm install -g yarn", then run the "yarn" command inside laravel.

If you insist on the refund, please send a request email to support@keenthemes.com.

Thanks



The "npm install" is the default installer. Yarn uses the same code...
That means if you have vulnerabilities in one of them, you have them in both. With yarn, you just hide them...



Hi,

Please note that we cannot control those warnings in the NPM packages. Nowadays yarn packages are actively maintained and have better support. However, your refund is approved as per your request.


Regards.

