When I run npm install in the template Laravel project, I see this:
D:\Projects\metronic\metronic_v8.0.38\laravel (main -> origin)
λ npm install
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
added 1227 packages, and audited 1485 packages in 5m
131 packages are looking for funding
  run `npm fund` for details
18 vulnerabilities (13 moderate, 5 high)
To address issues that do not require attention, run: npm audit fix
To address all issues possible (including breaking changes), run: npm audit fix --force
Some issues need review, and may require choosing a different dependency.
I'd like to connect to this thread: Vue version of Metronic 8.x.38
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@2.6.12: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
added 1122 packages, and audited 1123 packages in 3m
140 packages are looking for funding
  run `npm fund` for details
21 vulnerabilities (12 moderate, 9 high)
To address issues that do not require attention, run: npm audit fix
To address all issues possible (including breaking changes), run: npm audit fix --force
Some issues need review, and may require choosing a different dependency.
npm WARN using --force Recommended protections disabled.
npm WARN audit fix ansi-regex@5.0.0 node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
npm WARN audit fix ansi-regex@5.0.0 is a bundled dependency of
npm WARN audit fix ansi-regex@5.0.0 npm@7.24.2 at node_modules/npm
npm WARN audit fix ansi-regex@5.0.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex@5.0.0 Check for updates to the npm package.
npm WARN audit fix ansi-regex@3.0.0 node_modules/npm/node_modules/string-width/node_modules/ansi-regex
npm WARN audit fix ansi-regex@3.0.0 is a bundled dependency of
npm WARN audit fix ansi-regex@3.0.0 npm@7.24.2 at node_modules/npm
npm WARN audit fix ansi-regex@3.0.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex@3.0.0 Check for updates to the npm package.
npm WARN audit fix json-schema@0.2.3 node_modules/npm/node_modules/json-schema
npm WARN audit fix json-schema@0.2.3 is a bundled dependency of
npm WARN audit fix json-schema@0.2.3 npm@7.24.2 at node_modules/npm
npm WARN audit fix json-schema@0.2.3 It cannot be fixed automatically.
npm WARN audit fix json-schema@0.2.3 Check for updates to the npm package.
npm WARN audit fix jsprim@1.4.1 node_modules/npm/node_modules/jsprim
npm WARN audit fix jsprim@1.4.1 is a bundled dependency of
npm WARN audit fix jsprim@1.4.1 npm@7.24.2 at node_modules/npm
npm WARN audit fix jsprim@1.4.1 It cannot be fixed automatically.
npm WARN audit fix jsprim@1.4.1 Check for updates to the npm package.
npm WARN audit No fix available for quill@<=1.3.7
npm WARN audit No fix available for webpack-rtl-plugin@*
up to date, audited 1486 packages in 11s
132 packages are looking for funding
  run `npm fund` for details
# npm audit report
ansi-regex 3.0.0 || 5.0.0
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
node_modules/npm/node_modules/string-width/node_modules/ansi-regex
json-schema <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/npm/node_modules/json-schema
  jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/npm/node_modules/jsprim
nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install webpack-rtl-plugin@1.3.0, which is a breaking change
node_modules/webpack-rtl-plugin/node_modules/nth-check
  css-select <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/webpack-rtl-plugin/node_modules/css-select
  svgo 1.0.0 - 1.3.2
  Depends on vulnerable versions of css-select
  node_modules/webpack-rtl-plugin/node_modules/svgo
  postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
  Depends on vulnerable versions of svgo
  node_modules/webpack-rtl-plugin/node_modules/postcss-svgo
  cssnano-preset-default <=4.0.8
  Depends on vulnerable versions of postcss-svgo
  node_modules/webpack-rtl-plugin/node_modules/cssnano-preset-default
  cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
  Depends on vulnerable versions of cssnano-preset-default
  node_modules/webpack-rtl-plugin/node_modules/cssnano
  webpack-rtl-plugin *
  Depends on vulnerable versions of @romainberger/css-diff
  Depends on vulnerable versions of cssnano
  Depends on vulnerable versions of rtlcss
  node_modules/webpack-rtl-plugin
postcss <7.0.36
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install webpack-rtl-plugin@1.3.0, which is a breaking change
node_modules/@romainberger/css-diff/node_modules/postcss
node_modules/webpack-rtl-plugin/node_modules/rtlcss/node_modules/postcss
  @romainberger/css-diff *
  Depends on vulnerable versions of postcss
  node_modules/@romainberger/css-diff
  rtlcss <=2.6.2
  Depends on vulnerable versions of postcss
  node_modules/webpack-rtl-plugin/node_modules/rtlcss
quill <=1.3.7
Severity: moderate
Cross-site Scripting in quill - https://github.com/advisories/GHSA-4943-9vgg-gr5r
No fix available
node_modules/quill
14 moderate severity vulnerabilities
To address issues that do not require attention, run: npm audit fix
To address all issues possible (including breaking changes), run: npm audit fix --force
Some issues need review, and may require choosing a different dependency.
The same result again. Please tell me how to fix the problem. If you cannot fix it, tell me to ask for a refund. I pay for one year of support and instead of easily integrating the theme into my existing project I am waiting to fix some vulnerabilities... And the worst is that you know about them and sell themes without any fix...
Please tell me how to fix it. If you cannot fix it, tell me to ask for a refund. I take the theme because I need to finish the project. You sell the theme with vulnerabilities, and you know about them... and that's the worst... sell theme without any fix about problems...
After you run the npm audit fix, there are only warnings on moderate severity vulnerabilities left. No critical issue. To fully fix this, we have to remove the dependency plugins from package.json, which would make the application unusable. For example, the quill plugin. You may remove it if you are not using it.
Not all functions in the plugin have issues. You can check the link and view the discussion. The plugin's author will release the fixes later and we can install the patch soon.
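An added example, not part of the original thread or the theme's code: a Node.js function that sorts `npm audit --json` findings by what each one actually needs (an npm update, a plain `npm audit fix`, a `--force` breaking change, or a dependency replacement). The sample report is constructed from three packages in the audit output above, and `triageAudit` and its bucket names are hypothetical.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// cut down to three packages named in the report above.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "ansi-regex": {
      name: "ansi-regex", severity: "moderate",
      nodes: [
        "node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex",
        "node_modules/npm/node_modules/string-width/node_modules/ansi-regex",
      ],
      fixAvailable: true,
    },
    "nth-check": {
      name: "nth-check", severity: "moderate",
      nodes: ["node_modules/webpack-rtl-plugin/node_modules/nth-check"],
      fixAvailable: { name: "webpack-rtl-plugin", version: "1.3.0", isSemVerMajor: true },
    },
    quill: {
      name: "quill", severity: "moderate",
      nodes: ["node_modules/quill"],
      fixAvailable: false,
    },
  },
};

// Hypothetical helper: sort each finding by the action it actually needs.
function triageAudit(report) {
  const buckets = { bundledInNpm: [], autoFix: [], breakingFix: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    const nodes = v.nodes || [];
    const fix = v.fixAvailable;
    // Copies found only under node_modules/npm are bundled inside the npm
    // package; the output above reports that these cannot be fixed automatically.
    if (nodes.length > 0 && nodes.every((p) => p.startsWith("node_modules/npm/"))) {
      buckets.bundledInNpm.push(v.name);
    } else if (!fix) {
      buckets.noFix.push(v.name); // replace or remove the dependency
    } else if (fix === true || !fix.isSemVerMajor) {
      buckets.autoFix.push(v.name); // plain `npm audit fix`
    } else {
      // Needs --force: installs a semver-major change of another package.
      buckets.breakingFix.push(`${v.name} (via ${fix.name}@${fix.version})`);
    }
  }
  return buckets;
}

console.log(triageAudit(sampleReport));
```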
Warnings or not, it is a vulnerability. I pay for a theme without errors... I pay for everything in it. Please fix it. I hope that you will fix everything by the end of the week.
Hi, I pay for the Laravel theme without vulnerabilities. Last night I stay and try to update all plugins... I pay for the theme to save time for the project and last 10 days I can't do anything. What to say to the team? I don't want to try... I want to know how to fix it. Why are you selling the theme with vulnerabilities? Please give me a fix, step by step. I haven't time to stay without a theme. I need this to finish the project. If you cannot say. This day is Easter... I want to know the fix after it or what to tell about vulnerabilities. We want to use last technologies and plugins without any problem, if this theme is old and will not fix it we will prefer to take a refund and at the moment when you fix it, we will buy it again. Now I pay for one year of support and everything is terrible...
Sorry for the inconvenience. You could try to install npm plugins using "yarn" instead of "npm install". It seems there are no vulnerabilities noticed for yarn installation.
Install yarn globally with "npm install -g yarn", then run the "yarn" command inside laravel.
If you insist on the refund, please send a request email to support@keenthemes.com.
The "npm install" is the default installer. Yarn uses the same code... That means - if you have vulnerabilities in one of them, you have it in both. With yarn, you just hide it...
Please note that we can not control those warnings in the NPM packages. Nowadays yarn packages are actively maintained and have better support. However, your refund is approved as per your request.