Metronic8 npm install vulnerabilities

Hi,

I run npm install in the template Laravel project and I see this:
D:\Projects\metronic\metronic_v8.0.38\laravel (main -> origin)
λ npm install
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1

added 1227 packages, and audited 1485 packages in 5m

131 packages are looking for funding
run `npm fund` for details

18 vulnerabilities (13 moderate, 5 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

How do I fix these vulnerabilities?


Replies (16)

I'd like to connect to this thread.
Vue version of Metronic 8.x.38

npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@2.6.12: core-js@

I ran npm install for svgo and core-js. I have vulnerabilities again...

up to date, audited 1486 packages in 8s

132 packages are looking for funding
run `npm fund` for details

14 moderate severity vulnerabilities

To address issues that do not require attention, run:
npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

I forgot to say that these errors happen with the freshly downloaded package v.38.

How to fix them?

Hi,

Could you please try to run this command?

npm audit fix --force

Thanks

npm WARN using --force Recommended protections disabled.
npm WARN audit fix ansi-regex@5.0.0 node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
npm WARN audit fix ansi-regex@5.0.0 is a bundled dependency of
npm WARN audit fix ansi-regex@5.0.0 npm@7.24.2 at node_modules/npm
npm WARN audit fix ansi-regex@5.0.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex@5.0.0 Check for updates to the npm package.
npm WARN audit fix ansi-regex@3.0.0 node_modules/npm/node_modules/string-width/node_modules/ansi-regex
npm WARN audit fix ansi-regex@3.0.0 is a bundled dependency of
npm WARN audit fix ansi-regex@3.0.0 npm@7.24.2 at node_modules/npm
npm WARN audit fix ansi-regex@3.0.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex@3.0.0 Check for updates to the npm package.
npm WARN audit fix json-schema@0.2.3 node_modules/npm/node_modules/json-schema
npm WARN audit fix json-schema@0.2.3 is a bundled dependency of
npm WARN audit fix json-schema@0.2.3 npm@7.24.2 at node_modules/npm
npm WARN audit fix json-schema@0.2.3 It cannot be fixed automatically.
npm WARN audit fix json-schema@0.2.3 Check for updates to the npm package.
npm WARN audit fix jsprim@1.4.1 node_modules/npm/node_modules/jsprim
npm WARN audit fix jsprim@1.4.1 is a bundled dependency of
npm WARN audit fix jsprim@1.4.1 npm@7.24.2 at node_modules/npm
npm WARN audit fix jsprim@1.4.1 It cannot be fixed automatically.
npm WARN audit fix jsprim@1.4.1 Check for updates to the npm package.
npm WARN audit No fix available for quill@


npm WARN audit No fix available for quill
npm WARN audit No fix available for webpack-rtl-plugin@*

up to date, audited 1486 packages in 11s

132 packages are looking for funding
run `npm fund` for details

# npm audit report

ansi-regex 3.0.0 || 5.0.0
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
node_modules/npm/node_modules/string-width/node_modules/ansi-regex

json-schema

The errors finish with

Severity: moderate
Cross-site Scripting in quill - https://github.com/advisories/GHSA-4943-9vgg-gr5r
No fix available
node_modules/quill

14 moderate severity vulnerabilities

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Please tell me how to fix it. If you cannot fix it, tell me to ask for a refund. I took the theme because I need to finish the project. You sell the theme with vulnerabilities, and you know about them.... and that's the worst... selling the theme without any fix for the problems...

Hi,

After you run npm audit fix, only warnings about moderate severity vulnerabilities are left. No critical issue. To fully fix this, we would have to remove the dependency plugins from package.json, which would make the application unusable. For example, the quill plugin. You may remove it if you are not using it.

Not all functions in the plugin have issues. You can check the link and view the discussion. The plugin's author will release the fixes later and we can install the patch soon.

Thanks

Any progress with the problem?

Warnings or not, it is a vulnerability. I paid for a theme without errors... I paid for everything in it. Please fix it :) I hope that you will fix everything by the end of the week :)

Hi,

The warnings come from the 3rd party plugins. We cannot change them inside the plugins unless we remove the npm plugin.

You could try to install those npm plugins using "yarn".

Install yarn globally with "npm install -g yarn", then run the "yarn" command inside the laravel folder.

Thanks

Hi :)
I paid for the Laravel theme without vulnerabilities.
Last night I stayed up and tried to update all the plugins...
I paid for the theme to save time on the project, and for the last 10 days I can't do anything. What do I say to the team?
I don't want to try... I want to know how to fix it. Why are you selling the theme with vulnerabilities?
Please give me a fix, step by step.
I don't have time to stay without a theme. I need this to finish the project. If you cannot say, fine. Today is Easter... I want to know the fix after it, or what to tell about the vulnerabilities. We want to use the latest technologies and plugins without any problem; if this theme is old and you will not fix it, we would prefer to take a refund, and the moment you fix it we will buy it again. Now I have paid for one year of support and everything is terrible...

Hi,

Sorry for the inconvenience.
You could try to install the npm plugins using "yarn" instead of "npm install". It seems no vulnerabilities are reported for the yarn installation.

Install yarn globally with "npm install -g yarn", then run the "yarn" command inside the laravel folder.

If you insist on the refund, please send a request email to support@keenthemes.com.

Thanks

"npm install" is the default installer. Yarn uses the same code...
That means that if you have vulnerabilities in one of them, you have them in both. With yarn, you just hide them...

Hi,

Please note that we cannot control those warnings in the NPM packages. Nowadays yarn packages are actively maintained and have better support. However, your refund is approved as per your request.


Regards.
