Expo npm package vulnerabilities not fixable


I've been trying to fix the vulnerabilities of a few packages in my React Native Expo project for a few hours now, but nothing seems to work.

I've tried npm update, npm audit fix --force, npm update dep@latest, changing the version of the dependency with vulnerabilities to the version and running npm i, removing package-lock, etc. But nothing works. My npm audit report looks like this:

# npm audit report

qs  6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/qs
  body-parser  1.19.0
  Depends on vulnerable versions of qs
  node_modules/body-parser
    @expo/dev-server  *
    Depends on vulnerable versions of body-parser
    node_modules/@expo/dev-server
      @expo/cli  >=0.1.0
      Depends on vulnerable versions of @expo/dev-server
      node_modules/expo/node_modules/@expo/cli
        expo  >=45.0.0-beta.1
        Depends on vulnerable versions of @expo/cli
        node_modules/expo

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

After I run npm audit fix --force again it looks like this:

# npm audit report

node-fetch  <=2.6.6
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/isomorphic-fetch/node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    fbjs  0.7.0 - 1.0.0
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/fbemitter/node_modules/fbjs
      fbemitter  2.0.3 - 3.0.0-alpha.1
      Depends on vulnerable versions of fbjs
      node_modules/fbemitter
        expo  14.0.0 - 44.0.6
        Depends on vulnerable versions of fbemitter
        node_modules/expo

5 vulnerabilities (4 low, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

This seems weird to me because it shows different dependencies, and when I run it again it shows the first dependencies again.


There is 1 answer

Gentrit On

Hello, I'm having the same issue. The only way I fixed it was by forcing an update of the qs in node_modules. So I updated it with another library, https://www.npmjs.com/package/npm-force-resolutions, but it's not recommended to do it this way; if you found another way, please tell.
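A note on the reports above: the first one flags expo >=45.0.0-beta.1 (through @expo/cli) and the second flags expo 14.0.0 - 44.0.6 (through fbemitter). The two ranges do not overlap, so each `npm audit fix --force` run is moving expo from one range into the other and the report alternates between the two chains. The supported way to pin a transitive package without npm-force-resolutions is the "overrides" field in package.json (npm 8.3 or later). The script below is an added example, not code from the question or the answer: it takes the JSON form of the audit (`npm audit --json`, whose npm 7+ shape with `via`, `effects` and `isDirect` fields is assumed here), follows each advisory up to the top-level dependency that pulls it in, and emits the matching "overrides" object. The audit document inside it is constructed from the two text reports in the question and merged into one for illustration; the pin versions 6.7.3 and 2.6.7 are an assumption, chosen as the first versions outside the vulnerable ranges the reports print (6.7.0 - 6.7.2 and <=2.6.6), and should be checked against the linked advisories before use.

```javascript
// Added example (not from the question or the answer): turn `npm audit --json`
// output into package.json "overrides" entries that pin a vulnerable transitive
// package beneath the top-level dependency that pulls it in.
// Assumed input shape: npm 7+ audit JSON (vulnerabilities[name].via/effects/isDirect).
// SAMPLE_AUDIT is constructed from the two text reports in the question.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    qs: { name: "qs", isDirect: false, range: "6.7.0 - 6.7.2",
      via: [{ name: "qs", severity: "high", title: "qs vulnerable to Prototype Pollution",
              url: "https://github.com/advisories/GHSA-hrpp-h998-j3pp" }],
      effects: ["body-parser"] },
    "body-parser": { name: "body-parser", isDirect: false, range: "1.19.0",
      via: ["qs"], effects: ["@expo/dev-server"] },
    "@expo/dev-server": { name: "@expo/dev-server", isDirect: false, range: "*",
      via: ["body-parser"], effects: ["@expo/cli"] },
    "@expo/cli": { name: "@expo/cli", isDirect: false, range: ">=0.1.0",
      via: ["@expo/dev-server"], effects: ["expo"] },
    "node-fetch": { name: "node-fetch", isDirect: false, range: "<=2.6.6",
      via: [{ name: "node-fetch", severity: "high",
              title: "The `size` option isn't honored after following a redirect in node-fetch",
              url: "https://github.com/advisories/GHSA-w7rc-rwvf-8q5r" },
            { name: "node-fetch", severity: "low",
              title: "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor",
              url: "https://github.com/advisories/GHSA-r683-j2x4-v87g" }],
      effects: ["isomorphic-fetch"] },
    "isomorphic-fetch": { name: "isomorphic-fetch", isDirect: false, range: "2.0.0 - 2.2.1",
      via: ["node-fetch"], effects: ["fbjs"] },
    fbjs: { name: "fbjs", isDirect: false, range: "0.7.0 - 1.0.0",
      via: ["isomorphic-fetch"], effects: ["fbemitter"] },
    fbemitter: { name: "fbemitter", isDirect: false, range: "2.0.3 - 3.0.0-alpha.1",
      via: ["fbjs"], effects: ["expo"] },
    expo: { name: "expo", isDirect: true, range: "*",
      via: ["@expo/cli", "fbemitter"], effects: [] },
  },
};

// Assumed safe versions: the first releases past the vulnerable ranges in the
// reports. Verify against the advisories before committing these.
const PINS = { qs: "6.7.3", "node-fetch": "2.6.7" };

// Packages that carry an advisory of their own (`via` holds advisory objects),
// as opposed to packages flagged only because they depend on a vulnerable one.
function advisoryPackages(audit) {
  return Object.values(audit.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => v.name);
}

// Walk `effects` upward until a top-level dependency (isDirect) or a package
// nothing else depends on. The visited set guards against cycles in the graph.
function rootsOf(audit, name) {
  const vulns = audit.vulnerabilities;
  const roots = new Set();
  const seen = new Set();
  const stack = [name];
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur)) continue;
    seen.add(cur);
    const entry = vulns[cur];
    if (!entry) continue; // name referenced but absent from the report
    if (entry.isDirect || entry.effects.length === 0) { roots.add(cur); continue; }
    stack.push(...entry.effects);
  }
  return [...roots].sort();
}

// Build { overrides, unpinned }. A package with an advisory but no entry in
// `pins` is reported in `unpinned` rather than silently dropped. When a root
// is itself pinned and also shelters another pinned package, npm's "." key
// carries the root's own version alongside the nested override.
function buildOverrides(audit, pins) {
  const overrides = {};
  const unpinned = [];
  for (const pkg of advisoryPackages(audit)) {
    const version = pins[pkg];
    if (!version) { unpinned.push(pkg); continue; }
    for (const root of rootsOf(audit, pkg)) {
      if (root === pkg) {
        overrides[root] = typeof overrides[root] === "object"
          ? { ".": version, ...overrides[root] } : version;
        continue;
      }
      if (typeof overrides[root] === "string") overrides[root] = { ".": overrides[root] };
      overrides[root] = overrides[root] || {};
      overrides[root][pkg] = version;
    }
  }
  return { overrides, unpinned };
}

console.log(JSON.stringify(buildOverrides(SAMPLE_AUDIT, PINS), null, 2));
```

Paste the resulting "overrides" object into package.json, delete node_modules and package-lock.json, run `npm install`, and then `npm audit` again to confirm the chains are gone. The pins stay on the same minor lines as the versions body-parser and isomorphic-fetch already declare, which is the point of choosing the nearest safe release: an override that jumps a major version can break the package that depends on it just as `npm audit fix --force` does.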