Package.json issue?

I saved my package.json and src from my old app on a flash drive a few months ago.

Now I created a blank app with the latest ionic version, but I got some issues with the packages.

npm install:

audited 16914 packages in 9.918s
found 6 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

npm audit:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular/cli [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular/cli > @schematics/update > pacote >                 │
│               │ make-fetch-happen > https-proxy-agent                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular/cli [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular/cli > pacote > make-fetch-happen >                  │
│               │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular/cli [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular/cli > @schematics/update > pacote >                 │
│               │ npm-registry-fetch > make-fetch-happen > https-proxy-agent   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular/cli [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular/cli > pacote > npm-registry-fetch >                 │
│               │ make-fetch-happen > https-proxy-agent                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ protractor [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ protractor > browserstack > https-proxy-agent                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Machine-In-The-Middle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ protractor [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ protractor > saucelabs > https-proxy-agent                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1184                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 6 high severity vulnerabilities in 16914 scanned packages
  6 vulnerabilities require manual review. See the full report for details.

package.json:

{
  "name": "FoodPrep",
  "version": "0.0.1",
  "author": "Ionic Framework",
  "homepage": "https://ionicframework.com/",
  "scripts": {
    "ng": "ng",
    "start": "ng serve",
    "build": "ng build",
    "test": "ng test",
    "lint": "ng lint",
    "e2e": "ng e2e"
  },
  "private": true,
  "dependencies": {
    "@angular/common": "^8.2.11",
    "@angular/core": "^8.2.11",
    "@angular/forms": "^8.2.11",
    "@angular/platform-browser": "^8.2.11",
    "@angular/platform-browser-dynamic": "^8.2.11",
    "@angular/router": "^8.2.11",
    "@ionic-native/camera": "^5.15.1",
    "@ionic-native/core": "^5.15.1",
    "@ionic-native/facebook": "^5.15.1",
    "@ionic-native/in-app-browser": "^5.15.1",
    "@ionic-native/photo-viewer": "^5.15.1",
    "@ionic-native/splash-screen": "^5.15.1",
    "@ionic-native/status-bar": "^5.15.1",
    "@ionic/angular": "^4.11.1",
    "@ionic/storage": "^2.2.0",
    "@ngx-translate/core": "^11.0.1",
    "@ngx-translate/http-loader": "^4.0.0",
    "com-sarriaroman-photoviewer": "1.2.4",
    "cordova-android": "8.1.0",
    "cordova-ios": "5.0.1",
    "cordova-plugin-camera": "4.1.0",
    "cordova-plugin-device": "^2.0.3",
    "cordova-plugin-facebook4": "6.2.0",
    "cordova-plugin-inappbrowser": "3.1.0",
    "cordova-plugin-ionic-keyboard": "^2.2.0",
    "cordova-plugin-ionic-webview": "^4.1.2",
    "cordova-plugin-splashscreen": "^5.0.3",
    "cordova-plugin-statusbar": "^2.4.3",
    "cordova-plugin-whitelist": "^1.3.4",
    "core-js": "^3.3.2",
    "rxjs": "~6.5.3",
    "tslib": "^1.10.0",
    "zone.js": "~0.9.1"
  },
  "devDependencies": {
    "@angular-devkit/architect": "~0.803.12",
    "@angular-devkit/build-angular": "~0.803.12",
    "@angular-devkit/core": "~8.3.12",
    "@angular-devkit/schematics": "~8.3.12",
    "@angular/cli": "~8.3.12",
    "@angular/compiler": "~8.2.11",
    "@angular/compiler-cli": "~8.2.11",
    "@angular/language-service": "~8.2.11",
    "@ionic/angular-toolkit": "~2.0.0",
    "@types/node": "~12.11.1",
    "@types/jasmine": "~3.4.4",
    "@types/jasminewd2": "~2.0.8",
    "codelyzer": "~5.1.2",
    "jasmine-core": "~3.5.0",
    "jasmine-spec-reporter": "~4.2.1",
    "karma": "~4.4.0",
    "karma-chrome-launcher": "~3.1.0",
    "karma-coverage-istanbul-reporter": "~2.1.0",
    "karma-jasmine": "~2.0.1",
    "karma-jasmine-html-reporter": "^1.4.2",
    "protractor": "~5.4.2",
    "ts-node": "~8.4.1",
    "tslint": "~5.20.0",
    "typescript": "~3.4.0"
  },
  "description": "An Ionic project",
  "cordova": {
    "plugins": {
      "cordova-plugin-whitelist": {},
      "cordova-plugin-statusbar": {},
      "cordova-plugin-device": {},
      "cordova-plugin-splashscreen": {},
      "cordova-plugin-ionic-webview": {},
      "cordova-plugin-ionic-keyboard": {},
      "cordova-plugin-facebook4": {
        "APP_ID": "745280435898161",
        "APP_NAME": "FoodPrep",
        "FACEBOOK_HYBRID_APP_EVENTS": "false",
        "FACEBOOK_ANDROID_SDK_VERSION": "4.40.0"
      },
      "com-sarriaroman-photoviewer": {},
      "cordova-plugin-inappbrowser": {},
      "cordova-plugin-camera": {}
    },
    "platforms": [
      "ios",
      "android"
    ]
  }
}

Can someone help me?

Thanks!

This might be an iterative process, but at least:

  • @angular/http needs to be at the same major version as the rest of @angular/*
  • typescript needs to come back to 3.5.3 at the highest

Thanks, I’ve updated the versions and the warnings have disappeared!

Incidentally, it might be worthwhile ditching @angular/http entirely. It’s obsolete and doing so might find places in your code that are still using it (if any).

That’s exactly what I did, including one more, though I forgot which one it was. Also, updating some module versions. Now it works perfectly :) Thanks!

I have the same issue:

I updated Node, NPM, and Angular, and installed ionic ($ npm install -g ionic). And then created a blank project.

And I get: “found 6 high severity vulnerabilities”.

$ npm audit fix does not fix any.

My package.json is similar to the OP’s, except a few things have not been added yet and a few items, like @ionic-native/core, are at 5.0.0, not 5.15.1.

I do not see a reference to @angular/http anywhere, and my typescript loaded at 3.4.3 (if I go above 3.5, I get a notice saying angular cli requires typescript to be between 3.4 and 3.5).

Any ideas why this might happen having just downloaded ionic and started a blank project?

Here’s the package.json:

{
  "name": "myProject",
  "version": "0.0.1",
  "author": "Ionic Framework",
  "homepage": "https://ionicframework.com/",
  "scripts": {
    "ng": "ng",
    "start": "ng serve",
    "build": "ng build",
    "test": "ng test",
    "lint": "ng lint",
    "e2e": "ng e2e"
  },
  "private": true,
  "dependencies": {
    "@angular/common": "~8.1.2",
    "@angular/compiler": "~8.1.2",
    "@angular/core": "~8.1.2",
    "@angular/forms": "~8.1.2",
    "@angular/platform-browser": "~8.1.2",
    "@angular/platform-browser-dynamic": "~8.1.2",
    "@angular/router": "~8.1.2",
    "@ionic-native/core": "^5.0.0",
    "@ionic-native/splash-screen": "^5.0.0",
    "@ionic-native/status-bar": "^5.0.0",
    "@ionic/angular": "^4.7.1",
    "core-js": "^2.5.4",
    "rxjs": "~6.5.1",
    "tslib": "^1.9.0",
    "zone.js": "~0.9.1"
  },
  "devDependencies": {
    "@angular-devkit/architect": "~0.801.2",
    "@angular-devkit/build-angular": "~0.801.2",
    "@angular-devkit/core": "~8.1.2",
    "@angular-devkit/schematics": "~8.1.2",
    "@angular/cli": "~8.1.2",
    "@angular/compiler": "~8.1.2",
    "@angular/compiler-cli": "~8.1.2",
    "@angular/language-service": "~8.1.2",
    "@ionic/angular-toolkit": "~2.0.0",
    "@types/jasmine": "~3.3.8",
    "@types/jasminewd2": "~2.0.3",
    "@types/node": "~8.9.4",
    "codelyzer": "^5.0.0",
    "jasmine-core": "~3.4.0",
    "jasmine-spec-reporter": "~4.2.1",
    "karma": "~4.1.0",
    "karma-chrome-launcher": "~2.2.0",
    "karma-coverage-istanbul-reporter": "~2.0.1",
    "karma-jasmine": "~2.0.1",
    "karma-jasmine-html-reporter": "^1.4.0",
    "protractor": "~5.4.0",
    "ts-node": "~7.0.0",
    "tslint": "~5.15.0",
    "typescript": "~3.4.3"
  },
  "description": "An Ionic project"
}

The short answer is that you shouldn’t stress about it, given what you’ve said about having recently updated node.js. The longer answer is here.

Yes, my node version is 12.12.0, and npm version is 6.11.3.

Still seems odd that there would be several high severity vulnerabilities on a fresh install. Is that expected in any ionic install?

And btw did you mean that the security vulnerabilities are not a concern, or did you mean I should follow the force-resolutions approach in the link you provided?

As I understand it, the issue goes beyond Ionic to all @angular/cli projects. The vulnerability alert just went out a few days ago, and various packages depending on https-proxy-agent haven’t reacted yet.

It happens from time to time in any sufficiently large distributed repository app, which includes anything using the node package universe. Not particularly frequent in my experience.

As I read it, the security vulnerabilities are only a concern if you are running very old node.js versions, and you aren’t, so I wouldn’t worry about it at all and just wait for upstream to patch things.

That’s very helpful info. Thank you, @rapropos.
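
A triage aid for the audit report quoted at the top of the thread, added here as an example and not part of any post: it collapses the six findings into one row per advisory, showing which top-level packages pull in https-proxy-agent, whether every path is dev-only, and which intermediate packages have to ship an update. It assumes the npm 6 `npm audit --json` layout (`advisories`, `findings`, `paths`, `dev`); `SAMPLE` and `summarizeAudit` are names made up for this example.

```javascript
// Added example: collapse an npm 6 `npm audit --json` report into one row per advisory.
// SAMPLE is constructed from the text report in this thread (paths and dev flag copied from it);
// the JSON field names (advisories, findings, paths, dev) are the npm 6 layout assumed here.
const SAMPLE = {
  advisories: {
    "1184": {
      module_name: "https-proxy-agent",
      severity: "high",
      title: "Machine-In-The-Middle",
      patched_versions: ">=3.0.0",
      url: "https://npmjs.com/advisories/1184",
      findings: [
        { dev: true, paths: [
          "@angular/cli>@schematics/update>pacote>make-fetch-happen>https-proxy-agent",
          "@angular/cli>pacote>make-fetch-happen>https-proxy-agent",
          "@angular/cli>@schematics/update>pacote>npm-registry-fetch>make-fetch-happen>https-proxy-agent",
          "@angular/cli>pacote>npm-registry-fetch>make-fetch-happen>https-proxy-agent",
          "protractor>browserstack>https-proxy-agent",
          "protractor>saucelabs>https-proxy-agent",
        ] },
      ],
    },
  },
};

function summarizeAudit(report) {
  return Object.values(report.advisories || {}).map((adv) => {
    const roots = new Set();   // top-level packages listed in package.json
    const parents = new Set(); // packages that depend directly on the vulnerable one
    let pathCount = 0;
    let devOnly = true;        // stays true only if every finding is a devDependency path
    for (const finding of adv.findings || []) {
      if (!finding.dev) devOnly = false;
      for (const path of finding.paths || []) {
        const parts = path.split(">").map((p) => p.trim());
        pathCount += 1;
        roots.add(parts[0]);
        if (parts.length > 1) parents.add(parts[parts.length - 2]);
      }
    }
    return {
      package: adv.module_name, severity: adv.severity, patchedIn: adv.patched_versions,
      pathCount, devOnly, roots: [...roots].sort(), waitingOn: [...parents].sort(),
    };
  });
}

console.log(JSON.stringify(summarizeAudit(SAMPLE), null, 2));
```

To run it on a real project, replace `SAMPLE` with the parsed output of `npm audit --json`.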