
Currently, we are creating a clone application of the Amazon site using Node.js and Vue.js.
When I ran npm i mongoose, the following error message was displayed.

Error message
+ [email protected]
removed 36 packages, updated 1 package and audited 924897 packages in 25.49s
10 packages are looking for funding
  run `npm fund` for details
found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
Applicable source code
=== npm audit security report ===

┌────────────────────────────────────────────────────────────┐
│                       Manual Review                        │
│   Some vulnerabilities require your attention to resolve   │
│                                                            │
│ Visit https://go.npm.me/audit-guide for additional guidance│
└────────────────────────────────────────────────────────────┘

┌───────────────┬────────────────────────────────────────────┐
│ Low           │ Denial of Service                          │
├───────────────┼────────────────────────────────────────────┤
│ Package       │ mem                                        │
├───────────────┼────────────────────────────────────────────┤
│ Patched in    │ >= 4.0.0                                   │
├───────────────┼────────────────────────────────────────────┤
│ Dependency of │ npm                                        │
├───────────────┼────────────────────────────────────────────┤
│ Path          │ npm>libnpx>yargs>os-locale>mem             │
├───────────────┼────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1084          │
└───────────────┴────────────────────────────────────────────┘

found 1 low severity vulnerability in 924897 scanned packages
  1 vulnerability requires manual review. See the full report for details.

The above output was obtained by running the commands npm audit and npm audit fix. Since "Denial of Service" was displayed, I judged that the service had been stopped, and I tried npm uninstall mem and also ncu / ncu -u to solve the problem, but the problem was not solved.
I also referred to here, but it has not been resolved.

Supplemental information (FW/tool version etc.)

npm -v -> 6.13.1

  • Answer # 1

      

    Denial of service is displayed and it is determined that the service has been stopped

    This judgment is wrong. npm audit is a tool for detecting vulnerabilities, so some of the vulnerabilities it reports are difficult to trigger.

    And npm update may fix it by installing a newer version, but it may not be resolved if the library pins the old version.

    In the first place, npm is not normally invoked from outside, so even if there is a DoS vulnerability, the risk of it actually being affected is low. If npm update does not solve it, you can leave it alone.