pipas (2w ago)

I have npm vulnerabilities when I cloned my project again

How can I get rid of those vulnerabilities? npm audit doesn't work.
5 Replies
kapa.ai (2w ago)

Hi @pipas. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

----------------------

It's common to encounter npm vulnerabilities when working with Wasp projects. Based on the knowledge sources, there are a few things to note about npm vulnerabilities in Wasp projects:

1. These vulnerabilities are often coming from dependencies that Wasp uses internally. In several examples from the knowledge sources, npm audit reports vulnerabilities after installation of packages.
2. The Wasp framework dictates exact versions of certain packages, and you're not allowed to modify these versions yourself. As mentioned in the documentation: "if Wasp is already internally using a certain dependency (e.g. React) with a certain version specified, you are not allowed to define that same npm dependency yourself while specifying a different version." (Project Dependencies)
3. Some of these vulnerabilities might be coming from packages that Wasp depends on, such as those from Create React App (CRA), as noted in one of the issues where deprecation warnings were traced back to react-scripts.

Unfortunately, the knowledge sources don't provide a specific solution for resolving these vulnerabilities in Wasp projects. The npm audit fix command is mentioned in some of the logs, but there's no confirmation that it's safe to use in Wasp projects given the version constraints.

The Wasp team is aware of dependency issues and is working on restructuring to solve some of these quirks, as mentioned in the documentation: "We are currently working on a restructuring that will solve this and some other quirks: check issue #734 to follow our progress."

If you're concerned about these vulnerabilities, you might want to:

1. Check if there's a newer version of Wasp available that might have updated dependencies
2. Reach out to the Wasp community or create an issue on their GitHub repository for specific guidance on your particular vulnerabilities

Since Wasp controls many of the dependencies, resolving these vulnerabilities might not be fully in your control as a user of the framework.

----------------------

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

----------------------

Sorry @pipas, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
Vinny (@Wasp) (2w ago)
Hey @pipas did the bot answer your question?
pipas (OP, 7d ago)
no
Vinny (@Wasp) (7d ago)
@martinsos can you provide some context here?
martinsos (7d ago)
@pipas if these are coming from deps that Wasp pins down, because they are deps of these deps, then you can't super easily improve that at the moment. We will be upgrading them in future versions, but Wasp is still in Beta so this is not the biggest priority at the moment. But I believe none of these vulnerabilities are critical, right? Can you share here the warning messages?
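The point martinsos makes, that a finding may come from a dependency of a dependency whose version Wasp pins, is easier to act on once you can see which audit findings are transitive and what kind of fix npm is offering. The script below is an added example, not code from this thread or from the Wasp project. It reads the output of `npm audit --json` (npm 7 and later; the field names `vulnerabilities`, `isDirect`, `via`, `effects` and `fixAvailable` are assumed from that report format) and, for each finding, reports whether the package is a direct dependency, which advisory it ultimately stems from, and whether the available fix is a compatible bump or a semver-major change to a named package, which is the case that collides with a framework-pinned version. The embedded report is a constructed sample with made-up advisory titles and URLs.

```python
"""Triage an `npm audit --json` report: direct vs. transitive, root advisory, fix kind."""
import json
import sys
from collections import Counter

SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}

# Constructed sample in the shape npm 7+ prints for `npm audit --json`.
# Field names are assumed from that format; titles and URLs are made up.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "nth-check": {
            "name": "nth-check", "severity": "high", "isDirect": False,
            "via": [{"title": "Inefficient regular expression (constructed sample)",
                     "severity": "high", "url": "https://example.invalid/advisory/1"}],
            "effects": ["css-select"], "range": "<2.0.1",
            "fixAvailable": {"name": "react-scripts", "version": "3.0.1", "isSemVerMajor": True},
        },
        "css-select": {
            "name": "css-select", "severity": "high", "isDirect": False,
            "via": ["nth-check"], "effects": ["react-scripts"], "range": "<=3.1.0",
            "fixAvailable": {"name": "react-scripts", "version": "3.0.1", "isSemVerMajor": True},
        },
        "react-scripts": {
            "name": "react-scripts", "severity": "high", "isDirect": True,
            "via": ["css-select"], "effects": [], "range": ">=2.1.4",
            "fixAvailable": {"name": "react-scripts", "version": "3.0.1", "isSemVerMajor": True},
        },
        "lodash": {
            "name": "lodash", "severity": "critical", "isDirect": True,
            "via": [{"title": "Prototype pollution (constructed sample)",
                     "severity": "critical", "url": "https://example.invalid/advisory/2"}],
            "effects": [], "range": "<4.17.21",
            "fixAvailable": True,
        },
    },
})


def root_advisories(vulns, name, seen=None):
    """Follow the `via` chain from a package down to the advisories it stems from.
    `via` entries are either advisory objects or names of other vulnerable
    packages; names are followed recursively, with a `seen` set to stop cycles."""
    if seen is None:
        seen = set()
    if name in seen or name not in vulns:
        return []
    seen.add(name)
    found = []
    for entry in vulns[name].get("via", []):
        if isinstance(entry, dict):
            found.append(entry)
        else:
            found.extend(root_advisories(vulns, entry, seen))
    return found


def classify_fix(fix):
    """Describe what `npm audit fix` could do: nothing, a compatible bump, or a
    semver-major change to a named package (the case a framework that pins that
    package's version will not let you apply)."""
    if fix is False or fix is None:
        return "none"
    if fix is True:
        return "compatible"
    return f"semver-major ({fix['name']}@{fix['version']})"


def triage(report):
    """Flatten the report into rows sorted by severity, then package name."""
    vulns = report.get("vulnerabilities", {})
    rows = []
    for name, info in vulns.items():
        rows.append({
            "package": name,
            "severity": info.get("severity", "info"),
            "direct": bool(info.get("isDirect")),
            "root_advisories": [a.get("title", "?") for a in root_advisories(vulns, name)],
            "fix": classify_fix(info.get("fixAvailable")),
        })
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r["severity"], 9), r["package"]))
    return rows


def summarize(rows):
    """Count findings by (severity, direct|transitive)."""
    counts = Counter()
    for r in rows:
        counts[(r["severity"], "direct" if r["direct"] else "transitive")] += 1
    return counts


def main():
    # Read a real report from a pipe; fall back to the constructed sample otherwise.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    rows = triage(json.loads(text))
    for r in rows:
        kind = "direct" if r["direct"] else "transitive"
        print(f"{r['severity']:<9} {r['package']:<15} {kind:<11} fix: {r['fix']}")
        for title in r["root_advisories"]:
            print(f"          via: {title}")
    for (sev, kind), n in sorted(summarize(rows).items()):
        print(f"{n} {sev} ({kind})")


if __name__ == "__main__":
    main()
```

Run it as `npm audit --json | python3 audit_triage.py` inside the project, or with no input to see the sample. Rows marked transitive with a semver-major fix are the ones martinsos describes: the fix npm proposes would change a package whose version the framework controls, so the realistic options are waiting for a framework release that bumps it or confirming the affected code path is not reachable in your app.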