Running suggested command doesn't fix NPM Vuln

Published 2020-08-09 10:49

Question:

After each installation of a new NPM module in my project I get the following error:

[!] 40 vulnerabilities found - Packages audited: 5840 (0 dev, 299 optional)
    Severity: 8 Low | 24 Moderate | 8 High

So then I run npm audit and I get the details for each of the 40 vulnerabilities, such as:

# Run  npm install npm@6.0.1  to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libcipm > npm-lifecycle > node-gyp > request > hawk >  │
│               │ boom > hoek                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

or this:

# Run  npm update fsevents --depth 2  to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ chokidar > fsevents > node-pre-gyp > tar-pack > debug        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

So I run npm install npm@6.0.1 (even though I already had 6.0.1), then npm update fsevents --depth 2. But after that I re-run npm audit and nothing has changed: I still have the same 40 vulnerabilities, and some of them are really scary. What should I do?

Answer 1:

This worked for me on MacOS:

  • Update NPM to the new 6.1.0. It introduces a 'npm audit fix' command; more info here.
  • Run 'npm audit fix'.

When you run 'npm audit' again, the only vulnerabilities left should be "Manual Review" issues.



Answer 2:

This seems to be a bug in npm 6.0.1 related to handling of optional dependencies: https://github.com/npm/npm/issues/20577



Answer 3:

This worked for me:

  1. Do the npm audit suggestions that aren't npm updates
  2. Delete package-lock.json
  3. Delete the node_modules folder
  4. Run npm install again

https://github.com/npm/npm/issues/20684



Answer 4:

Source: https://github.com/npm/npm/issues/20675. One fsevents issue may have to do with the fact that

fsevents can't be installed on windows, so you will have to update it on a macOS machine.

That's a bit strange, since looking at exhnozoaa's solution as of this date seems to imply otherwise:

I was able to work around this on Windows with the following steps.

  1. Open package-lock.json in an editor.
  2. Search for "fsevents". Find the one that is an object directly under "dependencies".
  3. Delete "fsevents" (the key and the whole object).
  4. From the terminal, run npm install.

This should regenerate that section with the latest version that is compatible with the other packages. I don't really think this is a good way to fix it, but it is one that worked for me.