Failure to install npm package due to vulnerabilities #276

jsjoeio · 2021-05-18T16:47:15Z

jsjoeio
May 18, 2021

When I run my script, it tells me the npm package btoa is required. I click install. Then it fails due to vulnerability issues.

How can I fix this?

Video

Screen.Recording.2021-05-18.at.9.43.47.AM.mov

Logs

[2021-05-18 09:43:21.002] [info] > Opening /Users/jp/.kenv/scripts/start-toggl.js with code
[2021-05-18 09:43:57.181] [info] 
up to date, audited 19 packages in 2s

[2021-05-18 09:43:57.182] [info] 
1 package is looking for funding
  run `npm fund` for details

[2021-05-18 09:43:57.199] [info] 
3 vulnerabilities (2 low, 1 moderate)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

[2021-05-18 09:43:57.210] [warn] 
[2021-05-18 09:43:57.210] [warn] Error
    at kenvImport (file:///Users/jp/.kit/api/npm.js:15:15)
    at async file:///Users/jp/.kit/api/npm.js:29:16
    at async file:///Users/jp/.kenv/scripts/start-toggl.js:1:12
[2021-05-18 09:43:57.211] [info] {"errorFile":"/Users/jp/.kenv/scripts/start-toggl.js","line":0,"col":0}

Answered by johnlindquist

May 18, 2021

To clarify, the vulnerabilities aren't what cause the Error. The most recent build has the npm install process use setHint to show npm's progress while something is installing. So that's probably where the confusion came from.

What fails is when await npm attempts to import btoa.

btoa 's package.json's "main" is set to index (not index.js). So the await npm attempts to import ~/.kenv/node_modules/btoa/index which isn't a file.

node must fallback to importing index.js if the "main" is malformed. So I'll adjust the npm helper to do the same.

Related: Interesting twitter thread on node and btoa

I'll get a out a build in a couple hours to fix this. For now you can use:

let {default:btoa}  = a…

View full answer

johnlindquist · 2021-05-18T17:21:28Z

johnlindquist
May 18, 2021
Maintainer

To clarify, the vulnerabilities aren't what cause the Error. The most recent build has the npm install process use setHint to show npm's progress while something is installing. So that's probably where the confusion came from.

What fails is when await npm attempts to import btoa.

btoa 's package.json's "main" is set to index (not index.js). So the await npm attempts to import ~/.kenv/node_modules/btoa/index which isn't a file.

node must fallback to importing index.js if the "main" is malformed. So I'll adjust the npm helper to do the same.

Related: Interesting twitter thread on node and btoa

I'll get a out a build in a couple hours to fix this. For now you can use:

let {default:btoa}  = await import("btoa")

Note: You can always install/uninstall npm packages here to avoid the npm helper:

1 reply

jsjoeio May 18, 2021
Author

Oh! I see now. That makes more sense. Thanks for the temp workaround (and the interesting Twitter thread)! 👍🏼

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Failure to install npm package due to vulnerabilities #276

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Failure to install npm package due to vulnerabilities #276

Uh oh!

jsjoeio May 18, 2021

Video

Logs

Replies: 1 comment · 1 reply

Uh oh!

johnlindquist May 18, 2021 Maintainer

Uh oh!

jsjoeio May 18, 2021 Author

jsjoeio
May 18, 2021

Replies: 1 comment 1 reply

johnlindquist
May 18, 2021
Maintainer

jsjoeio May 18, 2021
Author