Installing chai: 1 vulnerability required manual review

zak100 · January 21, 2021, 12:47am

Hi,

I am trying to install Chai on my Ubuntu 18.04 system. I did the following:

:~$ npm install --save-dev chai>

npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I’ll try to do my best with it!
npm WARN zulfi No description
npm WARN zulfi No repository field.
npm WARN zulfi No license field.

chai@4.2.0
added 7 packages from 20 contributors and audited 359 packages in 2.933s

41 packages are looking for funding
run npm fund for details

found 1 low severity vulnerability
run npm audit fix to fix them, or npm audit for details
zulfi@lc2530hz:~$ npm audit fix
npm WARN zulfi No description
npm WARN zulfi No repository field.
npm WARN zulfi No license field.

up to date in 0.99s

41 packages are looking for funding
run npm fund for details

fixed 0 of 1 vulnerability in 359 scanned packages
1 vulnerability required manual review and could not be updated

I getting the error “1 vulnerability required manual review and could not be updated”

Somebody please guide me how to solve this problem.

Zulfi.

abcoathup · January 21, 2021, 5:46am

Hi @zak100,

I didn’t get any vulnerabilities installing chai.

$ npm install --save-dev chai
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN zak@1.0.0 No description
npm WARN zak@1.0.0 No repository field.

+ chai@4.2.0
added 7 packages from 20 contributors and audited 7 packages in 1.275s
found 0 vulnerabilities

$ node --version
v10.22.1

What version of node are you using?

You may want to try installing in a new project to see if it is chai or another package reporting the vulnerability. You can then check the package’s GitHub repository to see if there is already an issue for this vulnerability telling you the impact.

zak100 · January 25, 2021, 6:09pm

Hi @abcoathup -Thaks for your reply. My version is:

$ node --version
v10.22.0
Sorry, I can’t understand what you mean by:

You may want to try installing in a new project to see if it is chai or another package reporting the vulnerability

Zulfi.

.

martriay · January 25, 2021, 6:15pm

He suggested you to try installing chai in a new “clean” project, to check whether the problem is with chai itself or a conflict with other installed package in your current project.

zak100 · January 25, 2021, 6:31pm

Hi,
I have tried even with v10.22.1

~$ npm install --save-dev chai
npm WARN zulfi No description
npm WARN zulfi No repository field.
npm WARN zulfi No license field.

chai@4.2.0
updated 1 package and audited 359 packages in 2.313s

41 packages are looking for funding
run npm fund for details

found 1 low severity vulnerability
run npm audit fix to fix them, or npm audit for details
@lc2530hz:~ node --version v10.22.1 @lc2530hz:~

Hi @martriay ,

He suggested you to try installing chai in a new “clean” project, to check whether the problem is with chai itself or a conflict with other installed package in your current project.

I don’t know how to that, please guide me.

Zulfi.

zak100 · January 25, 2021, 6:33pm

Hi,
I tried audit fix but getting the same output as previously.

$ npm audit fix
npm WARN zulfi No description
npm WARN zulfi No repository field.
npm WARN zulfi No license field.

up to date in 1.008s

41 packages are looking for funding
run npm fund for details

fixed 0 of 1 vulnerability in 359 scanned packages
1 vulnerability required manual review and could not be updated

Zulfi.

martriay · January 26, 2021, 12:47am

@zak100 I suggest you seek help in a broader development community like Stack Overflow, OpenZeppelin’s community is about ethereum smart contract development.

zak100 · January 26, 2021, 2:06am

Hi,
Thanks a lot.

Zulfi.