diff --git a/work/ctm-399.md b/work/ctm-399.md index 34fb5936..a631e588 100644 --- a/work/ctm-399.md +++ b/work/ctm-399.md @@ -61,7 +61,7 @@ You will receive the following output: This utility will walk you through creating a package.json file. It only covers the most common items, and tries to guess sensible defaults. -See `npm help json` for definitive documentation on these fields +See `npm help init` for definitive documentation on these fields and exactly what they do. Use `npm install ` afterwards to install a package and @@ -79,11 +79,11 @@ The next value to enter is `version`. Along with the `name`, this field is requi **Note:** Node.js packages are expected to follow the [Semantic Versioning](https://semver.org/) (semver) guide. Therefore, the first number will be the `MAJOR` version number that only changes when the API changes. The second number will be the `MINOR` version that changes when features are added. The last number will be the `PATCH` version that changes when bugs are fixed. <$> -Press `ENTER` so the default version is accepted. +Press `ENTER` so the default version of `1.0.0` is accepted. The next field is `description`—a useful string to explain what your Node.js module does. Our fictional `locator` project would get the user's IP address and return the country of origin. A fitting `description` would be `Finds the country of origin of the incoming request`, so type in something like this and press `ENTER`. The `description` is very useful when people are searching for your module. -The following prompt will ask you for the `entry point`. If someone installs and `requires` your module, what you set in the `entry point` will be the first part of your program that is loaded. The value needs to be the relative location of a JavaScript file, and will be added to the `main` property of the `package.json`. Press `ENTER` to keep the default value. +The following prompt will ask you for the `entry point`. If someone installs and `requires` your module, what you set in the `entry point` will be the first part of your program that is loaded. The value needs to be the relative location of a JavaScript file, and will be added to the `main` property of the `package.json`. Press `ENTER` to keep the default value of `index.js`. <$>[note] **Note**: Most modules have an `index.js` file as the main point of entry. This is the default value for a `package.json`'s `main` property, which is the point of entry for npm modules. If there is no `package.json`, Node.js will try to load `index.js` by default. @@ -91,7 +91,7 @@ The following prompt will ask you for the `entry point`. If someone installs and Next, you'll be asked for a `test command`, an executable script or command to run your project tests. In many popular Node.js modules, tests are written and executed with [Mocha](https://mochajs.org/), [Jest](https://jestjs.io/), [Jasmine](https://jasmine.github.io/), or other test frameworks. Since testing is beyond the scope of this article, leave this option empty for now, and press `ENTER` to move on. -The `init` command will then ask for the project's [GitHub Repository](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-repositories). You won't use this in this example, so leave it empty as well. +The `init` command will then ask for the project's git repository, which may live on a service such as GitHub (for more information, see [GitHub's Repository documentation](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-repositories)). You won't use this in this example, so leave it empty as well. After the repository prompt, the command asks for `keywords`. This property is an array of strings with useful terms that people can use to find your repository. It's best to have a small set of words that are really relevant to your project, so that searching can be more targeted. List these keywords as a string with commas separating each value. For this sample project, type `ip,geo,country` at the prompt. The finished `package.json` will have three items in the array for `keywords`. @@ -134,7 +134,7 @@ Now that you have your `package.json` file, you can test out installing modules ## Step 2 — Installing Modules -It is common in software development to use external libraries to perform ancillary tasks in projects. This allows the developer to focus on the business logic and create the application more quickly and efficiently. +It is common in software development to use external libraries to perform ancillary tasks in projects. This allows the developer to focus on the business logic and create the application more quickly and efficiently by utilizing tools and code that others have written that accomplish tasks one needs. For example, if our sample `locator` module has to make an external API request to get geographical data, we could use an HTTP library to make that task easier. Since our main goal is to return pertinent geographical data to the user, we could install a package that makes HTTP requests easier for us instead of rewriting this code for ourselves, a task that is beyond the scope of our project. @@ -144,14 +144,14 @@ Let's run through this example. In your `locator` application, you will use the npm install axios --save ``` -You begin this command with `npm install`, which will install the package (for brevity you can use `npm i`). You then list the packages that you want installed, separated by a space. In this case, this is `axios`. Finally, you end the command with the optional `--save` parameter, which specifies that `axios` will be saved as a project dependency. +You begin this command with `npm install`, which will install the package (for brevity you can also use `npm i`). You then list the packages that you want installed, separated by a space. In this case, this is `axios`. Finally, you end the command with the optional `--save` parameter, which specifies that `axios` will be saved as a project dependency. When the library is installed, you will see output similar to the following: ``` [secondary_label Output] ... -+ axios@0.19.0 ++ axios@0.27.2 added 5 packages from 8 contributors and audited 5 packages in 0.764s found 0 vulnerabilities ``` @@ -182,18 +182,18 @@ You'll see a new property, as highlighted in the following: "author": "Sammy sammy@your_domain (https://your_domain)", "license": "ISC", <^>"dependencies": {<^> - <^>"axios": "^0.19.0"<^> + <^>"axios": "^0.27.2"<^> <^>}<^> } ``` -The `--save` option told npm to update the `package.json` with the module and version that was just installed. This is great, as other developers working on your projects can easily see what external dependencies are needed. +The `--save` option told `npm` to update the `package.json` with the module and version that was just installed. This is great, as other developers working on your projects can easily see what external dependencies are needed. <$>[note] **Note**: You may have noticed the `^` before the version number for the `axios` dependency. Recall that semantic versioning consists of three digits: **MAJOR**, **MINOR**, and **PATCH**. The `^` symbol signifies that any higher MINOR or PATCH version would satisfy this version constraint. If you see `~` at the beginning of a version number, then only higher PATCH versions satisfy the constraint. <$> -When you are finished reviewing `package.json`, exit the file. +When you are finished reviewing `package.json`, close the file. If you used nano to edit the file, you can do so by pressing `CTRL + X` and then `ENTER`. ### Development Dependencies @@ -204,10 +204,10 @@ For example, it's common for developers to use [*code linters*](https://en.wikip Install a linter as a development dependency for your project. Try this out in your shell: ```command -npm i eslint@6.0.0 --save-dev +npm i eslint@8.0.0 --save-dev ``` -In this command, you used the `--save-dev` flag. This will save `eslint` as a dependency that is only needed for development. Notice also that you added `@6.0.0` to your dependency name. When modules are updated, they are tagged with a version. The `@` tells npm to look for a specific tag of the module you are installing. Without a specified tag, npm installs the latest tagged version. Open `package.json` again: +In this command, you used the `--save-dev` flag. This will save `eslint` as a dependency that is only needed for development. Notice also that you added `@8.0.0` to your dependency name. When modules are updated, they are tagged with a version. The `@` tells npm to look for a specific tag of the module you are installing. Without a specified tag, npm installs the latest tagged version. Open `package.json` again: ```command nano package.json @@ -236,7 +236,7 @@ This will show the following: "axios": "^0.19.0" }, <^>"devDependencies": {<^> - <^>"eslint": "^6.0.0"<^> + <^>"eslint": "^8.0.0"<^> <^>}<^> } ``` @@ -245,7 +245,7 @@ This will show the following: ### Automatically Generated Files: `node_modules` and `package-lock.json` -When you first install a package to a Node.js project, npm automatically creates the `node_modules` folder to store the modules needed for your project and the `package-lock.json` file that you examined earlier. +When you first install a package to a Node.js project, `npm` automatically creates the `node_modules` folder to store the modules needed for your project and the `package-lock.json` file that you examined earlier. Confirm these are in your working directory. In your shell, type `ls` and press `ENTER`. You will observe the following output: @@ -287,7 +287,7 @@ npm i npm will check for a `package-lock.json` file to install the modules. If no lock file is available, it would read from the `package.json` file to determine the installations. It is usually quicker to install from `package-lock.json`, since the lock file contains the exact version of modules and their dependencies, meaning npm does not have to spend time figuring out a suitable version to install. -When deploying to production, you may want to skip the development dependencies. Recall that development dependencies are stored in the `devDependencies` section of `package.json`, and have no impact on the running of your app. When installing modules as part of the CI/CD process to deploy your application, omit the dev dependencies by running: +When deploying to production, you may want to skip the development dependencies. Recall that development dependencies are stored in the `devDependencies` section of `package.json`, and have no impact on the running of your app. When installing modules as part of the deployment process to deploy your application, omit the dev dependencies by running: ```command npm i --production @@ -327,24 +327,25 @@ You will see output similar to: ``` [secondary_label Output] -hexo-cli: 2.0.0 -os: Linux 4.15.0-64-generic linux x64 -http_parser: 2.7.1 -node: 10.14.0 -v8: 7.6.303.29-node.16 -uv: 1.31.0 +hexo-cli: 4.3.0 +os: linux 5.15.0-35-generic Ubuntu 22.04 LTS 22.04 LTS (Jammy Jellyfish) +node: 18.3.0 +v8: 10.2.154.4-node.8 +uv: 1.43.0 zlib: 1.2.11 -ares: 1.15.0 -modules: 72 -nghttp2: 1.39.2 -openssl: 1.1.1c -brotli: 1.0.7 -napi: 4 -llhttp: 1.1.4 -icu: 64.2 -unicode: 12.1 -cldr: 35.1 -tz: 2019a +brotli: 1.0.9 +ares: 1.18.1 +modules: 108 +nghttp2: 1.47.0 +napi: 8 +llhttp: 6.0.6 +openssl: 3.0.3+quic +cldr: 41.0 +icu: 71.1 +tz: 2022a +unicode: 14.0 +ngtcp2: 0.1.0-DEV +nghttp3: 0.1.0-DEV ``` So far, you have learned how to install modules with npm. You can install packages to a project locally, either as a production or development dependency. You can also install packages based on pre-existing `package.json` or `package-lock.json` files, allowing you to develop with the same dependencies as your peers. Finally, you can use the `-g` flag to install packages globally, so you can access them regardless of whether you're in a Node.js project or not. @@ -374,42 +375,42 @@ You will see output like this: ``` [secondary_label Output] -├─┬ axios@0.19.0 -│ ├─┬ follow-redirects@1.5.10 -│ │ └─┬ debug@3.1.0 -│ │ └── ms@2.0.0 -│ └── is-buffer@2.0.3 -└─┬ eslint@6.0.0 - ├─┬ @babel/code-frame@7.5.5 - │ └─┬ @babel/highlight@7.5.0 - │ ├── chalk@2.4.2 deduped - │ ├── esutils@2.0.3 deduped - │ └── js-tokens@4.0.0 - ├─┬ ajv@6.10.2 - │ ├── fast-deep-equal@2.0.1 - │ ├── fast-json-stable-stringify@2.0.0 - │ ├── json-schema-traverse@0.4.1 - │ └─┬ uri-js@4.2.2 -... +├── axios@0.27.2 +└── eslint@8.0.0 ``` -By default, `ls` shows the entire dependency tree—the modules your project depends on and the modules that your dependencies depend on. This can be a bit unwieldy if you want a high-level overview of what's installed. - -To only print the modules you installed without their dependencies, enter the following in your shell: +The `--depth` option allows you to specify what level of the dependency tree you want to see. When it's `0`, you only see your top level dependencies. If you want to see the entire dependency tree, use the `--all` argument: ```command -npm ls --depth 0 +npm ls --all ``` -Your output will be: +You will see output like the following: ``` [secondary_label Output] -├── axios@0.19.0 -└── eslint@6.0.0 -``` +├─┬ axios@0.27.2 +│ ├── follow-redirects@1.15.1 +│ └─┬ form-data@4.0.0 +│ ├── asynckit@0.4.0 +│ ├─┬ combined-stream@1.0.8 +│ │ └── delayed-stream@1.0.0 +│ └─┬ mime-types@2.1.35 +│ └── mime-db@1.52.0 +└─┬ eslint@8.0.0 + ├─┬ @eslint/eslintrc@1.3.0 + │ ├── ajv@6.12.6 deduped + │ ├── debug@4.3.4 deduped + │ ├── espree@9.3.2 deduped + │ ├── globals@13.15.0 deduped + │ ├── ignore@5.2.0 + │ ├── import-fresh@3.3.0 deduped + │ ├── js-yaml@4.1.0 deduped + │ ├── minimatch@3.1.2 deduped + │ └── strip-json-comments@3.1.1 deduped -The `--depth` option allows you to specify what level of the dependency tree you want to see. When it's `0`, you only see your top level dependencies. +. . . +``` ### Updating Modules @@ -423,8 +424,8 @@ You will get output like the following: ``` [secondary_label Output] -Package Current Wanted Latest Location -eslint 6.0.0 <^>6.7.1<^> <^>6.7.1<^> locator +Package Current Wanted Latest Location Depended by +eslint 8.0.0 8.17.0 8.17.0 node_modules/eslint locator ``` This command first lists the `Package` that's installed and the `Current` version. The `Wanted` column shows which version satisfies your version requirement in `package.json`. The `Latest` column shows the most recent version of the module that was published. @@ -441,13 +442,30 @@ The output of the command will contain the version installed: ``` [secondary_label Output] -npm WARN locator@1.0.0 No repository field. -+ eslint@<^>6.7.1<^> -added 7 packages from 3 contributors, removed 5 packages, updated 19 packages, moved 1 package and audited 184 packages in 5.818s +removed 7 packages, changed 4 packages, and audited 91 packages in 1s + +14 packages are looking for funding + run `npm fund` for details + found 0 vulnerabilities ``` +To see which version of `eslint` that you are using now, you can use `npm ls` using the package name as an argument: + +```command +npm ls eslint +``` + +The output will resemble the `npm ls` command you used before, but include only the `eslint` package's versions: + +``` +[secondary_label Output] +└─┬ eslint@8.17.0 + └─┬ eslint-utils@3.0.0 + └── eslint@8.17.0 deduped +``` + If you wanted to update all modules at once, then you would enter: ```command @@ -470,23 +488,26 @@ Your output will be similar to: ``` [secondary_label Output] -npm WARN locator@1.0.0 No repository field. +removed 8 packages, and audited 83 packages in 542ms + +13 packages are looking for funding + run `npm fund` for details -removed 5 packages and audited 176 packages in 1.488s found 0 vulnerabilities ``` It doesn't explicitly say that `axios` was removed. To verify that it was uninstalled, list the dependencies once again: ```command -npm ls --depth 0 +npm ls ``` Now, we only see that `eslint` is installed: ``` [secondary_label Output] -└── eslint@<^>6.7.1<^> +locator@1.0.0 /home/ubuntu/locator +└── eslint@8.17.0 ``` This shows that you have successfully uninstalled the `axios` package. @@ -503,13 +524,29 @@ When you install this outdated version of `request`, you'll notice output simila ``` [secondary_label Output] -+ request@2.60.0 -added 54 packages from 49 contributors and audited 243 packages in 7.26s -found 6 moderate severity vulnerabilities - run `npm audit fix` to fix them, or `npm audit` for details +npm WARN deprecated cryptiles@2.0.5: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). +npm WARN deprecated sntp@1.0.9: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues. +npm WARN deprecated boom@2.10.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). +npm WARN deprecated node-uuid@1.4.8: Use uuid module instead +npm WARN deprecated har-validator@1.8.0: this library is no longer supported +npm WARN deprecated hoek@2.16.3: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). +npm WARN deprecated request@2.60.0: request has been deprecated, see https://github.com/request/request/issues/3142 +npm WARN deprecated hawk@3.1.3: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues. + +added 56 packages, and audited 139 packages in 4s + +13 packages are looking for funding + run `npm fund` for details + +9 vulnerabilities (5 moderate, 2 high, 2 critical) + +To address all issues, run: + npm audit fix --force + +Run `npm audit` for details. ``` -npm is telling you that you have vulnerabilities in your dependencies. To get more details, audit your entire project with: +npm is telling you that you have deprecations and vulnerabilities in your dependencies. To get more details, audit your entire project with: ```command npm audit @@ -519,34 +556,39 @@ The `audit` command shows tables of output highlighting security flaws: ``` [secondary_label Output] - === npm audit security report === +# npm audit report -# Run npm install request@2.88.0 to resolve 1 vulnerability -┌───────────────┬──────────────────────────────────────────────────────────────┐ -│ Moderate │ Memory Exposure │ -├───────────────┼──────────────────────────────────────────────────────────────┤ -│ Package │ tunnel-agent │ -├───────────────┼──────────────────────────────────────────────────────────────┤ -│ Dependency of │ request │ -├───────────────┼──────────────────────────────────────────────────────────────┤ -│ Path │ request > tunnel-agent │ -├───────────────┼──────────────────────────────────────────────────────────────┤ -│ More info │ https://npmjs.com/advisories/598 │ -└───────────────┴──────────────────────────────────────────────────────────────┘ +bl <1.2.3 +Severity: moderate +Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r +fix available via `npm audit fix` +node_modules/bl + request 2.16.0 - 2.86.0 + Depends on vulnerable versions of bl + Depends on vulnerable versions of hawk + Depends on vulnerable versions of qs + Depends on vulnerable versions of tunnel-agent + node_modules/request -# Run npm update request --depth 1 to resolve 1 vulnerability -┌───────────────┬──────────────────────────────────────────────────────────────┐ -│ Moderate │ Remote Memory Exposure │ -├───────────────┼──────────────────────────────────────────────────────────────┤ -│ Package │ request │ -├───────────────┼──────────────────────────────────────────────────────────────┤ -│ Dependency of │ request │ -├───────────────┼──────────────────────────────────────────────────────────────┤ -│ Path │ request │ -├───────────────┼──────────────────────────────────────────────────────────────┤ -│ More info │ https://npmjs.com/advisories/309 │ -└───────────────┴──────────────────────────────────────────────────────────────┘ -... +cryptiles <=4.1.1 +Severity: critical +Insufficient Entropy in cryptiles - https://github.com/advisories/GHSA-rq8g-5pc5-wrhr +Depends on vulnerable versions of boom +fix available via `npm audit fix` +node_modules/cryptiles + hawk <=9.0.0 + Depends on vulnerable versions of boom + Depends on vulnerable versions of cryptiles + Depends on vulnerable versions of hoek + Depends on vulnerable versions of sntp + node_modules/hawk + +. . . + +9 vulnerabilities (5 moderate, 2 high, 2 critical) + +To address all issues, run: + npm audit fix ``` You can see the path of the vulnerability, and sometimes npm offers ways for you to fix it. You can run the update command as suggested, or you can run the `fix` subcommand of `audit`. In your shell, enter: @@ -559,13 +601,19 @@ You will see similar output to: ``` [secondary_label Output] -+ request@2.88.0 -added 19 packages from 24 contributors, removed 32 packages and updated 12 packages in 6.223s -fixed 2 of 6 vulnerabilities in 243 scanned packages - 4 vulnerabilities required manual review and could not be updated +npm WARN deprecated har-validator@5.1.5: this library is no longer supported +npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. +npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 + +added 19 packages, removed 34 packages, changed 13 packages, and audited 124 packages in 3s + +14 packages are looking for funding + run `npm fund` for details + +found 0 vulnerabilities ``` -npm was able to safely update two of the packages, decreasing your vulnerabilities by the same amount. However, you still have four vulnerabilities in your dependencies. The `audit fix` command does not always fix every problem. Although a version of a module may have a security vulnerability, if you update it to a version with a different API then it could break code higher up in the dependency tree. +npm was able to safely update two of the packages, decreasing your vulnerabilities by the same amount. However, you still have three deprecations in your dependencies. The `audit fix` command does not always fix every problem. Although a version of a module may have a security vulnerability, if you update it to a version with a different API then it could break code higher up in the dependency tree. You can use the `--force` parameter to ensure the vulnerabilities are gone, like this: