Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

npm audit tells me to install version 3.0.0 while the latest version is 1.1.7

See original GitHub issue

Description

When I run npm audit it tells me to install version 3.0.0 (Run npm install --save-dev @frctl/fractal@3.0.0 to resolve 8 vulnerabilities), but that is actually a very old release (published on npm 3 years ago) with a faulty version number.

Steps to Reproduce

npm audit

Expected behavior (upgrade to latest version 1.1.7):

=== npm audit security report ===                        
                                                                                
# Run  npm install --save-dev @frctl/fractal@1.1.7  to resolve 8 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

Actual behavior:

=== npm audit security report ===                        
                                                                                
# Run  npm install --save-dev @frctl/fractal@3.0.0  to resolve 8 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

Reproduces how often:

Always

Versions

What version of Fractal are you running? @frctl/fractal @1.1.7
What version of Node.js are you running? (run node -v) v11.11.0

Additional Information

Version 3.0.0 was published between 0.2.2 and 0.3.0, so it obviously was a typo in the version number.

Issue Analytics

State:
Created 5 years ago
Reactions:4
Comments:7 (3 by maintainers)

Top GitHub Comments

2reactions

timseveriencommented, Apr 1, 2019

Note that unpublishing packages on npm isn’t easy. Considering 3.0.0 was published a long time ago, it can’t be unpublished:

[U]npublish is only allowed with versions published in the last 72 hours.

https://docs.npmjs.com/cli/unpublish#description

It gets worse: according to the docs, version 3.0.0 can’t be reused ever again:

Even if a package version is unpublished, that specific name and version combination can never be reused.

https://docs.npmjs.com/cli/unpublish#description

Considering the popularity of @frcl/fractal, the npm staff might just make an exception and completely delete the version. Either way, I suppose an owner should get in touch with npm support and ask for help.

If, for whatever reason, npm support refuses to unpublish the package, the package owner could deprecate the package so hopefully it won’t show up in an npm audit.

1reaction

Chapabucommented, Jun 25, 2019

Version 3.0.0 has been deprecated. NPM won’t remove released packages 😦

Top Results From Across the Web

Npm audit fix --force react script downgrade automatically

I'm trying to update the libraries on my project but seems something wrong happens. This is the package.json { "name": "server", "version": "1.1 ......

npm-audit

The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of...

npm-audit-resolver/README.md - UNPKG

The CDN for npm-audit-resolver. ... 17, npm install -g npm-audit-resolver ... of it in version control and have a log of who decided...

chokidar 2 does not receive security updates since 2019 ...

Just use the following command to update the version of your npm: ... I'm trying to run npm install - g expo-cli on...

Error while updating the instance - Google Groups

npm WARN read-shrinkwrap This version of npm is compatible with ... 1.12.2 requires a peer of webpack@^1.0.0 || ^2.0.0 || ^3.0.0 but none...