NPM warnings in NodeJS projects

Hello,

I’ve noticed these warnings popping up when I’m installing or updating node packages for a while now. How can these be addressed?

These warnings will vary depending on which dependencies your project is using. Most of the usual vulnerabilities can be cleared by running:

npm audit fix

or, if needed:

npm audit fix --force

You may also see allow-scripts warnings. For example, Sharp 0.32.6 uses native install scripts that aren’t approved yet, which is why it shows up. There is a way to approve those scripts, but I don’t have the exact reference handy right now.

The main issue is the dependency:

"jsonpath": "^1.1.1"

This package pulls in:

underscore <=1.13.7

Unfortunately, underscore has a known DoS vulnerability, and there’s no fix available. The jsonpath package itself is basically abandoned, so npm can’t resolve this automatically.

There are modern alternatives that don’t have this problem:

  • jsonpath-plus
  • jsonpath-faster
  • jsonpath-next

Switching to one of these would remove the vulnerability entirely, but that change would need to be made in Wappler’s internal scripts.

New npm doesn't execute post install scripts automatically anymore. Sharp requires an extra build step that now has to be approved first.

npm approve-scripts sharp

Normally it is safe to do an npm audit fix; with --force it also does major updates that could break some code.

You can uninstall jsonpath; I'm not sure why it was already bundled, since it is only used in a single module which isn't currently available in Wappler.

I will evaluate the current dependencies and see that we clean them up and update them to the latest versions where possible.


If you want to force the jsonpath module to use underscore 1.13.8 instead of version 1.13.7, you can easily fix this using the "overrides" section in the package.json file.

Procedure:

Add the following code to your package.json, immediately after the dependencies section:

"overrides": {
  "jsonpath": {
    "underscore": "1.13.8"
  }
}

Reinstall all modules with the command:

npm install

This method forces npm to install the specific version of underscore for the jsonpath module, overwriting the default version (1.13.7).

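After re-running npm install it is worth confirming that the override actually took effect, rather than trusting that the warning went away. The script below is an added example, not from this thread or from Wappler: it reads the "overrides" entry from package.json and the "packages" map of package-lock.json (lockfileVersion 2 or 3 is assumed) and reports whether jsonpath will really load underscore 1.13.8; the function names and the sample package.json/lockfile data are constructed for the example.

```javascript
// Added example (not from the thread or Wappler): confirm that an "overrides"
// entry in package.json really changed what npm installed, by reading the
// lockfile npm wrote. Assumes a "packages" map (lockfileVersion 2/3), x.y.z versions.

// "^1.13.8" -> [1, 13, 8]; pre-release tags are ignored for this check.
function parseVersion(v) {
  return v.replace(/^[^0-9]*/, "").split(".").slice(0, 3)
    .map((n) => parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// The copy of `dep` that `parent` actually loads: a copy nested under the
// parent wins over a hoisted top-level copy (Node's resolution order).
function resolvedVersion(lock, parent, dep) {
  const pkgs = lock.packages || {};
  const entry = pkgs[`node_modules/${parent}/node_modules/${dep}`] ||
    pkgs[`node_modules/${dep}`];
  return entry ? entry.version : null;
}

// Compare the override requested in package.json with the lockfile and flag a
// resolved version at or below `maxVulnerable` (the range the thread reports).
function checkOverride(pkgJson, lock, parent, dep, maxVulnerable) {
  const wanted = ((pkgJson.overrides || {})[parent] || {})[dep] || null;
  const resolved = resolvedVersion(lock, parent, dep);
  return {
    wanted,
    resolved,
    applied: wanted !== null && resolved === wanted,
    vulnerable: resolved !== null && compareVersions(resolved, maxVulnerable) <= 0,
  };
}

// Constructed sample inputs mirroring the thread: the lockfile before and
// after re-running `npm install` with the override in place.
const SAMPLE_PKG = { dependencies: { jsonpath: "^1.1.1" },
  overrides: { jsonpath: { underscore: "1.13.8" } } };
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  "node_modules/jsonpath": { version: "1.1.1" },
  "node_modules/underscore": { version: "1.13.7" } } };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  "node_modules/jsonpath": { version: "1.1.1" },
  "node_modules/underscore": { version: "1.13.8" } } };
console.log(checkOverride(SAMPLE_PKG, LOCK_AFTER, "jsonpath", "underscore", "1.13.7"));
```

To run it against a real project, replace the two sample objects with JSON.parse of the project's package.json and package-lock.json.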