simbo1905

Reputation: 6862

How do I exclude insecure package.json transient dependencies?

I have a package.json that gives a load of security warnings. Looking at the first critical item I see it's [email protected] which hasn't been updated for five years. Looking at npm ll, it is included by [email protected] where I am using the latest that was updated about two weeks ago.

I would like to remove the insecure dependencies. In the Java world the maven package manager lets you exclude certain transitive dependencies. Ideally, with npm or another node package manager, I should be able to exclude dependencies with vulnerabilities. Then I can retest that my app works and not see any security errors. Is there a way to quickly exclude anything that has a security vulnerability from my package.json? If there isn't a way to do this, what approaches can I take to ensure that no insecure packages are used by my application?

Update: Although "npm": "^6.5.0" is specified in the package.json, I was building it with an older npm which was picking up the critical issue mentioned above. I fixed all the issues with ./node_modules/.bin/npm audit fix --force

Upvotes: 8

Views: 17840

Answers (3)

Tomas Kubes

Reputation: 25148

Yarn package manager has a feature, resolutions, by which you can set fixed libraries for insecure third parties.

See How do I override nested dependencies with `yarn`?

NPM has something similar.

Upvotes: 0

QuincyChen

Reputation: 1

This specific warning targets your lockfile, and can be easily fixed by removing the yarn.lock or package-lock.json and reinstalling dependencies.

Upvotes: 0

Elliot Nelson

Reputation: 11557

By definition, you can't exclude a package that a dependency you are using relies on. In other words, if you require package A, and package A claims it is dependent on package B, then removing package B will cause A to either stop working altogether or begin behaving erratically.

Unfortunately this does happen, and your options include:

  1. Ignoring the security warning.
  2. Replacing package A with something else (applies in some cases and not others).
  3. Asking the maintainer of package A to upgrade the version of package B they rely on, possibly opening a pull request yourself.

In your case, though, I'm not sure if your investigation is complete yet - I don't see open in npm's dependency list. Might be worth scrapping your node_modules and re-running npm install, then checking again to see who is using open.

Upvotes: 2
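An added example, not code from the question or from any of the answers above, that does the two things the answers describe: it walks a package-lock.json ("packages" map of lockfile version 2 and 3) to find every dependency chain that pulls in a flagged package (the "who is using open" check Elliot Nelson suggests), and from those chains emits the yarn "resolutions" / npm "overrides" entry Tomas Kubes refers to. The lockfile, package names and versions below are constructed sample data; after pinning a transitive version this way you still have to retest package A, since it may not work with the newer version.

```javascript
// Constructed sample lockfile (lockfileVersion 2/3 "packages" layout), not real project data.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "my-app", dependencies: { "tool-a": "^2.0.0", open: "^8.0.0" } },
  "node_modules/tool-a": { version: "2.1.0", dependencies: { open: "0.0.5", "lib-b": "^1.0.0" } },
  "node_modules/tool-a/node_modules/open": { version: "0.0.5" }, // nested old copy
  "node_modules/lib-b": { version: "1.3.0", dependencies: { open: "^8.0.0" } },
  "node_modules/open": { version: "8.4.0" }, // hoisted current copy
} };

// Package name installed at a node_modules path (scoped names such as @scope/pkg stay intact).
const nameOf = (path) => path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);

// Node-style resolution: the requiring package's own node_modules first, then each parent's.
function resolve(packages, fromPath, dep) {
  for (;;) {
    const candidate = (fromPath ? fromPath + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (fromPath === "") return null;
    const i = fromPath.lastIndexOf("node_modules/");
    fromPath = i <= 0 ? "" : fromPath.slice(0, i - 1);
  }
}

// Depth-first walk from the root; returns every chain reaching `target`, e.g. ["tool-a@2.1.0", "open@0.0.5"].
function findChains(lock, target) {
  const packages = lock.packages, chains = [];
  const walk = (path, chain, seen) => { // `seen` guards against dependency cycles
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const resolved = resolve(packages, path, dep);
      if (!resolved || seen.has(resolved)) continue;
      const next = chain.concat(`${nameOf(resolved)}@${packages[resolved].version}`);
      if (nameOf(resolved) === target) chains.push(next);
      walk(resolved, next, new Set(seen).add(resolved));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// package.json entries pinning `target` under each top-level dependency that pulls it in: npm "overrides"
// (npm 8.3+) and the yarn "resolutions" path. A chain of length 1 is a direct dependency: bump it instead.
function pinEntries(chains, target, fixed) {
  const overrides = {}, resolutions = {}, direct = [];
  for (const chain of chains) {
    const top = chain[0].slice(0, chain[0].lastIndexOf("@"));
    if (chain.length === 1) { direct.push(chain[0]); continue; }
    overrides[top] = { ...(overrides[top] || {}), [target]: fixed };
    resolutions[`${top}/${target}`] = fixed;
  }
  return { overrides, resolutions, direct };
}

const bad = findChains(sampleLock, "open").filter((c) => c[c.length - 1].endsWith("@0.0.5"));
console.log(bad, JSON.stringify(pinEntries(bad, "open", "8.4.0")));
```

Run it against a real lockfile by replacing sampleLock with JSON.parse(fs.readFileSync("package-lock.json")) and the version filter with the range your audit report flags.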
