Aerodynamika

Reputation: 8413

The best way to resolve vulnerabilities in package-lock.json?

I am warned about vulnerabilities in the packages listed in the package-lock.json file of my Node.js project.

I can follow the advice here and reinstall all the packages with npm install <package-name>; however, I also use other npm projects that use the older versions of those packages, which will not get reinstalled with a simple npm install.

Does it mean I have to go to package-lock.json and manually change all the dependencies to the latest version?

What if they break?

Isn't there a proper way of doing the updates that ensures you won't break the other packages dependent on the old versions?

Upvotes: 1

Views: 5156

Answers (1)

frsechet

Reputation: 790

If the issue is on a package you directly depend upon, you should update it directly and save it to the package.json + lock its version in package-lock.json in the process by doing something like npm install your-dependency@latest --save[-dev]. But beware: there might be breaking changes that will break your code (for example in case the dependency had a major version update in between with some deprecations and breaking changes).

But if the issue is from a dependency of one of your dependencies, the very very best way to solve it is to raise an issue (potentially with a PR to help them) with the maintainer of the parent package, then when they provide an update, update the dependency itself in your project.

You can use npm audit to resolve some issues as well (probably not all, and if a sub-dependency version is specifically required by a dependency, it will not update it because it could break things), but the single best way to solve the issue for you and for everybody else is to get the maintainer of the module to update its dependencies, when/if they can.

Reinstalling everything will not solve the issue if the dependency is still vulnerable. Installing does not magically fix stuff, people do :-) However, what you may want to do is use npm outdated to list all the packages that have newer versions available and try to update them, one by one, and see if your vulnerabilities are resolved after that (npm audit).

One more thing: it's usually a bad practice to go and change stuff around manually in package-lock.json. This file should be only auto-generated by one of your npm install (or similar) scripts. This file is what is used by npm to resolve the list of exact dependency/subdependency versions on a fresh install, and it is really the single best way to ensure all the people who use or work on this project have the exact same version of all their dependencies, so it better be correct. Always commit your package-lock.json!

Upvotes: 4
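The answer's distinction between a vulnerable package you depend on directly and one pulled in (and possibly pinned) by a dependency of yours is something you can read straight out of the lock file. The following is an added example, not code from the question, the answer or npm itself: it walks a lockfileVersion 1 package-lock.json (the nested "dependencies"/"requires" format that npm 5 and 6 write) together with package.json and prints every chain from a direct dependency down to a named package, flagging whether the parent's "requires" entry is an exact pin that npm audit fix could not bump on its own. The two JSON objects, the versions in them, the "vulnerable" rule and the function names (findChains, isExactPin, describeChain) are all constructed for the demonstration and say nothing about the real packages.

```javascript
// Added example (not from the original post): find dependency chains in a
// lockfileVersion 1 package-lock.json that lead to a given package.

// Constructed sample package.json and package-lock.json. Package names are
// real, but the versions, ranges and the "vulnerable" rule used below are
// invented for this demonstration only.
const packageJson = {
  name: "my-app",
  dependencies: { express: "^4.16.0", lodash: "^4.17.10" },
  devDependencies: { mocha: "^5.2.0" },
};

const packageLock = {
  name: "my-app",
  lockfileVersion: 1,
  dependencies: {
    express: {
      version: "4.16.0",
      requires: { debug: "2.6.9", send: "0.16.1" },
      // npm nests a copy here because the hoisted root "debug" is a different major
      dependencies: { debug: { version: "2.6.9", requires: { ms: "2.0.0" } } },
    },
    send: { version: "0.16.1", requires: { mime: "1.4.1" } },
    mime: { version: "1.4.1" },
    ms: { version: "2.0.0" },
    debug: { version: "3.1.0", requires: { ms: "2.0.0" } },
    lodash: { version: "4.17.10" },
    mocha: { version: "5.2.0", dev: true, requires: { debug: "^3.1.0" } },
  },
};

// Resolve `name` the way Node would from a package whose ancestors are
// `scopeChain` (root lock object first): the nearest nested node_modules wins.
function resolveEntry(name, scopeChain) {
  for (let i = scopeChain.length - 1; i >= 0; i--) {
    const deps = scopeChain[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return undefined;
}

// Return every chain from a direct dependency down to `target`. Each hop is
// { name, version, range }, where `range` is what the previous hop requires
// (for a direct dependency, the range from package.json).
function findChains(lock, pkg, target, isVulnerable) {
  const direct = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const chains = [];

  function walk(name, scopeChain, path, range) {
    if (path.some((hop) => hop.name === name)) return; // cycle guard
    const entry = resolveEntry(name, scopeChain);
    if (!entry) return; // lock and package.json out of sync; nothing to follow
    const nextPath = path.concat({ name, version: entry.version, range });
    if (name === target) {
      chains.push({ path: nextPath, vulnerable: isVulnerable(entry.version) });
      return;
    }
    for (const [dep, req] of Object.entries(entry.requires || {})) {
      walk(dep, scopeChain.concat(entry), nextPath, req);
    }
  }

  for (const [name, range] of Object.entries(direct)) walk(name, [lock], [], range);
  return chains;
}

// Heuristic: a bare "x.y.z" in "requires" is an exact pin, which npm audit fix
// cannot move past without the parent package shipping a new release.
function isExactPin(range) {
  return /^\d+\.\d+\.\d+$/.test(range);
}

function describeChain(chain) {
  const label = chain.path.map((h) => `${h.name}@${h.version}`).join(" > ");
  const status = chain.vulnerable ? "VULNERABLE" : "ok";
  if (chain.path.length === 1) return `${label} [${status}] direct dependency: update it yourself`;
  const last = chain.path[chain.path.length - 1];
  const parent = chain.path[chain.path.length - 2];
  const pin = isExactPin(last.range) ? "an exact pin" : "a range";
  return `${label} [${status}] transitive: ${parent.name} requires "${last.range}" (${pin})`;
}

// Usage: node audit-chains.js. With real files, replace the two constructed
// objects with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))
// and the same for package.json; the vulnerable rule comes from your advisory.
const debugChains = findChains(packageLock, packageJson, "debug", (v) => v.startsWith("2."));
for (const chain of debugChains) console.log(describeChain(chain));
```

On the constructed input this reports express@4.16.0 > debug@2.6.9 as vulnerable and pinned by express's exact "2.6.9" requirement (the case where only the express maintainer can fix it, as the answer says), while mocha's debug@3.1.0 is reported as fine. Lock files written by npm 7 and later use lockfileVersion 2 or 3 with a flat "packages" map keyed by node_modules path, so the resolver would need adapting for those.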
