Reputation: 9546
GitHub detected vulnerability in dependency, but I ran npm update and the dependency didn't update?
On a push to GitHub, I got this message:
GitHub found 1 vulnerability on username/projectname's default branch (1 moderate).
I checked the project on Github and discovered that I need to update Sequelize to 5.3.0. Locally, I ran npm update and another one of my packages updated, but Sequelize didn't update.
I committed, then pushed to Github again, and got the same vulnerability warning. I checked package.json and it shows the following under dependencies:
"sequelize": "^4.43.1"
Is there something different I need to do to update Sequelize? Or at least to resolve this warning?
Upvotes: 2
Views: 95
Answers (1)
Reputation: 137058
npm update respects caret dependency restrictions in package.json. You are asking for version "^4.43.1", meaning the latest version available without updating the leftmost nonzero digit. The latest 4.x.y version of sequelize is 4.43.1.
Update its major version in package.json, e.g. to ^5.3.0 since that's what you know you need, then run npm update again. This should give you the latest release with major version 5 (5.3.5 at the time of writing). It will also update both your package.json and your package-lock.json.
Upvotes: 2
Related Questions
- How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?
- How to update npm nested (vulnerable) dependency?
- NodeJs: How do I fix package vulnerabilities dependent on another npm package?
- How to fix vulnerability in npm dependencies?
- Update dependencies in NPM to resolve vulnerability
- Github references reported as outdated by NPM
- npm update dependency issue
- NPM update error
- Update "npm" package and GitHub
- npm reports an incorrect version for my module