user1941537
Reputation: 6695
How can I fix this GitHub security alert?
After pushing a new repo to GitHub I got this security alert from GitHub:
According to GitHub, the effected file is package-lock.json.
To fix the issue, I did this:
- Deleted the package-lock.json from remote repo on GitHub.
- Found and replace tar versions inside my local package-lock.json to >=4.4.2.
- Deleted node_modules folder from my local repo.
- Ran npm install
- Pushed package-lock.json to remote.
But it didn't help and I still get the same security alert from GitHub.
How can I fix this?
Upvotes: 7
Views: 6704
Answers (1)
Ben Blank
Reputation: 56624
You should never need to delete or edit your package-lock.json manually. In this case, the file you want to edit is package.json (no -lock). Specifically:
- Open
package.jsonin your favorite editor. - Find the line for
"tar": "…". - Replace whatever is in the right-hand string with
">=4.4.2". - Save the file and run
npm install. - Check in the changes to
package.jsonandpackage-lock.json. - Push to Github.
Upvotes: 2
Related Questions
- GitHub Action incapable of pushing due to "unsafe repository" error
- Github action is showing error when there is a private repository in the package json
- GitHub security issue in a repository
- Alerts security Github - what is the correct way to fix vulnerability in yarn.lock/package-lock.json
- Github potential security vulnerability error for hoek node module
- Github warns security problem about Omniauth gem
- Why does Angular app built with Angular CLI give security warning on github, how do I resolve?
- curl api.github.com publish release JSON issue
- How to fix "load unsafe scripts"?
- Confusing error message from git