klewis

Reputation: 8350

How to properly update mem package within package-lock.json file

I'm running npm version 6.1.0. There is a package called mem within my package-lock.json file, which is not part of my package.json file. It is at version 1.1.0. Unfortunately GitHub does not like it. GitHub quotes:

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

From the terminal, what is the proper way to update this specific mem package so that my package-lock.json reflects it correctly?

Upvotes: 2

Views: 1364

Answers (1)

MarvinJWendt

Reputation: 2684

You have to be careful: some of your dependencies are using this package. If you update mem manually, some of your dependencies could break. As you pointed out that GitHub found a vulnerability, you could try to run npm audit fix (npm's automatic vulnerability fixes).

GitHub also features automatic security patches.

You can also find out which package is using mem by running npm ls mem. Then update the top-level package with npm update <package>.

If all of that doesn't help, I wouldn't recommend updating it manually. It could break more than it fixes.

Upvotes: 5
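An offline way to get the same information npm ls mem gives, as an added example that is not code from the question or the answer: it walks a constructed lockfileVersion-1 package-lock.json (the format npm 6.x writes) and reports every installed copy of mem older than 4.0.0, the version the quoted advisory names as fixed, together with the top-level node_modules entry that holds it. The lockfile contents and the package names other than mem are assumed sample values.

```python
import json

# Constructed package-lock.json (lockfileVersion 1, as written by npm 6.x).
# Package names and versions other than mem are sample values, not taken from the question.
LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "os-locale": {
      "version": "2.1.0",
      "requires": {"mem": "^1.1.0"},
      "dependencies": {
        "mem": {"version": "1.1.0", "requires": {"mimic-fn": "^1.0.0"}}
      }
    },
    "mem": {"version": "4.0.0", "requires": {"map-age-cleaner": "^0.1.1"}},
    "yargs": {"version": "11.1.0", "requires": {"os-locale": "^2.0.0"}}
  }
}
""")

FIXED_IN = (4, 0, 0)  # the advisory says mem is affected before version 4.0.0


def parse_version(v):
    """Turn 'x.y.z' into a comparable tuple; pre-release tags are ignored (assumption)."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def find_package(deps, name, path=()):
    """Walk the nested 'dependencies' tree the way `npm ls <name>` does.
    Yields (install_path, version) for every installed copy of `name`."""
    for dep_name, info in deps.items():
        here = path + (dep_name,)
        if dep_name == name:
            yield here, info["version"]
        # a nested copy lives under its parent's own "dependencies" key
        yield from find_package(info.get("dependencies", {}), name, here)


def affected_copies(lock, name="mem", fixed_in=FIXED_IN):
    """Return [(node_modules path, version)] for copies of `name` older than `fixed_in`.
    The first path element is the top-level entry to pass to `npm update`."""
    hits = []
    for path, version in find_package(lock["dependencies"], name):
        if parse_version(version) < fixed_in:
            hits.append(("/".join("node_modules/" + p for p in path), version))
    return hits


if __name__ == "__main__":
    for location, ver in affected_copies(LOCK):
        print(f"mem@{ver} installed at {location}; try: npm update {location.split('/')[1]}")
```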
