You should be able to use npm update to achieve what you want here. What to do is slightly different depending on whether you are using npm 7.x or npm 6.x. I'm using 7.x, so that's what I show below.
Let's say npm audit produces output like this:
# npm audit report
minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix`
node_modules/extract-zip/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/extract-zip/node_modules/mkdirp
extract-zip <=1.6.7
Depends on vulnerable versions of mkdirp
node_modules/extract-zip
3 low severity vulnerabilities
To address all issues, run:
npm audit fix
This is indicating that we need to update minimist, mkdirp, and extract-zip.
Let's do npm ls to get an idea of what versions and dependencies we're dealing with.
$ npm ls minimist mkdirp extract-zip
scrape-text@1.0.0 /Users/trott/ucsf-ckm/scrape-text
├─┬ puppeteer@2.1.1
│ └─┬ extract-zip@1.6.7
│ └─┬ mkdirp@0.5.1
│ └── minimist@0.0.8
└─┬ semistandard@14.2.0
├─┬ eslint@6.4.0
│ ├─┬ file-entry-cache@5.0.1
│ │ └─┬ flat-cache@2.0.1
│ │ └─┬ write@1.0.3
│ │ └── mkdirp@0.5.3 deduped
│ └─┬ mkdirp@0.5.3
│ └── minimist@1.2.5 deduped
└─┬ standard-engine@12.0.0
└── minimist@1.2.5
$
Because the colorizing is kind of important, here's a screenshot of that last one:

Let's see what happens if we run npm update minimist to just update that package. Let's use npm ls minimist to see if anything changed. (You can also see if your package-lock.json file changed and do a diff.)
$ npm ls minimist
scrape-text@1.0.0 /Users/trott/ucsf-ckm/scrape-text
├─┬ puppeteer@2.1.1
│ └─┬ extract-zip@1.6.7
│ └─┬ mkdirp@0.5.1
│ └── minimist@0.0.8
└─┬ semistandard@14.2.0
├─┬ eslint@6.4.0
│ └─┬ mkdirp@0.5.3
│ └── minimist@1.2.5 deduped
└─┬ standard-engine@12.0.0
└── minimist@1.2.5
$
Nope, no change. We still have the same versions we had before. OK, let's try the next one, which would be mkdirp.
$ npm update mkdirp
changed 1 package, and audited 244 packages in 1s
3 low severity vulnerabilities
To address all issues, run:
npm audit fix
Run `npm audit` for details.
$
That "changed 1 package" seems promising. Let's see what that did:
$ npm ls mkdirp
scrape-text@1.0.0 /Users/trott/ucsf-ckm/scrape-text
├─┬ puppeteer@2.1.1
│ └─┬ extract-zip@1.6.7
│ └── mkdirp@0.5.1
└─┬ semistandard@14.2.0
└─┬ eslint@6.4.0
├─┬ file-entry-cache@5.0.1
│ └─┬ flat-cache@2.0.1
│ └─┬ write@1.0.3
│ └── mkdirp@0.5.5 deduped
└── mkdirp@0.5.5
That updated mkdirp to 0.5.5. You can test that out and see if things still work.
If you now do npm update extract-zip, that will result in a clean npm audit run.
Hopefully, this gives you an idea of how to update the packages one at a time without modifying package.json in the process. Good luck!
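
The package-lock.json diff mentioned in the answer, as an added example that is not part of the original answer: it compares two lockfile snapshots in the npm 7 format (lockfileVersion 2, a `packages` map keyed by install path) and lists every installed copy of the named packages with its version before and after. The sample lockfile data is constructed to resemble the tree shown above, and `nameOf` and `lockDiff` are hypothetical helper names.

```javascript
// Constructed sample data: trimmed "packages" maps modelled on the npm ls tree above.
const before = {
  lockfileVersion: 2,
  packages: {
    "": { name: "scrape-text", version: "1.0.0" },
    "node_modules/extract-zip": { version: "1.6.7" },
    "node_modules/extract-zip/node_modules/mkdirp": { version: "0.5.1" },
    "node_modules/extract-zip/node_modules/minimist": { version: "0.0.8" },
    "node_modules/mkdirp": { version: "0.5.3" },
    "node_modules/minimist": { version: "1.2.5" },
  },
};
// Snapshot after `npm update mkdirp`: only the hoisted copy moves (constructed).
const after = JSON.parse(JSON.stringify(before));
after.packages["node_modules/mkdirp"].version = "0.5.5";

// The package name is whatever follows the last "node_modules/" in the install path.
// Returns null for entries that are not under node_modules (root, workspaces).
function nameOf(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx < 0 ? null : installPath.slice(idx + marker.length);
}

// List every installed copy of the named packages with old and new versions,
// so a nested vulnerable copy that did not move is visible next to one that did.
function lockDiff(oldLock, newLock, names) {
  const wanted = new Set(names);
  const oldPk = oldLock.packages || {};
  const newPk = newLock.packages || {};
  const paths = new Set([...Object.keys(oldPk), ...Object.keys(newPk)]);
  const rows = [];
  for (const p of [...paths].sort()) {
    if (!wanted.has(nameOf(p))) continue;
    const from = oldPk[p] ? oldPk[p].version : null; // null: not installed before
    const to = newPk[p] ? newPk[p].version : null;   // null: removed afterwards
    rows.push({ path: p, from, to, changed: from !== to });
  }
  return rows;
}

for (const r of lockDiff(before, after, ["minimist", "mkdirp", "extract-zip"])) {
  console.log(`${r.changed ? "CHANGED  " : "unchanged"} ${r.path}: ${r.from} -> ${r.to}`);
}
```

On a real project, load the two snapshots with `JSON.parse(fs.readFileSync(...))`, for example the committed lockfile and the one in the working tree after running the update.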