Skip to content
/ howto-npm-audit-vulnerabilities Public

How to fix vulnerabilities in npm packages when npm audit fix doesn't work

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

haugseth/howto-npm-audit-vulnerabilities

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

How to fix vulnerabilities in npm packages

Changelog

  • 20210901 - Updated with advice from Stack Overflow, first do a sanity check (source at end of document)

Description

After running npm install lite-server the installation reported 1 high severity vulnerability found in one or more of the dependencies.

Sanity check

  • Do a sanity check
  • In case it's a real problem, check the repository of vulnerable package for existing issues and PRs
  • In case there's none, submit an issue
  • Fork a repository or use use existing PR as git dependency until it's fixed in NPM release
  • In case of nested dependencies, do this at several levels of nesting
  • Most times it's expected that you won't advance beyond a sanity check.

Simple fix

$ npm audit fix

Manual fix

When running a simple npm audit fix doesn't work, and there are still vulnerabilites, add this to your package.json, where packagename is the package with the vulnerability, and ^0.0.0 is the version suggested by the npm audit tool.

  "resolutions": {
    "packagename": "^0.0.0"
  }

After this, run the following command to fix the dependency.

$ npx npm-force-resolutions

The vulnerability should be fixed!

Source

About

How to fix vulnerabilities in npm packages when npm audit fix doesn't work

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published