Fixing security vulnerabilities in npm

November 15, 2021

Problem

found 20 vulnerabilities (14 moderate, 5 high, 1 critical) run `npm audit fix` to fix them, or `npm audit` for details

Solution


1. npm update
  • Run npm update
  • Delete your package-lock.json file
  • run npm install again

This should upgrade your dependencies, and hopefully the libraries will have updated the transitive dependencies that contained the vulnerabilities.

2. Resolutions

If you must update a nested dependency and updating the top-level dependency does not fix your issue, you can force the installation of a specific version of a transitive dependency. However, this should only be used as a last resort.

  • Run npm audit

(npm audit output)

In the npm audit output we can see that react-scripts depends on react-dev-utils, which depends on immer, which contains the vulnerability. Also, notice that npm audit tells us which version this vulnerability was patched in: Patched in >= 9.0.6.

  • We can then either run npm install immer --save-dev, or install only the patched version with npm install immer@9.0.6 --save-dev

  • After that, add a resolutions key to your package.json file:

{
  "resolutions": {
    "immer":"^9.0.6"
  }
}
  • We then also need to install the npm-force-resolutions package (npm i npm-force-resolutions) and add the following to scripts in package.json:
"scripts": {
  "preinstall": "npx npm-force-resolutions"
}
  • Run npm install and that should do it. You can verify the version by running npm ls immer.

⚠️ You should test and verify that these changes did not break your application.

© 2022, Built by Ron Pruitt using Gatsby