Problem
found 20 vulnerabilities (14 moderate, 5 high, 1 critical) run `npm audit fix` to fix them, or `npm audit` for details
Solution
1. npm update
- Run npm update
- Delete your package-lock.json file
- Run npm install again
npm update only moves direct dependencies within the semver ranges declared in package.json; deleting the lockfile and reinstalling makes npm re-resolve the transitive dependencies from scratch, so with luck the libraries you depend on have already moved to patched versions of their own dependencies. Re-run npm audit afterwards to confirm, and review the diff of the regenerated package-lock.json before committing it, since regenerating the lockfile can change many unrelated versions at once.
2. Resolutions
If you must update a nested dependency and updating the top-level dependency does not fix your issue, you can force the installation of a specific version of a transitive dependency. However, this should only be used as a last resort: the parent package was not tested against the version you force, so it can break at runtime even though npm audit is happy. Note that the resolutions key is a Yarn convention that npm itself ignores, which is why the npm-force-resolutions package is needed below; on npm 8.3 and later the built-in overrides field in package.json does the same job without the extra package.
- Run npm audit. In the report we can see that react-scripts has a dependency on react-dev-utils, which has a dependency on immer, which contains the vulnerability. Also notice that npm audit tells us which version this vulnerability was patched in: "Patched in >= 9.0.6".
- We then can either run npm install immer --save-dev (which installs the latest release) or install only the patched version: npm install immer@9.0.6 --save-dev. On its own this only adds a top-level copy of immer; the copy nested under react-dev-utils stays where it is unless react-dev-utils' declared version range already allows 9.0.6, which is why the next step is needed.
- After that add a resolutions key to your package.json file:
{
  "resolutions": {
    "immer": "^9.0.6"
  }
}
- We then also need to install the npm-force-resolutions package (npm i npm-force-resolutions) and add the following to scripts in package.json:
"scripts": {
  "preinstall": "npx npm-force-resolutions"
}
npm-force-resolutions rewrites package-lock.json so that the versions listed under resolutions are used; running it from the preinstall hook means every npm install applies the rewrite before packages are fetched.
- Run npm install and that should do it. You can verify the version by running npm ls immer: every copy it lists, including the one nested under react-dev-utils, should now be at 9.0.6 or later, and npm audit should no longer report the advisory.
You should test and verify these changes did not break your application, since a forced transitive dependency may not be the version its parent package was written against.
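The verification step above can be automated. The following is an added example, not code from the original post or from npm: it walks the tree that npm ls immer --json prints, lists every installed copy of a package with its path, flags any copy below the version npm audit reported as patched, and applies the resolutions/preinstall edit to a package.json object. The three trees and the package versions in them are constructed samples in the shape npm prints, not real release data.

```javascript
// Added example (not from the original post). Checks every copy of a
// transitive dependency in `npm ls <pkg> --json` output against the
// "Patched in" version from npm audit, and builds the package.json edit.
// All trees below are constructed samples; versions are illustrative.

// Parse "major.minor.patch" (prerelease/build suffixes are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version v is >= min, comparing numerically per component.
function versionAtLeast(v, min) {
  const a = parseVersion(v);
  const b = parseVersion(min);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Recursively collect every node named `name` in an `npm ls --json` tree.
// Nodes without a version field carry no installed version and are skipped.
function findCopies(tree, name, path = [], out = []) {
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name && node.version) {
      out.push({ path: here.join(' > '), version: node.version });
    }
    findCopies(node, name, here, out);
  }
  return out;
}

// Copies of `name` still below `patchedIn`; an empty list means the fix took.
function unpatchedCopies(tree, name, patchedIn) {
  return findCopies(tree, name).filter((c) => !versionAtLeast(c.version, patchedIn));
}

// Return a new package.json object with the resolutions entry and the
// preinstall hook described in the post (the input object is not mutated).
function addResolution(pkg, name, range) {
  const out = JSON.parse(JSON.stringify(pkg));
  out.resolutions = { ...(out.resolutions || {}), [name]: range };
  out.scripts = { ...(out.scripts || {}), preinstall: 'npx npm-force-resolutions' };
  return out;
}

// Constructed `npm ls immer --json` output before any fix: the only copy of
// immer is nested under react-scripts > react-dev-utils at a vulnerable version.
const lsBefore = {
  name: 'my-app',
  version: '0.1.0',
  dependencies: {
    'react-scripts': {
      version: '4.0.0',
      dependencies: {
        'react-dev-utils': {
          version: '11.0.0',
          dependencies: { immer: { version: '8.0.1' } },
        },
      },
    },
  },
};

// Constructed output after only `npm install immer@9.0.6 --save-dev`: a
// patched top-level copy exists, but the nested vulnerable copy remains.
const lsTopLevelOnly = JSON.parse(JSON.stringify(lsBefore));
lsTopLevelOnly.dependencies.immer = { version: '9.0.6' };

// Constructed output after the resolutions step: the nested copy is forced
// to the patched version as well.
const lsResolved = JSON.parse(JSON.stringify(lsTopLevelOnly));
lsResolved.dependencies['react-scripts'].dependencies['react-dev-utils']
  .dependencies.immer.version = '9.0.6';

// Summarise all three stages: label -> list of still-vulnerable copies.
function reportAll(name, patchedIn) {
  const stages = { lsBefore, lsTopLevelOnly, lsResolved };
  const report = {};
  for (const [label, tree] of Object.entries(stages)) {
    report[label] = unpatchedCopies(tree, name, patchedIn);
  }
  return report;
}

console.log(JSON.stringify(reportAll('immer', '9.0.6'), null, 2));
console.log(JSON.stringify(addResolution({ name: 'my-app' }, 'immer', '^9.0.6'), null, 2));
```

To use it on a real project, replace the constructed trees with the parsed output of npm ls immer --json and the parsed contents of package.json; the middle stage is the one that catches the common mistake of installing the patched version at top level and assuming the nested copy went away.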