Resolving NPM security vulnerabilities
# NPM audit
# NPM outdated
See https://docs.npmjs.com/cli/v8/commands/npm-outdated. This lists which packages are outdated and the version npm wants to update each one to. Note that the "Wanted" version respects the dependency version notation specified in package.json, so a package pinned to a narrow range will not be "wanted" at a newer major version. See the dependency docs for more on this notation.
npm outdated some-package
# NPM ls
npm ls some-package shows where a package sits in the dependency tree (i.e., at what depth, and under which top-level package).
# NPM update
# NPM view
npm view some-package dist-tags
You can use dist-tags to install specific versions:
npm install some-package@some-dist-tag
See also https://stackoverflow.com/a/40643555
# The process step-by-step
Make sure the test suite output doesn't spew a bunch of noise like warnings, unhandled exceptions, console logs, etc. Clean these up first so it is obvious when an issue has occurred due to a package update.
NOTE: run the JS unit tests after each package update
- You may want to let npm update the dependencies that don’t require manual
npm audit fix
- Manually update the top-level packages one by one. The vulnerability is in one of their dependencies and may be resolved by a newer version of the top-level package. Check with:
npm outdated some-package
- Find the "Wanted" version.
- Change the version in package.json to the "Wanted" version.
- Run npm install to update that package.
That may not work to resolve a dependency of a dependency at whatever depth it sits. Try to update that dependency manually with:
npm update some-dependency-of-a-dependency --depth 5 (npm v6)
This probably won't work. If it could have, it would already have been updated as part of npm audit fix. So, instead, dig into package-lock.json and see if there is any dependency that might prevent the update. If it looks OK, delete all instances of the package where it is listed under
npm install. See this SO post for a nice explanation.
- If the vulnerability still exists after step 4…
- Once you’ve gone as far as you can go, build the app and run all the tests.
- Then smoke test in a staging environment
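The "dig into package-lock.json" step above can be scripted. The following is an added example, not part of the original notes: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json, lists every installed copy of a package with its depth in the tree (the same information npm ls gives), and flags copies still below the version that fixes the issue. The lockfile, the package names (some-package, top-level-pkg) and the versions are constructed for the example.

```javascript
// Added example: find every installed copy of a package in a lockfileVersion 2/3
// package-lock.json and flag copies older than a known fixed version.
// Assumed (constructed) lockfile; keys follow npm's "node_modules/a/node_modules/b" layout.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/top-level-pkg": { version: "2.3.0" },
    "node_modules/some-package": { version: "4.17.21" },
    // nested duplicate that npm audit fix / npm update may leave behind
    "node_modules/top-level-pkg/node_modules/some-package": { version: "4.17.15" },
  },
};

// "1.2.3-beta" -> [1, 2, 3]; prerelease tags are ignored for this comparison.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// true when version a >= version b (major, minor, patch compared numerically)
function versionAtLeast(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) > (pb[i] || 0);
  }
  return true;
}

// Depth 1 = top-level dependency; deeper entries are nested copies under another package.
function findInstances(lock, name, fixedVersion) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const segs = path.split("node_modules/").filter(Boolean);
    // the last segment is the installed package (scoped names keep "@scope/name")
    if (segs.length === 0 || segs[segs.length - 1].replace(/\/$/, "") !== name) continue;
    out.push({ path, depth: segs.length, version: meta.version,
               vulnerable: !versionAtLeast(meta.version, fixedVersion) });
  }
  return out.sort((a, b) => a.depth - b.depth);
}

// Human-readable report, one line per installed copy.
function report(lock, name, fixedVersion) {
  return findInstances(lock, name, fixedVersion).map(
    (i) => `${i.vulnerable ? "VULNERABLE" : "ok"} ${name}@${i.version} depth ${i.depth} at ${i.path}`);
}

console.log(report(sampleLock, "some-package", "4.17.21").join("\n"));
```

A copy reported at depth 2 or more is the "dependency of a dependency" case from the notes: updating the top-level package, or removing the nested entry from package-lock.json and reinstalling, is what lets npm dedupe it to the fixed version.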