As you know, Dependabot gives us potential security vulnerabilities in a dependency in yarn.lock or package-lock.json.
Actually the problem is, there is nothing good for learning how to fix this. If we search how, there are so many different ways to do it, sometimes working, sometimes not. I find a lot of topics about this because a lot of people like me don't really understand how to fix a vulnerability.
Do we have to replace by hand in all the files with the correct version?
For example npm audit fix sometimes upgrades the package, sometimes not.
If we do npm install packageName the new package version appears but the old one doesn't disappear, so the alert is still there on GitHub.
And what about yarn?
In this GitHub project https://github.com/samuel3105/react-native-animated-tabBar, I have this:
Thanks for answers.
It is highly recommended you commit the generated package lock to source control: this will allow anyone else on your team, your deployments, your CI/continuous integration, and anyone else who runs npm install in your package source to get the exact same dependency tree that you were developing on.
Dependabot opened a pull request: Bump lodash from 4.17.15 to 4.17.19 #1
Normally upon a bug being discovered the package authors will fix it and release a new version. Dependabot is telling you to bump your version to fix a potential vulnerability as the authors of lodash have released a fix. You can merge the pull request from Dependabot and run npm install in all of your development environments.
Alternatively, if a bleeding edge vulnerability is discovered and the maintainers of a package (lodash) have not yet released a patch (and you know a fix), you can use something like patch-package.
"the new package version appears but the old doesn't disappear" was mentioned. If the version in the package.json corresponds to a patched working version and issues continue, double check your node_modules folder: it could still have the old version and not have updated. There may also be a *.lock file indicating a pinned version (we are using this version). Ensure that both of those resources are pointing to the up to date version of the package.
EDIT: I just peeked into the yarn.lock file of the linked repo and noticed the version lodash "^4.17.13"
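A small check for the situation the answer describes, where package.json has been bumped but a lock file still pins an old copy, as an added example that is not part of the original answer. The lock contents below are constructed to mirror the question (a caret range still resolving to lodash 4.17.15), and the helper names are the example's own.

```python
# Added example, not from the question or answer: list every resolved copy of a
# package in yarn.lock and package-lock.json (lockfileVersion 1) and flag copies
# older than the version carrying the fix. Lock contents below are constructed.
import json
import re

def parse_version(v):
    """'4.17.19' -> (4, 17, 19); any pre-release suffix is ignored for this check."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))

def is_patched(resolved, fixed_in):
    """True when the resolved version is at least the version that ships the fix."""
    return parse_version(resolved) >= parse_version(fixed_in)

def yarn_lock_versions(text, name):
    """Map each yarn.lock selector of `name` (e.g. 'lodash@^4.17.13') to its resolved version."""
    found, current = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.rstrip().endswith(":"):
            selectors = [s.strip().strip('"') for s in line.rstrip().rstrip(":").split(",")]
            current = [s for s in selectors if s.rsplit("@", 1)[0] == name]
        elif current:
            m = re.match(r'\s+version "([^"]+)"', line)
            if m:
                for sel in current:
                    found[sel] = m.group(1)
                current = None
    return found

def package_lock_versions(text, name):
    """Collect every resolved version of `name`, including nested copies."""
    versions = set()
    def walk(deps):
        for dep, info in deps.items():
            if dep == name:
                versions.add(info["version"])
            walk(info.get("dependencies", {}))
    walk(json.loads(text).get("dependencies", {}))
    return versions

def unpatched_copies(yarn_text, npm_text, name, fixed_in):
    """Every lock entry still resolving to a version older than the fix."""
    resolved = set(yarn_lock_versions(yarn_text, name).values()) | package_lock_versions(npm_text, name)
    return sorted(v for v in resolved if not is_patched(v, fixed_in))

# Constructed samples: yarn.lock pins 4.17.15 for both ranges; package-lock has a nested old copy.
YARN_LOCK = 'lodash@^4.17.13, lodash@^4.17.15:\n  version "4.17.15"\n  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz"\n'
PACKAGE_LOCK = json.dumps({"lockfileVersion": 1, "dependencies": {
    "lodash": {"version": "4.17.19"},
    "some-lib": {"version": "1.0.0", "dependencies": {"lodash": {"version": "4.17.15"}}}}})

if __name__ == "__main__":
    print(unpatched_copies(YARN_LOCK, PACKAGE_LOCK, "lodash", "4.17.19"))  # ['4.17.15']
```

Run it against the real lock files in your repo after merging the Dependabot pull request; an empty list means no pinned copy is left behind.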