Alerts security Github - what is the correct way to fix vulnerability in yarn.lock/package-lock.json

As you know, Dependabot tells us about a potential security vulnerability in a dependency in yarn.lock or package-lock.json.

Actually the problem is, there is no good way to learn how to fix this. If we search for how, there are so many different ways to do it, sometimes working, sometimes not. I found a lot of threads about this because a lot of people like me don't really understand how to fix a vulnerability.

Do we have to replace the version by hand in all the files? For example, npm audit fix sometimes upgrades the package, sometimes not. If we do npm install packageName, the new package version appears but the old one doesn't disappear, so the alert is still there on GitHub.

And what about yarn?

In this Github project https://github.com/samuel3105/react-native-animated-tabBar, I have this:

(screenshot of the Dependabot alert, not reproduced here)

Thanks for answers.

samuel asked Jul 21 '20 08:07




1 Answer

Dependabot opened a pull request Bump lodash from 4.17.15 to 4.17.19 #1

Normally, upon a bug being discovered, the package authors will fix it and release a new version. Dependabot is telling you to bump your version to fix a potential vulnerability, as the authors of lodash have released a fix. You can merge the pull request from Dependabot and run npm install in all of your development environments.

Alternatively, if a bleeding-edge vulnerability is discovered and the maintainers of a package (lodash) have not yet released a patch (and you know a fix), you can use something like patch-package.

"the new package version appears but the old one doesn't disappear" was mentioned. If the version in package.json corresponds to a patched, working version and the issues continue, double-check your node_modules folder: it could still have the old version and not have updated. There may also be a *.lock file indicating a pinned version ("we are using this version"). Ensure that both of those resources are pointing to the up-to-date version of the package.

EDIT: I just peeked into the yarn.lock file of the linked repo and noticed the version lodash "^4.17.13"

MaxGDN answered Sep 27 '22 20:09
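The answer's last point, that the lock file can still pin an old copy even after package.json is bumped, is the one that keeps the GitHub alert open. The script below is an added example (not code from the question, the answer, or the linked repo) that reads a yarn.lock (v1 format) or a package-lock.json and lists every resolved copy of a package whose version is still below the patched release, including nested copies pulled in by other dependencies. The two lock-file fragments embedded in it are constructed for illustration, with placeholder hashes; `auditLockText`, `parseYarnLock`, `parsePackageLock` and `compareVersions` are names chosen for this example.

```javascript
// Added example: find every resolved copy of a package in a lock file that is
// still below the patched version (the case Dependabot keeps flagging).

// Minimal semver comparison on major.minor.patch; prerelease/build tags are dropped.
function compareVersions(a, b) {
  const pa = a.replace(/[-+].*$/, '').split('.').map(Number);
  const pb = b.replace(/[-+].*$/, '').split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// yarn.lock v1: an entry starts at column 0 with one or more "name@range"
// selectors ending in ':', followed by an indented `version "x.y.z"` line.
function parseYarnLock(text) {
  const entries = []; // { name, version }
  let currentNames = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      currentNames = line.slice(0, -1).split(',').map(s => {
        const sel = s.trim().replace(/^"|"$/g, '');
        // The name is everything before the last '@' (works for @scope/name too).
        return sel.slice(0, sel.lastIndexOf('@'));
      });
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"/);
    if (m && currentNames) {
      for (const name of new Set(currentNames)) entries.push({ name, version: m[1] });
      currentNames = null;
    }
  }
  return entries;
}

// package-lock.json: lockfileVersion 2/3 list packages by install path under
// "packages"; lockfileVersion 1 nests them under "dependencies".
function parsePackageLock(text) {
  const lock = JSON.parse(text);
  const entries = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      const idx = path.lastIndexOf('node_modules/');
      const name = idx === -1 ? (info.name || path) : path.slice(idx + 'node_modules/'.length);
      entries.push({ name, version: info.version });
    }
  } else if (lock.dependencies) {
    const walk = deps => {
      for (const [name, info] of Object.entries(deps || {})) {
        entries.push({ name, version: info.version });
        walk(info.dependencies); // nested copies live under their parent
      }
    };
    walk(lock.dependencies);
  }
  return entries;
}

// Versions of `pkg` resolved in the lock text that are still below `fixedVersion`.
function auditLockText(text, pkg, fixedVersion) {
  const entries = text.trimStart().startsWith('{') ? parsePackageLock(text) : parseYarnLock(text);
  return entries
    .filter(e => e.name === pkg && compareVersions(e.version, fixedVersion) < 0)
    .map(e => e.version);
}

// Constructed yarn.lock fragment: package.json was bumped (the 4.17.19 entry),
// but two older ranges still resolve to a pinned 4.17.15 copy.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"lodash@^4.17.13", lodash@^4.17.15:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#PLACEHOLDER-HASH"
  integrity sha512-PLACEHOLDER

lodash@4.17.19:
  version "4.17.19"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.19.tgz#PLACEHOLDER-HASH"
  integrity sha512-PLACEHOLDER
`;

// Constructed package-lock.json (lockfileVersion 2): the top-level lodash is
// fixed, but a dependency carries its own nested, still-vulnerable copy.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { lodash: '^4.17.19' } },
    'node_modules/lodash': { version: '4.17.19' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { lodash: '4.17.15' } },
    'node_modules/some-lib/node_modules/lodash': { version: '4.17.15' },
  },
});

for (const [label, text] of [['yarn.lock', SAMPLE_YARN_LOCK], ['package-lock.json', SAMPLE_PACKAGE_LOCK]]) {
  const stale = auditLockText(text, 'lodash', '4.17.19');
  console.log(`${label}: ${stale.length ? 'still resolves lodash ' + stale.join(', ') : 'clean'}`);
}
```

Both samples report `4.17.15`, which is exactly why a Dependabot alert survives an `npm install packageName`: the new version is added, but an old pinned or nested copy stays in the lock file. To run it against a real project, pass the contents of your own yarn.lock or package-lock.json to `auditLockText` (for example via `fs.readFileSync`), with the package name and fixed version taken from the alert; an empty result means the lock file no longer resolves any vulnerable copy, and a non-empty one tells you which nested dependency still needs an upgrade or an explicit resolution.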