How do I exclude insecure package.json transient dependencies?

I have a package.json that gives a load of security warnings. Looking at the first critical item I see its [email protected] which hasn't been updated for five years. Looking at npm ll it is included by [email protected] where I am using the latest that was updated about two weeks ago.

I would like to remove the insecure dependencies. In the Java world the maven package manager lets you exclude certain transitive dependencies. Ideally, with npm or another node package manager, I should be able to exclude dependencies with vulnerabilities. Then I can retest that my app works and not see any security errors. Is there a way to quickly exclude anything that has a security vulnerability from my package.json? If there isn't a way to do this, what approaches can I take to ensure that no insecure packages are used by my application?

Update: Although "npm": "^6.5.0" is specified in the package.json I was building it with an older npm which was picking up the critical issue mentioned above. I fixed all the issues with ./node_modules/.bin/npm audit fix --force

simbo1905 asked Nov 07 '22 22:11

1 Answer

By definition, you can't exclude a package that a dependency you are using relies on. In other words, if you require package A, and package A claims it is dependent on package B, then removing package B will cause A to either stop working altogether or begin behaving erratically.

Unfortunately this does happen, and your options include:

  1. Ignoring the security warning.
  2. Replacing package A with something else (applies in some cases and not others).
  3. Asking the maintainer of package A to upgrade the version of package B they rely on, possibly opening a pull request yourself.

In your case, though, I'm not sure if your investigation is complete yet - I don't see open in npm's dependency list. Might be worth scrapping your node_modules and re-running npm install, then check again to see who is using open.

Elliot Nelson answered Nov 14 '22 02:11
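The answer's last step, working out "who is using open", is the part worth automating: once you know which direct dependency drags in the flagged transitive package, you can apply option 2 or 3 to that one package rather than to the whole tree. The script below is an added example, not code from the question or the answer. It reads the JSON that `npm ls --json` prints (on npm 7+ add `--all` to get the full tree) and lists every dependency chain ending in a named package. The tree here is a constructed sample: the package names `example-cli`, `example-util`, `example-web` and all versions are made up, and the "affected if below 1.0.0" predicate stands in for whatever range the real advisory names.

```javascript
// Added example: find which direct dependencies pull in a flagged transitive
// package, using the tree shape that `npm ls --json` prints.

// Constructed sample in the shape of `npm ls --json` output. Every package
// name except `open` (the one the answer mentions) and every version number
// is invented for illustration.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "example-cli": {
      version: "2.1.0",
      dependencies: {
        open: { version: "0.0.5" },
        "example-util": { version: "1.4.2" },
      },
    },
    "example-web": {
      version: "3.0.1",
      dependencies: {
        "example-util": {
          version: "1.4.2",
          dependencies: { open: { version: "0.0.5" } },
        },
      },
    },
    // A direct, up-to-date copy of the same package: not a problem, so it
    // must not be reported when an affected-range predicate is supplied.
    open: { version: "8.4.0" },
  },
};

// Walk the tree depth-first and collect "name@version" chains that end in
// `target`. `isAffected` lets you restrict the report to the versions the
// advisory actually covers; by default every version is reported.
function findDependencyPaths(tree, target, isAffected = () => true) {
  const results = [];
  function walk(node, path) {
    const deps = node.dependencies || {}; // deduped leaves have no children
    for (const [name, child] of Object.entries(deps)) {
      const here = [...path, `${name}@${child.version}`];
      if (name === target && isAffected(child.version)) {
        results.push(here);
      }
      walk(child, here);
    }
  }
  walk(tree, []);
  return results;
}

// The first element of each chain is the dependency you control in
// package.json. The unique, sorted set is your to-do list: update it, replace
// it, or open a pull request against it (the answer's options 2 and 3).
function topLevelOffenders(tree, target, isAffected) {
  const tops = findDependencyPaths(tree, target, isAffected).map((p) => p[0]);
  return [...new Set(tops)].sort();
}

// Constructed affected-range check: "every release below 1.0.0". Substitute
// the range from the real advisory (a semver library does this properly).
function belowOneDotZero(version) {
  return Number(version.split(".")[0]) < 1;
}

// Usage: replace SAMPLE_TREE with the parsed output of `npm ls --json`.
for (const chain of findDependencyPaths(SAMPLE_TREE, "open", belowOneDotZero)) {
  console.log(chain.join(" > "));
}
console.log("act on:", topLevelOffenders(SAMPLE_TREE, "open", belowOneDotZero));
```

With the sample tree this reports two chains, both ending in `open@0.0.5`, and tells you that `example-cli` and `example-web` are the packages to act on, while the direct `open@8.4.0` is correctly left alone. Run it after a clean `rm -rf node_modules && npm install`, as the answer advises, so the tree reflects what your lockfile actually resolves to.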