How to fix manual npm audit packages that require manual review

Tags:

npm

npm-audit

I recently pushed an update on our site to our server, which somehow caused it to become infected and a bunch of our files to get corrupted, users to start getting redirected to random sites, etc. Apparently this was caused by one of our dependencies. I am using npm to manage our site's dependencies and have recently learned about npm audit. Whenever I run npm audit there are 15 vulnerabilities that require manual review, and I have tried fixing them by updating to the versions suggested in the More info section of each one on the report, but the vulnerability still persists when I run npm audit. I tried updating the version in the relevant packages in the Path section of the report and it still persists when I run npm audit. I obviously don't want to upload files with vulnerabilities again and ruin all of the sites on our server; I am just very unsure how to fix these security vulnerabilities that come up with npm audit.

For example, here is the only high risk showing up on the report:

High          │ Regular Expression Denial of Service
Package       │ tough-cookie
Patched in    │ >=2.3.3
Dependency of │ gulp-uncss [dev]
Path          │ gulp-uncss > uncss > request > tough-cookie
More info     │ https://nodesecurity.io/advisories/525

When I update the package to >= 2.3.3 in my package.json as well as in request then run npm audit the vulnerability still persists. Any idea how to fix this/fix the vulnerability?

user5489654 asked Sep 17 '18 18:09



1 Answer

It may be late but better than never. I'm just a novice with > 2 years in the Node.js field and have met lots of audit warnings too, and here is how I handle those vulnerabilities that require manual review.

First, you must understand that those vulnerabilities requiring manual review are not in the versions of the packages you install and call directly in your code. They come from the dependencies those packages call. In your situation, you use the package "gulp-uncss", and inside the code of "gulp-uncss" it calls another dependency of its own named "tough-cookie". The package you install manages its own dependencies, which is not affected by you updating to a newer or older version of the dependency. You may update the package "tough-cookie" to >= 2.3.3, but "gulp-uncss" will always call "tough-cookie" with version < 2.3.3.

So you have two options for what you can do:

  • Dump that package and use another one with a similar task and no vulnerability.
  • Fork the repo of that package, make the change and create a pull request, wait for the pull request to be accepted, and you will be able to use that package without the vulnerability after updating to the new version that incorporates the pull request you made.
Đậu Phụ Rán answered Oct 04 '22 04:10
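The answer's point is that the copy of "tough-cookie" npm audit complains about is a nested one that belongs to a transitive dependency, not the one you pin yourself. The script below, added here as an example that is not part of the question or the answer, walks a package-lock.json "packages" map (lockfile v2/v3 layout) to show every installed copy of a flagged package with its nesting chain and whether it meets the report's "Patched in" floor; the lockfile contents and the function names are constructed for this example.

```javascript
// Added example, not from the question or answer above: walk an npm
// package-lock.json (lockfileVersion 2/3 "packages" map), list every installed
// copy of the package "npm audit" flagged, check each against the report's
// "Patched in" floor, and print the nesting chain like the report's "Path" row.
// The lockfile below is constructed for this example; names mirror the report.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "our-site", devDependencies: { "gulp-uncss": "^1.0.0" } },
    "node_modules/tough-cookie": { version: "2.4.3" }, // hoisted copy, patched
    "node_modules/gulp-uncss": { version: "1.0.6", dev: true },
    "node_modules/gulp-uncss/node_modules/uncss": { version: "0.16.0", dev: true },
    "node_modules/gulp-uncss/node_modules/uncss/node_modules/request": { version: "2.81.0", dev: true },
    // request pins an older tough-cookie range, so npm nests a second, unpatched
    // copy beneath it; updating the hoisted copy above does nothing for this one.
    "node_modules/gulp-uncss/node_modules/uncss/node_modules/request/node_modules/tough-cookie": { version: "2.3.2", dev: true }
  }
};

// Numeric "major.minor.patch" comparison; prerelease tags are ignored.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// One entry per installed copy of `pkg`: audit-style path, version, and
// whether it satisfies the ">= minPatched" range from the report.
function auditPaths(lock, pkg, minPatched) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (!key.endsWith("node_modules/" + pkg)) continue;
    // "node_modules/a/node_modules/b" -> ["a", "b"]
    const chain = key.split("node_modules/").filter(Boolean).map(s => s.replace(/\/$/, ""));
    hits.push({ path: chain.join(" > "), version: meta.version,
                patched: cmpVersion(meta.version, minPatched) >= 0 });
  }
  return hits;
}

// Usage: the nested copy is the one the audit report was pointing at.
for (const r of auditPaths(LOCK, "tough-cookie", "2.3.3")) {
  console.log(`${r.patched ? "ok  " : "VULN"} ${r.version}  ${r.path}`);
}
```

Running it against a real lockfile (load the JSON with fs instead of the constructed LOCK) tells you which copy still needs the upstream package to move, which is the decision the two options above hinge on.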