lodash-cli in devDependencies doesn't affect how browser-sync works in your project; devDependencies are ignored when a package is installed as a dependency.

What the audit report says is that it's easy-extender that has the lodash dependency:

browser-sync > easy-extender > lodash

It depends on Lodash 3, while the problem was fixed in Lodash 4. The problem could be fixed by forking easy-extender, updating it and installing it instead of the package from the NPM public registry. But there is no real problem with this dependency.

The importance of an audit report should be evaluated manually. Even if a nested dependency has a security risk, this doesn't mean that the feature that introduces this risk was used. And even if it's used, this doesn't mean that it introduces a real risk, due to how it's used.

browser-sync is a development tool that isn't used in production; there are not so many scenarios where its vulnerabilities could be exploited. And Prototype Pollution isn't a vulnerability at all, just a notice that a package doesn't follow good practices; it can be ignored.
Generally, this is the way to fix reported vulnerabilities:
Most of the time it's expected that you won't advance beyond a sanity check, and the only problem is that a "vulnerability" clutters the audit report and conceals real vulnerabilities.

patch-package can help to patch nested dependencies in place, but this won't affect the report.

It's possible to force a specific dependency version in a nested dependency in Yarn 1 and 2 with the resolutions field; this will affect the audit report. It may be possible to do this natively in NPM in the future. Currently the alternative in NPM is the third-party npm-force-resolutions utility, which gives less control; currently it forces a resolution for all dependencies, not a specific one.

Notice that by forcing a dependency to use nested dependencies it wasn't designed to work with, it can become broken at any moment. This especially applies to npm-force-resolutions, which is a blunt tool and can affect many nested dependencies at once.
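The manual evaluation the answer above recommends (is the flagged package reachable only through devDependencies, and through which chain?) can be scripted. The following is an added example, not code from the answer or from npm: it joins the `vulnerabilities` map of `npm audit --json` (npm 7 and later, `auditReportVersion: 2`) with the `packages` map of a lockfileVersion 2/3 package-lock.json, where dev-only installs carry `"dev": true`. Both inputs are constructed samples; `hypothetical-prod-lib` and its advisory title are placeholders, not a real package or advisory. In a real repository you would replace the two constants with `JSON.parse` of the audit output and of package-lock.json.

```javascript
// Added example: triage npm audit findings by whether they ship to production.
// Assumes npm >= 7 audit JSON and a lockfileVersion 2/3 package-lock.json.

// Constructed sample of `npm audit --json` for the chain discussed above
// (browser-sync > easy-extender > lodash) plus one placeholder production finding.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: 'lodash',
      severity: 'high',
      isDirect: false,
      via: [{ title: 'Prototype Pollution' }],
      range: '<4.17.12',
      nodes: ['node_modules/easy-extender/node_modules/lodash'],
      fixAvailable: false,
    },
    'hypothetical-prod-lib': {
      name: 'hypothetical-prod-lib', // placeholder name, constructed for this example
      severity: 'moderate',
      isDirect: true,
      via: [{ title: 'Constructed placeholder advisory' }],
      range: '<2.0.0',
      nodes: ['node_modules/hypothetical-prod-lib'],
      fixAvailable: true,
    },
  },
};

// Constructed sample package-lock.json (v2 "packages" map, trimmed to what matters).
// Entries reachable only from devDependencies are marked dev: true by npm.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/browser-sync': { version: '2.26.14', dev: true },
    'node_modules/easy-extender': { version: '2.3.4', dev: true },
    'node_modules/easy-extender/node_modules/lodash': { version: '3.10.1', dev: true },
    'node_modules/hypothetical-prod-lib': { version: '1.4.0' },
  },
};

// "node_modules/a/node_modules/@s/b" -> ["a", "@s/b"]: the nesting chain of a lock path.
function chainFromNode(nodePath) {
  return nodePath
    .split('node_modules/')
    .map((part) => part.replace(/\/$/, ''))
    .filter((part) => part.length > 0);
}

// A finding is dev-only when every installed copy listed in `nodes` is marked
// dev in the lock file. A path missing from the lock is treated as production
// (fail closed) rather than silently ignored.
function isDevOnly(finding, lock) {
  return finding.nodes.every((node) => {
    const entry = lock.packages[node];
    return entry !== undefined && entry.dev === true;
  });
}

// Classify every finding; production findings sort first, then by severity.
function triage(audit, lock) {
  const rank = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };
  return Object.values(audit.vulnerabilities)
    .map((f) => ({
      name: f.name,
      severity: f.severity,
      devOnly: isDevOnly(f, lock),
      chains: f.nodes.map(chainFromNode),
      // `via` mixes advisory objects and plain dependency names; keep the advisories.
      titles: f.via.filter((v) => typeof v === 'object').map((v) => v.title),
      fixAvailable: f.fixAvailable,
    }))
    .sort((a, b) => Number(a.devOnly) - Number(b.devOnly) || rank[a.severity] - rank[b.severity]);
}

// Human-readable summary, one line per finding.
function report(audit, lock) {
  for (const r of triage(audit, lock)) {
    const scope = r.devOnly ? 'dev-only  ' : 'PRODUCTION';
    const paths = r.chains.map((c) => c.join(' > ')).join(', ');
    console.log(`${scope} ${r.severity.padEnd(8)} ${r.name} via ${paths} [${r.titles.join('; ')}] fixAvailable=${r.fixAvailable}`);
  }
}

report(sampleAudit, sampleLock);
```

The dev-only classification answers only the first question from the answer above (is the code shipped?); whether the vulnerable feature is actually reached still has to be checked by reading the consuming package, which is why the script reports the nesting chain rather than a verdict.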
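As an added example of the resolutions approach described above (not taken from the answer or from any project's package.json), this package.json fragment pins the lodash copy nested under easy-extender. The `resolutions` key uses the Yarn 1 nested-path selector; the `overrides` key is the equivalent that npm added in version 8.3, which npm ignores in Yarn and vice versa, so both can coexist. The browser-sync range and the lodash version are assumptions chosen for illustration; the caveat from the answer still applies, because easy-extender was written against Lodash 3 and must be tested after the override.

```json
{
  "devDependencies": {
    "browser-sync": "^2.26.0"
  },
  "resolutions": {
    "browser-sync/easy-extender/lodash": "^4.17.21"
  },
  "overrides": {
    "easy-extender": {
      "lodash": "^4.17.21"
    }
  }
}
```

After changing either field, reinstall so the lock file is regenerated, then rerun the audit; unlike patch-package, the pinned version is what the lock file records, so the report changes.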
If you are absolutely certain you'd like to skip the audit, you can do so by appending --no-audit:

npm install --no-audit
'npm audit fix' will increment the version of the dependency in package.json, which might break your code. So a better way is to open package-lock.json and update the dependency/sub-dependency versions to the required version. Maintain the package-lock.json in the repository.
Sometimes vulnerabilities are from dev packages. In that case, ignore those vulnerabilities, as they are not picked up in production.
Use this:

npm audit fix --force --production

It may solve your problem.