How to fix npm vulnerabilities that require semver-major dependency updates?

Tags:

npm

I cloned ParaViewWeb from https://github.com/kitware/paraviewweb then did the following:

$ npm install
$ npm audit fix

Leaving me with this:

found 42 vulnerabilities (9 low, 23 moderate, 10  high) in 41716 scanned packages
14 vulnerabilities require semver-major dependency updates.
28 vulnerabilities require manual review.

How do I fix the 14 vulnerabilities that require semver-major dependency updates?

AHJss Avatar asked Dec 20 '19 03:12


2 Answers

If you are already sure that you need to run all those updates, then use:

npm audit fix --force

From the npm docs:

If the chain of metavulnerabilities extends all the way to the root project, and it cannot be updated without changing its dependency ranges, then npm audit fix will require the --force option to apply the remediation. If remediations do not require changes to the dependency ranges, then all vulnerable packages will be updated to a version that does not have an advisory or metavulnerability posted against it.

Nahue Gonzalez Avatar answered Oct 18 '22 06:10



When you run npm audit, there should be a line telling you how to update it, e.g.:

# Run  npm install --save-dev [email protected]  to resolve 1 vulnerability
# SEMVER WARNING: Recommended action is a potentially breaking change

Just execute that to fix it.

vauhochzett Avatar answered Oct 18 '22 04:10
