 

How to update npm nested (vulnerable) dependency?

Tags:

node.js

npm

Github has flagged a dependency in my app lock file as vulnerable.

To fix it I should update that package to a newer version.

How do I do that if I don't have any control over the vulnerable package, because it is nested in the dependency tree?

Apologies if this is a very basic question but I don't seem to find anything useful regarding this.

U r s u s asked Jan 15 '18




1 Answer

You're correct - as the vulnerable package lies within one of your dependencies, like so:

Your Package -> Dependency -> Vulnerable package 

You will be unable to update the dependencies' dependency in a way that would survive a future npm install or yarn.

However, you could take the following approaches:

  • Bug the maintainer: Get them to update their dependencies and bump versions. This will fix the issue for you and your peers who are depending on this package.
  • Are there alternative packages? Maybe you can use a different package instead of the vulnerable one. This will involve some updates to your code, but might be the best approach in the long run, especially if the original maintainer is unresponsive.
  • Fix it yourself: Fork the repository and update the dependency in this copy. You can then refer to the package in your package.json.

See this answer for more information on installing directly from Github repos.

This approach will fix the problem short term, but it is not advised as you won't benefit from any bug fixes the maintainer makes, and besides, by the time you've done this the dependency might have been updated anyway!

Tom Hallam answered Sep 23 '22
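As an added illustration of the chain the answer describes (Your Package -> Dependency -> Vulnerable package), and not code from the question or the answer above: the script below walks a v1 `package-lock.json` (the `dependencies`/`requires` format npm 5 and 6 write) and, for a flagged package, reports every dependency that requires it, which installed copy each one actually resolves to (its own nested copy first, then hoisted ancestors), and whether the parent's declared range already admits the fixed version. That last check is what decides which of the answer's routes you are on: if the range admits the fix, re-resolving the lock entry (`npm update` / `yarn upgrade` of that package) or pinning it with npm's `overrides` field (npm 8.3 and later) or yarn's `resolutions` is enough; if it does not, the intermediate package itself has to change, which is the "bug the maintainer", "fork it" or "replace it" path. The lockfile, the package names (`my-app`, `web-framework`, `cli-tool`, `parser-lib`), the versions and the function names are all constructed for this example; the range parser deliberately handles only the simple forms npm writes by default and returns `null` for anything else.

```javascript
// Added example, not part of the original question or answer.
// Walks an npm v1 package-lock.json ("dependencies"/"requires" format) to show which of
// your dependencies pull in a flagged package, which copy each one resolves to, and
// whether the parent's declared range already admits the fixed version.
// All package names and versions below are constructed for illustration.

const SAMPLE_LOCK = {
  name: 'my-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    // hoisted copy, used by cli-tool
    'parser-lib': { version: '1.0.4' },
    'cli-tool': { version: '0.9.1', requires: { 'parser-lib': '~1.0.0' } },
    'web-framework': {
      version: '3.2.0',
      requires: { 'parser-lib': '^1.0.0' },
      // nested duplicate: web-framework resolves to this copy, not the hoisted one
      dependencies: { 'parser-lib': { version: '1.0.2' } },
    },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal range check covering the forms npm writes by default (^, ~, >=, exact).
// Returns true/false for those, null for anything else (hyphen ranges, ||, x-ranges).
function rangeAdmits(range, version) {
  const v = parseVersion(version);
  const m = /^(\^|~|>=|=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!v || !m) return null;
  const op = m[1] || '=';
  const base = parseVersion(m[2]);
  const cmp = compareVersions(v, base);
  switch (op) {
    case '=': return cmp === 0;
    case '>=': return cmp >= 0;
    case '~': return cmp >= 0 && v[0] === base[0] && v[1] === base[1];
    case '^':
      if (cmp < 0) return false;
      if (base[0] > 0) return v[0] === base[0];
      if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
      return cmp === 0;
    default: return null;
  }
}

// Find every package that declares a dependency on `target`, the chain from the root
// to it, and the copy it actually resolves to (its own nested copy first, then ancestors).
function findRequirers(lock, target) {
  const results = [];
  const resolve = (name, scopes) => {
    for (let i = scopes.length - 1; i >= 0; i--) if (scopes[i][name]) return scopes[i][name];
    return null;
  };
  const walk = (node, label, scopes, chain) => {
    const deps = node.dependencies || {};
    const scoped = scopes.concat([deps]);
    const path = chain.concat(label);
    for (const [name, range] of Object.entries(node.requires || {})) {
      if (name !== target) continue;
      const hit = resolve(name, scoped);
      results.push({ chain: path, range, installed: hit ? hit.version : null });
    }
    for (const [name, child] of Object.entries(deps)) {
      walk(child, `${name}@${child.version}`, scoped, path);
    }
  };
  walk(lock, `${lock.name}@${lock.version}`, [], []);
  return results;
}

// For each requirer decide which route applies once a fixed version exists:
//   'override'  the parent's range already admits the fix; re-resolve the lock entry
//               or pin it with npm `overrides` (npm 8.3+) / yarn `resolutions`.
//   'upstream'  the parent's range excludes the fix; the parent itself must be bumped
//               (file an issue, use a fork, or replace the package).
//   'manual'    the range form is not handled here; inspect it by hand.
function planFix(lock, target, fixedVersion) {
  return findRequirers(lock, target).map((r) => {
    const admits = rangeAdmits(r.range, fixedVersion);
    const action = admits === true ? 'override' : admits === false ? 'upstream' : 'manual';
    return { ...r, admits, action };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of planFix(SAMPLE_LOCK, 'parser-lib', '1.1.0')) {
    console.log(`${r.chain.join(' -> ')} requires parser-lib ${r.range} (installed ${r.installed}): ${r.action}`);
  }
}
```

On a real project, `npm ls <package>` prints the same chains for the installed tree and `npm audit` names the version that fixes the advisory; the point of the range check is that forcing a version the parent never declared support for (which `overrides` and `resolutions` will happily do) is how a pin breaks the dependency, so `upstream` cases are better fixed in the parent than papered over in your lock file.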