Github has flagged a dependency in my app lock file as vulnerable. To fix it I should updated that package to a newer version. How do I do that if I don't have any control on the vulnerable package, because is nested in the dependencies tree? Apologies if this is a very basic question but I don't seem to find anything useful regarding this.

You're correct - as the vulnerable package lies within one of your dependencies, like so: <pre class="prettyprint"><code>Your Package -> Dependency -> Vulnerable package </code></pre> You will be unable to update the dependencies' dependency in a way that would survive a future <code>npm install</code> or <code>yarn</code>. However, you could take the following approaches: <ul> <li> Bug the maintainer: Get them to update their dependencies and bump versions. This will fix the issue for you and your peers who are depending on this package.</li> <li> Are there alternative packages? Maybe you can use a different package instead of the vulnerable one. This will involve some updates to your code, but might be the best approach in the long run, especially if the original maintainer is unresponsive.</li> <li> Fix it yourself: Fork the repository and update the dependency in this copy. You can then refer to the package in your <code>package.json</code>.</li> </ul> See this answer for more information on installing directly from Github repos. This approach will fix the problem short term, but it is not advised as you won't benefit from any bug fixes the maintainer makes, and besides, by the time you've done this the dependency might have been updated anyway!

How to update npm nested (vulnerable) dependency?

1 Answers

You're correct - as the vulnerable package lies within one of your dependencies, like so:

Your Package -> Dependency -> Vulnerable package

You will be unable to update the dependencies' dependency in a way that would survive a future npm install or yarn.

However, you could take the following approaches:

Bug the maintainer: Get them to update their dependencies and bump versions. This will fix the issue for you and your peers who are depending on this package.
Are there alternative packages? Maybe you can use a different package instead of the vulnerable one. This will involve some updates to your code, but might be the best approach in the long run, especially if the original maintainer is unresponsive.
Fix it yourself: Fork the repository and update the dependency in this copy. You can then refer to the package in your package.json.

See this answer for more information on installing directly from Github repos.

This approach will fix the problem short term, but it is not advised as you won't benefit from any bug fixes the maintainer makes, and besides, by the time you've done this the dependency might have been updated anyway!

150

answered Sep 23 '22 23:09

Tom Hallam

Related questions
                            
                                nodemon app crashed - waiting for file changes before starting
                            
                                npm install: Failed at the [email protected] postinstall script
                            
                                Windows Azure Websites is overriding my 404 and 500 error pages in my node.js app
                            
                                Chai unittesting - expect(42).to.be.an('integer')
                            
                                How can I use a single mssql connection pool across several routes in an Express 4 web application?
                            
                                Nest.js - request entity too large PayloadTooLargeError: request entity too large
                            
                                const already declared in ES6 switch block [duplicate]
                            
                                express (using multer) Error: Multipart: Boundary not found, request sent by POSTMAN
                            
                                How to reload current page in Express.js?
                            
                                Global function in express.js?
                            
                                Creating instance with an association in Sequelize
                            
                                NodeJS: How to remove duplicates from Array [duplicate]
                            
                                async for loop in node.js
                            
                                Socket IO Rooms: Get list of clients in specific room
                            
                                Should js Cannot read property 'should' of null
                            
                                Mongoose autoReconnect option
                            
                                Mocha's describe "require() is missing" in WebStorm 11
                            
                                No response using express proxy route
                            
                                React Native on Android: Cannot run program "node": error=2, No such file or directory
                            
                                Creating a Celery worker using node.js

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With

How to update npm nested (vulnerable) dependency?

Tags:

node.js

npm

U r s u s

People also ask

1 Answers

Tom Hallam

Recent Activity

Donate For Us