NPM-AUDIT find to high vulnerabilities. What am I supposed to do?

Question

npm audit run on my project and got me this

High Command Injection
Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > @ngtools/webpack > tree-kill

More info https://npmjs.com/advisories/1432

High Command Injection

Package tree-kill

Patched in >=1.2.2

Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > tree-kill

More info https://npmjs.com/advisories/1432

Tree-kill needs to be updated, but is a dep of angular, not mine. So what? Need to wait that angular-team update its own package.json to a newer version of tree-kill?

Answer 1

You can fix this without waiting for a new version of the package @angular-devkit/build-angular.

Just do the following steps:

1. Update your package.json file by adding resolutions section with proper version of package tree-kill:

"resolutions": {
  "tree-kill": "1.2.2"
}

2. Update your package-lock.json by running command:

npx npm-force-resolutions

3. Reinstall NPM packages in your project:

rm -r node_modules
npm install

Run npm audit to check that your project does not have anymore this problem. And don't forget to commit modified files package.json and package-lock.json.

More information about NPM Force Resolutions.

Answer 2

Add below code to package.json

"resolutions": {
"tree-kill":"1.2.2"
}

Remove all node modules:

rm -r node_modules

Update package-lock.json for new version 1.2.2 as :

npx npm-force-resolutions

Now install node modules:

npm install

This works for me.