GitHub has given me this error on one of my repositories.

We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.

The dependency is not defined in our package.json file. To my understanding it isn't good practice to delete the package-lock.json file and regenerate it. However, I cannot see any other way to fix this issue. If I dismiss this security vulnerability it will appear again a couple of days later. Any ideas? Thanks!
To fix the third-party software vulnerabilities, start the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task. If you have created the Fix vulnerabilities task, you must manually specify the software updates to fix the software vulnerabilities listed in the task settings.
New: now, with npm@6 you can directly run

npm audit fix

Old answer:

You should try to identify the problematic package's name, and then run

npm install package-name

replacing package-name, obviously.

This will install the latest version of the package, and very often the latest version has fixed the security issue. If you have a constraint on the version (e.g. 1.2), you can always try:

npm install package-name@^1.2

and the latest patched version will be installed.
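The answer above assumes you already know which direct dependency drags the flagged package in, which is exactly what the question's author cannot see because the package is not in package.json. The script below is an added example, not code from the question, the answer, or npm itself: it walks a package-lock.json in the lockfileVersion 1 layout that npm@5/6 write, resolving `requires` entries the way npm does (nearest nested `dependencies` first, then the hoisted top level), and reports the chain from each package.json dependency down to the vulnerable package, keeping only chains whose installed copy is older than the fixed version. The package names, versions, and both JSON documents are constructed sample data; `hoek-ish`, `express-ish` and `request-ish` are placeholders, and `versionBelow` is a deliberately simplified stand-in for the semver package.

```javascript
// Added example, not code from the original question or answer.
// Locates a vulnerable package inside a package-lock.json (lockfileVersion 1,
// the layout npm@5/6 write) and reports which direct dependency from
// package.json pulls it in, so you know which package to `npm install`.
// Both JSON documents below are constructed sample data, not a real project.

const PACKAGE_JSON = {
  name: "example-app",
  dependencies: { "express-ish": "^4.0.0", "request-ish": "^2.0.0" },
};

const PACKAGE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    // hoisted copy: used by anything that does not carry its own nested copy
    "hoek-ish": { version: "2.16.3" },
    "express-ish": { version: "4.0.0", requires: { "hoek-ish": "^2.16.0" } },
    "request-ish": {
      version: "2.0.0",
      requires: { "hoek-ish": "^4.2.0" },
      // nested copy: shadows the hoisted one for request-ish only
      dependencies: { "hoek-ish": { version: "4.2.0" } },
    },
  },
};

// Resolve `name` the way npm does: nearest nested `dependencies` first,
// then each ancestor, finally the hoisted root level (stack[0] is the lockfile).
function resolveEntry(stack, name) {
  for (let i = stack.length - 1; i >= 0; i--) {
    const deps = stack[i].dependencies;
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) return deps[name];
  }
  return null;
}

// Return every path ["direct@ver", ..., "target@ver"] from a package.json
// dependency down to `target`. Cycles are cut with the `seen` set.
function findDependencyPaths(pkgJson, lockfile, target) {
  const paths = [];
  function walk(stack, chain, seen) {
    const entry = stack[stack.length - 1];
    for (const reqName of Object.keys(entry.requires || {})) {
      const resolved = resolveEntry(stack, reqName);
      if (!resolved) continue; // inconsistent lockfile: skip rather than crash
      const key = `${reqName}@${resolved.version}`;
      if (seen.has(key)) continue;
      const nextChain = chain.concat(key);
      if (reqName === target) paths.push(nextChain);
      walk(stack.concat(resolved), nextChain, new Set(seen).add(key));
    }
  }
  const direct = Object.assign({}, pkgJson.dependencies, pkgJson.devDependencies);
  for (const name of Object.keys(direct)) {
    const entry = resolveEntry([lockfile], name);
    if (!entry) continue;
    const key = `${name}@${entry.version}`;
    if (name === target) paths.push([key]);
    walk([lockfile, entry], [key], new Set([key]));
  }
  return paths;
}

// Numeric "x.y.z" comparison: true when a is older than b. Pre-release tags
// are ignored; this is deliberately simpler than the semver package.
function versionBelow(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Only the paths whose installed copy of `target` is older than `fixedIn`,
// i.e. the direct dependencies you actually need to reinstall or bump.
function affectedPaths(pkgJson, lockfile, target, fixedIn) {
  return findDependencyPaths(pkgJson, lockfile, target).filter((path) => {
    const version = path[path.length - 1].split("@").pop();
    return versionBelow(version, fixedIn);
  });
}

// Direct dependencies (first element of each path), deduplicated.
function directDependents(paths) {
  return Array.from(new Set(paths.map((p) => p[0])));
}

// Walk-through for the constructed lockfile: assume hoek-ish was fixed in 4.2.0.
for (const path of affectedPaths(PACKAGE_JSON, PACKAGE_LOCK, "hoek-ish", "4.2.0")) {
  console.log(path.join(" > "));
}
```

Run it with `node` after replacing the two constants with `JSON.parse(fs.readFileSync(...))` of your real files. In the sample data only `express-ish` still resolves to the old `hoek-ish`, so that is the package to pass to `npm install package-name` from the answer; `request-ish` already carries a nested fixed copy and needs nothing. On a real project `npm ls hoek-ish` gives the same chains, and `npm audit` prints the fixed version that `fixedIn` stands for here.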