The best way to resolve vulnerabilities in package-lock.json?












0















I am warned about vulnerabilities in the packages listed in the package-lock.json file of my Node.Js project.



I can follow the advice here and reinstall all the packages with npm install <package-name>, however, I also use other npm projects that use the older versions of those packages, which will not get reinstalled with a simple npm install.



Does it mean I have to go to package-lock.json and manually change all the dependencies to the latest version?



What if they break?



Isn't there a proper way of doing the updates that ensures you won't break the other packages dependent on the old versions?






javascript node.js security package-lock.json







share|improve this question























  • add package-lock.json in .gitignore

    – SAURABH RATHOD
    Jan 1 at 12:56











  • oh non, don't do what saurabh rathod says!!! Super bad idea, and it will not solve your issue anyway...

    – frsechet
    Jan 1 at 12:58
















0















I am warned about vulnerabilities in the packages listed in the package-lock.json file of my Node.Js project.



I can follow the advice here and reinstall all the packages with npm install <package-name>, however, I also use other npm projects that use the older versions of those packages, which will not get reinstalled with a simple npm install.



Does it mean I have to go to package-lock.json and manually change all the dependencies to the latest version?



What if they break?



Isn't there a proper way of doing the updates that ensures you won't break the other packages dependent on the old versions?






javascript node.js security package-lock.json







share|improve this question























  • add package-lock.json in .gitignore

    – SAURABH RATHOD
    Jan 1 at 12:56











  • oh non, don't do what saurabh rathod says!!! Super bad idea, and it will not solve your issue anyway...

    – frsechet
    Jan 1 at 12:58














0












0








0








I am warned about vulnerabilities in the packages listed in the package-lock.json file of my Node.Js project.



I can follow the advice here and reinstall all the packages with npm install <package-name>, however, I also use other npm projects that use the older versions of those packages, which will not get reinstalled with a simple npm install.



Does it mean I have to go to package-lock.json and manually change all the dependencies to the latest version?



What if they break?



Isn't there a proper way of doing the updates that ensures you won't break the other packages dependent on the old versions?






javascript node.js security package-lock.json







share|improve this question














I am warned about vulnerabilities in the packages listed in the package-lock.json file of my Node.Js project.



I can follow the advice here and reinstall all the packages with npm install <package-name>, however, I also use other npm projects that use the older versions of those packages, which will not get reinstalled with a simple npm install.



Does it mean I have to go to package-lock.json and manually change all the dependencies to the latest version?



What if they break?



Isn't there a proper way of doing the updates that ensures you won't break the other packages dependent on the old versions?






javascript node.js security package-lock.json




javascript node.js security package-lock.json






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 1 at 12:48









Dmitry ParanyushkinDmitry Paranyushkin

2,43333679




2,43333679













  • add package-lock.json in .gitignore

    – SAURABH RATHOD
    Jan 1 at 12:56











  • oh non, don't do what saurabh rathod says!!! Super bad idea, and it will not solve your issue anyway...

    – frsechet
    Jan 1 at 12:58



















  • add package-lock.json in .gitignore

    – SAURABH RATHOD
    Jan 1 at 12:56











  • oh non, don't do what saurabh rathod says!!! Super bad idea, and it will not solve your issue anyway...

    – frsechet
    Jan 1 at 12:58

















add package-lock.json in .gitignore

– SAURABH RATHOD
Jan 1 at 12:56





add package-lock.json in .gitignore

– SAURABH RATHOD
Jan 1 at 12:56













oh non, don't do what saurabh rathod says!!! Super bad idea, and it will not solve your issue anyway...

– frsechet
Jan 1 at 12:58





oh non, don't do what saurabh rathod says!!! Super bad idea, and it will not solve your issue anyway...

– frsechet
Jan 1 at 12:58












1 Answer
1






active

oldest

votes


















1














If the issue is on a package you directly depend upon, you should update it directly and save it to the package.json + lock its version in package-lock.json in the process by doing something like npm install your-dependency@latest --save[-dev]. But beware: there might be breaking changes that will break your code (for example in case the dependency had a major version update inbetween with some deprecations and breaking changes).



But if the issue is from a dependency of one of your dependencies, the very very best way to solve it is to raise an issue (potentially with a PR to help them) with the maintainer of the parent package, then when they provide an update, update the dependency itself in your project.



You can use npm audit to resolve some issues as well (probably not all, and if a sub-dependency version is specifically required by a dependency, it will not update it because it could break things), but the single best way to solve the issue for you and for everybody else is to get the maintainer of the module you want to update its dependencies, when/if they can.



Reinstalling everything will not solve the issue if the dependency is still vulnerable. Installing does not magically fix stuff, people do :-) However, what you may want to do is use npm outdated to list all the packages that have newer versions available and try to update them, one by one, and see if your vulnerabilities are resolved after that (npm audit).



One more thing: it's usually a bad practice to go and change stuff around manually in package-lock.json. This file should be only auto-generated by one of your npm install (or similar) scripts. This file is what is used by npm to resolve the list of exact dependency/subdependency versions on a fresh install, and it is really the single best way to ensure all the people who use or work on this project have the exact same version of all their dependencies, so it better be correct. Always commit your package-lock.json!






share|improve this answer





















  • 1





    Good answer, and I'll add that you should make sure your org understands fixing an audited vulnerability is not always something you can do immediately. Ticket and track all vulnerabilities, absolutely, but it can take days, weeks, or even months sometimes to track down the correct package maintainer, have them fix the vulnerability, update to the appropriate version, etc.

    – Elliot Nelson
    Jan 1 at 15:07











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53995567%2fthe-best-way-to-resolve-vulnerabilities-in-package-lock-json%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














If the issue is on a package you directly depend upon, you should update it directly and save it to the package.json + lock its version in package-lock.json in the process by doing something like npm install your-dependency@latest --save[-dev]. But beware: there might be breaking changes that will break your code (for example in case the dependency had a major version update inbetween with some deprecations and breaking changes).



But if the issue is from a dependency of one of your dependencies, the very very best way to solve it is to raise an issue (potentially with a PR to help them) with the maintainer of the parent package, then when they provide an update, update the dependency itself in your project.



You can use npm audit to resolve some issues as well (probably not all, and if a sub-dependency version is specifically required by a dependency, it will not update it because it could break things), but the single best way to solve the issue for you and for everybody else is to get the maintainer of the module you want to update its dependencies, when/if they can.



Reinstalling everything will not solve the issue if the dependency is still vulnerable. Installing does not magically fix stuff, people do :-) However, what you may want to do is use npm outdated to list all the packages that have newer versions available and try to update them, one by one, and see if your vulnerabilities are resolved after that (npm audit).



One more thing: it's usually a bad practice to go and change stuff around manually in package-lock.json. This file should be only auto-generated by one of your npm install (or similar) scripts. This file is what is used by npm to resolve the list of exact dependency/subdependency versions on a fresh install, and it is really the single best way to ensure all the people who use or work on this project have the exact same version of all their dependencies, so it better be correct. Always commit your package-lock.json!






share|improve this answer





















  • 1





    Good answer, and I'll add that you should make sure your org understands fixing an audited vulnerability is not always something you can do immediately. Ticket and track all vulnerabilities, absolutely, but it can take days, weeks, or even months sometimes to track down the correct package maintainer, have them fix the vulnerability, update to the appropriate version, etc.

    – Elliot Nelson
    Jan 1 at 15:07
















1














If the issue is on a package you directly depend upon, you should update it directly and save it to the package.json + lock its version in package-lock.json in the process by doing something like npm install your-dependency@latest --save[-dev]. But beware: there might be breaking changes that will break your code (for example in case the dependency had a major version update inbetween with some deprecations and breaking changes).



But if the issue is from a dependency of one of your dependencies, the very very best way to solve it is to raise an issue (potentially with a PR to help them) with the maintainer of the parent package, then when they provide an update, update the dependency itself in your project.



You can use npm audit to resolve some issues as well (probably not all, and if a sub-dependency version is specifically required by a dependency, it will not update it because it could break things), but the single best way to solve the issue for you and for everybody else is to get the maintainer of the module you want to update its dependencies, when/if they can.



Reinstalling everything will not solve the issue if the dependency is still vulnerable. Installing does not magically fix stuff, people do :-) However, what you may want to do is use npm outdated to list all the packages that have newer versions available and try to update them, one by one, and see if your vulnerabilities are resolved after that (npm audit).



One more thing: it's usually a bad practice to go and change stuff around manually in package-lock.json. This file should be only auto-generated by one of your npm install (or similar) scripts. This file is what is used by npm to resolve the list of exact dependency/subdependency versions on a fresh install, and it is really the single best way to ensure all the people who use or work on this project have the exact same version of all their dependencies, so it better be correct. Always commit your package-lock.json!






share|improve this answer





















  • 1





    Good answer, and I'll add that you should make sure your org understands fixing an audited vulnerability is not always something you can do immediately. Ticket and track all vulnerabilities, absolutely, but it can take days, weeks, or even months sometimes to track down the correct package maintainer, have them fix the vulnerability, update to the appropriate version, etc.

    – Elliot Nelson
    Jan 1 at 15:07














1












1








1







If the issue is on a package you directly depend upon, you should update it directly and save it to the package.json + lock its version in package-lock.json in the process by doing something like npm install your-dependency@latest --save[-dev]. But beware: there might be breaking changes that will break your code (for example in case the dependency had a major version update inbetween with some deprecations and breaking changes).



But if the issue is from a dependency of one of your dependencies, the very very best way to solve it is to raise an issue (potentially with a PR to help them) with the maintainer of the parent package, then when they provide an update, update the dependency itself in your project.



You can use npm audit to resolve some issues as well (probably not all, and if a sub-dependency version is specifically required by a dependency, it will not update it because it could break things), but the single best way to solve the issue for you and for everybody else is to get the maintainer of the module you want to update its dependencies, when/if they can.



Reinstalling everything will not solve the issue if the dependency is still vulnerable. Installing does not magically fix stuff, people do :-) However, what you may want to do is use npm outdated to list all the packages that have newer versions available and try to update them, one by one, and see if your vulnerabilities are resolved after that (npm audit).



One more thing: it's usually a bad practice to go and change stuff around manually in package-lock.json. This file should be only auto-generated by one of your npm install (or similar) scripts. This file is what is used by npm to resolve the list of exact dependency/subdependency versions on a fresh install, and it is really the single best way to ensure all the people who use or work on this project have the exact same version of all their dependencies, so it better be correct. Always commit your package-lock.json!






share|improve this answer















If the issue is on a package you directly depend upon, you should update it directly and save it to the package.json + lock its version in package-lock.json in the process by doing something like npm install your-dependency@latest --save[-dev]. But beware: there might be breaking changes that will break your code (for example in case the dependency had a major version update inbetween with some deprecations and breaking changes).



But if the issue is from a dependency of one of your dependencies, the very very best way to solve it is to raise an issue (potentially with a PR to help them) with the maintainer of the parent package, then when they provide an update, update the dependency itself in your project.



You can use npm audit to resolve some issues as well (probably not all, and if a sub-dependency version is specifically required by a dependency, it will not update it because it could break things), but the single best way to solve the issue for you and for everybody else is to get the maintainer of the module you want to update its dependencies, when/if they can.



Reinstalling everything will not solve the issue if the dependency is still vulnerable. Installing does not magically fix stuff, people do :-) However, what you may want to do is use npm outdated to list all the packages that have newer versions available and try to update them, one by one, and see if your vulnerabilities are resolved after that (npm audit).



One more thing: it's usually a bad practice to go and change stuff around manually in package-lock.json. This file should be only auto-generated by one of your npm install (or similar) scripts. This file is what is used by npm to resolve the list of exact dependency/subdependency versions on a fresh install, and it is really the single best way to ensure all the people who use or work on this project have the exact same version of all their dependencies, so it better be correct. Always commit your package-lock.json!







share|improve this answer














share|improve this answer



share|improve this answer








edited Jan 1 at 13:08

























answered Jan 1 at 13:03









frsechetfrsechet

312312




312312








  • 1





    Good answer, and I'll add that you should make sure your org understands fixing an audited vulnerability is not always something you can do immediately. Ticket and track all vulnerabilities, absolutely, but it can take days, weeks, or even months sometimes to track down the correct package maintainer, have them fix the vulnerability, update to the appropriate version, etc.

    – Elliot Nelson
    Jan 1 at 15:07














  • 1





    Good answer, and I'll add that you should make sure your org understands fixing an audited vulnerability is not always something you can do immediately. Ticket and track all vulnerabilities, absolutely, but it can take days, weeks, or even months sometimes to track down the correct package maintainer, have them fix the vulnerability, update to the appropriate version, etc.

    – Elliot Nelson
    Jan 1 at 15:07








1




1





Good answer, and I'll add that you should make sure your org understands fixing an audited vulnerability is not always something you can do immediately. Ticket and track all vulnerabilities, absolutely, but it can take days, weeks, or even months sometimes to track down the correct package maintainer, have them fix the vulnerability, update to the appropriate version, etc.

– Elliot Nelson
Jan 1 at 15:07





Good answer, and I'll add that you should make sure your org understands fixing an audited vulnerability is not always something you can do immediately. Ticket and track all vulnerabilities, absolutely, but it can take days, weeks, or even months sometimes to track down the correct package maintainer, have them fix the vulnerability, update to the appropriate version, etc.

– Elliot Nelson
Jan 1 at 15:07




















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53995567%2fthe-best-way-to-resolve-vulnerabilities-in-package-lock-json%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

MongoDB - Not Authorized To Execute Command

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I have successfully enabled authorization on MongoDB and I have created an account on the admin database and then I created an account for my database called test. The following connection string to connect to my test database works successfully: mongo --host 192.168.17.52 --port 27017 -u user1 -p password --authenticationDatabase test Only problem I have now is, I cannot execute commands such as: show dbs. I get the following error when I try to do so: "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, lsid: { id: UUID("a1d5bc0d-bc58-485e-b232-270758a89455") }, $db: "admin...
Read more

How to fix TextFormField cause rebuild widget in Flutter

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I've got the same issue at #9280. I tried all solutions from that topic with/without GlobalKey for Scaffold and Form but the problem wasn't fixed. I tried to build a authentication form with login and signup. But the keyboard doesn't show when I tap the TextFormField at the first time. Then I try to input some letter from physical keyboard, the widget is rebuilt. Like this: login screen Nothing to be log when I run flutter run --verbose, so I logged manually. Every tapping on field, the widget called dispose -> init -> build. [√] Flutter (Channel beta, v1.0.0, on Microsoft Windows [Version 10.0.17763.195], ...
Read more

in spring boot 2.1 many test slices are not allowed anymore due to multiple @BootstrapWith

Image
1 I tried to upgrade a yummy sandwich made of two test slices (@JsonTest and @JdbcTest in my case, crunchy test code in between) adding spring boot 2.1 flavour to it. But it seems it was not much of a success. I cannot annotate my tests with many @...Test since they are now each bringing their own XxxTestContextBootstrapper. It used to work when they all used same SpringBootTestContextBootstrapper. @RunWith(SpringRunner.class) @JdbcTest @JsonTest public class Test { @Test public void test() { System.out.printn("Hello, World !"); } } The error I get from BootstrapUtils is illegalStateException : Configuration error: found multiple declarations of @BootstrapWith for test class I understand I might be doing something wrong here but is there an easy way I could load both Json and Jdbc contex...
Read more