Proper way to fix potential security vulnerability in a dependency defined in package-lock.json
Github has given me this error on one of my repositories.
We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security vulnerabilities
and should be updated.
The dependency is not defined in our package.json
file. To my understanding it isn't good practice to delete the package-lock.json
file and regenerate it. However, I cannot see any other way to fix this issue. If I dismiss this security vulnerability it will appear again a couple of days later. Any ideas? Thanks!
New: now, with npm@6 you can directly run
npm audit fix
Old answer:
You should try to identify the problematic package's name, and then run
npm install package-name
replacing package-name, obviously.
This will install the latest version of the package, and very often, the latest version has fixed the security issue. If you have a constraint on version (eg: 1.2), you can always try to:
npm install package-name@^1.2
and the latest patched version will be installed
To resolve this:
Solution1: First find the vulnerability:Using your terminal: cd into your project, then run "npm ls hoek"
And finally: npm install bcrypt@latest
Then push the updated project to git.(i.e perform a fresh commit).
Solution 2:
if the first option/solution does not resolve the issue.Change the version manually in your package-lock.json. Change your version manually from 2.16.3 to 4.2.1
"hoek": {
"version": "4.2.1",
"resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz",
"integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
"dev": true
Then update your project on GitHub(commit/push) Just make sure every hoek version occurrence in your package-lock.json version is changed to 4.2.1
Alternatively if you can figure out a way to change the hoek version/update hoek using npm,will make things much simpler.(something like : npm update @hoek..version)..or uninstall the specific dependency then reinstall it using bower or npm.
I was having the same issue with a lodash security vulnerability, in a project I was building with yarn. Github flagged these as security concerns.
I tried the answer from @rileymanda above, using a terminal: cd into project, then run npm ls lodash
.
This uncovered that in my case, the error was in react-scripts. Quick Google for issues with react-scripts and lodash uncovered that this was a known issue.
I tried various things to fix via yarn - all with no success. npm ls lodash
still showed the vulnerable version of lodash in use.
Having read Matt Turnbull's blog about improvements to npm I switched from yarn back to npm. (Delete yarn.lock
, delete ./node_modules
. Run npm install
). npm ls lodash
now showed the latest dependency versions being used - hurrah! Committed to github, and it was now happy that the vulnerability had gone.
It looks like yarn may be struggling to unpick such issues (or isn't intended to).
If you're getting this issue when building with yarn, then try switching [back] to npm!