How to override a nested npm sub-dependency with a different package altogether (not just different package version number)?

Overview

I am having trouble resolving a ReDoS vulnerability identified by npm audit. My application has a nested sub-dependency ansi-html that is vulnerable to attack, but unfortunately, it seems that the maintainers have gone AWOL. As you can see in the comments section of that Github issue, to get around this problem, the community has made a fork of the repo called ansi-html-community located here, which addresses this vulnerability.

Thus, I would like to replace all nested references of ansi-html with ansi-html-community.

Problem

My normal strategy of using npm-force-resolutions does not seem to be able to override nested sub-dependencies with a different package altogether but rather only the same packages that are a different version number. I have researched this for several hours, but unfortunately, the only way I have found to fix this would appear to be with yarn, which I am now seriously considering using instead of npm. However, this is not ideal as our entire CI/CD pipeline is configured to use npm.

Does anyone know of any other way to accomplish nested sub-dependency package substitution/resolution without having to switch over to using yarn?

Related Questions

These are questions of interest that I was able to find, but unfortunately, they tend to only discuss methods to override package version number, not the package itself.

Discusses how to override version number:

How do I override nested NPM dependency versions?

Has a comment discussion about npm shrinkwrap (not ideal):

npm - how to override a dependent package's dependencies?

Other related StackOverflow questions:

CSE Index of related questions


Solution 1:

I figured it out. As of October 2021, the solution using npm-force-resolutions is actually very similar to how you would specify it using yarn. You just need to provide a link to the tarball where you would normally specify the overriding version number. Your resolutions section of package.json should look like this:

"resolutions": {
    "ansi-html": "https://registry.npmjs.org/ansi-html-community/-/ansi-html-community-0.0.8.tgz"
}

To find the link to the tarball, use the following command, modifying your registry as necessary:

npm view ansi-html-community dist.tarball --registry=https://registry.npmjs.org/

Also, note that for npm-force-resolutions to work when you run npm install, you will need a preinstall entry under the scripts section of package.json:

  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  }

Solution 2:

For those, who needs the same solution with yarn, just add this to your package.json

 "resolutions": {
    "ansi-html": "https://registry.npmjs.org/ansi-html-community/-/ansi-html-community-0.0.8.tgz"
  }

and then run yarn install

you might also do after this, if it won't work immediately

rm yarn.lock

yarn import