Proper way to fix potential security vulnerability in a dependency defined in package-lock.json

Kaito · Mar 31, 2018 · Viewed 31.2k times

Github has given me this error on one of my repositories.

We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.

The dependency is not defined in our package.json file. To my understanding it isn't good practice to delete the package-lock.json file and regenerate it. However, I cannot see any other way to fix this issue. If I dismiss this security vulnerability it will appear again a couple of days later. Any ideas? Thanks!

Answer

DevTheJo · May 31, 2018

New: now, with npm@6 you can directly run

npm audit fix

Old answer:

You should try to identify the problematic package's name, and then run

npm install package-name

replacing package-name, obviously.

This will install the latest version of the package, and very often, the latest version has fixed the security issue. If you have a constraint on version (e.g. 1.2), you can always try to:

npm install package-name@^1.2

and the latest patched version will be installed.
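The question's situation is a vulnerable package that appears only in package-lock.json, so the first step is to find which of your direct dependencies pulls it in; `npm ls package-name` prints that chain. The added example below (not from the answer or from npm) does the same thing offline for a lockfileVersion 1 lock file, reproducing npm's nearest-copy resolution, and flags the copies that are below the version an advisory reports as fixed. The lock file, package names and the fixed version are constructed.

```javascript
// Constructed lockfileVersion 1 package-lock.json (not a real project).
const SAMPLE_LOCK = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    'web-framework': {
      version: '4.1.0',
      requires: { 'string-utils': '^1.0.0', 'parser-lib': '^2.0.0' },
      // nested copy: only web-framework resolves to this one
      dependencies: { 'string-utils': { version: '1.0.2' } },
    },
    'parser-lib': { version: '2.3.0', requires: { 'string-utils': '^2.0.0' } },
    'cli-tool': { version: '0.9.0', requires: { 'string-utils': '^2.1.0' } },
    // hoisted copy at the root, shared by parser-lib and cli-tool
    'string-utils': { version: '2.1.0' },
  },
};

// Numeric compare of dotted versions: < 0 if a < b, 0 if equal, > 0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Map each installed copy of `name` (keyed by its position in the tree) to its
// version and the packages that load it. Node looks for a module in the
// requiring package's own node_modules first, then in each parent's, then at
// the root, so the nearest copy wins; the stack search below reproduces that.
function copiesOf(lock, name) {
  const copies = {};
  function walk(deps, stack) {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const chain = stack.concat({ name: depName, entry });
      if (entry.requires && name in entry.requires) {
        let location = 'root', version = (lock.dependencies[name] || {}).version;
        for (let i = chain.length - 1; i >= 0; i--) {
          const nested = chain[i].entry.dependencies;
          if (nested && nested[name]) { // nearest nested copy shadows the root one
            location = chain.slice(0, i + 1).map(c => c.name).join(' > ');
            version = nested[name].version;
            break;
          }
        }
        if (version !== undefined) {
          (copies[location] = copies[location] || { version, usedBy: [] })
            .usedBy.push(chain.map(c => c.name).join(' > '));
        }
      }
      walk(entry.dependencies, chain); // descend into nested node_modules
    }
  }
  walk(lock.dependencies, []);
  return copies;
}

// Copies older than the version the advisory reports as fixed, with the
// dependency chains that load them (the packages to reinstall or update).
function vulnerableCopies(lock, name, fixedIn) {
  return Object.entries(copiesOf(lock, name))
    .filter(([, c]) => compareVersions(c.version, fixedIn) < 0)
    .map(([location, c]) => ({ location, ...c }));
}

console.log(JSON.stringify(vulnerableCopies(SAMPLE_LOCK, 'string-utils', '2.0.0'), null, 2));
```

In the sample only the copy nested under web-framework is below 2.0.0, so that is the package to reinstall; the hoisted 2.1.0 copy used by parser-lib and cli-tool is already patched.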