How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?

node.jsNpmpackage.jsonPackage lock.json

node.js Problem Overview

Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update, neither of them update the dependency in the package-lock.json file.

I've done a lot of googling on this, as well as deleted the file and done npm install.

If anyone can help resolve this I'd hugely appreciate it. The package in question is Hoek, which I don't actually have in my package.json file.

Many thanks in advance.

node.js Solutions

Solution 1 - node.js

It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from it's own package.json).

You've already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.

Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.

Edit: To help you identify which packages are using which dependencies, you can use NPM's ls command: https://docs.npmjs.com/cli/ls

For example, to see which packages are using Hoek: npm ls hoek

Edit 2: As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.

Edit 3: Those reading this should also check out JBallin's answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP's question better. However - if you want a quick fix - this answer should suffice.

Solution 2 - node.js

TLDR: Update the parent package using npm i $PARENT_PKG_NAME.

Note

When updating dependencies, you should review the CHANGELOG for any breaking changes.

Diagnosis

npm audit will reveal both the vulnerable package (note that you'll need a package-lock.json file for this, so you'll need to run npm i), as well as the package that it is a dependency of (if applicable). Note that you can also use npm ls $CHILD_PKG_NAME to see its parent dependencies.

Quick Fix Attempt

npm audit fix and npm audit fix --force are worth a try, but sometimes the fix will need to be done manually (see below).

Manual Fix

Most likely the parent package will have already fixed their dependencies (you can verify this by going to their GitHub and reviewing the recent commits--or just seeing if this fixes it), so you can just run npm i $PARENT_PKG_NAME @$NEW_VERSION and it will update your package-lock.json.

If parent has not fixed the vulnerability

If the maintainer doesn't seem to be responsive, you may consider using an alternative package that accomplishes the same thing or forking the package and updating the vulnerability yourself.

Verify Fix

You can now verify that it worked by running npm audit and ensuring that no vulnerabilities are showing up. Commit your changes, push them to GitHub, refresh your notifications/alerts and they should be gone!

Solution 3 - node.js

If you have npm@6 or later, you can use npm audit fix for your security issues.

Solution 4 - node.js

Step 1: Install Peer Dependencies

npm i --legacy-peer-deps

Step 2: Change package manually

Edit package-lock.json manually and update the vulnerable package version to the fixed one.

npm ci

That will install the packages according to package-lock.json by ignoring package.json first.

Step 3: Control it again

Run

npm audit fix

to be sure if it's properly done. If it does not help so, then use other given solutions.

More Information here:

https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable

or here: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities

Solution 5 - node.js

Use:

> npm i hoek

npm will install the latest version of hoek and your package.lock.json become updated.

Solution 6 - node.js

To check vulnerable npm packages, just use following commands:

npm audit

To fix vulnerable npm packages, just use following commands which will fix package-lock.json too:

npm audit fix

Solution 7 - node.js

I had this issue and found that it was because the server on which I was running npm had an old version of npm on it- package-lock.json is only supported by newer versions.

Solution 8 - node.js

did you try this: go to your project root, delete the package-lock.json file, node_modules and .cache folders, and then npm install.

Solution 9 - node.js

After installing new dependencies run the following command to update the package-lock.json file:

npm update package-lock.json
Categories
Recommended node.js Solutions
Recommended Npm Solutions
Recommended package.json Solutions
Recommended Package lock.json Solutions

Previous Solution:

Jest: How to mock one specific method of a class

JavascriptJestjs

Next Solution:

installation app blocked by play protect

AndroidSignatureGoogle Play-Protect

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionRaph117View Question on Stackoverflow
Solution 1 - node.jsAlex MulchinockView Answer on Stackoverflow
Solution 2 - node.jsJBallinView Answer on Stackoverflow
Solution 3 - node.jsUlysse BNView Answer on Stackoverflow
Solution 4 - node.jsLonelyView Answer on Stackoverflow
Solution 5 - node.jsscorpionView Answer on Stackoverflow
Solution 6 - node.jsJerry ChongView Answer on Stackoverflow
Solution 7 - node.jsjvvwView Answer on Stackoverflow
Solution 8 - node.jsCakeLView Answer on Stackoverflow
Solution 9 - node.jsSA911View Answer on Stackoverflow