Proper way to fix potential security vulnerability in a dependency defined in package-lock.json
GithubNpmPackage lock.jsonGithub Problem Overview
Github has given me this error on one of my repositories.
We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security vulnerabilities
and should be updated.
The dependency is not defined in our package.json
file. To my understanding it isn't good practice to delete the package-lock.json
file and regenerate it. However, I cannot see any other way to fix this issue. If I dismiss this security vulnerability it will appear again a couple of days later. Any ideas? Thanks!
Github Solutions
Solution 1 - Github
New: now, with npm@6 you can directly run
npm audit fix
Old answer:
You should try to identify the problematic package's name, and then run
npm install package-name
replacing package-name, obviously.
This will install the latest version of the package, and very often, the latest version has fixed the security issue. If you have a constraint on version (eg: 1.2), you can always try to:
npm install package-name@^1.2
and the latest patched version will be installed
Solution 2 - Github
To resolve this:
Solution1: First find the vulnerability:Using your terminal: cd into your project, then run "npm ls hoek"
And finally: npm install bcrypt@latest
Then push the updated project to git.(i.e perform a fresh commit).
Solution 2:
if the first option/solution does not resolve the issue.Change the version manually in your package-lock.json. Change your version manually from 2.16.3 to 4.2.1
"hoek": {
"version": "4.2.1",
"resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz",
"integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
"dev": true
Then update your project on GitHub(commit/push) Just make sure every hoek version occurrence in your package-lock.json version is changed to 4.2.1
Alternatively if you can figure out a way to change the hoek version/update hoek using npm,will make things much simpler.(something like : npm update @hoek..version)..or uninstall the specific dependency then reinstall it using bower or npm.
Solution 3 - Github
I was having the same issue with a lodash security vulnerability, in a project I was building with yarn. Github flagged these as security concerns.
I tried the answer from @rileymanda above, using a terminal: cd into project, then run npm ls lodash
.
This uncovered that in my case, the error was in react-scripts. Quick Google for issues with react-scripts and lodash uncovered that this was a known issue.
I tried various things to fix via yarn - all with no success. npm ls lodash
still showed the vulnerable version of lodash in use.
Having read Matt Turnbull's blog about improvements to npm I switched from yarn back to npm. (Delete yarn.lock
, delete ./node_modules
. Run npm install
). npm ls lodash
now showed the latest dependency versions being used - hurrah! Committed to github, and it was now happy that the vulnerability had gone.
It looks like yarn may be struggling to unpick such issues (or isn't intended to).
If you're getting this issue when building with yarn, then try switching [back] to npm!
Solution 4 - Github
> To my understanding it isn't good practice to delete the package-lock.json file and regenerate it.
Yet, this is what is usually done in this instance.
See for example angular/angular-cli issue 8534, which is resolved by PR 8535.
That leads a dependent project like frees-io/freestyle-opscenter-webclient
to update its package-lock.json
: PR 31.
Solution 5 - Github
The simplest/easiest way to fix this is:
npm install <dep>
npm uninstall <dep>
npm update
npm install
From: https://github.com/Microsoft/vscode/issues/48783#issuecomment-384873041
Solution 6 - Github
> known security vulnerabilities and should be updated.
Since May 23rd, 2019, you now have "Dependabot: Automated security fixes"
> Through the integration of Dependabot, we’ve released automated security fixes as a public beta.
>
> Automated security fixes are pull requests generated by GitHub to fix security vulnerabilities.
They automate a tedious part of the workflow and make it easy for developers to keep their dependencies up to date.
See more at "Configuring automated security fixes"
> Note: Automatic security fixes are available in beta and are subject to change.
>
> You can enable automatic security fixes for any repository that uses security alerts and the dependency graph.
We'll automatically enable automatic security fixes in every repository that uses security alerts and the dependency graph over the next few months, starting in May 2019.
Solution 7 - Github
This works for me. uninstall all of your dependencies and install it again
For example
from package.json see list of your dependencies
{
"name": "ebook-saler",
"version": "1.0.0",
"description": "App for selling ebooks",
"main": "app.js",
"scripts": {
"start": "node app.js"
},
"author": "Md Shayon",
"license": "ISC",
"dependencies": {
"body-parser": "^1.19.0",
"express": "^4.17.1",
"express-handlebars": "^3.1.0",
"hoek": "^6.1.3",
"stripe": "^7.5.0"
}
}
Follow the command for this
npm uninstall body-parser express express-handlebars hoek stripe
npm install body-parser express express-handlebars hoek stripe
git commit -m "updated"
git push
Solution 8 - Github
try npm audit fix
, it will solve many warnings
then npm i [package.name]@xxx
for example:
"dependencies": {
"lodash": ">=4.17.13"
}
npm i [email protected]
Solution 9 - Github
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Security.
- Click the alert you'd like to view.
- Review the details of the vulnerability and, if available, the pull request containing the automated security fix.
- Optionally, if there isn't already an automated security fix for the alert, to create a pull request to resolve the vulnerability, click Create automated security fix.
- When you're ready to update your dependency and resolve the vulnerability, merge the pull request.