One of the many tasks developers have to do is fix security vulnerabilities in JavaScript packages. This can be an onerous task, especially for projects that haven’t been updated in a long time.
Helpful Steps
npm install
NPM will let you know if there are medium or high vulnerabilities in your project’s dependencies that you should fix.
Let NPM automatically fix security vulnerabilities for you:
npm audit fix
NPM will try to fix the vulnerabilities by upgrading each package to the latest version allowed by the version ranges in your package.json. Sometimes this will not be enough, and you will have to manually update a package to a version that may introduce breaking changes. NPM will not do this for you by default, since a change like that requires manual intervention by a developer. Let’s take a look at how this can be done:
First list out all of the remaining security vulnerabilities and their offending packages:
npm audit
Find all outdated dependencies:
npm outdated
Find a package that you want to fix and run the following to view the latest version of the package:
npm list <package name>
Generally, this alone is not enough to determine which version you should upgrade a package to. To get more information, find the package on GitHub. Read the change logs and also look at the project’s package.json to determine the latest version you can upgrade to.
Once you know which version that is, run the following to install that specific version:
npm install <package name>@<version> --save
Run your build again and test your code to ensure that nothing is broken. Repeat the previous steps for all of the offending packages that are flagged by NPM.
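As an added example (not code from the original post), the script below sorts the JSON output of npm audit (the npm 7+ "vulnerabilities" shape produced by npm audit --json) into the two classes the steps above distinguish: findings npm audit fix can resolve on its own, and findings that need the manual npm install <package name>@<version> step because the fix lives in a new major version. The report it works on is a constructed sample with made-up package names and versions.

```javascript
// Constructed sample of the `vulnerabilities` map from `npm audit --json`
// (npm 7+). Package names, versions and ranges are made up for this example.
const SAMPLE_REPORT = {
  vulnerabilities: {
    'example-html-sanitizer': {
      name: 'example-html-sanitizer', severity: 'high', isDirect: false,
      range: '<2.3.0', fixAvailable: true, // a fix exists inside the allowed range
    },
    'example-http-client': {
      name: 'example-http-client', severity: 'moderate', isDirect: true,
      range: '<=3.9.1',
      // An object here means the fix changes a top-level dependency's version;
      // with isSemVerMajor set, `npm audit fix` will not apply it on its own.
      fixAvailable: { name: 'example-http-client', version: '4.0.0', isSemVerMajor: true },
    },
    'example-legacy-shim': {
      name: 'example-legacy-shim', severity: 'low', isDirect: false,
      range: '*', fixAvailable: false, // no fixed release exists yet
    },
  },
};
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };
const bySeverity = (a, b) => (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0);

// Bucket each vulnerable package by how its fix can be applied, worst first.
function triageAudit(report) {
  const autoFixable = [], needsManualUpgrade = [], noFix = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    const entry = { name, severity: v.severity, direct: Boolean(v.isDirect), range: v.range };
    if (v.fixAvailable === true) {
      autoFixable.push(entry); // `npm audit fix` handles these
    } else if (v.fixAvailable && typeof v.fixAvailable === 'object') {
      needsManualUpgrade.push({ ...entry, breaking: Boolean(v.fixAvailable.isSemVerMajor),
        upgradeTo: `${v.fixAvailable.name}@${v.fixAvailable.version}` });
    } else {
      noFix.push(entry); // nothing to install yet; keep tracking and re-audit later
    }
  }
  [autoFixable, needsManualUpgrade, noFix].forEach((list) => list.sort(bySeverity));
  return { autoFixable, needsManualUpgrade, noFix };
}

// The manual step from the post: one install command per package that needs it.
function manualInstallCommands(triage) {
  return triage.needsManualUpgrade.map((e) => `npm install ${e.upgradeTo} --save`);
}

console.log(JSON.stringify(triageAudit(SAMPLE_REPORT), null, 2));
```

In a real project, feed it the output of npm audit --json instead of SAMPLE_REPORT; the commands it prints are the ones to run, build, and test one at a time.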
I hope this will clarify the process for how to handle these pesky security package vulnerabilities!