
There is a small React/Redux app I'd like to check with nsp check.
For instance, nsp complains that the debug 2.6.8 package I use in the app contains a vulnerability. So I need to bump the version of debug:

Regular Expression Denial of Service
│ Name       │ debug
│ CVSS       │ 3.7 (Low)
│ Installed  │ 2.6.8
│ Vulnerable │ <= 2.6.8 || >= 3.0.0 <= 3.0.1
│ Patched    │ >= 2.6.9 < 3.0.0 || >= 3.1.0
│ Path       │ sms-web@0.0.1 > webpack-dev-server@2.5.0 > compression@1.7.0 > debug@2.6.8
│ More Info  │ https://nodesecurity.io/advisories/534

I tried npm update --depth=7, but it didn't update the debug package.
So how can I update deeply nested packages, e.g. debug?

Lesha Pipiev
  • Solution with shrinkwrap here: https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions – Gabriel Bleu Nov 27 '17 at 13:06

1 Answer


According to the docs:

As of npm@2.6.1, the npm update will only inspect top-level packages. Prior versions of npm would also recursively inspect all dependencies. To get the old behavior, use npm --depth 9999 update.

In order to update just the debug package you could do

npm --depth 9999 update debug

or else you could just uninstall and reinstall it like

npm uninstall -S debug
npm install -S debug
Shubham Khatri
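Whichever route you take, the thing to verify afterwards is not the top-level debug but every copy of it anywhere in the tree: a nested copy under compression is exactly what nsp flagged, and a top-level install or uninstall/reinstall touches only the root copy. The script below is an added example (not code from the question, the answer, or nsp/npm itself): it walks an `npm ls --json`-shaped tree, lists every installed copy of a package with its path and depth, and checks each version against the advisory's vulnerable range. The tree is constructed here to mirror the path in the question plus an already-patched top-level copy; the range grammar handled is only the simple comparator form nsp prints (for real ranges use the semver package), and the advisory object and all function names are this example's own.

```javascript
// Added example, not from the original post. Walks an `npm ls --json`-style
// tree ({name, version, dependencies: {dep: {version, dependencies: ...}}})
// and reports every installed copy of a package that matches an advisory.

// Minimal comparator for plain "major.minor.patch" versions (no prerelease tags).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range grammar as nsp prints it: alternatives joined by "||", each a
// space-separated conjunction of "<op> version" comparators.
function satisfies(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().replace(/([<>=]+)\s+/g, '$1').split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    })
  );
}

// Recursively collect every installed copy of `name`; depth 1 is top level.
function findInstalls(tree, name, path = [`${tree.name}@${tree.version}`], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) out.push({ path: here, version: info.version, depth: here.length - 1 });
    findInstalls({ name: dep, version: info.version, dependencies: info.dependencies }, name, here, out);
  }
  return out;
}

// Mark each installed copy as vulnerable or not against the advisory range.
function audit(tree, advisory) {
  return findInstalls(tree, advisory.name).map((inst) => ({
    ...inst,
    vulnerable: satisfies(inst.version, advisory.vulnerable),
  }));
}

// Constructed sample tree (hypothetical; not real `npm ls --json` output).
const sampleTree = {
  name: 'sms-web',
  version: '0.0.1',
  dependencies: {
    debug: { version: '2.6.9' }, // top-level copy, already patched
    'webpack-dev-server': {
      version: '2.5.0',
      dependencies: {
        compression: {
          version: '1.7.0',
          dependencies: { debug: { version: '2.6.8' } }, // nested copy, still vulnerable
        },
      },
    },
  },
};

// Ranges copied from the nsp report in the question; the object shape is this example's.
const debugAdvisory = {
  name: 'debug',
  vulnerable: '<= 2.6.8 || >= 3.0.0 <= 3.0.1',
  patched: '>= 2.6.9 < 3.0.0 || >= 3.1.0',
};

for (const r of audit(sampleTree, debugAdvisory)) {
  console.log(`${r.path.join(' > ')}  depth=${r.depth}  ${r.vulnerable ? 'VULNERABLE' : 'ok'}`);
}
```

To run it against a real project, replace `sampleTree` with `JSON.parse` of `npm ls --json` output, then re-run after `npm --depth 9999 update debug`; the update has only worked if no copy at any depth is still reported as VULNERABLE. An uninstall/reinstall at the root never changes the nested copy, which is why the depth column matters.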