
GitHub has given me this error on one of my repositories.

We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security vulnerabilities 
and should be updated.

The dependency is not defined in our package.json file. To my understanding it isn't good practice to delete the package-lock.json file and regenerate it. However, I cannot see any other way to fix this issue. If I dismiss this security vulnerability it will appear again a couple of days later. Any ideas? Thanks!

Kaito
  • https://stackoverflow.com/questions/50053991/github-potential-security-vulnerability-error-for-hoek-node-module – xianshenglu Jun 11 '18 at 12:59
  • Possible duplicate of [Github potential security vulnerability error for hoek node module](https://stackoverflow.com/questions/50053991/github-potential-security-vulnerability-error-for-hoek-node-module) – xianshenglu Jun 11 '18 at 13:00

9 Answers


New: now, with npm@6 you can directly run

npm audit fix

Old answer:

You should try to identify the problematic package's name, and then run

npm install package-name

replacing package-name, obviously.

This will install the latest version of the package, and very often, the latest version has fixed the security issue. If you have a constraint on version (e.g. 1.2), you can always try to:

npm install package-name@^1.2

and the latest patched version will be installed

Fuhrmanator
DevTheJo
  • ...and to 'identify the problematic package's name' you can run `npm ls vulnerability-name`. This lists the vulnerability dependents, which you can then update/install. (as mentioned rather unclearly in @RileyManda's answer) – Sjeiti Sep 13 '18 at 07:15
  • npm audit fix cleanly fixes this issue for me now. – Kaito Oct 02 '18 at 21:06
  • It will add `package-name` in `dependencies` of `package.json`. I don't want this. – Lin Du Nov 23 '18 at 03:54
  • Everyone please use the above mentioned npm audit fix – Jay Jay Jay Apr 30 '21 at 23:21
  • If the vulnerability is deeper in the dependency tree, you can use npm's overrides property (https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions/70396201#70396201) – s6mike Jan 01 '23 at 16:17
  • yes @s6mike and `resolutions` with yarn – DevTheJo Jan 03 '23 at 22:41
  • "npm ERR! audit endpoint returned an error" – Ap0st0l May 08 '23 at 08:21
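The question's situation (the flagged package is transitive and never appears in package.json) is the one `npm ls <name>` and `npm audit fix` are for, and the overrides comment above is the fallback when a direct dependent pins an old range. The following is an added example, not code from this answer or from npm: a small Node script that does what `npm ls` does on the lockfile itself, for both the nested lockfileVersion 1 layout and the flat `packages` map of lockfileVersion 2/3, flags copies older than the first fixed release, and emits the `overrides` field that forces the fixed version everywhere. The two lockfiles, the `some-cli` dependent, and the use of hoek 2.16.3 / 4.2.1 as the vulnerable and fixed versions are constructed for the demo (the version pair is the one quoted elsewhere in this thread).

```javascript
// Added example, not code from the answer above. Finds every copy of a
// package inside a package-lock.json and reports which copies are still
// below the first fixed version. Handles lockfileVersion 1 (nested
// "dependencies") and lockfileVersion 2/3 (flat "packages" map), so it
// works when the flagged package is transitive and absent from package.json.
// The two lockfiles below are constructed for the demo; nothing is fetched.

// Compare the numeric core of two versions (major.minor.patch).
// Pre-release tags and build metadata are dropped, which is enough for
// "is this copy older than the fixed release" checks.
function compareSemver(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1: entries nest under "dependencies", so the dependency
// path is the chain of parents walked to reach the entry.
function walkV1(deps, parents, name, out) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const path = [...parents, dep];
    if (dep === name) out.push({ path: path.join(' > '), version: info.version });
    walkV1(info.dependencies, path, name, out);
  }
}

// lockfileVersion 2/3: keys are install paths such as
// "node_modules/some-cli/node_modules/hoek"; the path is recovered by
// splitting on "node_modules/". Scoped names (@scope/pkg) survive the split.
function walkV2(packages, name, out) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project entry
    const chain = key.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
    if (chain[chain.length - 1] === name) {
      out.push({ path: chain.join(' > '), version: info.version });
    }
  }
}

// Every installed copy of `name`, flagged as vulnerable when older than `fixedIn`.
function findVulnerable(lock, name, fixedIn) {
  const found = [];
  if (lock.packages) walkV2(lock.packages, name, found);
  else walkV1(lock.dependencies, [], name, found);
  return found.map((f) => ({ ...f, vulnerable: compareSemver(f.version, fixedIn) < 0 }));
}

// When the vulnerable copy is transitive and its direct dependent pins an old
// range, `npm audit fix` may leave it alone. npm 8.3+ honours an "overrides"
// field in package.json that forces the version everywhere in the tree; this
// returns that field (empty object when no copy needs it). The caret range is
// a choice: it lets later releases of the fixed major in while refusing the old one.
function buildOverrides(lock, name, fixedIn) {
  const bad = findVulnerable(lock, name, fixedIn).filter((h) => h.vulnerable);
  return bad.length ? { overrides: { [name]: `^${fixedIn}` } } : {};
}

// Constructed lockfiles: a hoisted, patched hoek plus an old copy nested under
// a direct dependency, which is the shape that produces the GitHub alert.
const lockV1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-cli': { version: '1.0.0', dependencies: { hoek: { version: '2.16.3' } } },
    hoek: { version: '4.2.1' },
  },
};
const lockV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/hoek': { version: '4.2.1' },
    'node_modules/some-cli': { version: '1.0.0' },
    'node_modules/some-cli/node_modules/hoek': { version: '2.16.3' },
  },
};

for (const lock of [lockV1, lockV3]) {
  for (const hit of findVulnerable(lock, 'hoek', '4.2.1')) {
    console.log(`v${lock.lockfileVersion}: ${hit.path}@${hit.version} ${hit.vulnerable ? 'VULNERABLE' : 'ok'}`);
  }
}
console.log(JSON.stringify(buildOverrides(lockV1, 'hoek', '4.2.1')));
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and take the fixed version from the advisory GitHub shows. An override only changes what gets installed; after adding it, run `npm install` so the lockfile is regenerated, then rerun `npm audit` to confirm the old copy is gone.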

To resolve this:

Solution 1: First find the vulnerability. Using your terminal, cd into your project, then run "npm ls hoek".

And finally: npm install bcrypt@latest

Then push the updated project to git (i.e. perform a fresh commit).

Solution 2:

If the first option/solution does not resolve the issue, change the version manually in your package-lock.json. Change your version manually from 2.16.3 to 4.2.1:

"hoek": {
  "version": "4.2.1",
  "resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz",
  "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
  "dev": true
}

Then update your project on GitHub (commit/push). Just make sure every hoek version occurrence in your package-lock.json is changed to 4.2.1.

Alternatively, if you can figure out a way to change the hoek version/update hoek using npm, it will make things much simpler (something like: npm update @hoek..version), or uninstall the specific dependency then reinstall it using bower or npm.

RileyManda

I was having the same issue with a lodash security vulnerability, in a project I was building with yarn. GitHub flagged these as security concerns.

I tried the answer from @rileymanda above, using a terminal: cd into project, then run npm ls lodash.

This uncovered that in my case, the error was in react-scripts. Quick Google for issues with react-scripts and lodash uncovered that this was a known issue.

I tried various things to fix via yarn - all with no success. npm ls lodash still showed the vulnerable version of lodash in use.

Having read Matt Turnbull's blog about improvements to npm I switched from yarn back to npm. (Delete yarn.lock, delete ./node_modules. Run npm install). npm ls lodash now showed the latest dependency versions being used - hurrah! Committed to github, and it was now happy that the vulnerability had gone.

It looks like yarn may be struggling to unpick such issues (or isn't intended to).

If you're getting this issue when building with yarn, then try switching [back] to npm!

JohnSk

To my understanding it isn't good practice to delete the package-lock.json file and regenerate it.

Yet, this is what is usually done in this instance.
See for example angular/angular-cli issue 8534, which is resolved by PR 8535.
That leads a dependent project like frees-io/freestyle-opscenter-webclient to update its package-lock.json: PR 31.

VonC
  • Regeneration of package-lock.json doesn't seem to solve the problem – xianshenglu Apr 27 '18 at 05:33
  • @xianshenglu OK, I'll leave the answer there in case it does help others. – VonC Apr 27 '18 at 07:32
  • I'm receiving the warning for a package-lock in an old commit. How on earth am I to fix something in the history without rewriting it? – pishpish Apr 27 '18 at 17:54
  • @destoryer That I don't know: try and ask a new question with more detail (OS, version of npm, ...) – VonC Apr 27 '18 at 18:05
    That fixed my issue. Thanks for the tip. – Rich Feb 23 '19 at 05:00
  • "It depends." There's a lot of confusion with `package-lock.json` because the philosophy about it has changed. See https://medium.com/coinmonks/everything-you-wanted-to-know-about-package-lock-json-b81911aa8ab8 – Fuhrmanator Aug 29 '19 at 13:32

The simplest/easiest way to fix this is:

  1. npm install <dep>
  2. npm uninstall <dep>
  3. npm update
  4. npm install

From: https://github.com/Microsoft/vscode/issues/48783#issuecomment-384873041

adrianmcli
    Mine is only in dependencies (package-lock.json) so completing steps 1 and 2 is enough to fix my issue. Cheers! – PhoenixPan Oct 02 '18 at 07:12

known security vulnerabilities and should be updated.

Since May 23rd, 2019, you now have "Dependabot: Automated security fixes"

Through the integration of Dependabot, we’ve released automated security fixes as a public beta.

Automated security fixes are pull requests generated by GitHub to fix security vulnerabilities.
They automate a tedious part of the workflow and make it easy for developers to keep their dependencies up to date.

See more at "Configuring automated security fixes"

Note: Automatic security fixes are available in beta and are subject to change.

You can enable automatic security fixes for any repository that uses security alerts and the dependency graph.
We'll automatically enable automatic security fixes in every repository that uses security alerts and the dependency graph over the next few months, starting in May 2019.

VonC
  • I've had mixed results with that bot. I prefer manually doing `npm audit` and/or `npm audit fix`. – Fuhrmanator Aug 29 '19 at 13:34
  • @Fuhrmanator OK. You mentioned https://medium.com/coinmonks/everything-you-wanted-to-know-about-package-lock-json-b81911aa8ab8 in a previous comment? – VonC Aug 29 '19 at 13:36

This works for me: uninstall all of your dependencies and install them again.

For example:

From package.json, see the list of your dependencies:

{
  "name": "ebook-saler",
  "version": "1.0.0",
  "description": "App for selling ebooks",
  "main": "app.js",
  "scripts": {
    "start": "node app.js"
  },
  "author": "Md Shayon",
  "license": "ISC",
  "dependencies": {
    "body-parser": "^1.19.0",
    "express": "^4.17.1",
    "express-handlebars": "^3.1.0",
    "hoek": "^6.1.3",
    "stripe": "^7.5.0"
  }
}

Follow the commands for this:

npm uninstall body-parser express express-handlebars hoek stripe
npm install body-parser express express-handlebars hoek stripe
git commit -m "updated"
git push
MD SHAYON

Try npm audit fix; it will solve many warnings.

Then npm i [package.name]@xxx

for example:

"dependencies": {
  "lodash": ">=4.17.13"
}

npm i lodash@4.17.13

André Werlang
Jun Du
  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Security.
  3. Click the alert you'd like to view.
  4. Review the details of the vulnerability and, if available, the pull request containing the automated security fix.
  5. Optionally, if there isn't already an automated security fix for the alert, to create a pull request to resolve the vulnerability, click Create automated security fix.
  6. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.

See details

MD SHAYON