2

GitHub sent me an email today warning me of a vulnerability in my package-lock.json file. However, as I understand it, this file is generated during npm install from package.json.

How can I find out which package (from package.json) is linked to the vulnerable one (in package-lock.json)?


Fuhrmanator
  • Possible duplicate of [How to update package-lock.json](https://stackoverflow.com/questions/50328324/how-to-update-package-lock-json) – JBallin Nov 27 '18 at 19:44
  • Check out my answer to a similar question: https://stackoverflow.com/a/53506971/4722345 – JBallin Nov 27 '18 at 19:44

1 Answer

7

How can I find out which package (from package.json) is linked to the vulnerable one (in package-lock.json)?

(Answering my own question): The vulnerable package was named growl. So, the command npm ls growl shows the packages that depend on it:

$ npm ls growl
my-project@1.0.1 C:\some_project
`-- mocha@3.5.3
  `-- growl@1.9.2

Then it's a question of finding a newer version of those packages (in this case mocha) that use a more modern version. At the time of this answer, the vulnerability was fixed in growl@1.10.0 (according to GitHub's vulnerability analysis). So, go through the release notes for mocha to see which version updated to growl 1.10. I spotted:

4.0.1 / 2017-10-05

Fixes

  • #3051: Upgrade Growl to v1.10.3 to fix its peer dep problems (@dpogue)

Updating my package.json to show "mocha": ">=4.0.1", then re-running npm install followed by npm ls growl now shows a currently non-vulnerable version of growl:

my-project@1.0.1 C:\some_project
`-- mocha@5.2.0
  `-- growl@1.10.5
Fuhrmanator
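The lookup the answer performs with `npm ls growl`, done programmatically so it can be run over a lockfile without installing anything: this is an added example, not code from the question, the answer, or npm. It reads a package.json and a lockfileVersion 1 package-lock.json (the nested `dependencies` / `requires` layout npm produced when the answer was written) and reports every chain from a direct dependency in package.json down to the named package, resolving each `requires` entry to the nearest enclosing `dependencies` scope the way node_modules lookup does. The sample data is constructed to mirror the answer's tree, with an extra `debug`/`ms` pair added to show a nested, non-hoisted copy resolving differently from the top-level one; file and function names are my own.

```python
import json
import sys

# Constructed sample package.json: mocha is a dev dependency, debug a runtime one.
SAMPLE_PACKAGE = {
    "dependencies": {"debug": "^3.1.0"},
    "devDependencies": {"mocha": "^3.5.3"},
}

# Constructed sample package-lock.json (lockfileVersion 1 layout). growl is hoisted
# to the top level but is only pulled in by mocha; mocha carries its own nested debug.
SAMPLE_LOCK = {
    "name": "my-project",
    "version": "1.0.1",
    "lockfileVersion": 1,
    "dependencies": {
        "mocha": {
            "version": "3.5.3",
            "requires": {"growl": "1.9.2", "debug": "2.6.8"},
            "dependencies": {
                "debug": {"version": "2.6.8", "requires": {"ms": "2.0.0"}},
            },
        },
        "growl": {"version": "1.9.2"},
        "debug": {"version": "3.1.0", "requires": {"ms": "2.0.0"}},
        "ms": {"version": "2.0.0"},
    },
}


def direct_dependencies(package_json):
    """Names declared in package.json, dependencies first, then devDependencies."""
    names = []
    for section in ("dependencies", "devDependencies"):
        names.extend(package_json.get(section, {}))
    return names


def resolve(name, scopes):
    """Nearest-scope lookup: innermost nested 'dependencies' map wins, like node_modules."""
    for scope in scopes:
        if name in scope:
            return scope[name]
    return None


def find_dependency_chains(package_json, lock, target):
    """Return every chain [direct@ver, ..., target@ver] that leads to `target`."""
    roots = lock.get("dependencies", {})
    chains = []

    def walk(name, entry, scopes, chain):
        label = f"{name}@{entry.get('version', '?')}"
        if label in chain:            # cycle guard: do not revisit a node on this path
            return
        chain = chain + [label]
        if name == target:
            chains.append(chain)
            return
        nested = entry.get("dependencies", {})
        inner = ([nested] if nested else []) + scopes
        for dep in entry.get("requires", {}):
            dep_entry = resolve(dep, inner)
            if dep_entry is not None:  # missing entries mean an inconsistent lockfile
                walk(dep, dep_entry, inner, chain)

    for name in direct_dependencies(package_json):
        if name in roots:
            walk(name, roots[name], [roots], [])
    return chains


def direct_dependents(package_json, lock, target):
    """The package.json entries you would actually have to bump to move off `target`."""
    return sorted({chain[0].rsplit("@", 1)[0]
                   for chain in find_dependency_chains(package_json, lock, target)})


if __name__ == "__main__":
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f:
            pkg = json.load(f)
        with open(sys.argv[2]) as f:
            lock = json.load(f)
        target = sys.argv[3]
    else:                              # no arguments: run against the constructed sample
        pkg, lock, target = SAMPLE_PACKAGE, SAMPLE_LOCK, "growl"
    for chain in find_dependency_chains(pkg, lock, target):
        print(" > ".join(chain))
    print("bump in package.json:", ", ".join(direct_dependents(pkg, lock, target)))
```

Run as `python find_dependents.py package.json package-lock.json growl`; with no arguments it uses the constructed sample and reports `mocha@3.5.3 > growl@1.9.2`. Asking it for `ms` instead shows why the scope chain matters: mocha's path goes through the nested `debug@2.6.8`, while the project's own `debug@3.1.0` at the top level is a separate chain. Newer lockfiles (lockfileVersion 2 and 3) use a flat `packages` map keyed by node_modules path, which this script does not parse.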