
I have this error whenever I install a package

found 14 vulnerabilities (1 low, 1 moderate, 12 high) run `npm audit fix` to fix them, or `npm audit` for details

So I have found out that some of my npm packages have a vulnerable version of a dependency called `tar`. So all I need to do now is update this package to a higher version >= 4.4.2.

I manually changed the versions of all the `tar` dependencies in my package-lock.json and have tried to run the following commands: `npm i`, `npm audit fix`, `npm audit fix --force`, but the package-lock.json updates itself back to its previous `tar` dependencies. I even ran `npm cache clean --force` and repeated the above commands, but with the same result.

Is there a way I can specifically update every tar dependency within my node_modules from the command line?

Ikechukwu

1 Answer


`npm audit fix` changes package.json if needed by changing package versions to compatible ones, and package.json defines the possible versions that appear in package-lock.json.

So, you can't fix version-based vulnerabilities by rewriting package-lock.json because `npm install` rewrites package-lock.json anyway.

`npm audit fix` rewrites the versions in package.json to compatible versions that don't suffer from vulnerabilities. If running `npm audit fix` doesn't fix your version-based vulnerability issues, you have to refactor your code by using versions/libs that are not entirely compatible in the eyes of `npm audit fix` (in the real world, the changes are usually very minor). You can use the help of `npm list` to get the name of the dependency that requires an invalid version of `tar`, and change the version of this package.

Nino Filiu
  • I know the dependencies that are causing this and I have tried updating them, but it doesn't update their current `tar` dependency – Ikechukwu Jun 14 '19 at 13:12
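The answer's advice to find the parent packages that require an old `tar` can be checked offline against the lockfile itself, which is where the nested copies that keep reappearing are recorded. The following Node.js script is an added example, not code from the question, the answer or npm: it takes a lockfile object, walks every nested copy of a named package and reports each copy whose exact version is below a minimum (here the 4.4.2 threshold from the question) together with the parent chain that pulled it in. The two lockfiles embedded inline are constructed for the example; the package names and versions in them are made up. It goes slightly beyond the npm 6 setting of the thread by also reading the flat `packages` map that npm 7+ lockfiles use, so the same check works on either layout.

```javascript
// Added example (not from the original question or answer): scan a
// package-lock.json offline and report every nested copy of a package
// whose resolved version is below a minimum, with the chain of parents
// that pulled it in. Lockfile versions are exact ("4.4.1"), so a plain
// numeric compare of the dot-separated parts is enough; no semver range
// parsing is attempted.

// Constructed v1 lockfile (npm 5/6 layout) so the example runs offline.
// Package names and versions are hypothetical.
const SAMPLE_LOCK_V1 = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "node-sass": {
      version: "4.12.0",
      dependencies: {
        "node-gyp": {
          version: "3.8.0",
          dependencies: {
            tar: { version: "2.2.2" }
          }
        }
      }
    },
    "node-pre-gyp": {
      version: "0.12.0",
      dependencies: {
        tar: { version: "4.4.1" }
      }
    },
    tar: { version: "4.4.8" }
  }
};

// The same constructed tree as a v3 lockfile (npm 7+), which stores a
// flat "packages" map keyed by node_modules path.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/node-sass": { version: "4.12.0" },
    "node_modules/node-sass/node_modules/node-gyp": { version: "3.8.0" },
    "node_modules/node-sass/node_modules/node-gyp/node_modules/tar": { version: "2.2.2" },
    "node_modules/node-pre-gyp": { version: "0.12.0" },
    "node_modules/node-pre-gyp/node_modules/tar": { version: "4.4.1" },
    "node_modules/tar": { version: "4.4.8" }
  }
};

// Compare two exact versions "a.b.c" numerically. Returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a v1 "dependencies" tree, yielding [chain, version] for each
// installed copy of `name`, e.g. ["node-sass > node-gyp > tar", "2.2.2"].
function* walkV1(deps, name, chain = []) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = [...chain, dep];
    if (dep === name) yield [here.join(" > "), info.version];
    if (info.dependencies) yield* walkV1(info.dependencies, name, here);
  }
}

// Walk a v2/v3 "packages" map; the key itself encodes the parent chain.
function* walkPackages(packages, name) {
  for (const [key, info] of Object.entries(packages || {})) {
    const chain = key
      .split("node_modules/")
      .map((s) => s.replace(/\/$/, ""))
      .filter(Boolean);
    if (chain[chain.length - 1] === name) yield [chain.join(" > "), info.version];
  }
}

// Return every copy of `name` resolved below `minVersion`, sorted by chain.
function findVulnerableCopies(lock, name, minVersion) {
  const copies = lock.packages
    ? [...walkPackages(lock.packages, name)]
    : [...walkV1(lock.dependencies, name)];
  return copies
    .filter(([, v]) => compareVersions(v, minVersion) < 0)
    .map(([path, version]) => ({ path, version }))
    .sort((x, y) => x.path.localeCompare(y.path));
}

// Stand-alone usage: list nested copies of tar below 4.4.2 in both layouts.
for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V3]) {
  console.log(`lockfileVersion ${lock.lockfileVersion}:`);
  for (const hit of findVulnerableCopies(lock, "tar", "4.4.2")) {
    console.log(`  ${hit.path}@${hit.version} is below 4.4.2`);
  }
}
```

Each reported chain names the parent that has to move, which is the same information `npm ls tar` prints from the real install tree. A parent whose own dependency range is `"tar": "^2.2.2"` cannot be satisfied by a 4.x release, so editing the nested entry in package-lock.json is undone on the next `npm install`, exactly as the question describes; that parent itself needs a newer release, as the answer says. On npm 6, `npm update tar --depth 9999` asks npm to re-resolve nested copies whose ranges already allow a fixed version; from npm 8.3 onward, an `"overrides"` block in package.json (for example `"overrides": { "tar": "^4.4.2" }`) pins every nested copy, but it forces the version on parents whose ranges exclude it, so their test suites should be re-run after applying it.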