
I am currently having a problem updating the NPM package tree-kill, which is a dependency of @angular-devkit/build-angular. tree-kill 1.2.1 has a security advisory issued (https://nodesecurity.io/advisories/1432), which is currently failing builds in my CI pipeline, as the pipeline includes 'npm audit --audit-level high'.

I need to update tree-kill to 1.2.2 to address the security advisory but I am already on the latest version of @angular-devkit/build-angular and my package-lock.json has tree-kill 1.2.1 as requires for @angular-devkit/build-angular.

I have tried uninstalling and installing @angular-devkit/build-angular to see if the tree-kill 1.2.2 patch would install. I have also tried this: "Npm update a dependency of a dependency in Node.js", which resulted in package.json having a dependency on tree-kill 1.2.2 while package-lock.json still had 1.2.1 for @angular-devkit/build-angular.

How do I update package-lock.json so that @angular-devkit/build-angular requires tree-kill 1.2.2 instead of 1.2.1?

ChrisMB
Does this answer your question? [How do I override nested NPM dependency versions?](https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions) – josemigallas Jul 23 '20 at 09:43

1 Answer


https://github.com/angular/angular-cli/issues/16629#issuecomment-573837093 is a comment posted in the Angular git repo that outlines a temporary workaround for updating dependencies until the package maintainer releases a new version. Note: this is only a temporary workaround and will revert if a newer version of Angular is released that doesn't require tree-kill 1.2.2.

ChrisMB
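To see exactly where the outdated copy sits in a lockfile and which package asks for it, the following is an added example, not part of the original question or answer. It assumes the nested npm 6 (lockfileVersion 1) layout; the sample lockfile is constructed, and `compareVersions` and `findOutdated` are hypothetical helper names.

```javascript
// Constructed sample in the npm 6 (lockfileVersion 1) layout; not a real lockfile.
// A top-level tree-kill 1.2.2 coexists with a nested 1.2.1 copy, the situation
// described in the question.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "@angular-devkit/build-angular": {
      version: "0.0.0-placeholder", // constructed value
      requires: { "tree-kill": "1.2.1" },
      dependencies: {
        "tree-kill": { version: "1.2.1" }
      }
    },
    "tree-kill": { version: "1.2.2" }
  }
};

// Compare plain x.y.z versions numerically; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Walk the nested "dependencies" tree and collect every installed copy of
// `name` older than `fixed`, plus every package whose "requires" lists `name`.
function findOutdated(lock, name, fixed) {
  const installed = [], requiredBy = [];
  (function walk(deps, path) {
    for (const [pkg, info] of Object.entries(deps || {})) {
      const here = path.concat(pkg);
      if (pkg === name && compareVersions(info.version, fixed) < 0) {
        installed.push({ path: here.join(" > "), version: info.version });
      }
      if (info.requires && name in info.requires) {
        requiredBy.push({ pkg: here.join(" > "), range: info.requires[name] });
      }
      walk(info.dependencies, here); // nested copies live under the parent
    }
  })(lock.dependencies, []);
  return { installed, requiredBy };
}

const report = findOutdated(sampleLock, "tree-kill", "1.2.2");
console.log(JSON.stringify(report, null, 2));
```

An empty `installed` list after applying a workaround means no copy older than the fixed version remains anywhere in the tree, which is what `npm audit` needs in order to pass.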