
My repo on GitHub shows the following alert:

Dependabot cannot update ssri to a non-vulnerable version. The latest possible version that can be installed is 6.0.1 because of the following conflicting dependencies:

terser-webpack-plugin@2.3.8 requires ssri@^7.0.0 via cacache@13.0.1

webpack@4.46.0 requires ssri@^6.0.1 via a transitive dependency on cacache@12.0.4

The earliest fixed version is 8.0.1.

As far as I know, I should update the root package (which is terser-webpack-plugin) in package.json to a newer version, but how do I determine the minimum version that supports the non-vulnerable version of the dependency (in this case ssri 8.0.1)? I don't want to update to too high a version and risk breaking things. I am thinking of manually checking through all the release versions of terser-webpack-plugin, but that's very tedious and seems like the wrong way to check. Any suggestions?

thienDX

1 Answer


To speed up the process and save installing each version and its associated dependency tree, we can use npm-remote-ls (https://stackoverflow.com/a/26005786/2815338)

Firstly get the list of available versions:

> npm view terser-webpack-plugin versions
[
  '1.0.0', '1.0.1', '1.0.2', '1.1.0', '1.2.0',
  ...

Then run npm-remote-ls for each version after your current one and filter on the relevant dependency, e.g.

> npm-remote-ls terser-webpack-plugin@3.0.0 | grep ' ssri@'
   ???  ?????? ssri@8.0.1
   ???  ???  ???  ?????? ssri@6.0.2

In this case terser-webpack-plugin@5.0.0 is the first with only fixed versions of ssri (8.0.1), and 5.1.0 appears to not include ssri at all, presumably due to webpack no longer depending on cacache.

N.B. the question marks appear to be due to encoding of characters that npm-remote-ls uses to display a tree structure. You could also use Select-String in PowerShell, but this appears to show different (incorrect) characters instead.

Tomglomerate
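The answer's procedure (list the root package's versions, resolve each one's transitive tree, keep the first whose tree contains only fixed versions of the vulnerable dependency) can be run offline against registry-style metadata instead of calling npm-remote-ls per version. The script below is an added example, not code from the question or the answer. Its REGISTRY object is constructed: the version numbers and the three dependency edges quoted in the Dependabot alert and in the npm-remote-ls output are taken from the post, while every other dependency range is an assumption made up to reproduce that shape. Only exact versions and caret ranges are supported, which is all the page's data uses.

```javascript
// Added example (not from the original post): find the earliest version of a root
// package whose resolved transitive tree contains no version of a vulnerable
// package below the fixed version. REGISTRY is CONSTRUCTED for illustration;
// only the edges quoted in the alert are from the page, the rest are assumptions.
const REGISTRY = {
  'terser-webpack-plugin': {
    '2.3.8': { cacache: '^13.0.1' },                   // from the alert
    '3.0.0': { cacache: '^15.0.0', webpack: '^4.46.0' }, // assumed ranges
    '4.0.0': { cacache: '^13.0.1' },                   // assumed
    '5.0.0': { cacache: '^15.0.0' },                   // assumed
    '5.1.0': {},                                       // assumed: no cacache at all
  },
  cacache: {
    '12.0.4': { ssri: '^6.0.1' },  // from the alert
    '13.0.1': { ssri: '^7.0.0' },  // from the alert
    '15.0.0': { ssri: '^8.0.1' },  // assumed
  },
  webpack: { '4.46.0': { cacache: '^12.0.4' } }, // from the alert
  ssri: { '6.0.2': {}, '7.1.0': {}, '8.0.1': {} },
};

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Numeric major.minor.patch comparison; returns <0, 0 or >0.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Supports exact versions and caret ranges, including the ^0.x and ^0.0.z rules.
function satisfies(version, range) {
  if (!range.startsWith('^')) return compareVersions(version, range) === 0;
  const min = range.slice(1);
  if (compareVersions(version, min) < 0) return false;
  const [vmaj, vmin, vpat] = parseVersion(version);
  const [rmaj, rmin, rpat] = parseVersion(min);
  if (rmaj > 0) return vmaj === rmaj;
  if (rmin > 0) return vmaj === 0 && vmin === rmin;
  return vmaj === 0 && vmin === 0 && vpat === rpat;
}

// Pick the highest registry version matching the range, as npm would.
function resolve(name, range) {
  const matching = Object.keys(REGISTRY[name] || {}).filter((v) => satisfies(v, range));
  if (matching.length === 0) throw new Error(`no version of ${name} satisfies ${range}`);
  return matching.sort(compareVersions).pop();
}

// Walk the transitive tree of name@version and collect every resolved version of target.
function collectVersions(name, version, target, seen = new Set(), found = new Set()) {
  const key = `${name}@${version}`;
  if (seen.has(key)) return found;
  seen.add(key);
  if (name === target) found.add(version);
  for (const [dep, range] of Object.entries(REGISTRY[name][version])) {
    collectVersions(dep, resolve(dep, range), target, seen, found);
  }
  return found;
}

// Versions of target in the tree that are below the fixed version.
function vulnerableVersions(root, version, target, fixedVersion) {
  return [...collectVersions(root, version, target)]
    .filter((v) => compareVersions(v, fixedVersion) < 0)
    .sort(compareVersions);
}

// Earliest root version (ascending order) with no vulnerable target in its tree.
function firstSafeVersion(root, target, fixedVersion) {
  const versions = Object.keys(REGISTRY[root]).sort(compareVersions);
  for (const v of versions) {
    if (vulnerableVersions(root, v, target, fixedVersion).length === 0) return v;
  }
  return null;
}

for (const v of Object.keys(REGISTRY['terser-webpack-plugin']).sort(compareVersions)) {
  console.log(`terser-webpack-plugin@${v}: ssri ${[...collectVersions('terser-webpack-plugin', v, 'ssri')].join(', ') || '(absent)'}`);
}
console.log('first safe:', firstSafeVersion('terser-webpack-plugin', 'ssri', '8.0.1'));
```

With the constructed data this reproduces the answer's finding: 3.0.0 still pulls ssri 6.0.2 through webpack's cacache, 5.0.0 is the first version whose tree holds only ssri 8.0.1, and 5.1.0 carries no ssri at all. Against the real registry you would populate REGISTRY from `npm view <pkg>@<version> dependencies --json` (or from the npm-remote-ls output) rather than by hand.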