
Hi, I got a Dependabot alert:

react-bootstrap-table-next@4.0.3 requires underscore@1.9.1 The earliest fixed version is 1.12.1 - Dependabot alert

To fix this I added underscore: 1.12.1 to package.json, but the problem is not solved, as package-lock.json is still showing:

```json
"react-bootstrap-table-next": {
    "version": "4.0.3",
    "resolved": "https://registry.npmjs.org/react-bootstrap-table-next/-/react-bootstrap-table-next-4.0.3.tgz",
    "integrity": "sha512-uKxC73qUdUfusRf2uzDfMiF9LvTG5vuhTZa0lbAgHWSLLLaKTsI0iHf1e4+c7gP71q8dFsp7StvkP65SxC1JRg==",
    "requires": {
        "classnames": "^2.2.5",
        "react-transition-group": "^4.2.0",
        "underscore": "1.9.1"
    }
}
```

How do we fix this kind of Dependabot alert, where we cannot update the library (e.g. underscore) because it is required by another library (react-bootstrap-table-next), and we cannot update react-bootstrap-table-next either because it is already the latest version?

Or else, do we have to wait for the next release of react-bootstrap-table-next?

Vicky Kumar
  • Hey @vicky-kumar, getting the same issue, have you found any solution to this? – Kaleem Elahi May 12 '21 at 18:54
  • Hi @KaleemElahi, there is no fix as such; the only thing we can do is wait for the parent library to fix it on their side and then we can update the library. For details please go through this question: https://stackoverflow.com/questions/50328324/how-do-i-fix-a-vulnerable-npm-package-in-my-package-lock-json-that-isnt-listed – Vicky Kumar May 14 '21 at 04:43

2 Answers


Here is a generic solution: how-do-i-fix-a-vulnerable-npm-package-in-my-package-lock-json-that-isnt-listed

In this case, when a dependent package needs to be updated, we need to check whether the parent package has already fixed it, so that we can install the new parent package.

For example, in the above case underscore is required by react-bootstrap-table-next, so we can go ahead and check whether react-bootstrap-table-next has already fixed the alert and updated the underscore package. If they have updated it, we can install the latest react-bootstrap-table-next; if not, we can either wait for the next release or choose another alternative package.

Vicky Kumar
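The check this answer describes (which dependant pins the vulnerable package, and whether its constraint could ever admit the fixed version) can be scripted against the lockfile. The following is an added example, not code from the question, the answer or the react-bootstrap-table-next project. It assumes the lockfileVersion 1 layout shown in the question (`dependencies` / `requires` / nested `dependencies`), uses a constructed lockfile rather than a real one, and implements only a minimal subset of semver ranges (exact pin, `^`, `~`, `>=`) instead of depending on the `semver` package.

```python
"""Find every package in a package-lock.json (v1 layout) that requires a
vulnerable dependency, report whether each dependant's constraint can ever
admit the fixed version, and list the stale copies actually resolved."""
import re

# Constructed sample lockfile mirroring the question's situation: the user
# added underscore@1.12.1 at top level, but react-bootstrap-table-next pins
# underscore to exactly 1.9.1, so npm keeps a nested 1.9.1 copy for it.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 1,
    "dependencies": {
        "react-bootstrap-table-next": {
            "version": "4.0.3",
            "requires": {
                "classnames": "^2.2.5",
                "react-transition-group": "^4.2.0",
                "underscore": "1.9.1",
            },
            "dependencies": {"underscore": {"version": "1.9.1"}},
        },
        # Hypothetical package with a caret range: the hoisted 1.12.1 satisfies it.
        "some-other-lib": {"version": "2.0.0", "requires": {"underscore": "^1.8.0"}},
        "underscore": {"version": "1.12.1"},
    },
}


def parse_version(v):
    """'1.12.1' -> (1, 12, 1); pre-release/build suffixes are ignored."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())


def range_admits(spec, version):
    """Minimal semver check: does constraint `spec` allow `version`?"""
    want = parse_version(version)
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        if base[0] > 0:
            return base <= want < (base[0] + 1, 0, 0)
        if base[1] > 0:
            return base <= want < (0, base[1] + 1, 0)
        return want == base
    if spec.startswith("~"):
        base = parse_version(spec[1:])
        return base <= want < (base[0], base[1] + 1, 0)
    if spec.startswith(">="):
        return want >= parse_version(spec[2:])
    return want == parse_version(spec)  # exact pin, as in the question


def _walk(deps, path, visit):
    """Depth-first walk over the v1 tree, calling visit(path, name, meta)."""
    for name, meta in deps.items():
        node = f"{name}@{meta['version']}"
        visit(path, name, meta, node)
        _walk(meta.get("dependencies", {}), path + [node], visit)


def find_dependants(lock, target):
    """(path-to-dependant, constraint) for every package whose requires names target."""
    found = []

    def visit(path, name, meta, node):
        req = meta.get("requires", {})
        if target in req:
            found.append((" > ".join(path + [node]), req[target]))

    _walk(lock.get("dependencies", {}), [], visit)
    return found


def installed_versions(lock, target):
    """(path, version) for every resolved copy of target, top-level or nested."""
    out = []

    def visit(path, name, meta, node):
        if name == target:
            out.append((" > ".join(path + [node]), meta["version"]))

    _walk(lock.get("dependencies", {}), [], visit)
    return out


def audit(lock, target, fixed):
    """Stale copies still below `fixed`, and whether each dependant's range
    could be satisfied by `fixed` (if not, only a new parent release helps)."""
    fixed_v = parse_version(fixed)
    stale = [(p, v) for p, v in installed_versions(lock, target)
             if parse_version(v) < fixed_v]
    dependants = [{"dependant": p, "constraint": s,
                   "fixable_in_place": range_admits(s, fixed)}
                  for p, s in find_dependants(lock, target)]
    return {"stale_copies": stale, "dependants": dependants}


if __name__ == "__main__":
    result = audit(SAMPLE_LOCK, "underscore", "1.12.1")
    for path, ver in result["stale_copies"]:
        print(f"stale copy: {path} ({ver})")
    for d in result["dependants"]:
        verdict = "npm update can satisfy fix" if d["fixable_in_place"] else "needs new parent release"
        print(f"{d['dependant']} requires {d['constraint']}: {verdict}")
```

Run it against a real lockfile by loading it with `json.load` in place of `SAMPLE_LOCK`. A dependant reported as not fixable in place is exactly the case in the question: the exact pin `"1.9.1"` can never resolve to 1.12.1, so adding underscore to your own package.json only produces a second, hoisted copy while the vulnerable nested copy stays.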

I'm having the same issue, along with other projects. It appears that they have not yet decided on updating their dependencies at this time. It is known that there's a vulnerability issue with their current 1.9.1 version. We need version 12 or better. Until then we just have to hold our breath.

Follow updates here... https://github.com/react-bootstrap-table/react-bootstrap-table2/issues/1605

  • This is rather a comment. – gru Feb 28 '22 at 21:28
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/31180038) – Ervin Szilagyi Mar 05 '22 at 17:59