I'm working on a React project where I'm getting 101 vulnerabilities (Severity: 95 Moderate | 6 High). `npm audit fix`/`yarn audit` does not work because all of these have transitive dependencies. I cannot fix them directly because they give me breaking changes. I'm new to React and npm, so I'm not sure how to do this.
- You need to upgrade the libraries manually. `npm audit` should tell you what packages are including the vulnerable packages, and usually these root packages have an upgrade guide if there are breaking changes. Securing your application always requires work but is the responsible thing to do. This being said, if the packages are dev dependencies (meaning you only use them to package your app but they are not released with your app) you can probably ignore the audits on them – apokryfos Jun 28 '21 at 05:33
- Hey @apokryfos, thanks for answering. Actually, some of those are dependencies, so they will be released with the application. I did the manual upgrades but it gave me an error. This is exactly what I am facing: [link](https://stackoverflow.com/questions/67556739/application-doesnt-run-after-updating-postcss-to-version-8-react) – Jun 29 '21 at 08:15
1 Answer
In my experience so far, the vulnerabilities have not caused problems during development. If you encounter any situation where your development is hindered by an obsolete npm package, I would suggest you downgrade/upgrade that particular package.
You can read this article to understand how dependencies work in npm; it might help you understand how to resolve them.

Harsh Gaur
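The comment above says to use `npm audit` to find which root packages pull in the vulnerable ones, and to triage dev dependencies separately from the ones that ship with the app; the answer says to upgrade or downgrade that particular package. The Node script below is an added example (it is not code from the question, the comments or the answer) that does this triage over the JSON report: for every package that carries an advisory it walks the `effects` links upward until it reaches a direct dependency, then looks that dependency up in `package.json` to decide whether it is a prod or dev dependency and whether npm reports the available fix as a semver-major bump. The field names (`vulnerabilities.<name>.{severity,isDirect,via,effects,fixAvailable}`) are assumed from the npm 7+ `npm audit --json` report format; the package names, version ranges and advisories in the embedded sample are constructed for the example and do not describe real packages.

```javascript
// Constructed sample of `npm audit --json` output (npm 7+ report format).
// Assumed field names: vulnerabilities.<name>.{severity,isDirect,via,effects,fixAvailable}.
// Package names, ranges and advisories below are made up for this example.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "deep-parser": { name: "deep-parser", severity: "high", isDirect: false,
      via: [{ title: "Inefficient regular expression (constructed advisory)", severity: "high", range: "<2.0.1" }],
      effects: ["css-helper"], range: "<2.0.1", fixAvailable: true },
    "css-helper": { name: "css-helper", severity: "high", isDirect: false,
      via: ["deep-parser"], effects: ["build-scripts"], range: "<=3.1.0", fixAvailable: true },
    "build-scripts": { name: "build-scripts", severity: "high", isDirect: true,
      via: ["css-helper"], effects: [], range: "4.0.0 - 4.0.3",
      fixAvailable: { name: "build-scripts", version: "5.0.0", isSemVerMajor: true } },
    "tiny-util": { name: "tiny-util", severity: "moderate", isDirect: false,
      via: [{ title: "Prototype pollution (constructed advisory)", severity: "moderate", range: "<1.4.0" }],
      effects: ["app-widget"], range: "<1.4.0", fixAvailable: true },
    "app-widget": { name: "app-widget", severity: "moderate", isDirect: true,
      via: ["tiny-util"], effects: [], range: "<=2.2.0", fixAvailable: true },
  },
};

// Constructed package.json of the project being audited.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "app-widget": "^2.1.0" },
  devDependencies: { "build-scripts": "^4.0.0" },
};

// For each package that carries an actual advisory (an object, not a string, in `via`),
// walk `effects` upwards until a direct dependency is reached.
// Returns { leafName: [ [leaf, ..., directDependency], ... ] }.
function advisoryRoots(audit) {
  const vulns = audit.vulnerabilities;
  const roots = {};
  for (const [leaf, entry] of Object.entries(vulns)) {
    if (!entry.via.some((v) => typeof v === "object")) continue; // affected only transitively
    const paths = [];
    const queue = [[leaf]];
    while (queue.length) {
      const path = queue.shift();
      const node = vulns[path[path.length - 1]];
      if (!node) continue;
      if (node.isDirect) paths.push(path);
      for (const parent of node.effects) {
        if (!path.includes(parent)) queue.push([...path, parent]); // cycle guard
      }
    }
    roots[leaf] = paths;
  }
  return roots;
}

// One row per (advisory, direct dependency): which root package has to be upgraded,
// whether it is a prod or dev dependency according to package.json, and whether npm
// reports the available fix as a semver-major (potentially breaking) upgrade.
function triage(audit, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const rows = [];
  for (const [leaf, paths] of Object.entries(advisoryRoots(audit))) {
    for (const path of paths) {
      const root = path[path.length - 1];
      const fix = audit.vulnerabilities[root].fixAvailable;
      rows.push({
        leaf,
        severity: audit.vulnerabilities[leaf].severity,
        root,
        scope: prod.has(root) ? "prod" : dev.has(root) ? "dev" : "unknown",
        path: path.join(" -> "),
        breakingFix: typeof fix === "object" && fix.isSemVerMajor === true,
      });
    }
  }
  // Findings in shipped (prod) dependencies first, since those reach end users.
  const rank = (r) => (r.scope === "prod" ? 0 : 1);
  return rows.sort((a, b) => rank(a) - rank(b) || a.leaf.localeCompare(b.leaf));
}

// With real data: `npm audit --json > audit.json`, then call
// triage(JSON.parse(fs.readFileSync("audit.json")), JSON.parse(fs.readFileSync("package.json"))).
for (const r of triage(SAMPLE_AUDIT, SAMPLE_PACKAGE_JSON)) {
  console.log(`[${r.scope}] ${r.severity.padEnd(8)} ${r.path}${r.breakingFix ? "  (fix is a major version bump)" : ""}`);
}
```

On the sample this prints the prod finding (`tiny-util -> app-widget`, fixable without a major bump) ahead of the dev-only one (`deep-parser -> css-helper -> build-scripts`, whose fix is a major upgrade of the build tool). The upgrade decision itself still belongs to you, but the output tells you which root package's upgrade guide to read and which findings only affect the build machine rather than the shipped app.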