
I have a Next.js app which has "next": "^10.2.0". It in turn has shell-quote as a transitive dependency, and the version installed is 1.7.2, which has some critical security vulnerabilities. I have to fix this for now, and shell-quote version 1.7.3 does not have these vulnerabilities. So I added this

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

and

"resolutions": {
  "shell-quote": ">=1.7.3"
}

in package.json.

But it still gives me the error and when I check npm ls shell-quote, I see that

├─┬ @storybook/react@6.4.9
│ └─┬ react-dev-utils@11.0.4
│   └── shell-quote@1.7.2

└─┬ next@10.2.3
  └─┬ @next/react-dev-overlay@10.2.3
    └── shell-quote@1.7.2 deduped

Does this mean next@10.2.3 cannot have shell-quote 1.7.2? Can this issue be fixed for now without a Next.js upgrade?

keerti

1 Answer


You don't need to use resolutions, as you are not changing the package but only its version. Override is fine here. So, add the following block to package.json:

  "overrides": {
     "react-dev-utils@11.0.4": {
       "shell-quote": "1.7.3"
     },
     "@next/react-dev-overlay@10.2.3": {
       "shell-quote": "1.7.3"
     }
  },

Now remove node_modules with rm -rf node_modules. Then, you have two options:

  • Remove package-lock.json completely. This way, you'll lose locked versions for your other packages too.
  • Or, open package-lock.json and remove all entries with react-dev-utils, node_modules/react-dev-utils, @next/react-dev-overlay, node_modules/react-dev-overlay, shell-quote and node_modules/shell-quote. This way, you'll keep locked versions for other packages.

Then run npm install; when you run npm list shell-quote, you'll see that all packages use it with v1.7.3.

Since npm install will edit your package-lock.json for this change, you will have a complete package-lock.json and won't have to edit it the next time you run npm install.

I've been editing our repository to get rid of vulnerabilities in this way and it works fine. I've used this answer from another SO question.

Of course, you have to make sure that these versions are compatible with each other, because with overrides npm does not do any checking of the versions; you force it. For example, you have to make sure that react-dev-utils@11.0.4 can work with shell-quote@1.7.3. In minor version upgrades, libraries generally work the same as before, but it doesn't always have to be this way.

M.Yilmaz