How to handle outdated packages that are required by a dependency in package-lock.json?

Question

Let’s say I have a dependency some_dep that has a vulnerability. I’m told on GitHub “Upgrade some_dep to version 2.2.3 or later.”



However, things get complicated when I see some_dep is a required dependency of a required dependency etc.


run npm ls some_dep to see:


└─┬ really_popular@5.0.0
  └─┬ someotherlibrary@0.26.0
    └─┬ something_else@12.8.17
      └─┬ snazzypackage@1.2.7
        └── some_dep@1.4.3 



And the required version @1.4.3 is out of date with a vulnerability.



If I run npm install some_dep@2.2.3, this makes dependancies in my package.json update to include "some_dep": "^2.2.3". There was no some_dep before in my package.json since it was a dependency of really_popular package. It was only in package-lock.json. So do I want some_dep in my package.json when it isn't a direct dependency of my project? It doesn’t seem right to have it there.


 Also my package-lock.json will still have the old some_dep version in package-lock.json for the snazzypackage required dependency.


 So it seems I'll have both versions of some_dep now and the issue will still be there.



What’s the correct way to handle this situation?

Answer 1

I ended up updating the parent dependency, which I gave a pseudonym here of really_popular. I was putting it off because it was a big version change, and required other packages to be changed to a new version too, and it required a lot of updates to my code. But I felt, and got guidance, that updating to the new version was important if there are vulnerabilities.

But if this isn't an option, another suggestion I go was to go to the package of the parent dep, like node_modules/snazzypackage/package.json and change the version of some_dep there. I didn't try this.