# npm audit fix

## Audit

Run `npm audit` to check the status of the installed packages.

```shell
npm audit
```

Take note of the issues report, so you know which package needs to be fixed.
```text
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary Code Execution
Package underscore
Patched in >=1.12.1
Dependency of serverless-plugin-resource-tagging
Path serverless-plugin-resource-tagging > underscore
More info https://npmjs.com/advisories/1674
found 1 vulnerabilitys (1 high) in 985 scanned packages
1 vulnerability require manual review. See the full report for details.
```
## Fix

### Automated fix

- Run `npm audit fix` for the easy issues.

```shell
npm audit fix
```

### Manual fix for the "dependency depth > 1" case

- You can use the package npm-force-resolutions, but consider using `next-update` before this one, as it involves less risk.
- This will only require some minor changes to your `package.json` file.
- Bear in mind that this may introduce breaking changes; you should have proper tests to check that nothing is broken.
### How to use npm-force-resolutions

- After the `dependencies` and `devDependencies` sections, add the packages you want to patch:

```json
"resolutions": {
  "underscore": "^1.12.1"
}
```

- You can automate its use with a generic preinstall script:

```json
"scripts": {
  "preinstall": "npm install --package-lock-only --ignore-scripts && npx npm-force-resolutions"
}
```

This makes `package-lock.json` point all dependencies at the patched versions. However, this may introduce breaking changes, so be very careful using it.
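The audit report above and the "dependency depth > 1" rule can be worked through in a small script. The following is an added example, not code from the original post or from npm-force-resolutions: it reads a report in the shape of `npm audit --json`, computes the depth of each vulnerable path, flags the transitive ones as needing a manual fix, and drafts the `resolutions` block from each advisory's patched range. The report JSON is constructed to mirror the text report above and to resemble the npm 6 JSON layout (advisories keyed by id, `findings[].paths` joined with `>`); the field names, the sample `package.json`, and the `^x.y.z` caret conversion are assumptions.

```javascript
// Added example (not from the original post). Classify `npm audit --json`
// findings by dependency depth and draft a `resolutions` block for the ones
// `npm audit fix` cannot reach directly. The JSON below is CONSTRUCTED to
// resemble the npm 6 report shape; treat the field names as an assumption.
const sampleAuditJson = JSON.stringify({
  advisories: {
    "1674": {
      id: 1674,
      module_name: "underscore",
      severity: "high",
      title: "Arbitrary Code Execution",
      patched_versions: ">=1.12.1",
      url: "https://npmjs.com/advisories/1674",
      findings: [
        { version: "1.9.1", paths: ["serverless-plugin-resource-tagging>underscore"] },
      ],
    },
  },
  metadata: { totalDependencies: 985 },
});

// Expand every advisory into one record per vulnerable path, with the depth
// of the vulnerable package (1 = direct dependency, > 1 = transitive).
function classifyAdvisories(auditJson) {
  const report = JSON.parse(auditJson);
  const rows = [];
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split(">");
        rows.push({
          module: adv.module_name,
          severity: adv.severity,
          patched: adv.patched_versions,
          path: chain,
          depth: chain.length,
          // A direct dependency can usually be bumped by `npm audit fix`;
          // a deeper one needs its parent to update or a forced resolution.
          needsManualFix: chain.length > 1,
        });
      }
    }
  }
  return rows;
}

// Draft the "resolutions" object that npm-force-resolutions reads from
// package.json. Only simple ">=x.y.z" ranges are converted (to "^x.y.z");
// anything else is left for a human to decide.
function draftResolutions(rows) {
  const resolutions = {};
  for (const row of rows) {
    if (!row.needsManualFix) continue;
    const m = /^>=\s*(\d+\.\d+\.\d+)/.exec(row.patched || "");
    if (!m) continue;
    resolutions[row.module] = `^${m[1]}`;
  }
  return resolutions;
}

// Merge the draft into a package.json object without clobbering resolutions
// a maintainer already wrote (existing keys win only if not redrafted).
function addResolutions(pkg, resolutions) {
  return { ...pkg, resolutions: { ...(pkg.resolutions || {}), ...resolutions } };
}

// Usage on the constructed report and a constructed package.json.
const auditRows = classifyAdvisories(sampleAuditJson);
for (const r of auditRows) {
  console.log(
    `${r.severity.toUpperCase()} ${r.module} depth=${r.depth} via ${r.path.join(" > ")}` +
      (r.needsManualFix ? " (manual fix: resolution or parent upgrade)" : " (npm audit fix)")
  );
}
const samplePkg = {
  name: "demo-app", // constructed sample
  version: "1.0.0",
  dependencies: { "serverless-plugin-resource-tagging": "^1.0.0" }, // constructed version
};
console.log(JSON.stringify(addResolutions(samplePkg, draftResolutions(auditRows)), null, 2));
```

Running it prints one line per vulnerable path (here `HIGH underscore depth=2`, flagged for a manual fix) and a `package.json` carrying `"resolutions": { "underscore": "^1.12.1" }`, which is exactly the block shown in the section above. A real run would feed the script the output of `npm audit --json` instead of the constructed sample; the depth check is what tells you whether `npm audit fix` alone is worth trying first.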