What am I supposed to do with these warnings, given the libs in question belong to 3rd party libs?
> npm audit === npm audit security report === Manual Review Some vulnerabilities require your attention to resolve Visit for additional guidance Low Denial of Service Package node-fetch Patched in >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9 Dependency of aspnet-prerendering Path aspnet-prerendering > domain-task > isomorphic-fetch > node-fetch More info Moderate Regular Expression Denial of Service Package postcss Patched in >=8.2.10 Dependency of @angular-devkit/build-angular [dev] Path @angular-devkit/build-angular > resolve-url-loader > postcss More info found 2 vulnerabilities (1 low, 1 moderate) in 1514 scanned packages 2 vulnerabilities require manual review. See the full report for details. I'm not impacted by this. I was just striving for zero warnings on all fronts.
I can't/don't want to fiddle with a dependency's dependency! Do I just need to upgrade my dependency?
33 Answers
Technically, there is no silver bullet to solve the vulnerabilities report from npm audit. Here is the "Rule of Thumb" I am following:
Usually, I always do
npm audit fixafternpm audit. Note that: this one will not solve all reports.Update my dependencies to the latest stable. Be careful about the compatibility. (Hope you understand the SEMVER). The cost you spend to keep your system up to date and stable is always cheaper than the cost you need to spend to handle vulnerable issues.
Reduce the number of your dependencies. Note everything you need to use the library. You can build yourself a simpler version.
Learn to separate
dependenciesanddev dependencies. If the issue is reported for a dev tool, you can skip it. As I said above, there is no silver bullet so give yourself relaxation instead of fixing all of them. Just fix the necessary ones.
You can make your dependencies to use other (current / secure) version of their dependencies.
Let's say you have a warning about postcss package, which I solved a moment ago so I can describe the process and you can proceed analogically.
After npm audit I got a warning like:
Moderate Regular Expression Denial of Service Package postcss Patched in >=8.2.10 Dependency of laravel-mix [dev] Path laravel-mix > cssnano > cssnano-preset-default > postcss-svgo > postcss More info Notice! You have to be aware that when you'll make your package to use a newer version of its dependency it can break things, but it's worth trying.
So you see that the laravel-mix package uses old version of the postcss and that the issue is fixed in version >=8.2.10 of postcss so you want to install a newer version of the postcss package which you can achieve by:
npm install postcss --save-dev Then you need to add a new section to your package.json file instructing npm that you want dependencies to use your specific version of the library. It goes in my case like this:
{ "resolutions": { "postcss": "^8.2.15", } } Then you have to add a new script to force npm usage of this new "resolutions" section like this:
"scripts": { "preinstall": "npx npm-force-resolutions" } Notice! You have to run this script every time before running your regular npm install. It goes like this:
npm run preinstall npm install More info can be found in the npm docs.
2You might just need to edit your package.json, update the version for the offending package to the latest stable version (in this case ), and then run "npm install" from the terminal.