Main page

How to fix security vulnerabilities in NPM/Yarn dependencies


javascript npm yarn security vulnerability english

Intro

Not so long ago Github introduced security alerts:

Github security alert

So lot of developers started to use in their applications to make them secure. However we still facing with issues that 3rd party packages from your package.json dependecies have vulnerabilities. So it that case it's not so obvious how to fix that issues.

But we have some options how to fix them.

NPM/Yarn update

npm update or yarn update

This is the simplest way to fix security issue, but sometimes it will doesn't work because it may cause updates to many packages and as result deep testing of your app.

NPM packages

If you are using npm greater than 6 version, so you can use pretty good intrument like:

Show only potential vulnerabilities in your dependecies:

npm audit

Execute vulnerabilities fix mechanism:

npm audit fix

Yarn packages

Yarn also has yarn audit mechanism, but it hasn't yarn audit fix mechanism. So in most cases you have to fix these issues manually. So how it works. As example will demonstrate it for minimist package:

  1. Add a resolutions key in your package.json file:

    • This resolution will override minimist entirely your project.
    {
      "resolutions": {
        "minimist": "^1.2.5"
      }
    }
    
    • But in most cases that changes could break your app, so I would suggest to use better case. Let's see how it works on example of package-merge-lodash-4 package. Audit says that [email protected] has vulnerabilities. NPM Lodash audit Also we can check them here https://snyk.io/test/npm/lodash/3.9.3. And this resource suggest us to upgrade [email protected] -> 4.17.12. So let's do it:
    {
      "resolutions": {
        "package-merge-lodash-4/*/lodash": "4.17.12"
      },
    }
    
  1. Use npm-force-resolutions (https://www.npmjs.com/package/npm-force-resolutions) by adding preinstall command under "script" category:
"scripts": {
  "preinstall": "npx npm-force-resolutions"
}
  1. Run npm install.

That’s it. It will update your package-lock.json/yarn.lock files accordingly. That solves the dependency issues which can not be updated using either npm update or by uninstalling and reinstalling a new dependency.

In case of overriding all version of minimist to v1.2.5 yarn.lock will look like:

[email protected], [email protected], [email protected]^1.1.0, [email protected]^1.1.1, [email protected]^1.1.3, [email protected]^1.2.0, [email protected]^1.2.5, [email protected]~0.0.1:
  version "1.2.5"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==

In case of lodash our yarn.lock will contains following lines:

[email protected], [email protected]^3.9.3:
  version "4.17.12"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.12.tgz#a712c74fdc31f7ecb20fe44f157d802d208097ef"
  integrity sha512-+CiwtLnsJhX03p20mwXuvhoebatoh5B3tt+VvYlrPgZC1g36y+RRbkufX95Xa+X4I59aWEacDFYwnJZiyB

Please keep in mind if some packages are only compatible with an older version, then this change might break your app. So be careful while resolving to a particular version and test your app before releasing this change.

Useful links

Happy fix vulnerabilities and make your code safe! :y: