Main page

How to fix security vulnerabilities in NPM/Yarn dependencies


javascript npm yarn security vulnerability english

Intro

Not so long ago Github introduced security alerts:

Github security alert

So lot of developers started to use in their applications to make them secure. However we still facing with issues that 3rd party packages from your package.json dependecies have vulnerabilities. So it that case it's not so obvious how to fix that issues.

But we have some options how to fix them.

NPM/Yarn update

npm update or yarn update

This is the simplest way to fix security issue, but sometimes it will doesn't work because it may cause updates to many packages and as result deep testing of your app.

NPM packages

If you are using npm greater than 6 version, so you can use pretty good intrument like:

Show only potential vulnerabilities in your dependecies:

npm audit

Execute vulnerabilities fix mechanism:

npm audit fix

Yarn packages

Yarn also has yarn audit mechanism, but it hasn't yarn audit fix mechanism. So in most cases you have to fix these issues manually. So how it works. As example will demonstrate it for minimist package:

  1. Add a resolutions key in your package.json file:
{
  "resolutions": {
    "minimist": "^1.2.5"
  }
}
  1. Use npm-force-resolutions (https://www.npmjs.com/package/npm-force-resolutions) by adding preinstall command under "script" category:
"scripts": {
  "preinstall": "npx npm-force-resolutions"
}
  1. Run npm install.

That’s it. It will update your package-lock.json/yarn.lock files accordingly. That solves the dependency issues which can not be updated using either npm update or by uninstalling and reinstalling a new dependency. So minimist versions into your yarn.lock file will look like:

[email protected], [email protected], [email protected]^1.1.0, [email protected]^1.1.1, [email protected]^1.1.3, [email protected]^1.2.0, [email protected]^1.2.5, [email protected]~0.0.1:
  version "1.2.5"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==

Please keep in mind if some packages are only compatible with an older version, then this change might break your app. So be careful while resolving to a particular version and test your app before releasing this change.

Useful links

Happy fix vulnerabilities and make your code safe! :y: