Basically, I have a Node project and recently GitHub has flagged a potential security vulnerability in one of my dependencies. It's with cryptiles being version 3.1.2 and recommends I go to version 4.1.2.
Cryptiles is in my package-lock.json, but I don't currently have it installed in my package.json, nor is it being used anywhere in my project.
I've never worked just with package-lock.json. I tried to change the version in there, but when I run npm install, it changes it back. Solutions?
Would upgrading Node solve it? One of my npm modules? Should I just dismiss this since it's not being used in my project? I want to make sure I'm being safe, though.
Here are the two sections in my package-lock.json with cryptiles; neither that nor hawk is installed in my package.json.
    },
    "cryptiles": {
      "version": "3.1.2",
      "resolved": "https://registry.npmjs.org/cryptiles/-/cryptiles-3.1.2.tgz",
      "integrity": "sha1-qJ+7Ig9c4l7FboxKqKT9e1sNKf4=",
      "requires": {
        "boom": "5.2.0"
      },
And here:
    },
    "hawk": {
      "version": "6.0.2",
      "resolved": "https://registry.npmjs.org/hawk/-/hawk-6.0.2.tgz",
      "integrity": "sha512-miowhl2+U7Qle4vdLqDdPt9m09K6yZhkLDTWGoUiUzrQCn+mHHSmfJgAyGaLRZbPmTqfFFjRV1QWCW0VWUJBbQ==",
      "requires": {
        "boom": "4.3.1",
        "cryptiles": "3.1.2",
        "hoek": "4.2.1",
        "sntp": "2.1.0"
      },
Would appreciate any help and anyone who can help me understand the situation so this doesn't happen again.
found moderate severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details
`npm ls <module name>` will allow you to see the dependency tree. Updating the parent dependency usually fixes the transitive dependency (a dependency of a dependency). This article can be helpful if you need to force a dependency version: https://www.npmjs.com/package/npm-force-resolutions
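To show what `npm ls` is doing under the hood, here is an added example (not code from the question or the answer above) that walks a lockfileVersion 1 package-lock.json from the direct dependencies in package.json down to a flagged transitive package and reports every chain, so you know which top-level package to upgrade. The package.json and lock data are constructed to mirror the hawk -> cryptiles 3.1.2 fragment in the question; "example-client" is a hypothetical direct dependency standing in for whatever really pulls in hawk, and a real run would read both files from disk instead.

```javascript
// Constructed package.json and package-lock.json (lockfileVersion 1) that
// mirror the question's fragment. "example-client" is a hypothetical direct
// dependency; the real project would JSON.parse the two files from disk.
const packageJson = {
  dependencies: { "example-client": "^2.0.0" },
};

const packageLock = {
  lockfileVersion: 1,
  dependencies: {
    "example-client": { version: "2.0.0", requires: { hawk: "6.0.2" } },
    hawk: {
      version: "6.0.2",
      requires: { boom: "4.3.1", cryptiles: "3.1.2", hoek: "4.2.1", sntp: "2.1.0" },
    },
    cryptiles: {
      version: "3.1.2",
      requires: { boom: "5.2.0" },
      // npm nests a second boom here because the top-level boom is pinned to 4.3.1 by hawk.
      dependencies: { boom: { version: "5.2.0", requires: { hoek: "4.2.1" } } },
    },
    boom: { version: "4.3.1", requires: { hoek: "4.2.1" } },
    hoek: { version: "4.2.1" },
    sntp: { version: "2.1.0", requires: { hoek: "4.2.1" } },
  },
};

// Resolve `name` the way Node's module lookup does: innermost nested
// "dependencies" map first, then each enclosing scope, ending at the lock's top level.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const entry = scopes[i][name];
    if (entry) return { entry, scopes: scopes.slice(0, i + 1) };
  }
  return null;
}

// Return every dependency path (array of "name@version" labels) from a direct
// dependency listed in package.json to `target` at exactly `version`.
function findPaths(pkg, lock, target, version) {
  const direct = Object.keys(Object.assign({}, pkg.dependencies, pkg.devDependencies));
  const paths = [];

  function walk(name, scopes, chain) {
    const hit = resolve(scopes, name);
    if (!hit) return; // lock is inconsistent with package.json; skip rather than crash
    const { entry } = hit;
    const label = `${name}@${entry.version}`;
    if (chain.includes(label)) return; // guard against dependency cycles
    const next = chain.concat(label);
    if (name === target && entry.version === version) {
      paths.push(next);
      return;
    }
    // A package's own nested "dependencies" become the innermost scope for its requires.
    const childScopes = entry.dependencies ? hit.scopes.concat(entry.dependencies) : hit.scopes;
    for (const dep of Object.keys(entry.requires || {})) walk(dep, childScopes, next);
  }

  for (const name of direct) walk(name, [lock.dependencies], []);
  return paths;
}

// Strip the "@version" suffix without breaking scoped names like "@scope/pkg".
function bareName(label) {
  return label.slice(0, label.lastIndexOf("@"));
}

// Equivalent of `npm ls <target>`: the chains plus the unique direct
// dependencies at the top of each chain, which are the ones to upgrade.
function report(pkg, lock, target, version) {
  const paths = findPaths(pkg, lock, target, version);
  const toUpgrade = [...new Set(paths.map((p) => bareName(p[0])))];
  return { paths, toUpgrade };
}

const result = report(packageJson, packageLock, "cryptiles", "3.1.2");
for (const p of result.paths) console.log(p.join(" > "));
console.log("direct dependencies to upgrade:", result.toUpgrade.join(", ") || "(none)");
```

On the constructed data this prints `example-client@2.0.0 > hawk@6.0.2 > cryptiles@3.1.2`, which is exactly why editing the cryptiles version in the lock by hand does not stick: hawk 6.0.2 pins `cryptiles@3.1.2`, so `npm install` re-resolves it. The fix is to upgrade (or replace) the direct dependency at the head of the chain, then confirm the vulnerable version is gone by running the same check again.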
Following some suggestions above, I followed the dependencies to see which npm module I installed used it. I upgraded the module and it removed the dependency and the issue.