
NPM audit warnings

What am I supposed to do with these warnings, given the libs in question belong to 3rd party libs?

> npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Denial of Service

  Package         node-fetch

  Patched in      >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9

  Dependency of   aspnet-prerendering

  Path            aspnet-prerendering > domain-task > isomorphic-fetch >
                  node-fetch

  More info       https://npmjs.com/advisories/1556


  Moderate        Regular Expression Denial of Service

  Package         postcss

  Patched in      >=8.2.10

  Dependency of   @angular-devkit/build-angular [dev]

  Path            @angular-devkit/build-angular > resolve-url-loader > postcss

  More info       https://npmjs.com/advisories/1693

found 2 vulnerabilities (1 low, 1 moderate) in 1514 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

I'm not impacted by this. I was just striving for zero warnings on all fronts.

I can't/don't want to fiddle with a dependency's dependency? Do I just need to upgrade my dependency?

Technically, there is no silver bullet to solve the vulnerability reports from npm audit. Here is the "rule of thumb" I am following:

  • Usually, I always do npm audit fix after npm audit. Note that this one will not solve all reports.

  • Update my dependencies to the latest stable. Be careful about compatibility (I hope you understand SemVer). The cost you spend to keep your system up to date and stable is always cheaper than the cost you need to spend to handle vulnerability issues.

  • Reduce the number of your dependencies. Not everything you need requires the library. You can build yourself a simpler version.

  • Learn to separate dependencies and dev dependencies. If the issue is reported for a dev tool, you can skip it. As I said above, there is no silver bullet, so give yourself some relaxation instead of fixing all of them. Just fix the necessary ones.

  • Finally, follow this: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
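Deciding which of the two findings in the report above actually needs action, as an added example that is not part of any answer on this page: it checks an installed version against the "Patched in" range exactly as npm audit prints it (with the "||" alternative and pre-release tags that the node-fetch entry uses) and then applies the dependency-vs-dev-dependency distinction from the answer. The ranges and [dev] flags are the ones from the report; the installed versions in FINDINGS are assumed for illustration.

```javascript
// Added example (not from any answer above): check an installed version against the
// "Patched in" range as npm audit prints it, then apply the dev-vs-runtime distinction.

// Parse "8.2.10" or "3.0.0-beta.9" into a numeric core plus pre-release identifiers.
function parseVersion(v) {
  const [, maj, min, pat, pre = ""] = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v.trim());
  const preIds = pre ? pre.split(".").map(p => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { nums: [Number(maj), Number(min), Number(pat)], pre: preIds };
}

// SemVer precedence as -1, 0 or 1. A release outranks any of its own pre-releases.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.nums[i] !== B.nums[i]) return A.nums[i] < B.nums[i] ? -1 : 1;
  }
  if (A.pre.length === 0 || B.pre.length === 0) return Math.sign(B.pre.length - A.pre.length);
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === undefined) return -1;            // shorter pre-release list sorts first
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x !== typeof y) return typeof x === "number" ? -1 : 1;  // numbers sort before words
    return x < y ? -1 : 1;
  }
  return 0;
}

const OPS = { ">=": c => c >= 0, ">": c => c > 0, "<=": c => c <= 0, "<": c => c < 0, "=": c => c === 0 };

// "a b || c" means (a AND b) OR c, which is how the report writes node-fetch's range.
function satisfies(version, range) {
  return range.split("||").some(clause => {
    const cmps = [...clause.matchAll(/(>=|<=|>|<|=)?\s*(\d[\w.\-]*)/g)];
    return cmps.length > 0 && cmps.every(([, op = "=", v]) => OPS[op](compareVersions(version, v)));
  });
}

// Ranges and [dev] flags come from the report in the question; installed versions are assumed.
const FINDINGS = [
  { pkg: "node-fetch", installed: "2.6.0", patched: ">=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9", dev: false },
  { pkg: "postcss", installed: "7.0.35", patched: ">=8.2.10", dev: true },
];

// A dev-only finding is not in shipped code, so the answer treats it as lower priority.
function triage(findings) {
  return findings.map(f => ({ pkg: f.pkg, action: satisfies(f.installed, f.patched) ? "already patched"
    : f.dev ? "dev-only: update when convenient" : "runtime: update or add a resolution" }));
}
```

Feeding it the real installed versions from `npm ls node-fetch postcss` is left to the reader; the range logic is the part that is easy to get wrong by hand.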

You can make your dependencies use another (current / secure) version of their dependencies.

Let's say you have a warning about the postcss package, which I solved a moment ago, so I can describe the process and you can proceed analogously.

After npm audit I got a warning like:

  Moderate        Regular Expression Denial of Service
  Package         postcss
  Patched in      >=8.2.10
  Dependency of   laravel-mix [dev]
  Path            laravel-mix > cssnano > cssnano-preset-default >
                  postcss-svgo > postcss
  More info       https://npmjs.com/advisories/1693

Notice! You have to be aware that when you make your package use a newer version of its dependency it can break things, but it's worth trying.

So you see that the laravel-mix package uses an old version of postcss and that the issue is fixed in version >=8.2.10 of postcss, so you want to install a newer version of the postcss package, which you can achieve by:

npm install postcss --save-dev

Then you need to add a new section to your package.json file instructing npm that you want dependencies to use your specific version of the library. It goes in my case like this:

{
  "resolutions": {
    "postcss": "^8.2.15"
  }
}

Then you have to add a new script to force npm usage of this new "resolutions" section like this:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

Notice! You have to run this script every time before running your regular npm install. It goes like this:

npm run preinstall
npm install

More info can be found in the npm docs.

You might just need to edit your package.json, update the version for the offending package to the latest stable version (in this case https://www.npmjs.com/package/node-fetch ), and then run "npm install" from the terminal.
