Fixing dependency alerts for node
As discussed in the previous article, GitHub will notify you of dependency alerts for outdated or insecure dependencies. In that article we covered updating Ruby gems with bundle update to clear the alert. Here we cover the same steps for npm/Node.
npm audit
The first command to use is
npm audit
npm audit is npm's built-in command for checking the packages in your project against known security advisories and updating the affected ones. Running npm audit gives you a list of vulnerable dependencies; you then run
npm audit fix
to have npm upgrade them to patched versions.
npm install/npm update
However, sometimes npm audit fix does not resolve the alert. There are several possible reasons, but the most common is that a package which depends on the vulnerable one has not yet published a release that pulls in the fixed version. The easiest way to deal with this is to update the affected packages manually, with the following commands:
npm install 'package-name'
or
npm update 'package-name'
Updating the vulnerable package manually lets you confirm that you are on an up-to-date version of that package and no longer carry the security vulnerability.
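As an added example (not part of the original article), the following Node script sorts the findings of npm audit --json into those that npm audit fix will resolve and those that need the manual npm install step described above. It assumes the npm 7+ JSON report layout with a fixAvailable field per vulnerability; the report and package names are constructed sample data.

```javascript
// Added example: triage an `npm audit --json` report (npm 7+ layout, an
// assumption) into what `npm audit fix` handles and what needs a manual
// `npm install <name>@<version>`. The report below is constructed data.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "left-pad-ish": {              // hypothetical direct dependency
      name: "left-pad-ish", severity: "moderate", isDirect: true,
      via: ["left-pad-ish"], effects: [], range: "<1.3.1",
      fixAvailable: true,          // plain `npm audit fix` resolves it
    },
    "inner-parser": {              // hypothetical transitive dependency
      name: "inner-parser", severity: "high", isDirect: false,
      via: ["inner-parser"], effects: ["web-framework-x"], range: "<=2.0.0",
      fixAvailable: { name: "web-framework-x", version: "5.0.0", isSemVerMajor: true },
    },
    "legacy-util": {               // hypothetical, no published fix
      name: "legacy-util", severity: "critical", isDirect: false,
      via: ["legacy-util"], effects: ["old-cli"], range: "*",
      fixAvailable: false,
    },
  },
};

// Return the action a maintainer should take for each reported vulnerability.
function triageAudit(report) {
  const plan = { autoFix: [], manualInstall: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    if (v.fixAvailable === true) {
      plan.autoFix.push(v.name);                 // `npm audit fix` is enough
    } else if (v.fixAvailable && typeof v.fixAvailable === "object") {
      // The fix lives in a dependent package and needs a semver-major bump,
      // which `npm audit fix` will not apply on its own; install it explicitly.
      plan.manualInstall.push(`npm install ${v.fixAvailable.name}@${v.fixAvailable.version}`);
    } else {
      // No fixed version is published yet: the packages in `effects` are the
      // ones pulling the vulnerable package in, so they are what to watch.
      plan.noFix.push({ name: v.name, pulledInBy: v.effects });
    }
  }
  return plan;
}

console.log(JSON.stringify(triageAudit(sampleReport), null, 2));
```

After running the commands in the plan, re-run npm audit to confirm the findings are gone before expecting the GitHub alert to clear.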
Conclusion
The steps above should generally clear dependency alerts for Node packages in a way that actually fixes the problem rather than just dismissing the notification on GitHub, keeping your project up to date and secure.
Sources
https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities