How to exclude dependencies or modules which are available in package-lock.json in build.gradle to get rid of vulnerabilities
Here is some insight into the problem: when we run npm install on a Node.js project, package-lock.json is generated, and dependencies such as lodash, uglify-js, etc. get added to package-lock.json, even though we have not declared lodash or uglify-js in package.json.
When we run a WhiteSource scan or CVE remediation for the above project, we get vulnerabilities for lodash and uglify-js, even though we have not used them in the Node.js code or in package.json.
How can we exclude particular dependencies from package-lock.json?
... in package-lock.json all the dependencies are getting added for lodash, uglify-js etc... even though we have not declared lodash or uglify-js in package.json, these packages were adding to package-lock.json.
One of the modules you used in your project has used lodash, uglify-js, etc. in its source (as dependencies when building the module). That's why they are available in package-lock.json. You can use NPM's ls command to see which packages are using which dependencies. You can read more on npm Docs.
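The lookup the answer describes can also be done directly on the lockfile, which is useful when triaging scanner findings. The following is an added example, not part of the original answer: it assumes a package-lock.json with lockfileVersion 2 or 3, the helper names resolveDep and whyInstalled are hypothetical, and the sample lockfile is constructed.

```javascript
// Assumes lockfileVersion 2 or 3 (a "packages" map keyed by install path).
// Resolve `name` as required from the package at `fromPath`, the way Node does:
// nearest node_modules first, then each parent directory up to the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed, e.g. a skipped optional dependency
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// For each direct dependency of the project, return the shortest chain to `target`.
function whyInstalled(lock, target) {
  const packages = lock.packages || {};
  const depNames = (entry, isRoot) => Object.keys(Object.assign({}, entry.dependencies,
    entry.optionalDependencies, isRoot ? entry.devDependencies : null));
  const chains = [];
  for (const direct of depNames(packages[""] || {}, true)) {
    const start = resolveDep(packages, "", direct);
    if (!start) continue;
    const queue = [[start, [direct]]]; // breadth-first search from this dependency
    const seen = new Set([start]);
    while (queue.length) {
      const [path, chain] = queue.shift();
      if (chain[chain.length - 1] === target) {
        chains.push(chain.join(" > ") + " (" + packages[path].version + ")");
        break;
      }
      for (const name of depNames(packages[path], false)) {
        const next = resolveDep(packages, path, name);
        if (next && !seen.has(next)) { seen.add(next); queue.push([next, chain.concat(name)]); }
      }
    }
  }
  return chains;
}

// Constructed lockfile; report-builder, template-engine and left-util are hypothetical.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "my-app", dependencies: { "report-builder": "^1.0.0", "left-util": "^2.0.0" } },
  "node_modules/report-builder": { version: "1.0.3", dependencies: { "template-engine": "^4.0.0" } },
  "node_modules/template-engine": { version: "4.1.0", dependencies: { lodash: "^4.17.0" },
    optionalDependencies: { "uglify-js": "^3.1.4" } },
  "node_modules/lodash": { version: "4.17.15" }, "node_modules/uglify-js": { version: "3.6.0" },
  "node_modules/left-util": { version: "2.0.1" },
} };
console.log(whyInstalled(sampleLock, "lodash"));
```

To run it against a real project, pass the parsed contents of package-lock.json in place of sampleLock; each returned chain starts with the entry from package.json that brings the flagged package in.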