How to exclude dependencies or module which are available in package-lock.json in build.gradle to get rid of vulnerabilities



Here is some insight into the problem: when we run npm install on a Node.js project, package-lock.json is generated, and in package-lock.json all the dependencies are being added for lodash, uglify-js, etc. Even though we have not declared lodash or uglify-js in package.json, these packages are being added to package-lock.json.

While we are doing a WhiteSource scan or CVE remediation for the above project, we are getting vulnerabilities for lodash and uglify-js even though we have not used them in the Node.js code or in package.json.

How to exclude the particular dependencies from package-lock.json?


There are 2 answers

Bishan On

... in package-lock.json all the dependencies are being added for lodash, uglify-js, etc. Even though we have not declared lodash or uglify-js in package.json, these packages are being added to package-lock.json.

One of the modules you use in your project uses lodash, uglify-js, etc. in its own source (as dependencies it needs when built or run). That's why they are present in package-lock.json.

You can use NPM's ls command to see which packages are using which dependencies.

npm ls lodash

You can read more in the npm docs.
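The answer above explains that lodash and uglify-js reach the lock file through some direct dependency's own dependency list. The following is an added example (not code from the original post or from npm) that shows the same thing `npm ls <pkg>` does, by walking a package-lock.json with Node's module-resolution rules and reporting every chain from a direct dependency down to the transitive package. It assumes a lockfileVersion 2 or 3 lock file (the "packages" map); the lock content embedded below, including the package names and versions, is constructed for illustration only.

```javascript
// Added example, not from the original post: report which direct
// dependencies of a project pull in a transitive package, by walking
// a package-lock.json the way Node resolves modules at runtime.
// Assumes lockfileVersion 2 or 3 (the "packages" map).
// CONSTRUCTED_LOCK is made up for this example; names and versions
// are not real release data.

const CONSTRUCTED_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      version: "1.0.0",
      dependencies: { "web-framework": "^1.0.0", "build-tool": "^2.0.0" },
    },
    "node_modules/web-framework": {
      version: "1.2.0",
      dependencies: { lodash: "^4.17.0" },
    },
    "node_modules/build-tool": {
      version: "2.0.1",
      dependencies: { minifier: "^3.0.0", lodash: "^3.10.0" },
    },
    // build-tool wants an older lodash, so npm nests a second copy under it
    "node_modules/build-tool/node_modules/lodash": { version: "3.10.1" },
    "node_modules/minifier": {
      version: "3.1.0",
      dependencies: { "uglify-js": "^3.0.0" },
    },
    "node_modules/uglify-js": { version: "3.13.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Resolve dependency `dep` required by the package stored at `fromKey`
// ("" is the project root): look in its own node_modules first, then
// walk up through each enclosing node_modules, as Node does at runtime.
function resolveKey(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not present in the lock file at all
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// The package name is everything after the last "node_modules/"
// (scoped packages such as @scope/name keep both segments).
function packageName(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns one entry per resolved copy of `target` that a direct
// dependency reaches: { chain: ["direct", ..., target], version, key }.
function findDependents(lock, target) {
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3");
  const packages = lock.packages;
  const results = [];

  function walk(fromKey, chain, seen) {
    const deps = packages[fromKey].dependencies || {};
    for (const dep of Object.keys(deps)) {
      const key = resolveKey(packages, fromKey, dep);
      if (!key || seen.has(key)) continue; // skips cycles and missing entries
      seen.add(key);
      const nextChain = chain.concat(packageName(key));
      if (packageName(key) === target) {
        results.push({ chain: nextChain, version: packages[key].version, key });
        continue; // no need to descend into the target itself
      }
      walk(key, nextChain, seen);
    }
  }

  // One traversal per direct dependency, so each one is reported separately.
  const rootDeps = packages[""].dependencies || {};
  for (const direct of Object.keys(rootDeps)) {
    const key = resolveKey(packages, "", direct);
    if (!key) continue;
    if (packageName(key) === target) {
      results.push({ chain: [direct], version: packages[key].version, key });
      continue;
    }
    walk(key, [direct], new Set([key]));
  }
  return results;
}

// The direct dependencies responsible for `target`: these are what the
// project can actually upgrade or replace, since `target` is not declared.
function directDependentsOf(lock, target) {
  return [...new Set(findDependents(lock, target).map((r) => r.chain[0]))];
}

for (const r of findDependents(CONSTRUCTED_LOCK, "lodash")) {
  console.log(`${r.chain.join(" > ")}@${r.version}  (${r.key})`);
}
```

Run against a real lock file by replacing CONSTRUCTED_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The chains tell you which declared dependency to update or replace; the resolved `key` tells you whether the flagged copy is the hoisted one or a nested duplicate, which matters when a scanner reports a version you do not see at the top of node_modules.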

Jathin On

To exclude any of the vulnerable dependencies, try adding those dependencies to "exclusions". Then run "npx npm-dependency-exclusion". Example below:

"exclusions": {
    "postcss": "any"
}