Let's say I have a dependency `some_dep` that has a vulnerability. I'm told on GitHub "Upgrade some_dep to version 2.2.3 or later." However, things get complicated when I see `some_dep` is a required dependency of a required dependency etc. I run `npm ls some_dep` to see:
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └─┬ [email protected]
            └── [email protected]
And the required version @1.4.3 is out of date with a vulnerability.

If I run `npm install [email protected]`, this makes the dependencies in my `package.json` update to include `"some_dep": "^2.2.3"`. There was no `some_dep` in my `package.json` before, since it was a dependency of the `really_popular` package. It was only in `package-lock.json`. So do I want `some_dep` in my `package.json` when it isn't a direct dependency of my project? It doesn't seem right to have it there.

Also, my `package-lock.json` will still have the old `some_dep` version for the `snazzypackage` required dependency. So it seems I'll have both versions of `some_dep` now and the issue will still be there.

What's the correct way to handle this situation?
I ended up updating the parent dependency, which I gave the pseudonym `really_popular` here. I was putting it off because it was a big version change, and required other packages to be changed to a new version too, and it required a lot of updates to my code. But I felt, and got guidance, that updating to the new version was important if there are vulnerabilities.

But if this isn't an option, another suggestion I got was to go to the package of the parent dep, like `node_modules/snazzypackage/package.json`, and change the version of `some_dep` there. I didn't try this.
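An added example (not from the original question or answer) that makes the "both versions will still be there" concern checkable: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and lists every installed copy of `some_dep` that is still below the fixed version, however deeply it is nested under a parent dependency. The lock contents below are constructed to mirror the question; `really_popular`, `snazzypackage` and the version numbers are the question's placeholders.

```javascript
// Constructed stand-in for package-lock.json after `npm install some_dep@2.2.3`:
// the top-level copy is fixed, but the copy nested under snazzypackage is still 1.4.3.
// Package names and versions are the question's placeholders, not a real lockfile.
const sampleLock = {
  name: "my-project",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { really_popular: "^3.0.0", some_dep: "^2.2.3" } },
    "node_modules/some_dep": { version: "2.2.3" },
    "node_modules/really_popular": { version: "3.0.0", dependencies: { snazzypackage: "^1.0.0" } },
    "node_modules/really_popular/node_modules/snazzypackage": {
      version: "1.0.0", dependencies: { some_dep: "^1.4.0" },
    },
    "node_modules/really_popular/node_modules/snazzypackage/node_modules/some_dep": { version: "1.4.3" },
  },
};

// Compare two "x.y.z" versions numerically: negative if a < b, zero if equal, positive if a > b.
// Pre-release suffixes are stripped and ignored (a simplification, not full semver).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Each key in lock.packages is the install path of one copy of a package. A copy of
// `name` is either the top-level "node_modules/<name>" or any path ending in
// "/node_modules/<name>" (nested under some parent). Return the copies below fixedVersion.
function findVulnerableCopies(lock, name, fixedVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry.version) continue; // the "" root entry has no version
    const isCopy = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (!isCopy) continue;
    if (compareVersions(entry.version, fixedVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

const vulnerable = findVulnerableCopies(sampleLock, "some_dep", "2.2.3");
for (const v of vulnerable) console.log(`${v.path} is at ${v.version} (< 2.2.3)`);
```

To run it against a real lockfile, replace the constructed object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The `overrides` field in `package.json` (npm 8.3 and later) is npm's supported way to force a nested copy onto the fixed version, after which this check should report nothing.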