How to update a package's dependency in Node.js?


I can see that npm indicated that there is a severe security vulnerability in my application. I tried to use npm audit fix, but the issue persisted. I tried npm update to update the packages, but the issue persisted.

I checked and I saw that the issue is coming from the socks package, which depends on another package that actually has the issue. When I checked the socks package, I could see that they have a new update, version 2.7.3, while the one in my node_modules is version 2.7.1. I checked the package-lock.json file, searched for socks, and I can see that mongodb is using socks version 2.7.1.

My package-lock.json file for socks looks like this:

    "node_modules/npm/node_modules/socks": {
      "version": "2.7.1",
      "inBundle": true,
      "license": "MIT",
      "dependencies": {
        "ip": "^2.0.0",
        "smart-buffer": "^4.2.0"
      },

I would like to update this particular module to the latest version to see if that fixes the issue. I can also see that socks-proxy-agent is using an older version of socks:

    "node_modules/npm/node_modules/socks-proxy-agent": {
      "version": "7.0.0",
      "inBundle": true,
      "license": "MIT",
      "dependencies": {
        "agent-base": "^6.0.2",
        "debug": "^4.3.3",
        "socks": "^2.6.2"
      },
      "engines": {
        "node": ">= 10"
      }
    },

And mongodb has these dependencies:

      "integrity": "sha512-NBGA8AfJxGPeB12F73xXwozt8ZpeIPmCUeWRwl9xejozTXFes/3zaep9zhzs1B/nKKsw4P3I4iPfXl3K7s6g+Q==",
      "dependencies": {
        "bson": "^5.5.0",
        "mongodb-connection-string-url": "^2.6.0",
        "socks": "^2.7.1"
      },

What is the best way to resolve this issue? I have deleted my package-lock.json file and node_modules/ directory and ran npm install; the same issue persists. They are still using the older version of socks, and socks itself has not been updated in my application. I also ran npm ls socks to see the packages using socks and I saw:

    ├─┬ [email protected]
    │ └─┬ [email protected]
    │   └── [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └── [email protected]

After running npm audit fix, I still get the same security vulnerability alert:

    ip  *
    Severity: high
    NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - https://github.com/advisories/GHSA-78xj-cgh5-2h22
    fix available via `npm audit fix --force`
    Will install [email protected], which is outside the stated dependency range
    node_modules/ip
      socks  1.0.0 - 2.7.1
      Depends on vulnerable versions of ip
      node_modules/socks

    2 high severity vulnerabilities

    To address all issues, run:
      npm audit fix

I believe that the new update has the fix, because the package that is causing the problem in the socks package has a new update in the socks package's latest version.


There are 0 answers