TechQA.

npm audit fix not updating package.json

1.5k views Asked by At

I want to fix one vulnerability and after lot of hit and trial, I want to use the fix given by npm audit fix. The npm audit says:

    # Run  npm update mkdirp --depth 8  to resolve 10 vulnerabilities

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Prototype Pollution in minimist                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ less                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ less > mkdirp > minimist                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-xvch-5gv4-984h            │
└──────────────

Now, I ran the above command and result is:

npm update mkdirp --depth 8
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN [email protected] requires a peer of webpack@^2.1.0-beta || ^2.2.0-rc || ^2.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of webpack@^1.1.0 || ^2 || ^2.1.0-beta.0 || ^2.2.0-rc.0 but none is installed. You must install peer dependencies yourself.
npm WARN The package style-loader is included as both a dev and production dependency.
npm WARN The package uuid is included as both a dev and production dependency.

+ [email protected]
added 4 packages from 1 contributor, updated 1 package and audited 1827 packages in 8.439s

4 packages are looking for funding
  run `npm fund` for details

found 528 vulnerabilities (31 low, 169 moderate, 228 high, 100 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

Now if I run npm audit , the vulnerability is not there, but I dont see any changes in package.json file. Only changes are done in package-lock.json which we are not suppose to checkin, How can I have npm audit to change package.json, so that it can be checked in?

node.js npm package.json package-lock.json npm-audit
Original Q&A
1

There are 1 answers

0
Daniel Douglas On

Only changes are done in package-lock.json which we are not suppose to checkin

This is wrong, you should check this in. It's the whole point of the file to make sure anyone else using the repo is running the same versions as you.

In answer to your question (a little late), the vulnerability is likely in one of the dependencies of your dependencies if that makes sense. Eg. You have installed package A which has a dependency on package B. Package A will be in your package.json but package B will only be in the lock file.

Related Questions in NODE.JS

Related Questions in NPM

Related Questions in PACKAGE.JSON

Related Questions in PACKAGE-LOCK.JSON

Related Questions in NPM-AUDIT

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions