I want to fix one vulnerability and, after a lot of trial and error, I want to use the fix given by npm audit fix. The npm audit output says:
# Run npm update mkdirp --depth 8 to resolve 10 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Prototype Pollution in minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ less │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ less > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-xvch-5gv4-984h │
└──────────────
Now, I ran the above command and the result is:
npm update mkdirp --depth 8
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN [email protected] requires a peer of webpack@^2.1.0-beta || ^2.2.0-rc || ^2.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of webpack@^1.1.0 || ^2 || ^2.1.0-beta.0 || ^2.2.0-rc.0 but none is installed. You must install peer dependencies yourself.
npm WARN The package style-loader is included as both a dev and production dependency.
npm WARN The package uuid is included as both a dev and production dependency.
+ [email protected]
added 4 packages from 1 contributor, updated 1 package and audited 1827 packages in 8.439s
4 packages are looking for funding
run `npm fund` for details
found 528 vulnerabilities (31 low, 169 moderate, 228 high, 100 critical)
run `npm audit fix` to fix them, or `npm audit` for details
Now if I run npm audit, the vulnerability is not there, but I don't see any changes in the package.json file. The only changes are in package-lock.json, which we are not supposed to check in. How can I have npm audit change package.json, so that it can be checked in?
This is wrong; you should check this in. It's the whole point of the file: to make sure anyone else using the repo is running the same versions as you.
In answer to your question (a little late), the vulnerability is likely in one of the dependencies of your dependencies, if that makes sense. E.g. you have installed package A, which has a dependency on package B. Package A will be in your package.json, but package B will only be in the lock file.
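To make the answer concrete, here is an added example (not code from the question, the answer, or npm itself) that walks a lockfile-v1-style package-lock.json the way the audit's "Path" row does, starting from the direct dependencies declared in package.json and following each entry's "requires" edges until it reaches a target package. Both JSON documents are constructed sample data with illustrative versions, not the poster's real files; the point they show is that less is a direct dependency and therefore appears in package.json, while mkdirp and minimist are reached only transitively and so are pinned nowhere but the lock file.

```javascript
// Added example (not from the question or answer): locate a transitive
// dependency in a lock file and report whether it is declared directly.
// Both documents below are constructed sample data, not the poster's files.

const packageJson = {
  dependencies: { less: "^3.0.0" },
  devDependencies: { "style-loader": "^0.23.0" },
};

// Flat (hoisted) lock entries in the shape npm 6 writes: a resolved
// "version" plus a "requires" map of what that entry itself depends on.
const packageLock = {
  dependencies: {
    less:           { version: "3.11.1", requires: { mkdirp: "^0.5.0" } },
    mkdirp:         { version: "0.5.5",  requires: { minimist: "^1.2.5" } },
    minimist:       { version: "1.2.5" },
    "style-loader": { version: "0.23.1", requires: { "loader-utils": "^1.1.0" } },
    "loader-utils": { version: "1.4.0" },
  },
};

// Everything named in package.json, prod and dev alike.
function directDependencies(pkg) {
  return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
}

// Depth-first search from the direct dependencies through "requires" edges,
// returning every path that ends at `target` (what npm audit prints as Path).
function findPaths(pkg, lock, target) {
  const entries = lock.dependencies || {};
  const paths = [];
  function walk(name, trail) {
    if (trail.includes(name)) return; // guard against dependency cycles
    const next = [...trail, name];
    if (name === target) { paths.push(next); return; }
    const entry = entries[name];
    if (!entry) return; // lock file is missing an entry; nothing to follow
    for (const dep of Object.keys(entry.requires || {})) walk(dep, next);
  }
  for (const name of directDependencies(pkg)) walk(name, []);
  return paths;
}

function isDirectDependency(pkg, name) {
  return directDependencies(pkg).includes(name);
}

// Summarise where a package is pinned and how it is reached.
function describe(pkg, lock, target) {
  const paths = findPaths(pkg, lock, target).map((p) => p.join(" > "));
  const where = isDirectDependency(pkg, target) ? "package.json" : "package-lock.json only";
  const version = (lock.dependencies[target] || {}).version;
  return { target, where, version, paths };
}

console.log(describe(packageJson, packageLock, "minimist"));
```

On a real project, `npm ls minimist` prints the same chain from the installed tree; the example above just makes explicit why a fix that only bumps mkdirp and minimist leaves package.json untouched, and why the lock file is the artifact that records that fix.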