Direct dependencies
To fix a vulnerability in a direct dependency, run the npm audit fix command:
npm audit fix
Or, if you have Dependabot enabled, it will automatically create a pull request to update the dependency.
Peer dependencies
To fix a vulnerability in a peer dependency, use the package.json overrides field to pin the peer dependency to a version that does not have the vulnerability. For example, to fix a vulnerability in the nth-check package, add the following to package.json:
"overrides": {
  "nth-check": "^2.0.1"
}

// or, in the nested form, to correct the version at any depth:
"overrides": {
  "nth-check": {
    ".": "^2.0.1"
  }
}
Inbox
- When updating a dependency is the solution:
- Enable dependabot security update PRs?
- Try updating the dependency to the latest version?
- https://medium.com/microsoftazure/how-to-fix-your-security-vulnerabilities-with-npm-override-c4b5be0ab4f6#:~:text=What%20is%20npm%20overrides%3F,json.&text=You%20can%20further%20specify%20if,be%20overridden%20at%20any%20depth.
- https://stackoverflow.com/questions/52416312/npm-equivalent-of-yarn-resolutions