Direct dependencies
To fix a vulnerability in a direct dependency, run the npm audit fix command.
Alternatively, if Dependabot is enabled, it will automatically open a pull request to update the dependency.
Peer dependencies
To fix a vulnerability in a peer dependency, use the package.json overrides field to set the peer dependency to a version that does not have the vulnerability. For example, to fix a vulnerability in the nth-check
package, add the following to package.json:
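As an added example that is not part of the original note: a package.json carrying an overrides entry for nth-check, as described above, and a small Node script that checks package-lock.json to confirm every resolved copy of the package, including nested ones, satisfies the override. The package names other than nth-check and all version numbers are constructed sample values, not a statement about which nth-check releases are vulnerable.

```javascript
// Added example, not part of the original note: after adding an "overrides" entry
// to package.json, confirm it took effect by checking every copy of the package that
// package-lock.json (lockfileVersion 2/3) resolved, including nested copies.

// Constructed package.json: the override applies to nth-check at any depth.
const samplePackageJson = {
  name: 'app',
  dependencies: { 'legacy-tool': '^0.3.0' },
  overrides: { 'nth-check': '>=2.0.1' },
};

// Constructed lockfile: the hoisted nth-check is fine, but a nested copy under
// legacy-tool is still old (npm install was not re-run), so the override missed it.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/nth-check': { version: '2.1.1' },
    'node_modules/legacy-tool': { version: '0.3.0' },
    'node_modules/legacy-tool/node_modules/nth-check': { version: '1.0.2' },
  },
};
// Compare two "x.y.z" strings numerically: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
// Only ">=x.y.z" and exact "x.y.z" override specs are handled; real specs may be any range.
function satisfiesOverride(version, spec) {
  if (spec.startsWith('>=')) return compareVersions(version, spec.slice(2)) >= 0;
  return compareVersions(version, spec) === 0;
}
// Return every lockfile path whose installed version violates an override.
function findUnsatisfiedOverrides(lock, overrides) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const name = lockPath.slice(lockPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const spec = overrides[name];
    if (spec && !satisfiesOverride(entry.version, spec)) {
      violations.push({ path: lockPath, version: entry.version, spec });
    }
  }
  return violations;
}

console.log(findUnsatisfiedOverrides(sampleLock, samplePackageJson.overrides));
```

An override only takes effect when npm install regenerates the lockfile, so re-run it after editing package.json and then check again.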
Inbox
- When updating a dependency is the solution:
  - Enable Dependabot security update PRs?
  - Try updating the dependency to the latest version?
- https://medium.com/microsoftazure/how-to-fix-your-security-vulnerabilities-with-npm-override-c4b5be0ab4f6#:~:text=What%20is%20npm%20overrides%3F,json.&text=You%20can%20further%20specify%20if,be%20overridden%20at%20any%20depth.
- https://stackoverflow.com/questions/52416312/npm-equivalent-of-yarn-resolutions