What am I supposed to do with these warnings, given the libs in question belong to 3rd party libs?
> npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Low Denial of Service
Package node-fetch
Patched in >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9
Dependency of aspnet-prerendering
Path aspnet-prerendering > domain-task > isomorphic-fetch >
node-fetch
More info https://npmjs.com/advisories/1556
Moderate Regular Expression Denial of Service
Package postcss
Patched in >=8.2.10
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > resolve-url-loader > postcss
More info https://npmjs.com/advisories/1693
found 2 vulnerabilities (1 low, 1 moderate) in 1514 scanned packages
2 vulnerabilities require manual review. See the full report for details.
I'm not impacted by this. I was just striving for zero warnings on all fronts.
I can't/don't want to fiddle with a dependency's dependency! Do I just need to upgrade my dependency?
asked May 12, 2021 at 2:43 by Jevon Kendon (edited May 12, 2021 at 2:48)
- Not much you can do. You could make a PR on that repo to fix the dependency. How much of an issue is this for you? – DogEatDog Commented May 12, 2021 at 2:45
- Not impacted. Just striving for zero warnings on all fronts. – Jevon Kendon Commented May 12, 2021 at 2:47
- That may never be achievable in the JS world. Try to eliminate offending packages if you can or switch to more mainstream/stable ones if possible. There is some acceptable risk to have for certain flavors of vulnerabilities. It seems like you're on the right path. – DogEatDog Commented May 12, 2021 at 2:51
3 Answers
Technically, there is no silver bullet to solve the vulnerabilities reported by npm audit. Here is the "Rule of Thumb" I am following:
1. Usually, I always do npm audit fix after npm audit. Note that this one will not solve all reports.
2. Update my dependencies to the latest stable. Be careful about the compatibility (hope you understand SEMVER). The cost you spend to keep your system up to date and stable is always cheaper than the cost you need to spend to handle vulnerable issues.
3. Reduce the number of your dependencies. Not everything you need requires a library. You can build yourself a simpler version.
4. Learn to separate dependencies and devDependencies. If the issue is reported for a dev tool, you can skip it.
As I said above, there is no silver bullet, so give yourself some relaxation instead of fixing all of them. Just fix the necessary ones.
Finally, follow this: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
You can make your dependencies use another (current / secure) version of their dependencies.
Let's say you have a warning about the postcss package, which I solved a moment ago, so I can describe the process and you can proceed analogously.
After npm audit I got a warning like:
Moderate Regular Expression Denial of Service
Package postcss
Patched in >=8.2.10
Dependency of laravel-mix [dev]
Path laravel-mix > cssnano > cssnano-preset-default > postcss-svgo > postcss
More info https://npmjs.com/advisories/1693
Notice! You have to be aware that when you make your package use a newer version of its dependency it can break things, but it's worth trying.
So you see that the laravel-mix package uses an old version of postcss and that the issue is fixed in version >=8.2.10 of postcss, so you want to install a newer version of the postcss package, which you can achieve by:
npm install postcss --save-dev
Then you need to add a new section to your package.json file instructing npm that you want dependencies to use your specific version of the library. In my case it goes like this:
{
  "resolutions": {
    "postcss": "^8.2.15"
  }
}
Then you have to add a new script to force npm to use this new "resolutions" section, like this:
"scripts": {
  "preinstall": "npx npm-force-resolutions"
}
Notice! You have to run this script every time before running your regular npm install. It goes like this:
npm run preinstall
npm install
More info can be found in the npm docs.
You might just need to edit your package.json, update the version for the offending package to the latest stable version (in this case https://www.npmjs.com/package/node-fetch), and then run "npm install" from the terminal.