What am I supposed to do with these warnings, given the libs in question belong to 3rd party libs?

> npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit  for additional guidance


  Low             Denial of Service

  Package         node-fetch

  Patched in      >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9

  Dependency of   aspnet-prerendering

  Path            aspnet-prerendering > domain-task > isomorphic-fetch >
                  node-fetch

  More info       


  Moderate        Regular Expression Denial of Service

  Package         postcss

  Patched in      >=8.2.10

  Dependency of   @angular-devkit/build-angular [dev]

  Path            @angular-devkit/build-angular > resolve-url-loader > postcss

  More info       

found 2 vulnerabilities (1 low, 1 moderate) in 1514 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

I'm not impacted by this. I was just striving for zero warnings on all fronts.

I can't/don't want to fiddle with a dependency's dependency! Do I just need to upgrade my dependency?

What am I supposed to do with these warnings, given the libs in question belong to 3rd party libs?

> npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Denial of Service

  Package         node-fetch

  Patched in      >=2.6.1 <3.0.0-beta.1|| >= 3.0.0-beta.9

  Dependency of   aspnet-prerendering

  Path            aspnet-prerendering > domain-task > isomorphic-fetch >
                  node-fetch

  More info       https://npmjs./advisories/1556


  Moderate        Regular Expression Denial of Service

  Package         postcss

  Patched in      >=8.2.10

  Dependency of   @angular-devkit/build-angular [dev]

  Path            @angular-devkit/build-angular > resolve-url-loader > postcss

  More info       https://npmjs./advisories/1693

found 2 vulnerabilities (1 low, 1 moderate) in 1514 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

I'm not impacted by this. I was just striving for zero warnings on all fronts.

I can't/don't want to fiddle with a dependency's dependency! Do I just need to upgrade my dependency?

• javascript
• node.js

• Not much you can do. You could make a PR on that repo to fix the dependency. How much of an issue is this for you? – DogEatDog Commented May 12, 2021 at 2:45
• Not impacted. Just striving for zero warnings on all fronts. – Jevon Kendon Commented May 12, 2021 at 2:47
• 1 That may never be achievable in the JS world. Try to eliminate offending packages if you can or switch to more mainstream/stable ones if possible. There is some acceptable risk to have for certain flavors vulnerabilities. It seems like you're on the right path. – DogEatDog Commented May 12, 2021 at 2:51

3 Answers 3

Technically, there is no silver bullet to solve the vulnerabilities report from npm audit. Here is the "Rule of Thumb" I am following:

• Usually, I always do npm audit fix after npm audit. Note that: this one will not solve all reports.

• Update my dependencies to the latest stable. Be careful about the patibility. (Hope you understand the SEMVER). The cost you spend to keep your system up to date and stable is always cheaper than the cost you need to spend to handle vulnerable issues.

• Reduce the number of your dependencies. Note everything you need to use the library. You can build yourself a simpler version.

• Learn to separate dependencies and dev dependencies. If the issue is reported for a dev tool, you can skip it. As I said above, there is no silver bullet so give yourself relaxation instead of fixing all of them. Just fix the necessary ones.

• Finally, follow this: https://docs.npmjs./auditing-package-dependencies-for-security-vulnerabilities

You can make your dependencies to use other (current / secure) version of their dependencies.

Let's say you have a warning about postcss package, which I solved a moment ago so I can describe the process and you can proceed analogically.

After npm audit I got a warning like:

  Moderate        Regular Expression Denial of Service                          
  Package         postcss                                                       
  Patched in      >=8.2.10                                                      
  Dependency of   laravel-mix [dev]                                             
  Path            laravel-mix > cssnano > cssnano-preset-default >              
                  postcss-svgo > postcss                                        
  More info       https://npmjs./advisories/1693  

Notice! You have to be aware that when you'll make your package to use a newer version of its dependency it can break things, but it's worth trying.

So you see that the laravel-mix package uses old version of the postcss and that the issue is fixed in version >=8.2.10 of postcss so you want to install a newer version of the postcss package which you can achieve by:

npm install postcss --save-dev

Then you need to add a new section to your package.json file instructing npm that you want dependencies to use your specific version of the library. It goes in my case like this:

{
  "resolutions": {
    "postcss": "^8.2.15",
  }
}

Then you have to add a new script to force npm usage of this new "resolutions" section like this:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

Notice! You have to run this script every time before running your regular npm install. It goes like this:

npm run preinstall
npm install

More info can be found in the npm docs.

You might just need to edit your package.json, update the version for the offending package to the latest stable version (in this case https://www.npmjs./package/node-fetch), and then run "npm install" from the terminal.