"One of your dependencies may have a security vulnerability" — GitHub
Sep 7, 2018 · 1 min read
Ugh. I have so many repositories because I did so many small tutorials when I was preparing for Hack Reactor. Now, I am paying the piper with all these emails.
Here is how I resolved these security holes in my old repositories:
- git clone <repo>; cd <repo>
- rm -rf node_modules && npm update --save-dev && npm update --save; npm audit fix; npm i
- npm audit *
- git commit -am "[Patch] - Fix security vulnerabilities"; git push origin <branch>
- * There might be some breaking changes. Use --force if you are confident enough to deal with those library upgrades.
Step two is a lot. Here is a quick breakdown.
- npm update: "This command will update all the packages listed to the latest version (specified by the tag config), respecting semver. It will also install missing packages. As with all commands that install packages, the --dev flag will cause devDependencies to be processed as well." (https://docs.npmjs.com/cli/update)
- npm audit fix: “Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies.” (https://docs.npmjs.com/cli/audit)
- Removing node_modules and reinstalling is just a sanity check, so that what you commit matches a clean install from the updated lockfile.
- npm audit: shows the breakdown of any low, med or high issues left in your repo.
Hope that helps.
