"One of your dependencies may have a security vulnerability" — GitHub

Michael H. Tran
Sep 7, 2018 · 1 min read

Ugh. I have so many repositories because I did so many small tutorials when I was preparing for Hack Reactor. Now, I am paying the piper with all these emails.

Here is how I resolved these security holes in my old repositories:

  1. git clone <repo>; cd <repo>
  2. rm -rf node_modules && npm update --save-dev && npm update --save; npm audit fix; npm i;
  3. npm audit *
  4. git commit -am "[Patch] -- Fix security vulnerabilities"; git push origin <branch>
  • * There might be some breaking changes. Use --force (npm audit fix --force) if you are confident enough to deal with those library upgrades.

Step two is a lot. Here is a quick breakdown.

  • npm update: "This command will update all the packages listed to the latest version (specified by the tag config), respecting semver. It will also install missing packages. As with all commands that install packages, the --dev flag will cause devDependencies to be processed as well." (https://docs.npmjs.com/cli/update)
  • npm audit fix: "Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies." (https://docs.npmjs.com/cli/audit)
  • Removing node_modules and reinstalling is just a sanity check.
  • npm audit: shows the breakdown of any low, medium or high issues left in your repo.

Hope that helps.

Fullstack Software Engineer@WalmartLabs; https://github.com/Mike-Tran