Steps to fix package security vulnerabilities in your JS project

Pere Sola - Oct 25 - - Dev Community

Github sends you regular alerts when security vulnerabilities are detected among your installed packages or their dependencies. I used to try to let dependabot fix them for me. However, half the time I was not able to merge the PR that had been generated for me. As a result, the violations were left unaddressed, which is not good. In my case I use pnpm; I guess it is the same with npm.

I came across this article by Niraj Chauhan today and it got me into how to solve them using the terminal.

Steps:

  • You get the dependabot alert from Github:

Dependabot alert from Github

  • I know, the package name in the screenshot above doesn't match the rest of the article. But this is about the steps, you get the point.
  • Navigate to the project on your machine and run pnpm audit. You should see details about the vulnerabilities:

Details about the vulnerability in the terminal

  • In the path section you should see what is causing this. In my case, it seems to be "nested dependencies" (dependencies of dependencies).

  • You can run pnpm why NAME_OF_THE_PACKAGE to confirm the above. In my case, I get this when running it on my first vulnerability: pnpm why netmask

Result of

  • You can try running pnpm audit fix but it never works for me.

  • Open your package.json and update the version of the package that is causing this - in my case mailgun-js. You can run pnpm view NAME_OF_THE_PACKAGE versions to see all the versions, or pnpm info NAME_OF_THE_PACKAGE version to know the latest stable version.

If it is different, edit your package.json file with the version you need and run pnpm i again. After that you run pnpm audit again to confirm that the vulnerability is gone. If it is still there, start again or continue reading.

  • In my case, the latest stable version is the one I have installed, so I need to take another approach.

  • We can force pnpm to install a certain version of a nested dependency. The pnpm docs are here and you do it like so in your package.json file:

Example of pnpm overrides code in package.json file

  • I got an error about the version I was trying to override, so I wrote the latest one in my package.json file:

Latest version of the package file


  • Run pnpm i and happy days, the vulnerability for that package is no longer there.
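To tie the steps together, here is an added example (not code from the original post or from pnpm) that takes the JSON form of the audit output, works out for each finding which direct dependency the vulnerable package is reached through, and builds the pnpm.overrides entry for the nested ones. It assumes that pnpm audit --json returns the npm "audit v1" shape (an advisories object whose findings carry paths joined with ">"); the advisory records, version numbers and package.json below are constructed sample data, not real advisories.

```javascript
// Added example: summarize `pnpm audit --json` output and propose
// pnpm.overrides entries for nested (transitive) vulnerable packages.
// Assumption: the audit JSON uses the npm "audit v1" layout, i.e.
// { advisories: { id: { module_name, severity, patched_versions,
//   findings: [{ version, paths: ["direct>child>...>vulnerable"] }] } } }.

// Constructed sample audit output (not a real advisory record).
const SAMPLE_AUDIT = {
  advisories: {
    "1001": {
      module_name: "netmask",
      severity: "high",
      title: "Constructed sample advisory",
      vulnerable_versions: "<2.0.1",
      patched_versions: ">=2.0.1",
      findings: [
        { version: "1.0.6", paths: ["mailgun-js>proxy-agent>pac-resolver>netmask"] },
      ],
    },
    "1002": {
      module_name: "lodash",
      severity: "moderate",
      title: "Constructed sample advisory",
      vulnerable_versions: "<4.17.21",
      patched_versions: ">=4.17.21",
      findings: [{ version: "4.17.20", paths: ["lodash"] }],
    },
  },
};

// "a>b>c" -> ["a", "b", "c"]. Scoped names contain "/" but never ">".
function splitPath(path) {
  return path.split(">");
}

// One row per (advisory, finding, path): the vulnerable package, the
// direct dependency it is reached through (first path segment), whether
// it is nested, and the range that fixes it.
function summarizeAudit(audit) {
  const rows = [];
  for (const adv of Object.values(audit.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const p of finding.paths || []) {
        const chain = splitPath(p);
        rows.push({
          pkg: adv.module_name,
          installed: finding.version,
          severity: adv.severity,
          direct: chain[0],
          nested: chain.length > 1,
          patched: adv.patched_versions,
        });
      }
    }
  }
  return rows;
}

// Overrides are only proposed for nested findings; a direct dependency
// should simply be bumped in package.json.
function buildOverrides(rows) {
  const overrides = {};
  for (const r of rows) {
    if (r.nested && r.patched) overrides[r.pkg] = r.patched;
  }
  return overrides;
}

// Return a copy of a package.json object with the overrides merged under
// the "pnpm" key, which is where pnpm reads them from.
function applyOverrides(pkgJson, overrides) {
  const out = JSON.parse(JSON.stringify(pkgJson));
  out.pnpm = out.pnpm || {};
  out.pnpm.overrides = { ...(out.pnpm.overrides || {}), ...overrides };
  return out;
}

function demo() {
  const rows = summarizeAudit(SAMPLE_AUDIT);
  for (const r of rows) {
    const via = r.nested ? ` via ${r.direct} (nested)` : " (direct dependency)";
    console.log(`${r.severity}: ${r.pkg}@${r.installed}${via} -> needs ${r.patched}`);
  }
  // Constructed package.json, not the post author's.
  const pkg = { name: "demo", dependencies: { "mailgun-js": "0.22.0", lodash: "4.17.20" } };
  console.log(JSON.stringify(applyOverrides(pkg, buildOverrides(rows)), null, 2));
}

demo();
```

In real use you would pass the parsed output of pnpm audit --json to summarizeAudit instead of the sample, bump the direct dependencies it lists, write the proposed overrides into package.json, run pnpm i, and then run pnpm audit again to confirm the findings are gone. Overriding pins every copy of that package in the tree, so check that the forced version is still compatible with the parent that depends on it.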

Edit 25/10: according to this Stack Overflow thread, both Github dependabot and pnpm audit feed from the same database, so you are not missing out on vulnerabilities by fixing things this way rather than through the dependabot workflow. Also there is this blog post.
