GitHub sends you regular alerts when security vulnerabilities are detected in your installed packages or their dependencies. I used to try to let Dependabot fix them for me. However, half the time I was not able to merge the PR that had been generated for me. As a result, the vulnerabilities were left unaddressed, which is not good. In my case I use pnpm; I guess it is the same with npm.
I came across this article by Niraj Chauhan today, and it got me looking into how to fix them from the terminal.
Steps:
- You get the Dependabot alert from GitHub:
- I know, the package name in the screenshot above doesn't match the rest of the article. But this is about the steps; you get the point.
- Navigate to the project on your machine and run `pnpm audit`. You should see details about the vulnerabilities:
In the path section you should see what is pulling in the vulnerable package. In my case, it seems to be nested dependencies (dependencies of dependencies). A nested dependency is pinned by its parent package's manifest, not by your `package.json`, which is why bumping what you depend on directly may not reach it.
You can run `pnpm why NAME_OF_THE_PACKAGE` to confirm this; it prints every dependency chain that ends in that package. In my case, I get this when running it on my first vulnerability: `pnpm why netmask`
You can try running `pnpm audit --fix`, which adds overrides to your `package.json` for the vulnerable packages, but it never works for me. Open your `package.json` and update the version of the package that is pulling in the vulnerability, in my case `mailgun-js`. You can run `pnpm view NAME_OF_THE_PACKAGE versions` to list all published versions, or `pnpm info NAME_OF_THE_PACKAGE version` to see the version currently tagged `latest`.
If the installed version is behind the latest, edit your `package.json` with the version you need and run `pnpm i` again. Then run `pnpm audit` again to confirm that the vulnerability is gone. If it is still there, start again or continue reading.
In my case, the latest stable version is the one I have installed, so I need to take another approach.
We can force pnpm to install a specific version of a nested dependency through the `overrides` field of the `pnpm` section in `package.json`. Bear in mind that an override bypasses the version range the parent package declared, so make sure the version you force is one the parent can actually work with (ideally within the same major). The pnpm docs are here, and you do it like so in your `package.json` file:
- I got an error about the version I was trying to override, so I wrote the latest one in my `package.json` file:
- Run `pnpm i` and happy days, the vulnerability for that package is no longer there.
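To tie the steps above together, here is an added example (not code from the original post, and not part of pnpm) that takes the output of `pnpm audit --json`, separates direct dependencies that only need a version bump in `package.json` from nested ones that need an override, and produces the `pnpm.overrides` entry. The audit report embedded in the script is a constructed sample: the advisory ids, versions and dependency paths are hypothetical, and `example-direct-dep` and `example-unfixed` are made-up package names. Only the shape follows what pnpm prints, which is npm's audit report format: an `advisories` object keyed by id, each with `module_name`, `patched_versions` and `findings[].paths` joined with `>`. The `parent>child` override selector comes from the pnpm overrides docs; whether to scope overrides that way is a judgement call, so it is an option here.

```javascript
// Added example, not code from the article or from pnpm.
// Converts a `pnpm audit --json` report into a fix plan: direct dependencies
// to bump in package.json and nested ones to force via `pnpm.overrides`.

// Constructed sample report. All ids, versions and paths are hypothetical, as
// are the package names other than netmask and mailgun-js; only the structure
// matches the npm audit format that pnpm prints.
const SAMPLE_AUDIT = JSON.stringify({
  advisories: {
    "1001": {
      module_name: "netmask",
      severity: "high",
      vulnerable_versions: "<2.0.1",
      patched_versions: ">=2.0.1",
      findings: [{ version: "1.0.6", paths: ["mailgun-js>proxy-agent>netmask"] }],
    },
    "1002": {
      module_name: "example-direct-dep",
      severity: "moderate",
      vulnerable_versions: "<1.2.0",
      patched_versions: ">=1.2.0",
      findings: [
        { version: "1.1.0", paths: ["example-direct-dep"] },            // direct
        { version: "1.1.0", paths: ["mailgun-js>example-direct-dep"] }, // nested too
      ],
    },
    "1003": {
      module_name: "example-unfixed",
      severity: "low",
      vulnerable_versions: "*",
      patched_versions: "<0.0.0", // npm's marker for "no patched version exists"
      findings: [{ version: "0.3.0", paths: ["mailgun-js>example-unfixed"] }],
    },
  },
});

// Flatten the report to one record per (advisory, dependency path).
function parseAuditReport(jsonText) {
  const report = JSON.parse(jsonText);
  const records = [];
  for (const [id, adv] of Object.entries(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split(">");
        records.push({
          advisoryId: id,
          module: adv.module_name,
          severity: adv.severity,
          installed: finding.version,
          patched: adv.patched_versions,
          path,
          // A single segment means the vulnerable package is a direct dependency;
          // anything longer is nested and is pinned by its parent, not by you.
          nested: chain.length > 1,
          parent: chain.length > 1 ? chain[chain.length - 2] : null,
        });
      }
    }
  }
  return records;
}

// Build the fix plan. With `scoped: true` each override is limited to the
// direct parent via pnpm's "parent>child" selector, so other consumers of the
// same package keep the version they asked for.
function planFixes(records, { scoped = false } = {}) {
  const bump = {};       // direct dependency -> patched range (edit package.json)
  const overrides = {};  // override selector -> patched range (pnpm.overrides)
  const unfixable = [];  // advisories with no patched release to force
  for (const r of records) {
    if (r.patched === "<0.0.0") {
      unfixable.push(`${r.module} (advisory ${r.advisoryId}) via ${r.path}`);
      continue;
    }
    if (!r.nested) {
      bump[r.module] = r.patched;
    } else {
      const key = scoped ? `${r.parent}>${r.module}` : r.module;
      overrides[key] = r.patched;
    }
  }
  return { bump, overrides, unfixable };
}

// Merge overrides into a package.json object without dropping existing ones.
// Returns a new object; writing it back to disk is left to the caller.
function applyOverrides(pkg, overrides) {
  const next = JSON.parse(JSON.stringify(pkg));
  next.pnpm = next.pnpm || {};
  next.pnpm.overrides = { ...(next.pnpm.overrides || {}), ...overrides };
  return next;
}

// Stand-alone run against the constructed sample.
const plan = planFixes(parseAuditReport(SAMPLE_AUDIT));
const updated = applyOverrides({ name: "demo", version: "1.0.0" }, plan.overrides);
console.log("bump directly in package.json:", plan.bump);
console.log("no patched release yet:", plan.unfixable);
console.log(JSON.stringify(updated, null, 2));
```

Run it with node. To apply it to your own project, replace `SAMPLE_AUDIT` with the text of `pnpm audit --json` (for instance read with `fs.readFileSync`), write the returned object back to `package.json`, then run `pnpm i` and `pnpm audit` again as in the steps above. The override value is the advisory's patched range verbatim; if you prefer to pin, swap in an exact version, but check that it is within the range the parent package declares. Advisories whose `patched_versions` is `<0.0.0` are reported rather than overridden, because there is nothing to force yet.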
Edit 25/10: according to this Stack Overflow thread, both GitHub Dependabot and `pnpm audit` feed from the same database, so you are not missing out on vulnerabilities by fixing things this way rather than through the Dependabot workflow. Also there is this blog post.