How to exclude dependencies or module which are available in package-lock.json in build.gradle to get rid of vulnerabilities
Here is some insight into the problem: when we do npm install on a Node.js project, package-lock.json is generated, and in package-lock.json all the dependencies are added for lodash, uglify-js, etc. Even though we have not declared lodash or uglify-js in package.json, these packages are added to package-lock.json.
While we are doing a WhiteSource scan or CVE remediation for the above project, we get vulnerabilities for lodash and uglify-js even though we have not used them in the Node.js code nor in package.json.
How do we exclude these particular dependencies from package-lock.json?
Solution 1:[1]
... in package-lock.json all the dependencies are added for lodash, uglify-js, etc. Even though we have not declared lodash or uglify-js in package.json, these packages are added to package-lock.json.
One of the modules you use in your project uses lodash, uglify-js, etc. in its source (as dependencies when building the module). That's why they are available in package-lock.json.
You can use NPM's ls command to see which packages are using which dependencies.
npm ls lodash
You can read more in the npm Docs.
Solution 2:[2]
To exclude any of the vulnerable dependencies, try adding those dependencies to "exclusions". Then run "npx npm-dependency-exclusion". Example below:
"exclusions": {
  "postcss": "any"
}
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | Jathin |
