How to update npm nested dependency in node_modules due to vulnerability

I'm using React (v17.0.2), with NodeJs (v16.14.0) and NPM (v8.5.1) and I've been using antd in my project (it is listed as a dependency in package.json). The antd package has its own dependencies as described in package-lock.json. One of these dependencies is copy-to-clipboard.

An AWS vulnerability scan marked some issues with our project. Running an "npm audit" in our project resulted in 0 vulnerabilities listed. However, after cloning the copy-to-clipboard project and running an "npm audit" from there the result was: 16 vulnerabilities (1 low, 4 moderate, 6 high, 5 critical).

It turns out that copy-to-clipboard has dependencies and/or sub-dependencies that have vulnerabilities associated with them. Mostly or possibly all to do with outdated versions of packages used. However, copy-to-clipboard is at the latest version and the project doesn't appear to be particularly active (the latest version was produced well over a year ago).

Solutions I thought to try were to use the "override" flag in package.json or npm-force-resolutions or "npm shrinkwrap". The problem is that the dependencies of copy-to-clipboard do not have their versions specified in package-lock.json. Instead these dependencies are defined in their own "lock" file located in node_modules/copy-to-clipboard/yarn.lock. These are not "lock" files that I have control over (i.e. they will be overwritten). Therefore I can't use any of those solutions.

I've created an issue with the copy-to-clipboard project to update their dependencies although it doesn't appear to be a particularly active project. So I don't know when that will happen if ever.

Swapping out antd for something else isn't really an option either.

What are my other options for trying to address this? Fork copy-to-clipboard to try and update the dependencies myself and hope I know what I'm doing? antd is widely used so I don't know how others aren't seeing this in their AWS (or whatever) vulnerability scans. Or perhaps they have solved this in a way that I haven't thought of.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow