'How to upgrade the the dependency under specific package in npm
I have 5 high-risk vulnerabilities from npm audit --production. This is the dependency of node-sass .
# Run npm update ansi-regex --depth 8 to resolve 5 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > sass-graph > yargs > cliui > strip-ansi > │
│ │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > sass-graph > yargs > cliui > string-width > │
│ │ strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > sass-graph > yargs > cliui > wrap-ansi > │
│ │ strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > sass-graph > yargs > cliui > wrap-ansi > │
│ │ string-width > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-sass > sass-graph > yargs > string-width > strip-ansi > │
│ │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
I tried the recommended command npm update ansi-regex --depth 8 but it doesn't fix the vulnerability.
npm notice created a lockfile as package-lock.json. You should commit this file.
+ [email protected]
added 1 package from 1 contributor, updated 1 package and audited 7 packages in 0.345s
found 0 vulnerabilities
npm notice created a lockfile as package-lock.json. You should commit this file.
+ [email protected]
added 3 packages from 3 contributors, updated 1 package and audited 10 packages in 0.376s
found 0 vulnerabilities
npm notice created a lockfile as package-lock.json. You should commit this file.
+ [email protected]
added 5 packages from 2 contributors, updated 1 package and audited 15 packages in 0.507s
1 package is looking for funding
run `npm fund` for details
found 0 vulnerabilities
I found a solution by using npm-force-resolutions
"scripts": {
"preinstall": "npx npm-force-resolutions"
},
"resolutions": {
"ansi-regex": "5.0.1"
},
After modifying package.json and running npm i, these vulnerabilities are gone but looks like npm i upgraded all packages with dependency ansi-regex. It made a lot off change to my package-locak.json file.
How do I upgrade ansi-regex which is only under [email protected] ?
npm ls ansi-regex
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ └─┬ [email protected]
│ │ └── [email protected] deduped
│ └─┬ [email protected]
│ └─┬ [email protected]
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ └─┬ [email protected]
│ │ └─┬ [email protected]
│ │ └── [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
I am very new to npm and javascript, any help is appreciated!
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|