NPM node-fetch security vulnerability
I have a node-module called node-fetch which is producing a Denial of Service security vulnerability. The only way to fix this is to update it to version 2.6.1. When I run npm ls node-fetch I can see that it's a dependency of swagger-ui.
```text
`-- [email protected]
+-- [email protected]
| `-- [email protected]
| `-- [email protected]
| `-- [email protected] deduped
`-- [email protected]
`-- [email protected]
`-- [email protected]
```
I tried npm install swagger-ui@latest to see if that would fix the issue, but it did not. I also tried editing the version in package-lock.json, but it reverts when running npm install.
I am very new to fixing security vulnerabilities so I don't know exactly what to do here.
Anything helps! 🍻 Cheers
Solution 1:[1]
As a solution, I can suggest adding the resolutions to your package.json:
```json
{
  ....
  "dependencies": {
    ...
    "swagger-ui": "3.23.11",
    ...
  },
  "resolutions": {
    "node-fetch": "2.6.1"
  }
}
```
Solution 2:[2]
As of npm 8.3.0, you should be able to add this to your package.json to fix the issue:
```json
"overrides": {
  "node-fetch": "^2.6.7"
},
```
This tells the installer to override any installed version of node-fetch with version 2.6.7 or any minor release that came after this version (e.g. 2.6.8 would be allowed but 3.0.0 would not).
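Whichever of the two approaches is used, the thing worth checking afterwards is that no copy of node-fetch below the fixed version is left anywhere in the tree, including nested copies under a dependency. The script below is an added example, not code from either answer: it scans a package-lock.json of lockfileVersion 2 or 3 (the format npm 7+ writes) for every installed copy of a package and lists those still below a minimum version. The sample lockfile and the dependency name `some-dep` in it are constructed for the demonstration.

```javascript
// Added example (not from either answer): find every installed copy of a
// package in a package-lock.json (lockfileVersion 2/3) and report the ones
// whose version is still below the fixed release.

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b (numeric, so 2.10 > 2.9).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every copy of `name`, top-level or nested such as
// "node_modules/swagger-ui/node_modules/node-fetch". The exact-match / "/node_modules/"
// suffix test avoids matching a scoped package like "@scope/node-fetch".
function findInstalls(lock, name) {
  const top = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p, meta]) => (p === top || p.endsWith(`/${top}`)) && meta.version)
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Copies of `name` whose version is still below `minFixed`.
function vulnerableInstalls(lock, name, minFixed) {
  return findInstalls(lock, name)
    .filter(i => compareVersions(i.version, minFixed) < 0);
}

// Constructed sample lockfile: the top-level copy was overridden, but a
// nested copy under a hypothetical dependency is still on the old version.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/node-fetch': { version: '2.6.7' },
    'node_modules/some-dep': { version: '1.0.0' },
    'node_modules/some-dep/node_modules/node-fetch': { version: '2.6.0' },
  },
};

const stale = vulnerableInstalls(sampleLock, 'node-fetch', '2.6.1');
stale.forEach(s => console.log(`${s.path} still has ${s.version}`));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result means no copy below the fixed version remains.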
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | CyberEternal |
| Solution 2 | Kameron Blackthorn |
