8704. Security Vulnerability of Dependencies for Node.js App
Node.js


Tutorial on removing security vulnerabilities from Node.js apps.

1. Warning from GitHub

For some of the repositories on GitHub, we get the warning ‘We found a potential security vulnerability in one of your dependencies.’

2. Vulnerability Detection

Use ‘npm audit’ to scan your Node.js app and detect security vulnerabilities in its dependencies. To use it, you must upgrade ‘npm’ to version 6.

npm install npm@latest -g

Go to the root folder of the app and run ‘npm audit’. It lists the vulnerable dependencies.

npm audit

At the end, it shows a summary of the security vulnerabilities. In the example, there is one ‘high’ level vulnerability.

3. Removing Vulnerability

Run the following command to automatically install compatible updates to the vulnerable dependencies. In the example below, it fixed 9 of 15 vulnerabilities.

npm audit fix

Run ‘npm audit’ again: there are still 6 vulnerable dependencies, but no ‘high’ level vulnerability remains.

npm audit


  • If you want to fix more vulnerabilities, you may run the following commands or fix them manually. For example, to fix the vulnerability in the hoek package, run ‘npm install hoek’ to install the latest version of hoek.
    npm audit fix --force
    npm upgrade

  • Push all the changes to GitHub; the warning should then be gone.
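To keep the audit-then-fix cycle above from regressing, here is an added example (not code from the original post) of a small Node script that turns the severity summary of ‘npm audit --json’ into a CI gate. It assumes the report was saved with ‘npm audit --json > audit.json’; the two embedded sample reports are constructed to mirror the counts in the post, not real audit output.

```javascript
// Added example (not from the original post): a CI gate over the JSON that
// `npm audit --json` prints. Both npm 6 and later report formats carry a
// `metadata.vulnerabilities` object with one count per severity level.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Count findings per severity; accepts the parsed object or the raw JSON text.
function severityCounts(report) {
  const parsed = typeof report === 'string' ? JSON.parse(report) : report;
  const meta = (parsed && parsed.metadata && parsed.metadata.vulnerabilities) || {};
  const counts = {};
  for (const level of SEVERITY_ORDER) counts[level] = Number(meta[level]) || 0;
  return counts;
}

// Pass only when nothing at or above `threshold` remains after `npm audit fix`.
function auditGate(report, threshold = 'high') {
  const start = SEVERITY_ORDER.indexOf(threshold);
  if (start < 0) throw new Error(`unknown severity threshold: ${threshold}`);
  const counts = severityCounts(report);
  const sum = (levels) => levels.reduce((n, level) => n + counts[level], 0);
  const blocking = sum(SEVERITY_ORDER.slice(start));
  return { pass: blocking === 0, blocking, total: sum(SEVERITY_ORDER), counts };
}

// Constructed samples (assumed, not real audit output) mirroring the post's two
// scans: 15 findings with one 'high' before the fix, 6 with none 'high' after.
const BEFORE_FIX = JSON.stringify({ metadata: { vulnerabilities:
  { info: 0, low: 9, moderate: 5, high: 1, critical: 0 } } });
const AFTER_FIX = JSON.stringify({ metadata: { vulnerabilities:
  { info: 0, low: 4, moderate: 2, high: 0, critical: 0 } } });

function describe(label, result) {
  const verdict = result.pass ? 'PASS' : 'FAIL';
  return `${label}: ${verdict} (${result.blocking} blocking of ${result.total} total)`;
}

// Usage in CI: `npm audit --json > audit.json; node audit-gate.js audit.json high`.
// Re-run the gate (and the app's own tests) after `npm audit fix --force`, since
// `--force` may pull in semver-major updates. With no file argument, the
// constructed samples are evaluated instead.
const reportPath = process.argv[2];
if (reportPath) {
  const text = require('fs').readFileSync(reportPath, 'utf8');
  const result = auditGate(text, process.argv[3] || 'high');
  console.log(describe(reportPath, result));
  process.exitCode = result.pass ? 0 : 1; // non-zero exit fails the pipeline step
} else {
  console.log(describe('before npm audit fix', auditGate(BEFORE_FIX)));
  console.log(describe('after npm audit fix', auditGate(AFTER_FIX)));
}
```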

4. Final Solution

# upgrade angular
npm install -g @angular/cli
ng update @angular/core
ng update @angular/cli --migrate-only --from=1.7.3
ng update

# upgrade react
npm install --save react@latest

# update packages
npm update
npm install

5. References