8704. Security Vulnerability of Dependencies for Node.js App
Tutorial for removing security vulnerabilities from Node.js apps.
1. Warning from GitHub
For some of the repositories on GitHub, we get the warning ‘We found a potential security vulnerability in one of your dependencies.’
2. Vulnerability Detection
Use ‘npm audit’ to scan your Node.js app and detect any security vulnerability. To use it, you must upgrade ‘npm’ to version 6.
npm install npm@latest -g
Go to the root folder of the app and run ‘npm audit’. It lists the vulnerable dependencies.
At the end, it shows a summary of the security vulnerabilities. In the example, we see there is one ‘high’ level vulnerability.
3. Removing Vulnerability
Run the following command to automatically install compatible updates to vulnerable dependencies. In the example below, it fixed 9 of 15 vulnerabilities.
npm audit fix
Run the command again, and we see there are still 6 vulnerable dependencies. However, there is no ‘high’ level vulnerability anymore.
- If you want to fix more vulnerabilities, you may run the following commands or fix them manually. For example, to fix the vulnerability in the hoek package, just run ‘npm install hoek’ to install the latest version of hoek. Be aware that ‘npm audit fix --force’ also installs semver-major updates, which can break the app, so test the app after running it.
npm audit fix --force
npm upgrade
Submit all the changes to GitHub, and the warning should be gone.
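The audit, fix and force-fix steps above can be triaged from the machine-readable report before anything is changed. The following is an added example, not part of the original tutorial: it assumes the ‘npm audit --json’ layout of npm 7 and later (a `vulnerabilities` map with `fixAvailable`, and severity counts in `metadata.vulnerabilities`), and the function name `triageAudit` and the sample report are constructed for illustration.

```javascript
// Added example: triage `npm audit --json` output (npm 7+ report layout assumed).
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample report; package names and versions are placeholders.
const SAMPLE_REPORT = {
  vulnerabilities: {
    'example-parser': { severity: 'high', fixAvailable: true },
    'example-router': { severity: 'moderate',
      fixAvailable: { name: 'example-framework', version: '5.0.0', isSemVerMajor: true } },
    'example-legacy': { severity: 'low', fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0, total: 3 } },
};

// Group vulnerable packages by the step that resolves them and count the
// findings at or above `failAt`, so a CI job can fail on that count.
function triageAudit(report, failAt = 'high') {
  const floor = SEVERITIES.indexOf(failAt);
  if (floor === -1) throw new Error(`unknown severity: ${failAt}`);

  const result = { autoFix: [], needsForce: [], manual: [], blocking: 0 };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    if (fix === true) {
      result.autoFix.push(name); // resolved by plain `npm audit fix`
    } else if (fix && typeof fix === 'object') {
      // The fix moves a top-level dependency out of its declared range,
      // which only `npm audit fix --force` does; flag semver-major jumps.
      result.needsForce.push({ name, install: `${fix.name}@${fix.version}`,
        breaking: Boolean(fix.isSemVerMajor) });
    } else {
      result.manual.push(name); // no fix offered by npm: review by hand
    }
  }
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  for (const level of SEVERITIES.slice(floor)) result.blocking += counts[level] || 0;
  return result;
}

const triage = triageAudit(SAMPLE_REPORT);
console.log(JSON.stringify(triage, null, 2));
// A CI wrapper would set a non-zero exit status when triage.blocking > 0.
```

To use it on a real project, pass the parsed output of ‘npm audit --json’ to `triageAudit` in place of the sample report.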
4. Final Solution
# upgrade angular
npm install -g @angular/cli
ng update @angular/core
ng update @angular/cli --migrate-only --from=1.7.3
ng update
# upgrade react
npm install --save react@latest
# update packages
npm update
npm install