Any tips for how to update old deps inside of other packages? Most of my warnings come from larger packages that I don't have access to the internals of without significant hassle. If I update them in my repo, will the newer version I installed override the old version inside the library? Thanks!
@askdesigners Yup, that's exactly what this post is about. Just like in this post, I was using jest@23.x.x and it had 62 vulnerabilities coming from multiple internal packages that jest uses.
When running the suggested command that came from NPM, run npm install --save-dev jest@24.8.0, it will then grab that specific version of jest that fixes the vulnerabilities. This means that the maintaner(s) of your package have fixed the vulnerabilities and pushed a new version of their package for you to use.
Another option, that I wouldn't recommend, is to install the vulnerabilities of the internal packages into your own project. For example, if one of your packages is reporting a vulnerability from an internal package, braces like in my example in the post, you could install the fixed version of that package yourself using npm i --save-dev braces but this could cause breaking changes.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Any tips for how to update old deps inside of other packages? Most of my warnings come from larger packages that I don't have access to the internals of without significant hassle. If I update them in my repo, will the newer version I installed override the old version inside the library? Thanks!
@askdesigners Yup, that's exactly what this post is about. Just like in this post, I was using
jest@23.x.xand it had 62 vulnerabilities coming from multiple internal packages thatjestuses.When running the suggested command that came from NPM,
run npm install --save-dev jest@24.8.0, it will then grab that specific version ofjestthat fixes the vulnerabilities. This means that the maintaner(s) of your package have fixed the vulnerabilities and pushed a new version of their package for you to use.Another option, that I wouldn't recommend, is to install the vulnerabilities of the internal packages into your own project. For example, if one of your packages is reporting a vulnerability from an internal package,
braceslike in my example in the post, you could install the fixed version of that package yourself usingnpm i --save-dev bracesbut this could cause breaking changes.