DEV Community

Vasily Malykhin

Fix a transitive npm dependency vulnerability

Thanks to the community, npm reports from time to time vulnerabilities found among the installed dependencies. Our team works on a SPA based on react, webpack, storybook, babel, and so on, a pretty basic setup nowadays. We strive to keep the number of vulnerabilities as small as possible, but sometimes fixing them is not that easy.

A transitive (in other words, indirect) dependency might be located very deep in the tree. For example, on March 6th, 2020 a vulnerability in the kind-of package was found. All of a sudden, we ended up with more than 38000 low-severity vulnerabilities reported by npm audit.


We didn't have it in our package.json file, but obviously it was used by a ton of packages deep in the tree. For example, take a look at this path to kind-of:

jest>jest-cli>@jest/core>@jest/reporters>jest-runtime>jest-config>@jest/test-sequencer>jest-runner>jest-jasmine2>@jest/environment>@jest/transform>jest-haste-map>jest-util>@jest/fake-timers>jest-message-util>micromatch>nanomatch>kind-of

The standard recommendation given by npm audit is to run

npm update package-name --depth=N

To be honest, I haven't seen it work yet. Sometimes this command does nothing, and sometimes it does "so much" that it hangs forever.

So, the only way for us to fix it was to do it manually. Exploring package-lock.json, we noticed that the vulnerable version (6.0.2) was installed multiple times by different packages. In order to get rid of the vulnerabilities, we had to update every occurrence of kind-of:

  1. npm install -D kind-of@6.0.2 - install 6.0.2 as a direct dependency so that the duplicates can be removed in the next step
  2. npm dedupe - remove the duplicates of 6.0.2
  3. npm update kind-of - fix the vulnerability by upgrading to 6.0.3
  4. npm uninstall kind-of - remove the direct dependency again

After these manipulations, we saw a much better picture:

In that case it was rather simple to identify the duplicates and work out how to dedupe the dependencies. In more complex cases we find discovery.js very useful. See it in action here

P.S.
Don't pay attention to the rest of the vulnerabilities. We are already working on them ;)
