DEV Community

Vasily Malykhin
Vasily Malykhin

Posted on

Fix a transitive npm dependency vulnerability

Thanks to community, from time to time, npm reports about vulnerabilities found amongst the installed dependencies. Our team works on a SPA based on react, webpack, storybook, babel, and so on, pretty basic setup nowadays. We strive to keep the number of vulnerabilities as small as possible. But sometimes it is not that easy to fix them.

The transitive dependency or, in other words, the indirect one might be located very deep in the tree. For example, on March 6th, 2020 a kind of vulnerability vulnerability in kind-of package had been found. All of a sudden, we ended up with more than 38000 of low-level vulnerabilities, reported by npm audit.

Alt Text

We didn't have it in our package.json file, but obviously it was used by a ton of packages deep in the tree. For example, take a look at this path to kind-of:

Enter fullscreen mode Exit fullscreen mode

The standard recommendation given by the npm audit is to run

npm update  package-name --depth=N
Enter fullscreen mode Exit fullscreen mode

To be honest, I haven't seen it working yet. Sometimes this command does nothing, sometimes it does "so much" that it hangs forever.

So, the only way to fix it for us was to do it manually. Exploring package-lock.json, we noticed that a vulnerable version (6.0.2) was installed multiple times by different packages. In order to get rid of the vulnerabilities, we had to update all occurrences of kind-of:

  1. npm install -D kind-of@6.0.2 - install 6.0.2 to remove duplicates on the next step
  2. npm dedupe - remove duplicates of 6.0.2
  3. npm update kind-of - fix vulnerability upgrading to 6.0.3
  4. npm uninstall kind-of - remove the direct dependency

After these manipulations, we saw a much better picture:
Alt Text

In that case, it was rather simple to identify duplicates and find out how to dedupe dependencies. But in more complex cases we find it very useful to use discovery.js. See it in action here

Don't pay attention to the rest of the vulnerabilities. We are already working on them ;)

Top comments (0)