loading...

Resolve NPM security vulnerabilities

pamit profile image Payam Mousavi ・2 min read

If you have seen your CI pipeline builds failed due to security vulnerabilities in some NPM packages, you have probably tried npm audit fix and boom! No sign of those found N high severity vulnerabilities in scanned packages messages!

In some cases, that command won’t solve your issue; sometimes the issue is caused by a transitive dependency (sub-dependency) and you can’t or don’t want to wait for a version patch for the package.

For instance, consider the following security vulnerability (https://www.npmjs.com/advisories/1213):

NPM Audit issue

It says, the dot-prop package has a security issue which needs to get fixed, and serverless-apigateway-service-proxy and serverless depend on it. But if you run npm audit fix you’ll probably see a similar message:

fixed 0 of N vulnerabilities in X scanned packages
  N vulnerabilities required manual review and could not be updated

You have some options here! One option is to ignore that specific vulnerability in your CI pipeline using another NPM package like audit-ci which is basically something like this:

npx audit-ci --allowlist 1213

That is a good way of skip security issues temporarily, however, this approach is not always recommended as your project may still be vulnerable even if it is a dev package.

The second option is to force a specific unaffected version of that package. This means we need to change our packahe.json and add the following:

{
  "name": "project-x",
  ...  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  ...   "resolutions": {
    "dot-prop": "5.1.1"
  }
}

This will override the affected versions with the specified version. Again, this is not always recommended and should be used carefully and only if you have no other option! Normally, we need to wait for a version patch from the package maintainers to fix a vulnerability.

That’s it! Happy coding!

Posted on by:

pamit profile

Payam Mousavi

@pamit

I'm a software developer with interest in Software Architecture, Security and lots of other stuff! Also a fan of many languages including Ruby | Elixir | Go | Swift | Java.

Discussion

markdown guide
 

I'm always cautious with using --force with any command! npm audit is no exception for me so I prefer to see what's going wrong and fix it step by step.