Often you get messages from GitHub saying that one of the dependencies needs to be updated to fix a vulnerability. Every time I find myself Google-ing how to do that. I should Google no more, for I am writing this post... to remember!
- Often the alert is about modules that are dependencies, of dependencies, of dependencies of libraries you have installed. You can type
npm ls {{type_package_name}}to find what's the parent module. Not that it is important or anything, but I am also curious.
Source: https://stackoverflow.com/a/49523073/3630417
-
npm updateupdates modules but it inspects only the top level. There is a param that you can pass to the command:--depth. Sonpm update --depth 5will update modules up to 5 levels deep.
Source: https://stackoverflow.com/a/60725984/3630417
OR..
As I have just discovered after writing this post (facepalm..), you can click on the title of the dependabot GitHub alert and it will create an automatic PR that fixes the issue. This one seems much easier... but it doesn't always work for me.
Edit
Other useful npm commands related to dependencies
-
npm list {{type_package_name}}(Source)
Returns the tree where dependency sits, and its version. for instance:
`-- react-scripts@3.4.1
`-- webpack-dev-server@3.10.3
`-- selfsigned@1.10.7
`-- node-forge@0.9.0
Delete node_modules folder and package.lock.json
I have noticed that sometimes the above does not work. I have read here that you can delete the node_modules folder and the package.lock.json files. You then run npm install and the packages should be updated. Worked for me anyway.
Top comments (0)