Recently I happened to work in an Angular upgrade work and came across this message after doing the npm installations.
How to fix the issues
Obviously, it is not a good idea to provide a code with known security vulnerabilities. Hence, below are a few suggestions to fix the issues.
- Get a detailed report of the security vulnerabilities with npm audit
It will show in which package you have the issue, severity, and the path of package in dependency tree. Moreover, apart from that some of the vulnerabilities may show a command to resolve the issue as well.
- As we are more concerned about the security vulnerabilities in production dependencies, use npm audit –production command to check for prod dependencies directly. If there are no vulnerabilities, you are good to go.
- Else, to resolve the vulnerabilities automatically run npm audit fix command. As a result, it will execute a npm install command under the hood and will upgrade patch versions of the packages with issues.
In my case there are still some vulnerabilities to be fixed manually. As suggested npm audit –force will upgrade dependencies with issues to major version. Hence, this may cause breaking changes in the code. Therefore, it is not advisable to apply this command without taking a closer look.
- Try running npm update command. It will update all the package minor versions to the latest and may fix potential security issues.
- If you have a vulnerability that requires manual review, you will have to raise a request to the maintainers of the dependent package to get an update. For the below vulnerability, changes are expected in svg-baker package to refer to a postcss version higher than 7.0.36. Nevertheless, in the worst case, if the package is not maintained anymore, you will have to do the update yourself.
Want to solve complex technical issues and bring solutions?
Join IFS today: Careers | IFS