How to update npm nested (vulnerable) dependency?

npm 8 introduced "overrides" to help work around this type of issue. You can now override specific transitive dependencies of your direct dependency to the version you need. In your case, you would declare something like the following to fix the vulnerable dependency.

{
  "overrides": {
    "your-direct-dependency": {
      "vulnerable-package": "fixed_version"
    }
  }
}

More details at https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
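As an added illustration of the overrides approach (example code, not part of the answer above or of npm itself), the Node script below adds a nested override to a package.json object and then checks a package-lock.json's "packages" map to confirm that no copy of the vulnerable version is still installed anywhere in the tree. The package names, versions and lockfile contents are constructed placeholders; the lockfile layout follows the lockfileVersion 2/3 format, where each installed copy is keyed by its node_modules path.

```javascript
// Added example (not from the original answers): programmatically add an npm
// "overrides" entry for a transitive dependency, then verify against a
// package-lock.json that no copy of the vulnerable version remains.
// Package names and versions below are constructed placeholders.

// Add overrides[directDep][vulnerablePkg] = fixedVersion to a package.json
// object, merging with any overrides that are already present.
function addNestedOverride(pkgJson, directDep, vulnerablePkg, fixedVersion) {
  const updated = JSON.parse(JSON.stringify(pkgJson)); // do not mutate input
  updated.overrides = updated.overrides || {};
  const scope = updated.overrides[directDep];
  // npm allows a bare string here meaning "override the direct dep itself";
  // npm's documented "." key keeps that meaning when we nest further entries.
  updated.overrides[directDep] =
    typeof scope === 'string' ? { '.': scope } : { ...(scope || {}) };
  updated.overrides[directDep][vulnerablePkg] = fixedVersion;
  return updated;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and return
// every install path of `name` whose version satisfies `isVulnerable`.
// Nested copies live at paths such as node_modules/a/node_modules/<name>.
function findVulnerableInstalls(lock, name, isVulnerable) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const segs = path.split('node_modules/');
    const installed = segs[segs.length - 1];
    if (installed === name && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Minimal "a < b" for MAJOR.MINOR.PATCH version strings (no prerelease tags).
function lessThan(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Constructed sample package.json and the result of adding the override.
const packageJsonBefore = {
  name: 'my-app',
  dependencies: { 'your-direct-dependency': '^2.0.0' },
};
const packageJsonAfter = addNestedOverride(
  packageJsonBefore, 'your-direct-dependency', 'vulnerable-package', '1.2.3');

// Constructed lockfile BEFORE the override: the direct dependency carries its
// own nested copy of the old version.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/your-direct-dependency': { version: '2.0.0' },
    'node_modules/your-direct-dependency/node_modules/vulnerable-package': { version: '1.0.9' },
  },
};
// Constructed lockfile AFTER `npm install` with the override: the fixed
// version is hoisted and the nested copy is gone.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/your-direct-dependency': { version: '2.0.0' },
    'node_modules/vulnerable-package': { version: '1.2.3' },
  },
};

const stillVulnerable = (v) => lessThan(v, '1.2.3');
function auditBefore() {
  return findVulnerableInstalls(lockBefore, 'vulnerable-package', stillVulnerable);
}
function auditAfter() {
  return findVulnerableInstalls(lockAfter, 'vulnerable-package', stillVulnerable);
}

console.log(JSON.stringify(packageJsonAfter.overrides));
console.log('before override:', auditBefore());
console.log('after override:', auditAfter());
```

The lockfile check is the part worth keeping around: an override only helps if the resolved tree actually changed, so after `npm install` re-run the walk over the real package-lock.json rather than trusting that the entry in package.json was enough.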


As explained here: https://stackoverflow.com/a/17423915, you can use npm shrinkwrap to explicitly tell npm to get the nested dependency version that you want.


You're correct - as the vulnerable package lies within one of your dependencies, like so:

Your Package -> Dependency -> Vulnerable package

You will be unable to update the dependency's dependency in a way that would survive a future npm install or yarn.

However, you could take the following approaches:

  • Bug the maintainer: Get them to update their dependencies and bump versions. This will fix the issue for you and your peers who are depending on this package.
  • Are there alternative packages? Maybe you can use a different package instead of the vulnerable one. This will involve some updates to your code, but might be the best approach in the long run, especially if the original maintainer is unresponsive.
  • Fix it yourself: Fork the repository and update the dependency in this copy. You can then refer to the package in your package.json.

See this answer for more information on installing directly from GitHub repos.

This approach will fix the problem short term, but it is not advised as you won't benefit from any bug fixes the maintainer makes, and besides, by the time you've done this the dependency might have been updated anyway!

Tags: node.js, npm