Proper way to fix potential security vulnerability in a dependency defined in package-lock.json

New: now, with npm@6 you can directly run

npm audit fix

Old answer:

You should try to identify the problematic package's name, and then run

npm install package-name

replacing package-name, obviously.

This will install the latest version of the package, and very often the latest version has fixed the security issue. If you have a constraint on the version (e.g. 1.2), you can always try:

npm install package-name@^1.2

and the latest patched version will be installed.


To resolve this:

Solution 1: First find the vulnerability. Using your terminal, cd into your project, then run "npm ls hoek".

And finally: npm install bcrypt@latest

Then push the updated project to git (i.e. perform a fresh commit).

Solution 2:

If the first option/solution does not resolve the issue, change the version manually in your package-lock.json. Change your version manually from 2.16.3 to 4.2.1:

"hoek": {
  "version": "4.2.1",
  "resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz",
  "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
  "dev": true
}

Then update your project on GitHub (commit/push). Just make sure every hoek version occurrence in your package-lock.json is changed to 4.2.1.

Alternatively, if you can figure out a way to change the hoek version/update hoek using npm, that will make things much simpler (something like: npm update @hoek..version), or uninstall the specific dependency, then reinstall it using bower or npm.


I was having the same issue with a lodash security vulnerability, in a project I was building with yarn. GitHub flagged these as security concerns.

I tried the answer from @rileymanda above, using a terminal: cd into project, then run npm ls lodash.

This uncovered that in my case, the error was in react-scripts. Quick Google for issues with react-scripts and lodash uncovered that this was a known issue.

I tried various things to fix via yarn - all with no success. npm ls lodash still showed the vulnerable version of lodash in use.

Having read Matt Turnbull's blog about improvements to npm, I switched from yarn back to npm. (Delete yarn.lock, delete ./node_modules. Run npm install). npm ls lodash now showed the latest dependency versions being used - hurrah! Committed to GitHub, and it was now happy that the vulnerability had gone.

It looks like yarn may be struggling to unpick such issues (or isn't intended to).

If you're getting this issue when building with yarn, then try switching [back] to npm!