
Fix a transitive npm dependency vulnerability

Vasily Malykhin ・ 2 min read

Thanks to the community, npm reports from time to time about vulnerabilities found among the installed dependencies. Our team works on a SPA based on React, webpack, Storybook, Babel, and so on, a pretty basic setup nowadays. We strive to keep the number of vulnerabilities as small as possible, but sometimes they are not that easy to fix.

A transitive dependency (in other words, an indirect one) might be located very deep in the tree. For example, on March 6th, 2020 a vulnerability was found in the kind-of package. All of a sudden, we ended up with more than 38,000 low-severity vulnerabilities reported by npm audit.


We didn't have it in our package.json file, but obviously it was used by a ton of packages deep in the tree. For example, take a look at this path to kind-of:

jest>jest-cli>@jest/core>@jest/reporters>jest-runtime>jest-config>@jest/test-sequencer>jest-runner>jest-jasmine2>@jest/environment>@jest/transform>jest-haste-map>jest-util>@jest/fake-timers>jest-message-util>micromatch>nanomatch>kind-of

The standard recommendation given by the npm audit is to run

npm update package-name --depth=N

To be honest, I haven't seen it working yet. Sometimes this command does nothing, sometimes it does "so much" that it hangs forever.

So, the only way to fix it for us was to do it manually. Exploring package-lock.json, we noticed that a vulnerable version (6.0.2) was installed multiple times by different packages. In order to get rid of the vulnerabilities, we had to update all occurrences of kind-of:

  1. npm install -D kind-of@6.0.2 - install 6.0.2 to remove duplicates on the next step
  2. npm dedupe - remove duplicates of 6.0.2
  3. npm update kind-of - fix vulnerability upgrading to 6.0.3
  4. npm uninstall kind-of - remove the direct dependency

After these manipulations, we saw a much better picture.

In this case, it was rather simple to identify the duplicates and work out how to dedupe the dependencies. In more complex cases, we find discovery.js very useful for exploring the dependency tree. See it in action here.

P.S.
Don't pay attention to the rest of the vulnerabilities. We are already working on them ;)
