DEV Community

Vasily Malykhin

Fix a transitive npm dependency vulnerability

Thanks to the community, npm reports from time to time on vulnerabilities found among the installed dependencies. Our team works on a SPA based on react, webpack, storybook, babel, and so on, a pretty basic setup nowadays. We strive to keep the number of vulnerabilities as small as possible, but sometimes they are not that easy to fix.

A transitive dependency, in other words an indirect one, may sit very deep in the tree. For example, on March 6th, 2020 a vulnerability in the kind-of package was reported. All of a sudden, we ended up with more than 38000 low-severity vulnerabilities reported by npm audit.

We didn't have it in our package.json file, but obviously it was used by a ton of packages deep in the tree. For example, take a look at this path to kind-of:

jest>jest-cli>@jest/core>@jest/reporters>jest-runtime>jest-config>@jest/test-sequencer>jest-runner>jest-jasmine2>@jest/environment>@jest/transform>jest-haste-map>jest-util>@jest/fake-timers>jest-message-util>micromatch>nanomatch>kind-of

The standard recommendation given by the npm audit is to run

npm update package-name --depth=N

To be honest, I haven't seen it working yet. Sometimes this command does nothing, sometimes it does "so much" that it hangs forever.

So, the only way to fix it for us was to do it manually. Exploring package-lock.json, we noticed that a vulnerable version (6.0.2) was installed multiple times by different packages. In order to get rid of the vulnerabilities, we had to update all occurrences of kind-of:

  1. npm install -D kind-of@6.0.2 - install 6.0.2 to remove duplicates on the next step
  2. npm dedupe - remove duplicates of 6.0.2
  3. npm update kind-of - fix vulnerability upgrading to 6.0.3
  4. npm uninstall kind-of - remove the direct dependency

After these manipulations, we saw a much better picture.

In that case, it was rather simple to identify the duplicates and work out how to dedupe them. But in more complex cases we find discovery.js very useful. See it in action here.

P.S.
Don't pay attention to the rest of the vulnerabilities. We are already working on them ;)