DEV Community

Payam Mousavi
Payam Mousavi

Posted on

Resolve NPM security vulnerabilities

If you have seen your CI pipeline builds failed due to security vulnerabilities in some NPM packages, you have probably tried npm audit fix and boom! No sign of those found N high severity vulnerabilities in scanned packages messages!

In some cases, that command won’t solve your issue; sometimes the issue is caused by a transitive dependency (sub-dependency) and you can’t or don’t want to wait for a version patch for the package.

For instance, consider the following security vulnerability (https://www.npmjs.com/advisories/1213):

NPM Audit issue

It says, the dot-prop package has a security issue which needs to get fixed, and serverless-apigateway-service-proxy and serverless depend on it. But if you run npm audit fix you’ll probably see a similar message:

fixed 0 of N vulnerabilities in X scanned packages
  N vulnerabilities required manual review and could not be updated
Enter fullscreen mode Exit fullscreen mode

You have some options here! One option is to ignore that specific vulnerability in your CI pipeline using another NPM package like audit-ci which is basically something like this:

npx audit-ci --allowlist 1213
Enter fullscreen mode Exit fullscreen mode

That is a good way of skip security issues temporarily, however, this approach is not always recommended as your project may still be vulnerable even if it is a dev package.

The second option is to force a specific unaffected version of that package. This means we need to change our packahe.json and add the following:

{
  "name": "project-x",
  ...  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  ...   "resolutions": {
    "dot-prop": "5.1.1"
  }
}
Enter fullscreen mode Exit fullscreen mode

This will override the affected versions with the specified version. Again, this is not always recommended and should be used carefully and only if you have no other option! Normally, we need to wait for a version patch from the package maintainers to fix a vulnerability.

That’s it! Happy coding!

Discussion (2)

Collapse
pamit profile image
Payam Mousavi Author

I'm always cautious with using --force with any command! npm audit is no exception for me so I prefer to see what's going wrong and fix it step by step.