DEV Community

Cover image for How to update child npm modules to fix vulnerabilities
Pere Sola
Pere Sola

Posted on • Updated on

How to update child npm modules to fix vulnerabilities

Often you get messages from GitHub saying that one of the dependencies needs to be updated to fix a vulnerability. Every time I find myself Google-ing how to do that. I should Google no more, for I am writing this post... to remember!

  1. Often the alert is about modules that are dependencies, of dependencies, of dependencies of libraries you have installed. You can type npm ls {{type_package_name}} to find what's the parent module. Not that it is important or anything, but I am also curious.


  1. npm update updates modules but it inspects only the top level. There is a param that you can pass to the command: --depth. So npm update --depth 5 will update modules up to 5 levels deep.



As I have just discovered after writing this post (facepalm..), you can click on the title of the dependabot GitHub alert and it will create an automatic PR that fixes the issue. This one seems much easier... but it doesn't always work for me.


Other useful npm commands related to dependencies

  • npm list {{type_package_name}} (Source)

Returns the tree where dependency sits, and its version. for instance:

`-- react-scripts@3.4.1
  `-- webpack-dev-server@3.10.3
    `-- selfsigned@1.10.7
      `-- node-forge@0.9.0
Enter fullscreen mode Exit fullscreen mode

Delete node_modules folder and package.lock.json

I have noticed that sometimes the above does not work. I have read here that you can delete the node_modules folder and the package.lock.json files. You then run npm install and the packages should be updated. Worked for me anyway.

Top comments (0)