When hitting an issue with Node.js modules having security vulnerabilities, I follow the process below. Assume the problematic module is sharp version 0.22.1.
Updating the module
Check out the repository
npm ci
// That just makes sure we have everything installed locally, the same as in the pipeline where this is failing.
npm ls sharp
// We should now see how and where this problematic module is being used.
npm i sharp@0.28.2
// Now we install the fixed version at the top of our package.json tree. This also updates the references lower down the tree to our version, and updates our package-lock.json file.
npm ls sharp
// Let's verify that we have managed to update the module references correctly.
npm uninstall sharp
// If we don't use this module directly in our code (only through module dependencies), we can now remove it from package.json, but the version should stay updated in our tree.
Make sure we now commit this package-lock.json to the repository, and our CI pipeline should be sorted.