Update Transitive Dependencies in Npm
Let's say you are working on a project whose transitive dependencies have vulnerabilities. Updating the main library might not be enough. The use case is a security vulnerability in a nested dependency: you have to update that nested package, otherwise your project stays vulnerable.
Check the dependency tree
The npm ls command lists the dependency tree for a specific package in your Node.js project, showing every path through which it is pulled in.
npm ls packagename
Example output:
npm ls third-package-name
myproject@0.1.0 /Users/username/path/to/myproject
├─┬ package-name@3.12.0
│ └─┬ another-package-name@4.12.0
│   └── third-package-name@9.17.0
├─┬ ...
When you run security scans and audits with Snyk, Fossa or a similar tool, you may discover that, for example, third-package-name@9.17.0 has a vulnerability. Updating the library or package that depends on this transitive package is the best option, but if that is not possible you can pin it like this.
Use npm overrides
Since npm 8.3, npm has built-in support for overriding transitive dependencies through the overrides field in package.json. This is the native equivalent of yarn's selective dependency resolutions: no extra packages or preinstall scripts are needed.
Add an overrides key to package.json
"overrides": {
  "third-package-name": "^12.0.0"
}
Here, as an example, 12.0.0 is the updated version that doesn't have the vulnerabilities.
If you only want to override the version when it’s nested under a specific parent, you can scope it:
"overrides": {
  "package-name": {
    "third-package-name": "^12.0.0"
  }
}
Install and update the transitive dependency
Install again
npm i
Now, when you check the dependency tree again, you can see it has been fixed:
npm ls third-package-name
myproject@0.1.0 /Users/username/path/to/myproject
├─┬ package-name@3.12.0
│ └─┬ another-package-name@4.12.0
│   └── third-package-name@12.0.0
├─┬ ...