@urre Let’s say you are working with a project that has transitive dependencies that have vulnabilities. Updating the main library might not be enough. The use case for this is when there is a security vulnerability and you have to update a nested dependency otherwise your project would be vulnerable.
Check the dependency tree
The ls command is used to list the dependency tree of a specific package in your Node.js project.
npm ls packagename
Example output:
npm ls third-package-name
myproject@0.1.0 /Users/username/path/to/myproject
├─┬ package-name@3.12.0
│ └─┬ another-package-name@4.12.0
│ └── third-package-name@9.17.0
├─┬ ...
When you perform security scans and audits with Snyk or Fossa or a similar tool, you may discover that for example third-package-name@9.17.0 has a vulnability. Updating the library or package using this transitive package is the best, but if this is not possible your could pin it like this.
Install force-resolutions
This package modifies package-lock.json to force the installation of specific version of a transitive dependency (dependency of dependency), similar to yarn’s selective dependency resolutions, but without having to migrate to yarn.
npm i -D force-resolutions
Add a resolutions key to package.json
"resolutions": {
"third-package-name": "^12.0.0"
}
Where as an example 12.0.0 is the updated version that doesn’t have vulnabilities
Add an npm script to fix resolutions before your install command
"preinstall": "npx force-resolutions",
Install and update the transitive dependency
Install again
npm i
Now, when you check the dependency tree agin, you can see it has been fixed:
npm ls third-package-name
myproject@0.1.0 /Users/username/path/to/myproject
├─┬ package-name@3.12.0
│ └─┬ another-package-name@4.12.0
│ └── third-package-name@12.0.0
├─┬ ...
