I recently discovered the npm audit feature and ran the command to find vulnerabilities in a project I'm working on. I came across a bunch of them (over 100).

npm suggests that running npm audit fix will fix all vulnerabilities except those which have breaking changes. I didn't encounter any such vulnerability in my code, and now it shows 0 vulnerabilities.

My question is: when I push the code to GitHub, will these vulnerabilities already be fixed for someone who clones/forks this repo?

For context, node_modules is ignored in my .gitignore file (which means it is not pushed to GitHub along with the code). Since node_modules is where these "vulnerability fixes" are applied, do they persist for everyone who then forks/clones this repo?

If so, how? Does it have something to do with package-lock.json?

If not, is there a way to make these changes persistent?

animesharma

2 Answers

Yes, it has to do with the package-lock.json; read more about package-locks here. According to the site, currently the package-lock represents a reproducible tree of your node_modules folder.

MrPooh

Yes, changes made by npm audit fix are persistent, but only if you commit your package-lock.json file to your git repository.

According to NPM, "this file is intended to be committed into source repositories."

If you commit your existing package-lock.json file to your repository and then run npm audit fix, you will see changes to your local package-lock.json file (assuming npm audit was able to fix any vulnerable packages). You can review these changes and then commit the package-lock.json file a second time to persist the changes.

srk