Sorry for my overall dumbness and weak understanding of how npm works.
I'm now working on an Angular 6 project, and GitHub says that the hoek package has vulnerabilities.
Running npm ls hoek, I get this dependency tree:
+-- @angular-devkit/build-angular@0.6.8
| `-- node-sass@4.9.0
|   +-- node-gyp@3.7.0
|   | `-- request@2.81.0
|   |   `-- hawk@3.1.3
|   |     +-- boom@2.10.1
|   |     | `-- hoek@2.16.3 deduped
|   |     +-- hoek@2.16.3
|   |     `-- sntp@1.0.9
|   |       `-- hoek@2.16.3 deduped
|   `-- request@2.79.0
|     `-- hawk@3.1.3
|       +-- boom@2.10.1
|       | `-- hoek@2.16.3 deduped
|       +-- hoek@2.16.3
|       `-- sntp@1.0.9
|         `-- hoek@2.16.3 deduped
+-- karma@2.0.4
| `-- log4js@2.9.0
|   `-- loggly@1.1.1
|     `-- request@2.75.0
|       `-- hawk@3.1.3
|         +-- boom@2.10.1
|         | `-- hoek@2.16.3 deduped
|         +-- hoek@2.16.3
|         `-- sntp@1.0.9
|           `-- hoek@2.16.3 deduped
No matter what I do, npm install recreates this dependency tree. As far as I understand, these dependencies are picked up automatically, and to resolve the problem all packages in this tree should update their dependencies, starting from the bottom: first, new versions of boom and sntp should start using a new version of hoek, then a new version of hawk should use the new versions of boom and sntp, and so on.
But as far as I've seen on GitHub, some packages in the chain are not yet updated.
So, my question is: how can I fix this problem in this project for now? Can I manually change dependency versions in package-lock.json (humbly hoping that later versions of the lower packages will be compatible with old versions of the higher ones)?
Will it resolve my problem in such a way that hoek 2.16.3 disappears from the project?
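Added example (not the asker's code and not part of npm): a small Node script that walks a lockfileVersion 1 package-lock.json (the format npm 5/6 wrote for Angular 6 era projects), lists every installed copy of hoek with the nesting path npm ls would show, and names the packages whose "requires" ranges pin it, so that after a hand edit of the lockfile you can check what actually resolves. The SAMPLE_LOCK object, the top-level hoek@4.2.1 entry and the MIN_OK threshold are constructed placeholders, not values taken from the question.

```javascript
// Constructed subset of a lockfile v1 mirroring the request > hawk > hoek branch
// from the question. hoek@4.2.1 at top level is hypothetical, added only so the
// "outdated" flag has something to flip on. Read a real file instead with:
//   const lock = JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"));
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: "4.2.1" },
    request: {
      version: "2.81.0",
      requires: { hawk: "~3.1.3" },
      dependencies: {
        hawk: {
          version: "3.1.3",
          requires: { boom: "2.x.x", hoek: "2.x.x", sntp: "1.x.x" },
          dependencies: {
            boom: { version: "2.10.1", requires: { hoek: "2.x.x" } },
            hoek: { version: "2.16.3" },
            sntp: { version: "1.0.9", requires: { hoek: "2.x.x" } },
          },
        },
      },
    },
  },
};
const MIN_OK = "4.2.1"; // placeholder threshold, not a real advisory cut-off

// Compare plain "major.minor.patch" strings; returns true when a < b.
// Assumes no prerelease tags (lockfile versions are normally exact).
function semverLess(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Walk the nested "dependencies" tree. copies = every installed copy of `name`;
// requirers = every package whose "requires" names it, with the copy npm would
// resolve it to (nearest enclosing "dependencies" map, innermost first).
function auditLock(lock, name, minOk) {
  const copies = [], requirers = [];
  const walk = (deps, path, scopes) => {
    for (const [pkg, meta] of Object.entries(deps)) {
      const here = [...path, `${pkg}@${meta.version}`];
      if (pkg === name) copies.push({ path: here.join(" > "), version: meta.version,
                                      outdated: semverLess(meta.version, minOk) });
      const inner = meta.dependencies ? [meta.dependencies, ...scopes] : scopes;
      const range = meta.requires && meta.requires[name];
      if (range) {
        const scope = inner.find((s) => s[name]); // nearest map that holds `name`
        requirers.push({ pkg: here[here.length - 1], range,
                         resolves: scope ? scope[name].version : null });
      }
      if (meta.dependencies) walk(meta.dependencies, here, inner);
    }
  };
  walk(lock.dependencies, [], [lock.dependencies]);
  return { copies, requirers };
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK, "hoek", MIN_OK), null, 2));
```

The "requirers" list is the part to watch: editing the hoek version under hawk only helps if boom, sntp and hawk all still resolve to that edited copy and their ranges (here 2.x.x) would accept it.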