I've received for the first time a notification from GitHub about a potential security issue (label: high-severity) with some of my project's dependencies. Here's the sample message:

url-parse vulnerability found in package-lock.json

And this is the proposed solution:

Upgrade url-parse to version 1.4.3 or later. For example:

"dependencies": {
  "url-parse": ">=1.4.3"
}

or…

"devDependencies": {
  "url-parse": ">=1.4.3"
}

Now, what I did was to simply check for any outdated packages by running npm outdated -g --depth=0 in my terminal as per the official documentation and execute the npm -g update command (I also tried targeting the dependency itself with npm update url-parse). A few packages were successfully updated, but it didn't seem to find the package causing the issue. Am I supposed to update it manually by adding the suggested line of code: "url-parse": ">=1.4.3"?

And finally, how much should I be concerned with such alerts?

Thank you!

Bruno Mazza

2 Answers

You don't need to edit the lock file by hand, just run:

npm install --package-lock-only url-parse

It should install the latest version of the package and update only the lock file.

For an unknown reason it also updates package.json, so you need:

git checkout package.json
jcubic

According to [this](https://stackoverflow.com/questions/55599356/what-does-npm-i-package-lock-only-do) that command only modifies `package-lock.json` without installing. Other than that, it behaves the same as `npm i`. So the fact it modifies package.json is totally expected, and it does not really install anything. No idea why you mention `git checkout`, either. – jjmerelo Nov 30 '21 at 06:20

The easiest way to update it is probably to go into the package-lock.json file as you suggested and modify the old "version": "#.#.#" to be "version": ">=1.4.3" under the url-parse JSON object. I'd suggest COMMAND+Fing the dependency name (CONTROL+F for the Windows users) since the package-lock.json file can easily be thousands of lines long, and once you find your dependency, changing the version number to what GitHub deems to be safe from the vulnerability.

I just created a new repo and I got a very similar message for the ws dependency, and after updating the version in the package-lock.json file manually I received this message after refreshing the GitHub alerts page:

No open alerts on ws were found in package-lock.json.
Alerts may have been resolved and deleted by recent pushes to this repository.

For reference, here's what it looked like for me before I updated the ws dependency:

"ws": {
  "version": "1.1.5",
  "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.5.tgz",
  "integrity": "sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==",
  "dev": true,
  "requires": {
    "options": ">=0.0.5",
    "ultron": "1.0.x"
  }
}

and after:

"ws": {
  "version": ">=3.3.1",
  "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.5.tgz",
  "integrity": "sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==",
  "dev": true,
  "requires": {
    "options": ">=0.0.5",
    "ultron": "1.0.x"
  }
}

You've probably already figured this out by now, as I see you posted this question almost a year ago, but leaving this here to help anyone in the future who comes across a similar issue.

slow-but-steady

"leaving this here to help anyone in the future who comes across a similar issue." That's the spirit! – MEMark Feb 29 '20 at 06:57

Sorry if this is a silly question, but won't this just get overwritten next time someone runs `npm install`? – jamesmortensen Dec 14 '22 at 07:43
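An added check, not code from the question or either answer and not part of npm's own tooling: a Node script that reads a package-lock.json and lists every resolved copy of a package whose exact "version" is still below the advisory's fixed version, handling both the nested lockfileVersion 1 tree and the flat v2/v3 "packages" map. The sample lockfile and the socket.io-client dependant are constructed for the example.

```javascript
// Constructed sample lockfile (lockfileVersion 1 layout, modelled on the "ws"
// entry in the answer above); load a real one with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    ws: { version: '1.1.5', dev: true, requires: { ultron: '1.0.x' } },
    'socket.io-client': {                        // hypothetical dependant
      version: '2.0.0',
      requires: { ws: '3.3.1' },
      dependencies: { ws: { version: '3.3.1' } } // nested copy, already fixed
    }
  }
};
// Compare dotted numeric versions ("1.4.3" vs "1.4.10"); returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Every resolved copy of `name` with its install path. lockfileVersion 2/3 files
// carry a flat "packages" map keyed by path; v1 files nest a "dependencies" tree,
// where a nested entry is a second, shadowed copy that also needs checking.
function findResolved(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/' + name)) hits.push({ path: p, version: entry.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [n, entry] of Object.entries(deps || {})) {
      const p = prefix + 'node_modules/' + n;
      if (n === name) hits.push({ path: p, version: entry.version });
      walk(entry.dependencies, p + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}
// Copies still below the advisory's fixed version; an empty list means the alert is cleared.
function vulnerableCopies(lock, name, fixedIn) {
  return findResolved(lock, name).filter(h => compareVersions(h.version, fixedIn) < 0);
}
console.log(vulnerableCopies(SAMPLE_LOCK, 'ws', '3.3.1'));
```

Because the lockfile records exact versions, the check reports what would really be installed by `npm ci`, which is what the GitHub alert is scanning.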