9

My project depends on analytics-node which has a dependency on axios: "^0.16.2".

We have been flagged with npm audit that axios has a vulnerability in it, but it's fixed in 0.18.1.

However, analytics-node has no release candidate (only beta) which depends on 0.18.1 or higher.

We have tried:

  • npm audit fix,
  • npm update axios --depth 2,
  • npm install axios@0.18.1

The part I am most confused about is why npm doesn't allow us to override analytics-node's version of axios, given that the version should be compatible.

Dave
  • 131
  • 1
  • 6

3 Answers

4

npm-force-resolutions specifically fixes transitive dependency version resolutions for this exact reason.

It would be nicer if there was a supported way to do this with package-lock.json though.

Dave
  • 131
  • 1
  • 6
4

NPM 8 introduced "overrides", which allows you to override specific transitive dependencies of your direct dependency. For your use case, you would declare something like the following in your package.json.

{
  "overrides": {
    "analytics-node": {
      "axios": "0.18.1"
    }
  }
}

More details @ https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides

Sateesh
  • 735
  • 8
  • 10
0

To bump (i.e. update) a transitive dependency in a package-lock.json file, you can use the npm command line interface (CLI). To update a transitive dependency, you will first need to identify the package that you want to update. Then, you can use the following steps:

  1. Navigate to your project directory in the terminal and run the npm ls command to list all of the dependencies in your project, including transitive dependencies. This will show you the full dependency tree, with each package and its dependencies listed in a hierarchical structure.

  2. Find the package that you want to update in the dependency tree, and note the version number of the transitive dependency that you want to update.

  3. Run the npm install command, followed by the name and version of the package that you want to update, in the following format: npm install <package-name>@<version>. This will update the specified package to the specified version.

  4. Run the npm ls command again to verify that the transitive dependency has been updated. You should see the new version number for the package listed in the dependency tree.

If you want to save the updated dependency in your package-lock.json file, run the npm shrinkwrap or npm update command, depending on which version of npm you are using. This will update the package-lock.json file to reflect the updated transitive dependency.

Note: Bumping a transitive dependency in package-lock.json can potentially cause conflicts or other issues if the updated dependency is not compatible with your project's dependencies. It is recommended to carefully review the dependencies and their versions before updating any packages.
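The following is an added worked example and is not code from the question or from any of the answers above. It illustrates two things the answers touch on: the "overrides" approach from Sateesh's answer, and the "check the dependency tree afterwards" step from the last answer, done against the lockfile rather than by eyeballing npm ls. It also shows why npm will not pick axios 0.18.1 on its own for a dependent that declares "^0.16.2": npm's caret on a 0.x version only allows patch bumps, so ^0.16.2 means >=0.16.2 <0.17.0 and 0.18.1 falls outside it. The two lockfile fragments are constructed for the example (the analytics-node version 3.4.0 and the exact layout are assumptions, not taken from a real package-lock.json); the caret logic handles only caret ranges and throws on anything else.

```javascript
// Added example, not part of the original page. Dependency-free helpers to
// (a) evaluate npm caret ranges and (b) list every copy of a package recorded
// in a lockfile v2/v3 "packages" map, flagging copies below a fixed version.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics as npm applies them: ^1.2.3 allows <2.0.0, ^0.2.3 allows <0.3.0,
// ^0.0.3 allows <0.0.4. Only caret ranges are modelled; anything else throws.
function caretUpperBound(range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are modelled: ${range}`);
  const [major, minor, patch] = parseSemver(range.slice(1));
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfiesCaret(version, range) {
  const lower = range.slice(1);
  return compareSemver(version, lower) >= 0 &&
         compareSemver(version, caretUpperBound(range)) < 0;
}

// Walk the lockfile v2/v3 "packages" map and return every installed copy of
// `name` (hoisted or nested) with its path, version and whether it is below
// `fixedIn`. Scoped packages and names that merely end in `name` are not matched.
function findCopies(lock, name, fixedIn) {
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isCopy = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (!isCopy || !entry.version) continue;
    copies.push({
      path,
      version: entry.version,
      vulnerable: compareSemver(entry.version, fixedIn) < 0,
    });
  }
  return copies;
}

// Constructed lockfile fragments (assumed layout; analytics-node 3.4.0 is made up).
// Before the override: axios 0.16.2 is nested under analytics-node.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'analytics-node': '^3.4.0' } },
    'node_modules/analytics-node': { version: '3.4.0', dependencies: { axios: '^0.16.2' } },
    'node_modules/analytics-node/node_modules/axios': { version: '0.16.2' },
  },
};
// After adding "overrides": { "analytics-node": { "axios": "0.18.1" } } to
// package.json and re-running npm install: a single axios 0.18.1 is hoisted.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: { 'analytics-node': '^3.4.0' },
      overrides: { 'analytics-node': { axios: '0.18.1' } },
    },
    'node_modules/analytics-node': { version: '3.4.0', dependencies: { axios: '^0.16.2' } },
    'node_modules/axios': { version: '0.18.1' },
  },
};

console.log('does 0.18.1 satisfy ^0.16.2?', satisfiesCaret('0.18.1', '^0.16.2'));
console.log('before override:', findCopies(lockBefore, 'axios', '0.18.1'));
console.log('after override: ', findCopies(lockAfter, 'axios', '0.18.1'));
```

The same findCopies walk run over a real package-lock.json (JSON.parse of the file) is a quick way to confirm that an override actually removed every sub-0.18.1 copy, including nested ones that npm ls --depth can hide; note that it reads the "packages" map, which only exists in lockfile version 2 and later.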