
I'm trying to update one of the dependencies in package-lock.json due to a security vulnerability with that specific version. From my Googling, I understand that you would update the package that contains that dependency. I'm running into an issue because I've updated that package to the newest version but the vulnerable package has not been updated.

I'm attempting to update yargs-parser from 11.1.1 to the latest, which appears to be 18.1.3.

```
+-- cli-highlight@2.1.4
| -- yargs@15.3.1
|   -- yargs-parser@18.1.3

-- webpack-dev-server@3.10.3
  -- yargs@12.0.5
    -- yargs-parser@11.1.1
```

If webpack-dev-server is already at the newest version, how can I update its dependencies of yargs@12.0.5 and yargs-parser@11.1.1?

Andrew
  • Have you tried deleting the package-lock.json file, updating the package.json file, and then running npm install? This should install the proper versions as listed in the package.json file and create a new package-lock.json file containing the updated module references. – Schleichermann Apr 16 '20 at 22:58

1 Answer


In most cases, you have to delete the `package-lock.json` and `node_modules` folder before `npm i`. The newly created lock file will have the vulnerable package updated.

Raju
  • I tried deleting `package-lock.json` and the `node_modules` folder, but when I reinstalled everything I ended up with the same versions of the packages as before. – Andrew Apr 17 '20 at 16:26
  • Hi @Andrew, it looks the `yargs` maintainers have upgraded the package on their end as well. https://github.com/yargs/yargs/blob/master/package.json. It should be fixed now if you do npm i and push the latest lock file. – Raju Apr 22 '20 at 10:51
  • I set package versions to `latest` and then used `npm update`. – Pysis Jan 03 '23 at 19:37
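The question's underlying problem is finding which top-level package keeps pulling in the old `yargs-parser`. As an added example (not code from the question or the answer), the script below walks a v1 `package-lock.json` the way npm resolves nested `node_modules`, lists every path from a top-level package down to a target package, and keeps only the paths whose resolved version is older than the one you want; the `lock` object is constructed to mirror the tree in the question, with `requires` ranges assumed.

```javascript
// Added example (not from the question or answer): trace every path in a
// v1 package-lock.json from a top-level package down to a target package.
// The lock object is constructed to mirror the tree in the question.
const lock = {
  lockfileVersion: 1,
  dependencies: {
    "cli-highlight": { version: "2.1.4", requires: { yargs: "^15.0.0" },
      dependencies: { yargs: { version: "15.3.1",
        requires: { "yargs-parser": "^18.1.1" },
        dependencies: { "yargs-parser": { version: "18.1.3" } } } } },
    "webpack-dev-server": { version: "3.10.3", requires: { yargs: "12.0.5" },
      dependencies: { yargs: { version: "12.0.5",
        requires: { "yargs-parser": "^11.1.1" },
        dependencies: { "yargs-parser": { version: "11.1.1" } } } } },
  },
};
// Resolve `dep` as npm does: nearest node_modules first, then each
// enclosing one, up to the root node_modules (the lock's own "dependencies").
function resolve(dep, scope) {
  for (let i = scope.length - 1; i >= 0; i--) {
    const deps = scope[i].dependencies || {};
    if (deps[dep]) return deps[dep];
  }
  return null;
}
// Every path ["pkg@ver", ..., "target@ver"]; `scope` is also the ancestor chain, which stops cycles.
function findPaths(lock, target) {
  const paths = [];
  function visit(name, node, scope, path) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) paths.push(here);
    const inner = [...scope, node];
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, inner);
      if (child && !inner.includes(child)) visit(dep, child, inner, here);
    }
  }
  for (const [name, node] of Object.entries(lock.dependencies || {})) {
    visit(name, node, [lock], []);
  }
  return paths;
}
// Paths whose resolved target is older than `fixed` (plain x.y.z versions only).
function olderPaths(lock, target, fixed) {
  const nums = s => s.slice(s.lastIndexOf("@") + 1).split(".").map(Number);
  const older = (a, b) => {
    const i = a.findIndex((x, k) => x !== b[k]);
    return i >= 0 && a[i] < b[i];
  };
  return findPaths(lock, target).filter(p => older(nums(p[p.length - 1]), nums(fixed)));
}
for (const p of olderPaths(lock, "yargs-parser", "18.1.3")) console.log(p.join(" > "));
```

Run against a real lock file with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed object; each printed chain starts with the top-level package whose pin is what actually has to move.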