
How to exclude dependencies or modules which are available in package-lock.json in build.gradle to get rid of vulnerabilities

Here is some insight into the problem: when we run npm install on a Node.js project, package-lock.json is generated, and all the dependencies such as lodash, uglify-js etc. are added to package-lock.json even though we have not declared lodash or uglify-js in package.json.

While we are doing a WhiteSource scan or CVE remediation for the above project, we are getting vulnerabilities for lodash and uglify-js even though we have not used them in the Node.js code nor in package.json.

How can we exclude particular dependencies from package-lock.json?

Talluri Vamsi

2 Answers

... all the dependencies such as lodash, uglify-js etc. are added to package-lock.json even though we have not declared lodash or uglify-js in package.json.

One of the modules you use in your project uses lodash, uglify-js etc. in its source (as dependencies when building the module). That's why they are available in package-lock.json.

You can use npm's ls command to see which packages are using which dependencies:

npm ls lodash

You can read more in the npm Docs.

Bishan
  • The output I get:

    └─┬ cypress@6.0.0
      │ Cypress.io end to end testing tool
      │ git+https://github.com/cypress-io/cypress.git
      │ https://github.com/cypress-io/cypress
      └── lodash@4.17.20
          Lodash modular utilities.
          git+https://github.com/lodash/lodash.git
          https://lodash.com/

    – Talluri Vamsi Nov 27 '20 at 13:37
  • Even though lodash has the latest version, when I run the WhiteSource scan it still shows it as a vulnerability (to get rid of the vulnerability it has to be the latest version). – Talluri Vamsi Nov 27 '20 at 13:39
  • The main thing is that my parent package uses a child package, and the child package needs to be updated to the latest version, but the parent package is still the old one. How can I solve this? – Talluri Vamsi Nov 27 '20 at 13:40
  • If the parent package uses the old version, you have to wait until the developers release an update with the latest dependency versions, because they might need to make code changes to the package according to the changes in the dependencies (method deprecations, parameter type changes etc.). – Bishan Nov 29 '20 at 04:21
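The answer above relies on npm ls to find which declared package drags in a transitive dependency. The script below does the same lookup offline, straight from package-lock.json, which is handy when a scanner flags a package and you need to attribute it to a root dependency without an installed node_modules tree. It is an added example, not code from the original post or from npm; it assumes a lockfile with lockfileVersion 2 or 3 (the "packages" map), and the embedded lockfile is constructed for illustration (some-build-tool and the express/qs entries are hypothetical; cypress and lodash mirror the versions shown in the comments).

```javascript
// Added example (not from the original post or npm). Traces every installed
// copy of a package in package-lock.json back to the top-level dependency
// that pulls it in, i.e. an offline "npm ls <pkg>" over the lockfile.
// Assumes lockfileVersion 2 or 3 (the "packages" map keyed by node_modules
// path). The lockfile below is CONSTRUCTED sample data: "some-build-tool",
// express and qs are hypothetical; cypress/lodash match the thread's output.

const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { express: "^4.17.1", "some-build-tool": "^1.0.0" },
      devDependencies: { cypress: "^6.0.0" },
    },
    "node_modules/express": { version: "4.17.1", dependencies: { qs: "6.7.0" } },
    "node_modules/qs": { version: "6.7.0" },
    "node_modules/cypress": {
      version: "6.0.0",
      dev: true,
      dependencies: { lodash: "^4.17.19", "uglify-js": "^3.4.9" },
    },
    "node_modules/lodash": { version: "4.17.20", dev: true },
    "node_modules/uglify-js": { version: "3.12.0", dev: true },
    // A nested, older copy that hoisting could not dedupe against the root
    // lodash: this is the case a scanner flags while "npm ls" looks fine.
    "node_modules/some-build-tool": { version: "1.0.0", dependencies: { lodash: "~4.17.15" } },
    "node_modules/some-build-tool/node_modules/lodash": { version: "4.17.15" },
  },
});

// "node_modules/a/node_modules/b" -> "b" (also handles scoped "@org/b")
function nameOf(path) {
  const i = path.lastIndexOf("node_modules/");
  return path.slice(i + "node_modules/".length);
}

// Mimic Node's resolution: the nearest node_modules/<dep> at or above fromPath.
function resolve(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (candidate in packages) return candidate;
    if (!base) return null; // reached the project root without a match
    // Step up one nesting level by dropping the trailing "node_modules/<x>".
    base = base.slice(0, base.lastIndexOf("node_modules/")).replace(/\/$/, "");
  }
}

// Sorted chains such as "cypress@6.0.0 > lodash@4.17.20", one per path from a
// declared (root) dependency to an installed copy of `target`.
function whoPulls(lockJson, target) {
  const packages = JSON.parse(lockJson).packages;
  const root = packages[""] || {};
  const roots = [
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
    ...Object.keys(root.optionalDependencies || {}),
  ];
  const chains = new Set();

  function walk(path, chain, onStack) {
    const meta = packages[path];
    const next = [...chain, `${nameOf(path)}@${meta.version || "?"}`];
    if (nameOf(path) === target) {
      chains.add(next.join(" > "));
      return;
    }
    if (onStack.has(path)) return; // cycle guard (npm trees can be cyclic)
    const stack = new Set(onStack).add(path);
    const deps = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      const resolved = resolve(packages, path, dep);
      if (resolved !== null) walk(resolved, next, stack);
    }
  }

  for (const name of roots) {
    const resolved = resolve(packages, "", name);
    if (resolved !== null) walk(resolved, [], new Set());
  }
  return [...chains].sort();
}

// Every installed copy of `target`, keyed by its node_modules path, so a
// nested old version is not hidden behind a hoisted newer one.
function installedVersions(lockJson, target) {
  const packages = JSON.parse(lockJson).packages;
  const out = {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path && nameOf(path) === target) out[path] = meta.version || "?";
  }
  return out;
}

// Usage: node trace-lock.js lodash [path/to/package-lock.json]
if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2] || "lodash";
  const lockJson = process.argv[3]
    ? require("fs").readFileSync(process.argv[3], "utf8")
    : SAMPLE_LOCK;
  console.log(installedVersions(lockJson, target));
  for (const chain of whoPulls(lockJson, target)) console.log(chain);
}
```

The point of listing every installed copy separately is the situation in the comments: npm ls can show the hoisted lodash at the latest version while a scanner still reports the package, because a second, older copy is nested under another dependency's own node_modules. The chain output tells you which declared dependency (and therefore which upstream maintainer) owns that copy.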

To exclude any of the vulnerable dependencies, try adding those dependencies to "exclusions". Then run "npx npm-dependency-exclusion". Example below:

"exclusions": {
    "postcss": "any"
}
Jathin