
As part of a security vulnerability fix, I need to update one of the transitive dependencies.

The vulnerability is in minimist package, which needs to be updated to 0.2.1.

minimist :: 0.0.8 >> Mypackage >> node:npm:artifactory/npm-dcloud:less:3.9.0 >> node:npm:artifactory/npm-dcloud:mkdirp:0.5.1

This is how the vulnerable package is reported in my system. So I need to tell less:3.9.0 that it should use a specific version of minimist when it is fetched through one of its dependencies, mkdirp.

As of now my package.json looks like:

"dependencies": {
   .......
   .......
    "less": "^3.0.4",

   .......
  }

I have two queries here:

  1. Why does package-lock.json have the less version as 3.9.0 when I have 3.0.4 in package.json? In npm list also, I see only 3.9.0.

  2. How can I inform npm to use minimist 0.2.1 instead of 0.0.8 as reported above?

npm ls minimist

├─┬ babel-cli@6.26.0
│ └─┬ chokidar@1.7.0
│   └─┬ fsevents@1.1.3
│     └─┬ node-pre-gyp@0.6.39
│       ├─┬ mkdirp@0.5.1
│       │ └── minimist@0.0.8 
│       └─┬ rc@1.2.1
│         └── minimist@1.2.0 
├─┬ babel-loader@7.1.5
│ └─┬ mkdirp@0.5.1
│   └── minimist@0.0.8 
├─┬ grunt@1.0.1
│ └─┬ dateformat@1.0.12
│   └─┬ meow@3.7.0
│     └── minimist@1.2.0 
├─┬ karma@1.5.0
│ └─┬ optimist@0.6.1
│   └── minimist@0.0.10 
├─┬ karma-mocha@1.3.0
│ └── minimist@1.2.0 
├── minimist@0.2.1 
├─┬ phantomjs-prebuilt@2.1.16
│ └─┬ extract-zip@1.6.6
│   └─┬ mkdirp@0.5.0
│     └── minimist@0.0.8 
├─┬ UNMET PEER DEPENDENCY webpack@3.12.0
│ └─┬ watchpack@1.6.0
│   └─┬ chokidar@2.0.4
│     └─┬ fsevents@1.2.4
│       └─┬ node-pre-gyp@0.10.0
│         ├─┬ mkdirp@0.5.1
│         │ └── minimist@0.0.8 
│         └─┬ rc@1.2.7
│           └── minimist@1.2.0 
└─┬ webpack-dev-server@2.9.7
  └─┬ internal-ip@1.2.0
    └─┬ meow@3.7.0
      └── minimist@1.2.0 

npm ERR! peer dep missing: webpack@^2.1.0-beta || ^2.2.0-rc || ^2.0.0, required by grunt-webpack@2.0.1
npm ERR! peer dep missing: webpack@^1.1.0 || ^2 || ^2.1.0-beta.0 || ^2.2.0-rc.0, required by karma-webpack@2.0.3

I have tried overrides as mentioned in

https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
as follows:
 "overrides": {
    "mkdirp": {
      "minimist": "0.2.1"
    }
  }

but the older minimist version is still coming.

user124
  • 1. Because `^3.0.4` doesn't mean _exactly_ 3.0.4, see e.g. https://semver.npmjs.com/. 2. As far as I can see `less@3.9.0` would use `minimist@1.2.6` (via `mkdirp@^0.5.0` -> `minimist@^1.2.6`), have you run e.g. `npm audit fix`, `npm update`, ...? Try `npm ls minimist` to see why it's being included. – jonrsharpe Apr 01 '22 at 14:58
  • As I saw, in less@3.9.0 there are both mkdirp 0.5.0 and 0.5.1 in my package-lock.json and both require "minimist": "0.0.8". Is there a simple way where I can tell in package-lock.json to use "minimist": "0.2.1" wherever required? – user124 Apr 01 '22 at 16:00
  • No, because `mkdirp@0.5.0` requires `minimist@0.0.8` exactly. – jonrsharpe Apr 01 '22 at 16:01
  • I tried override mentioned https://stackoverflow.com/questions/59096862/how-do-you-bump-a-transitive-dependency-in-package-lock-json. It also did not work. There must be some way to specify the transitive dependency we want to use? – user124 Apr 01 '22 at 16:05
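
The `npm ls minimist` output above is npm walking the nested tree recorded in package-lock.json. The following is an added example, not code from the question or from npm: a small Node script that does the same walk over a lockfileVersion 1 lock (the `"dependencies"` / `"requires"` layout shown on this page) and lists only the copies of a package that are still below the fixed version for their major line. The lock data inside it is a constructed subset that mirrors part of the question's tree; point the functions at `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to run it against a real project. Re-running it after `npm install` is the quickest way to see whether an override (npm 8.3 or newer) actually reached every old copy.

```javascript
// Added example (not npm's code, not from the question): walk a
// lockfileVersion 1 package-lock.json and list every nested copy of a package
// whose version is below the fixed version for its major line.

// Constructed sample lock mirroring part of the tree in the question. In
// lockfile v1 an entry's "dependencies" holds the packages nested under it in
// node_modules, and "requires" holds the ranges it asked for.
const SAMPLE_LOCK = {
  name: 'mypackage',
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: '0.2.1' },
    'babel-loader': {
      version: '7.1.5',
      requires: { mkdirp: '^0.5.1' },
      dependencies: {
        mkdirp: {
          version: '0.5.1',
          requires: { minimist: '0.0.8' },
          dependencies: { minimist: { version: '0.0.8' } },
        },
      },
    },
    'phantomjs-prebuilt': {
      version: '2.1.16',
      dependencies: {
        'extract-zip': {
          version: '1.6.6',
          dependencies: {
            mkdirp: {
              version: '0.5.0',
              requires: { minimist: '0.0.8' },
              dependencies: { minimist: { version: '0.0.8' } },
            },
          },
        },
      },
    },
    'karma-mocha': {
      version: '1.3.0',
      requires: { minimist: '1.2.0' },
      dependencies: { minimist: { version: '1.2.0' } },
    },
  },
};

// Numeric MAJOR.MINOR.PATCH comparison; true when a < b.
function versionLessThan(a, b) {
  const [x, y] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Collect every nested install of `name` as { path, version }: the same
// information `npm ls <name>` prints as a tree.
function findInstalls(node, name, path = [], out = []) {
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${depName}@${dep.version}`];
    if (depName === name) out.push({ path: here.join(' > '), version: dep.version });
    findInstalls(dep, name, here, out);
  }
  return out;
}

// `fixedByMajor` maps a major line to the first fixed version on that line,
// e.g. { 0: '0.2.1' } as reported in the question. Copies on majors not
// listed are not judged: a 1.x copy is neither fixed nor flagged by 0.2.1.
function findVulnerable(lock, name, fixedByMajor) {
  return findInstalls(lock, name).filter((entry) => {
    const fixed = fixedByMajor[entry.version.split('.')[0]];
    return fixed !== undefined && versionLessThan(entry.version, fixed);
  });
}

// Usage with the constructed lock; swap SAMPLE_LOCK for the parsed real file.
for (const hit of findVulnerable(SAMPLE_LOCK, 'minimist', { 0: '0.2.1' })) {
  console.log(`${hit.version}  ${hit.path}`);
}
```

With the sample data this prints the two `minimist@0.0.8` copies nested under `mkdirp@0.5.1` and `mkdirp@0.5.0`, and leaves the top-level `minimist@0.2.1` and the `1.2.0` copy under `karma-mocha` alone. That distinction matters when choosing the override shape: a top-level `"minimist": "0.2.1"` in `overrides` would replace every copy, including the 1.x ones that other packages asked for, whereas the nested `"mkdirp": { "minimist": "0.2.1" }` form from the question only touches copies directly under mkdirp.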

2 Answers

npm install module_name@version_number
npm install less@3.0.4
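
Pinning as in this answer keeps less at 3.0.4 only for as long as the lock entry is kept: by default `npm install less@3.0.4` still writes the caret range `^3.0.4` to package.json (use `--save-exact` to write `3.0.4`), so a regenerated lock floats back to the newest 3.x. The following added example, not npm's or node-semver's own code, implements just enough of the caret rule to show why `^3.0.4` resolves to 3.9.0, and why an exact pin such as mkdirp's `"minimist": "0.0.8"` is satisfied by that one version only, so the copy under mkdirp@0.5.1 changes only if mkdirp itself moves or an override replaces it. The list of published less versions inside it is constructed, not the registry's.

```javascript
// Added example: a minimal implementation of npm's caret (^) range rule.
// Not npm's or node-semver's code; real projects should use the `semver`
// package. Only plain MAJOR.MINOR.PATCH versions are handled here.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [a1, a2, a3] = parseVersion(a);
  const [b1, b2, b3] = parseVersion(b);
  return (a1 - b1) || (a2 - b2) || (a3 - b3);
}

// "^X.Y.Z" allows changes that do not modify the left-most non-zero digit:
//   ^3.0.4  => >=3.0.4 <4.0.0   (so 3.9.0 is a valid pick for "^3.0.4")
//   ^0.5.0  => >=0.5.0 <0.6.0
//   ^0.0.8  => >=0.0.8 <0.0.9   (effectively an exact pin)
function caretUpperBound(base) {
  const [maj, min, pat] = parseVersion(base);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

function satisfies(range, version) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return compareVersions(version, base) >= 0 &&
           compareVersions(version, caretUpperBound(base)) < 0;
  }
  // No operator means an exact pin, like mkdirp's "0.0.8": nothing else matches.
  return compareVersions(version, range) === 0;
}

// Pick the highest available version that satisfies a range, which is what
// npm does when there is no lockfile entry to honour.
function resolve(range, available) {
  const ok = available.filter((v) => satisfies(range, v));
  if (ok.length === 0) return null;
  return ok.sort(compareVersions)[ok.length - 1];
}

// Constructed sample of published less versions (not the real registry list).
const LESS_VERSIONS = ['3.0.4', '3.5.0', '3.9.0', '4.0.0', '4.1.3'];

console.log(resolve('^3.0.4', LESS_VERSIONS)); // 3.9.0
console.log(resolve('3.0.4', LESS_VERSIONS));  // 3.0.4
```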

Second query:

  1. rm -rf node_modules/

  2. rm package-lock.json

  3. In the package.json file it is possible to add the transitive dependency version.

    "resolutions": {
        "minimist": "0.2.1"
    },
    
  4. npm install

:)

  • It did not work. I still see it in my package-lock.json – user124 Apr 07 '22 at 06:09
  • Did not work. I still see the following in my package-lock.json: "minimist": { "version": "0.0.8", "resolved": "https://artifactory.xyz.com/artifactory/api/npm/npm-dcloud/minimist/-/minimist-0.0.8.tgz", "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=", "dev": true }, "mkdirp": { "version": "0.5.1", "resolved": "https://artifactory.xyz.com/artifactory/api/npm/npm-dcloud/mkdirp/-/mkdirp-0.5.1.tgz", "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=", "dev": true, "requires": { "minimist": "0.0.8" } }, – user124 Apr 07 '22 at 06:13
  • Hey, try deleting package-lock.json and running npm install – Lucas Ângelo O. M. Rocha Apr 08 '22 at 10:03