
When I run

npm audit

It tells me I have a critical vulnerability in lodash. When I run

npm ls lodash

I have 47 instances of lodash being deduped.

How can I tell which of my dependencies are holding on to the vulnerable version?

linuxdan

1 Answer


If you temporarily add the vulnerable package at the patched version:

"lodash": ">=4.17.21",

to your package.json and then run npm update <VULNERABLE_PACKAGE> for the vulnerable package, npm will update all the child dependencies it can.

You can then run npm outdated --depth=5 <VULNERABLE_PACKAGE> and it will show which dependencies are forcing an earlier version.

linuxdan