0

How do I sort out npm vulnerabilities dependent on another package? For example, I am getting the error below, where the package undici is dependent on the prismix package.

Things I have tried:

  1. Running npm audit fix
  2. Prismix is already updated to the latest version

Moderate        undici before v5.8.0 vulnerable to CRLF injection in request headers
Package         undici
Patched in      >=5.8.0
Dependency of   prismix
Path            prismix > @prisma/sdk > @prisma/engine-core > undici
More info       https://github.com/advisories/GHSA-3cvr-822r-rqcc
Teknoville

1 Answer

1

The authors of prismix may not have updated their dependencies yet.

You might need to wait for their dependencies to be updated, or you could try installing version 5.8.0 of undici nonetheless and cross your fingers that they are compatible.

To specify a version:

npm install undici@5.8.0
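
A top-level install does not necessarily replace the copy nested under `@prisma/engine-core`, so it is worth checking which undici versions the lockfile actually resolves. The following is an added example, not part of the answer above: it assumes a `package-lock.json` with `lockfileVersion` 2 or 3 (the `packages` map), the function names are hypothetical, and the sample lockfile data is constructed.

```javascript
// Compare plain x.y.z versions; prerelease tags are ignored (assumption).
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map and report every installed copy of
// `name`, flagging copies older than the patched version.
function auditLock(lock, name, patched) {
  const suffix = 'node_modules/' + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      vulnerable: cmpVersion(meta.version, patched) < 0,
    }));
}

// Constructed sample: a top-level undici 5.8.0 next to an older nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/undici': { version: '5.8.0' },
    'node_modules/@prisma/engine-core/node_modules/undici': { version: '5.0.0' },
    'node_modules/undici-types': { version: '5.26.5' }, // different package, must not match
  },
};

// For a real project: auditLock(require('./package-lock.json'), 'undici', '5.8.0')
for (const r of auditLock(sampleLock, 'undici', '5.8.0')) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok'}  ${r.version}  ${r.path}`);
}
```

If a nested copy is still flagged, npm 8.3 and later support an `overrides` field in `package.json` for pinning a transitive dependency; whether the parent packages work with the newer undici still has to be tested.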