Security Vulnerability of Dependencies for Node.js App
Tutorial on removing security vulnerabilities from Node.js apps.
1. Warning from GitHub
For some of the repositories on GitHub, we get the warning ‘We found a potential security vulnerability in one of your dependencies.’
2. Vulnerability Detection
Use ‘npm audit’ to scan your Node.js app and list its vulnerable dependencies. It requires npm version 6 or later, so upgrade npm first:
npm install npm@latest -g
Go to the root folder of the app and run ‘npm audit’. It lists the vulnerable dependencies.
npm audit
At the end, it prints a summary of the vulnerabilities by severity. In the example, there is one ‘high’ level vulnerability.
3. Removing Vulnerability
Run the following command to automatically install compatible (semver-compatible) updates for the vulnerable dependencies. In the example below, it fixed 9 of 15 vulnerabilities.
npm audit fix
Run ‘npm audit’ again: 6 vulnerable dependencies remain, but none of them is ‘high’ level anymore.
npm audit
If you want to fix more vulnerabilities, you may run the following commands or fix them manually. For example, to fix the vulnerability in the hoek package, just run ‘npm install hoek’ to install the latest version of hoek.
npm audit fix --force
npm upgrade
Push all the changes to GitHub and the warning should be gone.
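The severity summary that ‘npm audit’ prints is the natural thing to gate a build on. The script below is an added example, not part of the original tutorial: it reads the `metadata.vulnerabilities` block of ‘npm audit --json’ and reports how many findings sit at or above a chosen severity. The two JSON samples are constructed to mirror the numbers above (15 findings with one ‘high’ before ‘npm audit fix’, 6 with no ‘high’ after); `run_npm_audit` is the only part that talks to a real project.

```python
"""Gate a build on the severity summary that `npm audit --json` emits."""
import json
import subprocess
from typing import Dict

# Severity levels in the order npm reports them, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed samples of the `metadata.vulnerabilities` block from `npm audit --json`,
# mirroring the tutorial's numbers: 15 findings (one 'high') before `npm audit fix`,
# 6 findings and no 'high' afterwards. The rest of a real report is omitted.
AUDIT_BEFORE_FIX = json.dumps({"metadata": {"vulnerabilities": {
    "info": 0, "low": 9, "moderate": 5, "high": 1, "critical": 0}}})
AUDIT_AFTER_FIX = json.dumps({"metadata": {"vulnerabilities": {
    "info": 0, "low": 4, "moderate": 2, "high": 0, "critical": 0}}})


def severity_counts(audit_json: str) -> Dict[str, int]:
    """Extract the per-severity counts from an `npm audit --json` report."""
    report = json.loads(audit_json)
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    # Fill in any level npm omitted so callers can index every severity.
    return {level: int(counts.get(level, 0)) for level in SEVERITY_ORDER}


def failing_count(audit_json: str, threshold: str = "high") -> int:
    """Number of findings at or above `threshold` ('high' counts high + critical)."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {threshold!r}")
    counts = severity_counts(audit_json)
    start = SEVERITY_ORDER.index(threshold)
    return sum(counts[level] for level in SEVERITY_ORDER[start:])


def run_npm_audit(cwd: str = ".") -> str:
    """Run `npm audit --json` in the app root. npm exits non-zero whenever it
    finds anything, so the exit code is ignored and only stdout is parsed."""
    proc = subprocess.run(["npm", "audit", "--json"], cwd=cwd,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    import sys
    # `--live` audits the current directory; otherwise the constructed sample is used.
    report = run_npm_audit() if "--live" in sys.argv else AUDIT_BEFORE_FIX
    counts = severity_counts(report)
    print(" ".join(f"{level}={n}" for level, n in counts.items()))
    blocking = failing_count(report, "high")
    print(f"{blocking} finding(s) at high or above")
    sys.exit(1 if blocking else 0)
```

Newer npm releases also accept ‘npm audit --audit-level=high’, which makes npm itself exit non-zero only at that threshold; the script is for pipelines that want the per-severity counts in the log as well.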
4. Final Solution
# upgrade angular
npm install -g @angular/cli
ng update @angular/core
ng update @angular/cli --migrate-only --from=1.7.3
ng update
# upgrade react
npm install --save react@latest
# update packages
npm update
npm install