Closed
Description
Imagine that in my package-lock I have a transitive dependency at v1 which has a vulnerability fixed in v3. If I go to the package-lock and change the version of the dependency to v2, which still has the vulnerability, npm audit will not raise a warning about it.
I faced that in one of my projects and managed to isolate it to the following steps:
1. Create an empty project
2. Install `node-sass@4.14.1`
3. `npm audit` shows a warning about `trim-newlines@1.0.0`. The problem within the package is fixed in versions 3.0.1 and 4.0.1
4. Now we want to resolve it to version 2 with npm-force-resolutions https://github.com/rogeriochaves/npm-force-resolutions
   4.1. Install the package
   4.2. Add `"resolutions": {"trim-newlines": "^2.0.0"}` to your package.json
   4.3. Run `./node_modules/.bin/npm-force-resolutions`
   4.4. (seems it doesn't affect it - we can run `npm ci`)
5. Now run `npm audit` again and it finds 0 vulnerabilities, despite both node_modules and package-lock containing the vulnerable version
```sh
npm init --yes
npm i node-sass@4.14.1 npm-force-resolutions
# see the warning about vulnerabilities
# add "resolutions": {"trim-newlines": "^2.0.0"} to your package.json
./node_modules/.bin/npm-force-resolutions
npm ci
npm audit
# see no warning here
```
I did it with npm@6.14.9 and a similar thing happened with npm@7.20.3.
I don't really understand whether it is a problem with npm-force-resolutions or with npm itself. I also opened a ticket there: rogeriochaves/npm-force-resolutions#40
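The practical takeaway from the report above is that `npm audit` stopped flagging a transitive version that was still vulnerable, so a CI check should not rely on it alone. The script below is an added example, not code from the issue author, from npm, or from npm-force-resolutions: it reads `package-lock.json` directly and lists every installed copy of a package whose version is below the fixed releases named in the issue (3.0.1 and 4.0.1 for `trim-newlines`). It handles both the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2/3. The "which versions count as fixed" rule is an assumption of this example (a major line with a fix is safe from that fix onward, older lines never got one, newer lines carry it forward), the sample lockfiles are constructed for the demo, and `check-lock.js` is a hypothetical file name.

```javascript
// Added example (not from the issue, npm, or npm-force-resolutions): check a
// package-lock.json for copies of a package below the fixed releases, without
// relying on `npm audit`. Fixed versions for trim-newlines are from the issue.
const TRIM_NEWLINES_FIXED = ['3.0.1', '4.0.1'];

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease/build suffixes ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmpVersion(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Assumption: a major line that got a fix is safe from that fix onward; lines
// older than the oldest fixed major never got a patch; newer lines carry it.
function isVulnerable(version, fixedVersions) {
  const major = parseVersion(version)[0];
  const fixedMajors = fixedVersions.map((f) => parseVersion(f)[0]);
  const fixesOnLine = fixedVersions.filter((f) => parseVersion(f)[0] === major);
  if (fixesOnLine.length > 0) return fixesOnLine.every((f) => cmpVersion(version, f) < 0);
  return major < Math.min(...fixedMajors);
}

// Every installed copy of `name`: flat "packages" map (lockfileVersion 2/3)
// or nested "dependencies" tree (lockfileVersion 1).
function collectInstalls(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) found.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

function auditLock(lock, name, fixedVersions) {
  return collectInstalls(lock, name).map((i) => ({
    ...i,
    vulnerable: isVulnerable(i.version, fixedVersions),
  }));
}

// Constructed lockfileVersion 1 sample: trim-newlines pinned to 2.0.0 deep in
// node-sass's tree (as after the forced resolution) plus a fixed 3.0.1 at top.
const SAMPLE_LOCK_V1 = {
  name: 'repro',
  lockfileVersion: 1,
  dependencies: {
    'node-sass': {
      version: '4.14.1',
      dependencies: {
        meow: { version: '3.7.0', dependencies: { 'trim-newlines': { version: '2.0.0' } } },
      },
    },
    'trim-newlines': { version: '3.0.1' },
  },
};

// The same constructed tree in the lockfileVersion 2/3 "packages" layout.
const SAMPLE_LOCK_V2 = {
  name: 'repro',
  lockfileVersion: 2,
  packages: {
    '': { name: 'repro' },
    'node_modules/node-sass': { version: '4.14.1' },
    'node_modules/node-sass/node_modules/meow': { version: '3.7.0' },
    'node_modules/node-sass/node_modules/meow/node_modules/trim-newlines': { version: '2.0.0' },
    'node_modules/trim-newlines': { version: '3.0.1' },
  },
};

// CLI: `node check-lock.js [path/to/package-lock.json]` (hypothetical file
// name); without a path the constructed sample is checked.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK_V1;
  for (const r of auditLock(lock, 'trim-newlines', TRIM_NEWLINES_FIXED)) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok'}\t${r.version}\t${r.path}`);
  }
}
```

Run against the repro's lockfile after the forced resolution and the nested `trim-newlines@2.0.0` copy is reported as vulnerable even though `npm audit` reports 0 vulnerabilities; a non-zero exit on any vulnerable entry makes this usable as a CI gate.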