Resolve NPM security vulnerabilities

Payam Mousavi
2 min readJul 30, 2020

--

If you have seen your CI pipeline builds failed due to security vulnerabilities in some NPM packages, you have probably tried npm audit fix and boom! No sign of those found N high severity vulnerabilities in scanned packages messages!

In some cases, that command won’t solve your issue; sometimes the issue is caused by a transitive dependency (sub-dependency) and you can’t or don’t want to wait for a version patch for the package.

For instance, consider the following security vulnerability (https://www.npmjs.com/advisories/1213):

It says, the dot-prop package has a security issue which needs to get fixed, and serverless-apigateway-service-proxy and serverless depend on it. But if you run npm audit fix you’ll probably see a similar message:

fixed 0 of N vulnerabilities in X scanned packages
N vulnerabilities required manual review and could not be updated

You have some options here! One option is to ignore that specific vulnerability in your CI pipeline using another NPM package like audit-ci which is basically something like this:

npx audit-ci --allowlist 1213

As per Quinn Turner’s comment, we can use a configuration file to allow specific package paths:

"allowlist": [
"1213|example3",
"1213|example4",
"1213|example5>example4"
],
...

The second option is to force a specific unaffected version of that package. This means we need to change our packahe.json and add the following:

{
"name": "project-x",
...
"scripts": {
"preinstall": "npx npm-force-resolutions"
},
...
"resolutions": {
"dot-prop": "5.1.1"
}
}

This will override the affected versions with the specified version. Again, this is not always recommended and should be used carefully and only if you have no other option! Normally, we need to wait for a version patch from the package maintainers to fix a vulnerability.

That’s it! Happy coding!

--

--