Tags: npm, lodash, nightmare, npm-audit

npm audit fix not fixing low vulnerability


I am using nightmare for testing. After running npm audit I get a warning about lodash prototype pollution. I tried to fix this by running npm audit fix, but with no result. After that I tried using --force, but I still get:

fixed 0 of 1 vulnerability in 2108 scanned packages
  1 vulnerability required manual review and could not be updated

Any ideas how can I fix it?

Here is a screenshot: [image not reproduced]


Solution

  • npm dependencies do not automatically get upgraded to a higher major version. So if package A depends on package B with a version specification such as:

    // A/package.json
    {
      "dependencies": {
        "B": "^2.1.3"
      }
    }
    

    Then npm will keep B up to date for any version 2.x.y where x >= 1 and (y >= 3 if x == 1 or y >= 0 if x > 1).

    However, if the security fix happened in B version 3.v.w, then the security issue is going to remain in your npm repository.

    The problem here is that to be able to use version 3.v.w you may have to update A because it is likely that there are breaking changes between 2 and 3 (i.e. a function name changed or support for a certain property was removed.)

    Here is an example of breaking changes in the react-idle-timer module:

    Migration from v3 to v4

    There are a few breaking changes in version 4:

    • Although still capable of rendering children, as of version 4 we don't pass children to IdleTimer. Unless you are really good with shouldComponentUpdate you should avoid using IdleTimer as a wrapper component.
    • The property startOnLoad has been renamed to startOnMount in order to make more sense in a React context.
    • The property activeAction has been renamed to onActive.
    • The property idleAction has been renamed to onIdle.
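The answer above explains the caret-range rule in words. The following is an added example, not code from the question, the answer, or npm itself: a minimal re-implementation of npm's caret (`^`) range semantics, written without the real `semver` package so it runs stand-alone, used to show mechanically why an advisory whose fix lives in the next major version of B is reported as "required manual review" rather than being fixed. The versions and the function names (`satisfiesCaret`, `auditFixOutcome`) are constructed for illustration; only plain `x.y.z` versions and `^x.y.z` ranges are handled.

```javascript
// Added example (not part of the original question or answer).
// Minimal caret-range semantics, enough to show why `npm audit fix`
// cannot reach a fix published only in the next major version.
// Only plain x.y.z versions and ^x.y.z ranges are supported.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Negative, zero or positive, like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Caret semantics as npm applies them:
//   ^2.1.3 means >=2.1.3 <3.0.0
//   ^0.2.3 means >=0.2.3 <0.3.0
//   ^0.0.3 means >=0.0.3 <0.0.4
function caretUpperBound(base) {
  const { major, minor, patch } = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges supported: ${range}`);
  const base = range.slice(1);
  const lowOk = compareVersions(version, base) >= 0;
  const highOk = compareVersions(version, caretUpperBound(base)) < 0;
  return lowOk && highOk;
}

// Given the range that A declares for B and the versions of B that carry
// the security fix, report whether `npm audit fix` can resolve the advisory
// without a breaking (major) upgrade of B. If it cannot, the dependant A
// itself has to be updated (or replaced), which is the "manual review" case.
function auditFixOutcome(range, fixedVersions) {
  const reachable = fixedVersions.filter((v) => satisfiesCaret(range, v));
  if (reachable.length > 0) {
    // Highest fixed version still inside the declared range.
    return { fixable: true, target: reachable.sort(compareVersions).pop() };
  }
  return {
    fixable: false,
    target: null,
    reason: 'fix exists only outside the declared range; the dependant package must be updated',
  };
}

// Constructed sample data: A depends on B with "^2.1.3"; the fix landed in 3.0.1.
console.log(satisfiesCaret('^2.1.3', '2.9.0')); // inside the range
console.log(satisfiesCaret('^2.1.3', '3.0.1')); // outside: major bump
console.log(auditFixOutcome('^2.1.3', ['3.0.1', '3.1.0'])); // not fixable
console.log(auditFixOutcome('^2.1.3', ['2.1.4', '3.0.1'])); // fixable via 2.1.4
```

The second `auditFixOutcome` call models the happy path: when the maintainer of B backports the fix into the 2.x line, the caret range already admits it and `npm audit fix` can install it. The first call models the situation in the question, where the only fixed releases are 3.x and the range of the dependant package forbids them.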