I am using `nightmare` for testing. After running `npm audit` I get a warning about lodash prototype pollution. I tried to fix this by running `npm audit fix` but no result. After that I tried using `--force` but still get:

    fixed 0 of 1 vulnerability in 2108 scanned packages
    1 vulnerability required manual review and could not be updated

Any ideas how can I fix it?
`npm` dependencies do not automatically get upgraded to a higher major version. So if package `A` depends on package `B` with a version specification such as:

```json
// A/package.json
"dependencies": {
  "B": "^2.1.3"
}
```
Then `npm` will keep `B` up to date for any version 2.x.y where x >= 1 and (y >= 3 if x == 1, or y >= 0 if x > 1). However, if the security fix happened in `B` version 3.v.w, then the security issue is going to remain in your `npm` repository.

The problem here is that to be able to use version 3.v.w you may have to update `A`, because it is likely that there are breaking changes between 2 and 3 (i.e. a function name changed or support for a certain property was removed).
Here is an example of breaking changes in the react-idle-timer module:

There are a few breaking changes in version 4:

- `IdleTimer`. Unless you are really good with `shouldComponentUpdate` you should avoid using `IdleTimer` as a wrapper component.
- `startOnLoad` has been renamed to `startOnMount` in order to make more sense in a React context.
- `activeAction` has been renamed to `onActive`.
- `idleAction` has been renamed to `onIdle`.
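To make the semver point in the answer concrete, here is an added example (not code from the question, the answer, or any of the packages mentioned) that evaluates a caret range such as `^2.1.3` by hand and reports whether a given fixed version is reachable without a major bump. The `satisfiesCaret` and `auditOutcome` functions, and the sample versions, are constructed for this illustration; the real `semver` package used by npm handles many more range forms than the plain `^MAJOR.MINOR.PATCH` shape handled here.

```javascript
// Added example: why a fix that only ships in the next major version cannot
// be applied by `npm audit fix`. Hand-written caret logic for the plain
// "^MAJOR.MINOR.PATCH" form only (an assumption of this example).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing two "x.y.z" strings component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy the caret range `range`? A caret range allows any
// version >= its base that keeps the leftmost non-zero component unchanged,
// which is exactly why "^2.1.3" admits 2.4.0 but never 3.0.0.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only ^ ranges are handled: ${range}`);
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Given the declared range and the first version carrying the security fix,
// classify what `npm audit fix` can do: "auto" if the fixed version already
// falls inside the range, "manual" if a major bump (and a review of the
// breaking changes) is needed, as in the "required manual review" message.
function auditOutcome(range, fixedIn) {
  return satisfiesCaret(range, fixedIn) ? 'auto' : 'manual';
}

// Constructed sample mirroring the answer: A depends on B with "^2.1.3".
const sampleVersions = ['2.1.3', '2.4.0', '2.1.2', '3.0.0'];
for (const version of sampleVersions) {
  console.log(`^2.1.3 allows ${version}: ${satisfiesCaret('^2.1.3', version)}`);
}
console.log(`fix released in 2.9.9 -> ${auditOutcome('^2.1.3', '2.9.9')}`);
console.log(`fix released in 3.0.1 -> ${auditOutcome('^2.1.3', '3.0.1')}`);
```

Running the block prints that 2.1.3 and 2.4.0 are allowed while 2.1.2 and 3.0.0 are not, and that a fix first released in 3.0.1 lands in the "manual" bucket: the only way to pick it up is to bump `B` to a new major in `A`'s `package.json` and review `B`'s breaking changes, which is what the audit output is asking for.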