[RECIPE]: fix vulnerable sub-dependencies in package.json
Regular Typescript or Javascript project has number of dependencies from NPM. Most of them have own dependencies, different versions of them. To see them all you can review auto generated file package-lock.json.
Different versions of some library can be used in range of other libraries. Which can cause dependencies hell. And one thing which bothered me recently - security vulnerability of some particular version library.
We can see such security reports in github repository. They usually advise to increase version of some lib. But how to do this if it is indirect dependency, which is added by other libraries? And even more, they can reference different versions of it.
As straightforward solution I fixed it manually in package-lock.json file. It works, but it takes time. And it can be broken down again after the next npm install
call.
Wise colleague advised me to use this - just add resolution rule to package.json
at root level
{
...
"resolutions": {
"minimist": "^1.2.5"
},
...
}
This fix all sub dependencies and redirect it to version you specified in resolutions.
Nice!