GitHub has given me this error on one of my repositories:
We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security vulnerabilities
and should be updated.
The dependency is not defined in our package.json
file. To my understanding it isn't good practice to delete the package-lock.json
file and regenerate it. However, I cannot see any other way to fix this issue. If I dismiss this security vulnerability it will appear again a couple of days later. Any ideas? Thanks!
You should try to identify the problematic package's name, and then run
npm install package-name
replacing package-name, obviously.
This will install the latest version of the package, and very often the latest version has fixed the security issue. If you have a constraint on the version (e.g. 1.2), you can always try:
npm install package-name@^1.2
and the latest patched version will be installed.
New: now, with npm@6 you can directly run
npm audit fix
To resolve this:
Solution1:
First find the vulnerability, using your terminal:
cd into your project, then run "npm ls hoek"
And finally:
npm install bcrypt@latest
Then push the updated project to git (i.e. perform a fresh commit).
Solution 2:
If the first option/solution does not resolve the issue, change the version manually in your package-lock.json.
Change your version manually from 2.16.3 to 4.2.1
"hoek": {
  "version": "4.2.1",
  "resolved": "https://registry.npmjs.org/hoek/-/hoek-4.2.1.tgz",
  "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
  "dev": true
}
Then update your project on GitHub (commit/push).
Just make sure every hoek version occurrence in your package-lock.json is changed to 4.2.1.
Alternatively, if you can figure out a way to change the hoek version/update hoek using npm, that will make things much simpler (something like: npm update @hoek..version), or uninstall the specific dependency and then reinstall it using bower or npm.
To my understanding it isn't good practice to delete the package-lock.json file and regenerate it.
Yet, this is what is usually done in this instance.
See for example angular/angular-cli issue 8534, which is resolved by PR 8535.
That leads a dependent project like frees-io/freestyle-opscenter-webclient to update its package-lock.json: PR 31.
The simplest/easiest way to fix this is:
npm install <dep>
npm uninstall <dep>
npm update
npm install
From: https://github.com/Microsoft/vscode/issues/48783#issuecomment-384873041