Github has given me this error on one of my repositories.
We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.
The dependency is not defined in our package.json file. To my understanding it isn't good practice to delete the package-lock.json file and regenerate it. However, I cannot see any other way to fix this issue. If I dismiss this security vulnerability it will appear again a couple of days later. Any ideas? Thanks!
You should try to identify the problematic package's name, and then run
replacing package-name, obviously.
This will install the latest version of the package, and very often, the latest version has fixed the security issue. If you have a constraint on version (e.g. 1.2), you can always try to:
and the latest patched version will be installed
New: now, with npm@6 you can directly run
To resolve this:
Solution 1: First find the vulnerability. Using your terminal: cd into your project, then run "npm ls hoek"
And finally: npm install bcrypt@latest
Then push the updated project to git (i.e. perform a fresh commit).
Solution 2:
If the first option/solution does not resolve the issue, change the version manually in your package-lock.json. Change your version manually from 2.16.3 to 4.2.1.
Then update your project on GitHub (commit/push). Just make sure every hoek version occurrence in your package-lock.json is changed to 4.2.1.
Alternatively, if you can figure out a way to change the hoek version/update hoek using npm, it will make things much simpler (something like: npm update @hoek..version), or uninstall the specific dependency then reinstall it using bower or npm.
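The answer above relies on finding every occurrence of the flagged package in package-lock.json, including copies nested under other dependencies, which is easy to miss by hand. The following Node.js script is an added example, not code from the question or any of the answers: it walks a lock file (both the nested lockfileVersion 1 "dependencies" tree and the flat lockfileVersion 2/3 "packages" map) and reports each place the named package is pinned below a patched minimum version. The embedded lock data, the project name "example-app" and the boom/express entries are constructed for the example; only the package name hoek and the versions 2.16.3 and 4.2.1 come from the answer.

```javascript
// Added example: audit a package-lock.json for every occurrence of one package
// and flag copies that are older than a known-patched version.
// Lock data below is constructed; it is not taken from any real project.

function parseVersion(v) {
  // Accept "1.2.3" or "1.2.3-beta.1"; prerelease/build tags are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when semver a is strictly lower than semver b (major, minor, patch).
function isOlderThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// lockfileVersion 1: "dependencies" is a tree; nested copies live under
// each dependency's own "dependencies" object.
function walkV1(deps, name, path, out) {
  for (const [depName, info] of Object.entries(deps || {})) {
    const here = path.concat(depName);
    if (depName === name) out.push({ path: here.join(' > '), version: info.version });
    walkV1(info.dependencies, name, here, out);
  }
}

// lockfileVersion 2/3: "packages" is flat; keys look like
// "node_modules/a/node_modules/b", and "" is the root project itself.
function walkV2(packages, name, out) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === '') continue;
    const parts = key.split('node_modules/').filter(Boolean).map(p => p.replace(/\/$/, ''));
    if (parts[parts.length - 1] === name) out.push({ path: parts.join(' > '), version: info.version });
  }
}

// Every pinned copy of `name`, with the dependency path that pulls it in.
function findOccurrences(lock, name) {
  const out = [];
  if (lock.packages) walkV2(lock.packages, name, out);
  else walkV1(lock.dependencies, name, [], out);
  return out;
}

// Only the copies still below the patched version: these are the entries a
// manual edit or `npm update` has to reach.
function vulnerableOccurrences(lock, name, patchedVersion) {
  return findOccurrences(lock, name).filter(o => isOlderThan(o.version, patchedVersion));
}

// Constructed lockfileVersion 1 sample: hoek appears twice, the old copy nested under boom.
const sampleLockV1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    boom: { version: '2.10.1', dependencies: { hoek: { version: '2.16.3' } } },
    hoek: { version: '4.2.1' },
    express: { version: '4.16.3' },
  },
};

// Constructed lockfileVersion 2 sample with the same layout in the flat format.
const sampleLockV2 = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/boom': { version: '2.10.1' },
    'node_modules/boom/node_modules/hoek': { version: '2.16.3' },
    'node_modules/hoek': { version: '4.2.1' },
    'node_modules/express': { version: '4.16.3' },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json] [package] [patchedVersion]
// Without arguments the constructed sample is scanned for hoek below 4.2.1.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [file, name = 'hoek', patched = '4.2.1'] = process.argv.slice(2);
  const lock = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : sampleLockV1;
  for (const o of vulnerableOccurrences(lock, name, patched)) {
    console.log(`${o.path} is at ${o.version}, below ${patched}`);
  }
}
```

Run it against a real lock file with the package name and the patched version from the GitHub alert; each line it prints is a nested copy that the top-level entry in package.json does not control, which is exactly the case the question describes. Because the same package can be pinned several times at different depths, checking only the first match is not enough; the script therefore reports every path.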
The simplest/easiest way to fix this is:
npm install <dep>
npm uninstall <dep>
npm update
npm install
From: https://github.com/Microsoft/vscode/issues/48783#issuecomment-384873041
Yet, this is what is usually done in this instance.
See for example angular/angular-cli issue 8534, which is resolved by PR 8535.
That leads a dependent project like frees-io/freestyle-opscenter-webclient to update its package-lock.json: PR 31.