Addressing GitHub’s Vulnerability Warning in Your Code Repository

If you’d rather not trawl through threads on GitHub issues, here is a concise list of steps for addressing GitHub’s vulnerability warnings in your code repository. You will see a yellow warning box if a vulnerable dependency has been detected in your package-lock.json file.

(Screenshot of the warning box, courtesy of GitHub)

Assuming that the offending package is hoek:

  1. $ npm ls hoek
  2. Examine the output.
  3. Look at the package listed at the top of the tree – json-server in this case. hoek is a sub-dependency of it via request, so the latest (or an updated) version of request would resolve this issue.
  4. I looked at the releases page for json-server and updated my package.json to the latest version of the package.
  5. $ npm install (this rewrites package-lock.json; commit the updated lockfile, since that is the file GitHub scans)
  6. If you run the first command again, you will either see the updated version of hoek or it won’t show up at all. The latter case means that it was dropped in the latest version of json-server.

There you go! May it save someone hours of pain and Googling…
