If you would rather not trawl through threads in GitHub issues, here is a concise list of steps for addressing GitHub's vulnerability warnings in your code repository. You will see a yellow warning box if one has been detected in your package-lock.json file.
[Screenshot: GitHub's vulnerability warning box on a repository (courtesy of GitHub)]
Assuming that the offending package is `hoek`:

- Run `$ npm ls hoek` and examine the output.
- Look at the package listed at the top of the tree, `json-server` in this case. `hoek` is a subdependency of it via `request`, so the latest (or an updated) version of `request` would solve this issue.
- I looked at the releases page for `json-server` and updated my `package.json` to the latest version of the package, then ran `$ npm install`.
- If you run the first command again, you will either see the updated version of `hoek` or it won't show up at all. The latter case means that it was dropped in the latest version of `json-server`.
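The same "who pulls this in?" question, answered straight from package-lock.json instead of by eyeballing the `npm ls` tree. This is an added example, not code from the original post; it assumes a lockfileVersion 1 lock, a list of direct dependencies taken from package.json, and a constructed sample lock whose versions are made up.

```javascript
// Added example (not the original post's code): walk a lockfileVersion 1
// package-lock.json and list every chain from a direct dependency down to
// a named package, so you know which package.json entry to bump.

// npm v1 resolution: nearest enclosing "dependencies" map wins, then the root.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return null;
}

// Returns strings like "json-server@0.12.1 > request@2.81.0 > hoek@2.16.3".
function findDependencyChains(lock, directDeps, target) {
  const chains = [];
  const walk = (name, node, scopes, path) => {
    if (path.some((p) => p.startsWith(name + "@"))) return; // cycle guard
    const chain = path.concat(`${name}@${node.version}`);
    if (name === target) { chains.push(chain.join(" > ")); return; }
    const next = node.dependencies ? scopes.concat(node) : scopes;
    for (const req of Object.keys(node.requires || {})) {
      const child = resolve(next, req);
      if (child) walk(req, child, next, chain);
    }
  };
  for (const name of directDeps) {
    const node = resolve([lock], name);
    if (node) walk(name, node, [lock], []);
  }
  return chains;
}

// Constructed sample lock (versions made up): json-server keeps its own nested,
// older request/hawk/hoek, while a second direct dep reaches the hoisted copies.
const sampleLock = { lockfileVersion: 1, dependencies: {
  "json-server": { version: "0.12.1", requires: { request: "^2.81.0" }, dependencies: {
    request: { version: "2.81.0", requires: { hawk: "~3.1.3" } },
    hawk: { version: "3.1.3", requires: { hoek: "2.x.x" } },
    hoek: { version: "2.16.3" } } },
  "some-tool": { version: "1.0.0", requires: { request: "^2.83.0" } },
  request: { version: "2.83.0", requires: { hawk: "~6.0.2" } },
  hawk: { version: "6.0.2", requires: { hoek: "4.x.x" } },
  hoek: { version: "4.2.1" } } };
const sampleDirect = ["json-server", "some-tool"]; // keys of package.json deps

// For a real project: lock = JSON.parse(fs.readFileSync("package-lock.json")),
// directDeps = Object.keys({...pkg.dependencies, ...pkg.devDependencies}).
console.log(findDependencyChains(sampleLock, sampleDirect, "hoek").join("\n"));
```

Each printed chain starts with the direct dependency whose entry in package.json you need to bump; a chain ending in an older `hoek` than the hoisted root copy is the nested instance that a plain root update would not touch.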
There you go! May it save someone hours of pain and Googling…