securitygithubdependenciespackage-lock.json

How to update a dependency in package-lock.json

I've received for the first time a notification from GitHub about a potential security issue (label: high-severity) with some of my project's dependencies. Here's the sample message:

url-parse vulnerability found in package-lock.json

And this is the proposed solution:

Upgrade url-parse to version 1.4.3 or later. For example:

"dependencies": {
  "url-parse": ">=1.4.3"
}

or…

"devDependencies": {
  "url-parse": ">=1.4.3"
}

Now, what I did was to simply check for any outdated packages by running npm outdated -g --depth=0 in my terminal as per the official documentation and execute the npm -g update command (I also tried targeting the dependency itself with npm update url-parse). A few packages were successfully updated, but it didn't seem to find the package causing the issue. Am I supposed to update it manually by adding the suggested line of code: "url-parse": ">=1.4.3"?

And finally, how much should I be concerned with such alerts?

Thank you!

Solution

  • The easiest way to update it is probably to go into the package-lock.json file as you suggested and modifying the old "version": "#.#.#" to be "version": ">=1.4.3" under the url-parse JSON object. I'd suggest COMMAND+Fing the dependency name (CONTROL+F for the W indows users) since the package-lock.json file can easily be thousands of lines long, and once you find your dependency, changing the version number to what GitHub deems to be safe from the vulnerability.

    I just created a new repo and I got a very similar message for the ws dependency, and after updating the version in the package-lock.json file manually I received this message after refreshing the GitHub alerts page:

    No open alerts on ws were found in package-lock.json.
Alerts may have been resolved and deleted by recent pushes to this repository.

    For reference, here's what it looked like for me before I updated the ws dependency:

    "ws": {
      "version": "1.1.5",
      "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.5.tgz",
      "integrity": "sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==",
      "dev": true,
      "requires": {
        "options": ">=0.0.5",
        "ultron": "1.0.x"
      }

    and after:

    "ws": {
      "version": ">=3.3.1",
      "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.5.tgz",
      "integrity": "sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==",
      "dev": true,
      "requires": {
        "options": ">=0.0.5",
        "ultron": "1.0.x"
      }

    You've probably already figured this out by now, as I see you posted this question almost a year ago, but leaving this here to help anyone in the future who comes across a similar issue.