
In my project, I use "laravel-mix", which depends on "webpack-dev-server"

"npm audit" reports a high severity vulnerability on my version of webpack-dev-server, so I've been trying to update it to the latest version, but with no success.

I've tried

npm update
npm update webpack-dev-server
npm update laravel-mix

with no success.. I guess the issue is that laravel-mix is already up-to-date, yet its dependency is not..

I've tried to add a later version of webpack-dev-server as a dependency, hoping it would replace the old one, but instead I just get the two versions co-existing:

npm ls webpack-dev-server
+-- [email protected]
| `-- [email protected]
`-- [email protected]

Is there a way for me to force the update of the webpack-dev-server dependency? I need laravel-mix for this project, and as my assets are compiled on the production server, I can't even set it as a dev-only dependency..

2 Answers


Unfortunately if the package you're using has pinned its own dependency there is no way of fixing it at the top level of your project, although this is a planned future feature of npm to allow aliasing to override sub-dependencies.

You can see a short guide here on manually reviewing sub-dependencies and creating a PR to the project to get their own dependency fixed.

In future, might I also suggest using npm audit fix if it's available on the version you're using, as this will attempt to automatically fix issues if it can.

As an aside I wouldn't worry too much about this vulnerable package, although it is a high severity it would only be an issue if you were using the dev-server in production, which as it says dev on the tin, you definitely shouldn't be using it anywhere but locally in dev. :-)


2 Comments

Thanks! I did try npm audit fix but no luck on this one unfortunately. I did see that this package should be used in dev only, but I must say I'm a bit confused as to how to enforce that.. The package is a dependency of laravel-mix, and I do use the latter in prod, so wouldn't this dependency be automatically installed too?
I am still a bit confused with this "dev-server" package.. how could I ensure that it is not used in production? Do I need to exclude it explicitly, or would it be ignored automatically by npm when running a "production" script?

We had a similar issue with puppeteer > extract-zip > mkdirp > minimist, where minimist had a security vulnerability. It was upgraded and so was mkdirp, but extract-zip isn't at the time of this writing.

Using npx npm-force-resolutions under the scripts entry in package.json seems to have done the trick.

$ git diff package.json 
diff --git a/package.json b/package.json
index cf825cf..0d694b3 100644
--- a/package.json
+++ b/package.json
@@ -8,8 +8,13 @@
     "lib": "lib" 
   },
   "scripts": {
+    "preinstall": "npx npm-force-resolutions",
     "test": "echo \"Error: no test specified\" && exit 1" 
   },
+  "resolutions": {
+    "minimist": "1.2.3",
+    "mkdir": "0.5.3" 
+  },
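Review bot: the "mkdir": "0.5.3" key in the new resolutions block looks like a typo for mkdirp, the package this answer names in the puppeteer > extract-zip > mkdirp > minimist chain; a resolutions key that matches no package in the tree rewrites nothing, so the nested mkdirp would stay at whatever version the lock file already had. Suggest "mkdirp": "0.5.3" and confirming afterwards with npm ls mkdirp minimist that only the pinned versions remain. The added preinstall hook also fetches and runs npm-force-resolutions via npx on every install; pinning that package's version in the command keeps the lock rewrite reproducible.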

Then running npm install:

$ npm install && npm audit

> [email protected] preinstall /home/jlam/code/prjName
> npx npm-force-resolutions

npx : 5 installé(s) en 5.733s
added 1 package from 1 contributor, removed 1 package and audited 72 packages in 7.212s

[...]

found 0 vulnerabilities

[...]    

                       === npm audit security report ===                        

found 0 vulnerabilities
 in 72 scanned packages

1 Comment

I had the same problem and over 3000 vulnerabilities with minimist and I just removed my package-lock.json and node_modules and reinstalled with npm i and it said: "found 0 vulnerabilities"
