Tuesday 23 July 2019

Can someone tell me how the heck `npm audit` is supposed to work?

In my project, `npm install` warns about potential security issues that we should fix. Sounds great, and I'd happily keep the dependencies up to date, but it's really not working the way I'd expect it to… Here's the scenario:

`$ npm audit fix` tells me:

```
updated 1 package in 6.63s
fixed 4 of 5 vulnerabilities in 909376 scanned packages
  1 vulnerability required manual review and could not be updated
```

However, running `npm install` right after makes them come back:

```
updated 1 package and audited 909376 packages in 9.84s
found 5 vulnerabilities (3 moderate, 2 high)
  run `npm audit fix` to fix them, or `npm audit` for details
```

Why is that?

Continuing, if I do `npm audit`, the first listed item is:

```
=== npm audit security report ===

Run  npm update js-yaml --depth 5  to resolve 4 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ …             │ …                                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/788                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

Following that helpful link, it tells me:

```
Remediation
Upgrade to version 3.13.0.
```

But, if I check which version I have, it says:

```
$ npm show js-yaml

js-yaml@3.13.1 | MIT | deps: 2 | versions: 68
YAML 1.2 parser and serializer
https://github.com/nodeca/js-yaml

keywords: yaml, parser, serializer, pyyaml

bin: js-yaml
…
```

So, my current version is already higher than the version where the issue was remedied. Why does `npm audit` keep complaining about it?

Thanks for any helpful pointers! 😇

Submitted July 23, 2019 at 09:09AM by bopp
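As an added example that is not part of the original post: `npm show <pkg>` reports the registry's latest published version, not what is installed, while an audit entry refers to a copy somewhere in the installed tree, possibly nested several levels deep. The script below walks a `package-lock.json` in the lockfileVersion 1 layout that npm 6 wrote in 2019 and lists every installed copy of js-yaml with its nesting path, flagging copies older than the advisory's fixed version; the lock file contents are constructed sample data, not the poster's project.

```javascript
// Constructed sample package-lock.json (lockfileVersion 1 layout): one
// top-level js-yaml that is already fixed, plus an older copy nested under
// a dependency that pinned a lower range. Not a real project's lock file.
const LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "js-yaml": { version: "3.13.1" },            // top-level copy, fixed
    "some-linter": {
      version: "1.0.0",
      requires: { "js-yaml": "^3.7.0" },
      dependencies: {
        "js-yaml": { version: "3.12.0" }          // nested copy, still old
      }
    },
    "build-tool": {
      version: "2.0.0",
      requires: { "js-yaml": "^3.13.0" }          // satisfied by top-level
    }
  }
};

// Compare plain x.y.z versions numerically (no prerelease handling needed here).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every installed copy of `name`, recording its path.
function findInstalledCopies(deps, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = path.concat(dep);
    if (dep === name) out.push({ path: here.join(' > '), version: info.version });
    findInstalledCopies(info.dependencies, name, here, out);
  }
  return out;
}

// Return only the copies whose version is below the advisory's fixed version.
function vulnerableCopies(lock, name, fixedIn) {
  return findInstalledCopies(lock.dependencies, name)
    .filter(c => compareVersions(c.version, fixedIn) < 0);
}

const stillOld = vulnerableCopies(LOCK, 'js-yaml', '3.13.0');
console.log(stillOld); // [{ path: 'some-linter > js-yaml', version: '3.12.0' }]
```

With a real lock file, replace `LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; `npm ls js-yaml` shows the same nesting interactively.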
