
Today GitHub is showing the following error on my GitHub repository:

We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated.

On clicking on Review vulnerable dependency button following message was displayed:

hoek node module before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge'

Until yesterday it was not showing such an error. I have not pushed anything to this repository for more than 5 days. Any idea why this is happening?

Answers

npm update should work only if the vulnerable package is declared as a direct dependency of the project. But usually (as in the case of hoek) vulnerabilities lie in packages that live deep in your sub-dependency tree.

Since in my case I decided not to update all the dependencies of my project (by deleting and rebuilding the entire package-lock.json file), I went for the following (and, of course, more time-consuming) approach:

  • find all the occurrences of the vulnerable package in my package-lock.json
  • follow the dependency tree upwards to find which top-level packages import them
  • uninstall and reinstall those top-level packages using the same minor version

Like:

npm r package-1 package-2 && npm i package-1@^1.2.3 package-2@^1.2.3

This approach will work only if the vulnerable package was fixed and released, and the consuming packages import the vulnerable one with a loose version range open to patch or minor versions.
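The three steps above, carried out programmatically, as an added example that is not part of the original answer. The script walks a lockfileVersion 1 package-lock.json the way npm resolves it (nearest enclosing `dependencies` entry wins), reports for each direct dependency the path down to any copy of hoek older than 5.0.3 (the threshold quoted from the alert), and checks whether the range the immediate consumer declares would admit the fixed release, which is exactly the condition in the last paragraph. Both the package.json and the lockfile are constructed; the package names `pkg-a` to `pkg-d`, their versions and ranges are invented for illustration, and the semver helpers are a deliberately small subset of the real `semver` package.

```javascript
// Added example (not code from the original question or answer). Everything except the
// name "hoek" and the "before 5.0.3" threshold quoted from the alert is constructed.
const VULN = 'hoek';   // package named in the GitHub alert
const FIXED = '5.0.3'; // first non-vulnerable version, taken from the alert text

// Constructed package.json: the project's direct dependencies and their ranges.
const packageJson = {
  dependencies: { 'pkg-a': '^1.2.0', 'pkg-b': '^2.0.0', 'pkg-c': '^3.1.0' },
};

// Constructed package-lock.json (lockfileVersion 1). "requires" is what each package
// asks for; a nested "dependencies" block holds copies npm could not hoist to the root.
const packageLock = {
  lockfileVersion: 1,
  dependencies: {
    'pkg-a': { version: '1.2.3', requires: { hoek: '^5.0.0' } },
    'pkg-b': {
      version: '2.0.1',
      requires: { 'pkg-d': '~1.0.0' },
      dependencies: {
        'pkg-d': { version: '1.0.4', requires: { hoek: '4.x.x' } },
        hoek: { version: '4.2.0' },
      },
    },
    'pkg-c': { version: '3.1.0' },
    hoek: { version: '5.0.2' },
  },
};

// Minimal semver (no prerelease tags): 'x' and '*' parts become null wildcards.
const parse = (v) => v.split('.').map((p) => (p === 'x' || p === '*' ? null : Number(p)));
function cmp(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Does a declared range admit `version`? Handles ^, ~, x-wildcards, * and exact versions;
// compound ranges such as ">=1 <2" or "a || b" are not modelled.
function rangeAdmits(range, version) {
  if (range === '*' || range === 'latest' || range === '') return true;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = range.slice(op.length);
  const r = parse(base);
  const v = parse(version);
  if (op === '^') {
    // ^0.y.z stays within the minor line, ^x.y.z (x > 0) within the major line
    const sameLine = r[0] === 0 ? v[0] === 0 && v[1] === r[1] : v[0] === r[0];
    return sameLine && cmp(version, base) >= 0;
  }
  if (op === '~') return v[0] === r[0] && v[1] === r[1] && cmp(version, base) >= 0;
  return r.every((part, i) => part === null || part === v[i]);
}

// npm's lookup for lockfile v1: a require is satisfied by the nearest enclosing
// "dependencies" entry with that name, searching from the requirer up to the root.
function resolve(name, chain) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

// Steps 1 and 2 for one direct dependency: depth-first walk that records every path
// reaching a copy of VULN older than FIXED, with the range its consumer declared.
function findVulnerablePaths(lock, directName, directRange) {
  const hits = [];
  const seen = new Set(); // guards against cyclic requires; one path per installed copy
  const walk = (name, range, entry, chain, trail) => {
    if (seen.has(entry)) return;
    seen.add(entry);
    const here = [...trail, `${name}@${entry.version}`];
    if (name === VULN && cmp(entry.version, FIXED) < 0) {
      hits.push({ path: here.join(' > '), declaredRange: range, fixReachable: rangeAdmits(range, FIXED) });
      return;
    }
    const nextChain = [...chain, entry];
    for (const [dep, depRange] of Object.entries(entry.requires || {})) {
      const target = resolve(dep, nextChain);
      if (target) walk(dep, depRange, target, nextChain, here);
    }
  };
  const top = (lock.dependencies || {})[directName];
  if (top) walk(directName, directRange, top, [lock], []);
  return hits;
}

// Map each direct dependency of the project to the vulnerable paths beneath it.
function auditDirectDeps(pkg, lock) {
  const report = {};
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const hits = findVulnerablePaths(lock, name, range);
    if (hits.length) report[name] = hits;
  }
  return report;
}

// Step 3: the reinstall command from the answer, limited to direct deps whose consumers
// declare a range that admits FIXED; the others would just re-lock the same old copy.
function reinstallCommand(pkg, report) {
  const fixable = Object.keys(report).filter((n) => report[n].every((h) => h.fixReachable));
  if (!fixable.length) return null;
  const specs = fixable.map((n) => `${n}@${pkg.dependencies[n]}`).join(' ');
  return `npm r ${fixable.join(' ')} && npm i ${specs}`;
}

const report = auditDirectDeps(packageJson, packageLock);
console.log(JSON.stringify(report, null, 2));
console.log(reinstallCommand(packageJson, report) ?? 'no direct dependency can be fixed by reinstalling');
```

On the constructed data, `pkg-a` reaches the root `hoek@5.0.2` through `^5.0.0`, so removing and reinstalling it lets npm resolve hoek to 5.0.3 or later; `pkg-b` reaches a nested `hoek@4.2.0` through `pkg-d`'s `4.x.x`, which can never admit 5.0.3, so that path needs an upgraded `pkg-d` (or a different fix) rather than a reinstall. Point the script at a real lockfile by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))`; it only covers lockfileVersion 1, which is the format the question's alert refers to.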
