npm - a package's 6th level dependency is shown to be using outdated version by snyk


In my node.js project, I have a dependency on packageA. Since this package is archived now, I had to override one of its dependencies (not sure if this is relevant). My package.json looks like this:

...
  "dependencies": {
    "packageA": "1.4.39"
    ...
  },
  "overrides": {
    "packageA": {
      "nconf": "0.11.4"
    }
  },
...

When I run snyk test to detect vulnerabilities, it shows the following:

✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 17 other path(s)
  This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1

So [email protected] is using [email protected], which should be updated. But if I run npm show [email protected], the output is like this:

...
dependencies:
ansi-regex: ^5.0.1
...

So [email protected] is not really dependent on that old version. However, the problem is probably not with snyk. Just that somehow my package-lock.json file is including an old version.

If I run npm update packageA, nothing happens - it's already up-to-date.

If I search the package-lock.json file for all references to [email protected], delete those, and then run npm install, it just goes back to the previous state.

I also tried deleting the node_modules folder and package-lock.json file and ran npm install after cleaning cache. This seems to solve the problem, but that also updates the whole package-lock.json file, which should be risky in production environment.

Any suggestions how I can fix this? Thanks in advance.

Jonathan Gruber On BEST ANSWER

As you wrote, the problem is the state of the package lockfile. A suggestion is to pin the ansi-regex package to version 3.0.1 which is noted as fixed by Snyk. You can achieve it like this:

"overrides": {
  "ansi-regex": "3.0.1"
}

And then try an npm install to make the update and follow that with a snyk test to ensure versions are not free of vulns.

Also a suggestion to better understand what is happening in general is to run a snyk monitor command instead of snyk test?

Or, even better, scan from the Snyk UI in a direct SCM integration? It is a good practice to run npm install before (no need to delete node_modules). It may be more comprehensive than local CLI results, I think.

This would show you the project view with a clear dependency tree & hierarchy and would maybe help you identify the problem.

Hopefully this will give you a visualization of where the [email protected] is pulled from and Snyk will provide you with a suggestion for a fix.

Hope it's helpful
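Added example, not code from the question or the answer: a small script that walks a lockfileVersion 2/3 package-lock.json and reports every installed copy of a package together with the nesting chain that owns it, flagging copies older than the fixed releases quoted in the snyk report. The lockfile is constructed for the example, and "inner-dep" is a placeholder package name.

```javascript
// Added example (not from the question or answer): walk a lockfileVersion 2/3
// package-lock.json and list every installed copy of a package, flagging the
// copies older than the fixed release of their major line.
// The lockfile below is constructed; "inner-dep" is a placeholder name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { packageA: "1.4.39" } },
    "node_modules/packageA": { version: "1.4.39", dependencies: { "inner-dep": "^1.0.0" } },
    "node_modules/packageA/node_modules/inner-dep": { version: "1.0.0", dependencies: { "ansi-regex": "^3.0.0" } },
    "node_modules/packageA/node_modules/ansi-regex": { version: "3.0.0" },
    "node_modules/ansi-regex": { version: "5.0.1" },
  },
};
// Fixed releases quoted in the snyk report in the question.
const FIXED_ANSI_REGEX = ["3.0.1", "4.1.1", "5.0.1", "6.0.1"];
// "5.0.1" -> [5, 0, 1]; any prerelease tag is ignored.
const parseVersion = (v) => v.split("-")[0].split(".").map(Number);
// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// True when `version` is at or above the fixed release of its own major line.
function isFixed(version, fixedVersions) {
  const fix = fixedVersions.find((f) => parseVersion(f)[0] === parseVersion(version)[0]);
  return fix !== undefined && compareVersions(version, fix) >= 0;
}
// Every installed copy of `name`, with the nesting chain that owns it, e.g.
// "node_modules/packageA/node_modules/ansi-regex" -> ["packageA", "ansi-regex"].
function installedCopies(lock, name) {
  return Object.entries(lock.packages)
    .filter(([path]) => path.split("node_modules/").pop() === name)
    .map(([path, entry]) => ({
      chain: path.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, "")),
      version: entry.version,
    }));
}
// The copies snyk would still flag; an override targets these.
function vulnerableCopies(lock, name, fixedVersions) {
  return installedCopies(lock, name).filter((c) => !isFixed(c.version, fixedVersions));
}
for (const c of vulnerableCopies(sampleLock, "ansi-regex", FIXED_ANSI_REGEX)) {
  console.log(`${c.chain.join(" > ")}@${c.version} is below the fixed release`);
}
```

Listing each copy with its chain shows whether the old version is nested under packageA only, in which case the override can be scoped under "packageA" (the nested form already used in the question's package.json) rather than applied to every copy at the top level.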