How to update a dependency in package-lock.json


I've received for the first time a notification from GitHub about a potential security issue (label: high-severity) with some of my project's dependencies. Here's the sample message:

url-parse vulnerability found in package-lock.json

And this is the proposed solution:

Upgrade url-parse to version 1.4.3 or later. For example:

"dependencies": {
  "url-parse": ">=1.4.3"
}

or…

"devDependencies": {
  "url-parse": ">=1.4.3"
}

Now, what I did was to simply check for any outdated packages by running npm outdated -g --depth=0 in my terminal as per the official documentation and execute the npm -g update command (I also tried targeting the dependency itself with npm update url-parse). A few packages were successfully updated, but it didn't seem to find the package causing the issue. Am I supposed to update it manually by adding the suggested line of code: "url-parse": ">=1.4.3"?

And finally, how much should I be concerned with such alerts?

Thank you!

3

There are 3 best solutions below

3 (BEST ANSWER)

The easiest way to update it is probably to go into the package-lock.json file, as you suggested, and modify the old "version": "#.#.#" to be "version": ">=1.4.3" under the url-parse JSON object. I'd suggest COMMAND+F-ing the dependency name (CONTROL+F for Windows users), since the package-lock.json file can easily be thousands of lines long, and once you find your dependency, changing the version number to what GitHub deems to be safe from the vulnerability.

I just created a new repo and I got a very similar message for the ws dependency, and after updating the version in the package-lock.json file manually I received this message after refreshing the GitHub alerts page:

No open alerts on ws were found in package-lock.json.
Alerts may have been resolved and deleted by recent pushes to this repository.

For reference, here's what it looked like for me before I updated the ws dependency:

"ws": {
  "version": "1.1.5",
  "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.5.tgz",
  "integrity": "sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==",
  "dev": true,
  "requires": {
    "options": ">=0.0.5",
    "ultron": "1.0.x"
  }
}

and after:

"ws": {
  "version": ">=3.3.1",
  "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.5.tgz",
  "integrity": "sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==",
  "dev": true,
  "requires": {
    "options": ">=0.0.5",
    "ultron": "1.0.x"
  }
}

You've probably already figured this out by now, as I see you posted this question almost a year ago, but leaving this here to help anyone in the future who comes across a similar issue.
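Added example (not code from the question or any answer): a small Node.js check that reads a parsed lock file and reports every installed copy of a package whose recorded version is still below the fixed version named in an alert, and also flags any entry whose "version" field holds a range rather than an exact version, since package-lock.json only records exact versions. It assumes the lock file has already been loaded with JSON.parse; the sample lock object, the package name some-tool and the versions in it are constructed for the demo.

```javascript
// Added example (not from the question or any answer): list every copy of a package in
// package-lock.json still below an advisory's fixed version (lockfileVersion 1, 2 and 3).

// Lock files record exact versions; a range such as ">=1.4.3" parses to null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// lockfileVersion 1: recurse into nested "dependencies", yielding [path, name, entry].
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield [path, name, entry];
    yield* walkV1(entry.dependencies, `${path}/`);
  }
}
// lockfileVersion 2/3: flat "packages" keyed by node_modules path; "" is the root project.
function* walkV2(packages) {
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '') continue;
    yield [path, path.slice(path.lastIndexOf('node_modules/') + 13), entry];
  }
}

function findVulnerable(lock, pkgName, fixedVersion) {
  const fixed = parseVersion(fixedVersion);
  const entries = lock.packages ? walkV2(lock.packages) : walkV1(lock.dependencies, '');
  const hits = [];
  for (const [path, name, entry] of entries) {
    if (name !== pkgName) continue;
    const installed = parseVersion(entry.version);
    // Flag unparseable versions too: npm cannot install from a range in a lock file.
    if (installed === null || compareVersions(installed, fixed) < 0) {
      hits.push({ path, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return hits;
}
// Constructed sample: a stale direct copy of url-parse plus an already-fixed nested copy.
const sampleLock = { lockfileVersion: 1, dependencies: {
  'url-parse': { version: '1.4.1', requires: { querystringify: '^2.0.0' } },
  'some-tool': { version: '2.0.0', dev: true,
    dependencies: { 'url-parse': { version: '1.4.3', dev: true } } },
} };
console.log(findVulnerable(sampleLock, 'url-parse', '1.4.3'));
```

To run it against a real project, pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) in place of sampleLock; the dev flag on each hit tells you whether that copy ships with production code or only with tooling.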

3

You don't need to edit the lock file by hand, just run:

npm install --package-lock-only url-parse

It should install the latest version of the package and update only the lock file.

For an unknown reason it also updates package.json, so you need:

git checkout package.json

4

I tried both the accepted answer and the other answer, and neither worked.

I found this article by Ankur Kaushur: Updating a package's dependency in package-lock.json.

Step 1. Run npm audit fix, which will update most dependencies.

Step 2. If your security audit has found other issues that were not picked up in step 1, you can change the version numbers manually in package-lock.json and then run npm ci (this will retain your manual change).

If you get an error when running npm ci saying that your package.json and your lock file are out of sync, you can then run npm install and it still won't overwrite your manual change.