I've received for the first time a notification from GitHub about a potential security issue (label: high-severity) with some of my project's dependencies. Here's the sample message:
url-parse vulnerability found in package-lock.json
And this is the proposed solution:
Upgrade url-parse to version 1.4.3 or later. For example:
"dependencies": {
  "url-parse": ">=1.4.3"
}
or…
"devDependencies": {
  "url-parse": ">=1.4.3"
}
Now, what I did was to simply check for any outdated packages by running npm outdated -g --depth=0 in my terminal as per the official documentation and execute the npm -g update command (I also tried targeting the dependency itself with npm update url-parse). A few packages were successfully updated, but it didn't seem to find the package causing the issue. Am I supposed to update it manually by adding the suggested line of code: "url-parse": ">=1.4.3"?
And finally, how much should I be concerned with such alerts?
Thank you!
The easiest way to update it is probably to go into the package-lock.json file as you suggested and modify the old "version": "#.#.#" to be "version": ">=1.4.3" under the url-parse JSON object. I'd suggest COMMAND+F-ing the dependency name (CONTROL+F for the Windows users) since the package-lock.json file can easily be thousands of lines long, and once you find your dependency, changing the version number to what GitHub deems to be safe from the vulnerability.
I just created a new repo and I got a very similar message for the ws dependency, and after updating the version in the package-lock.json file manually I received this message after refreshing the GitHub alerts page:
For reference, here's what it looked like for me before I updated the ws dependency:
and after:
You've probably already figured this out by now, as I see you posted this question almost a year ago, but leaving this here to help anyone in the future who comes across a similar issue.
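The check both posts are circling, as an added example for this thread (it is not code from the question, the answer, GitHub or npm): package-lock.json records the exact resolved version of every installed copy of a package, and the same package can appear more than once in it (a second copy nested under a dependent that pins an older range), so the question to answer is whether any recorded copy of url-parse is still below the fixed version 1.4.3. The script below walks a lock file in either the v1 layout (nested "dependencies") or the v2/v3 layout (flat "packages" map) and reports every copy with its version and status. The sample lock file and the package name legacy-tool are constructed for the example, and the version comparison ignores prerelease and build suffixes, which is a simplification.

```javascript
// Added example for this thread (not code from the question, the answer or npm):
// scan a package-lock.json for every installed copy of one package and report
// the copies whose recorded version is still below the version the alert
// names as fixed. Supports lockfile v1 (nested "dependencies" tree) and
// lockfile v2/v3 (flat "packages" map keyed by node_modules path).

// "1.4.3" -> [1, 4, 3]. Prerelease/build suffixes are dropped, a simplification
// that assumes lockfile versions are plain x.y.z (true for published releases).
function parseVersion(v) {
  return v.split('-')[0].split('+')[0].split('.').map(n => parseInt(n, 10) || 0);
}

// Numeric component-wise comparison, so "1.10.0" is not below "1.4.3".
function versionLessThan(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const xi = x[i] || 0, yi = y[i] || 0;
    if (xi !== yi) return xi < yi;
  }
  return false;
}

// Lockfile v1: every node may carry its own nested "dependencies" object,
// i.e. a second copy installed at node_modules/<parent>/node_modules/<name>.
function walkV1(deps, path, name, out) {
  for (const [depName, node] of Object.entries(deps || {})) {
    const where = path.concat(depName);
    if (depName === name) out.push({ path: where.join(' > '), version: node.version });
    walkV1(node.dependencies, where, name, out);
  }
}

// Lockfile v2/v3: keys look like "node_modules/a/node_modules/b"; "" is the root.
function walkPackages(packages, name, out) {
  for (const [key, node] of Object.entries(packages || {})) {
    if (key === '') continue;
    const parts = key.split('node_modules/').filter(Boolean).map(p => p.replace(/\/$/, ''));
    if (parts[parts.length - 1] === name) out.push({ path: parts.join(' > '), version: node.version });
  }
}

// All installed copies of `name`, nearest-to-root first for v1.
function findCopies(lock, name) {
  const out = [];
  if (lock.packages) walkPackages(lock.packages, name, out);
  else walkV1(lock.dependencies, [], name, out);
  return out;
}

// Copies still below the fixed version named in the alert.
function vulnerableCopies(lock, name, fixedVersion) {
  return findCopies(lock, name).filter(c => versionLessThan(c.version, fixedVersion));
}

// Human-readable summary; returns the lines so they can also be checked.
function report(lock, name, fixedVersion) {
  const copies = findCopies(lock, name);
  const lines = [`${name}: ${copies.length} installed cop${copies.length === 1 ? 'y' : 'ies'}`];
  for (const c of copies) {
    const status = versionLessThan(c.version, fixedVersion) ? `VULNERABLE (< ${fixedVersion})` : 'ok';
    lines.push(`  ${c.path} @ ${c.version}  ${status}`);
  }
  return lines;
}

// Constructed sample lock file for the example (resolved/integrity fields
// omitted). "legacy-tool" is a hypothetical package: the top-level url-parse
// has been updated to 1.4.3, but a second copy pinned by legacy-tool at 1.2.0
// is still installed underneath it.
const sampleLock = {
  name: 'demo-app',
  version: '1.0.0',
  lockfileVersion: 1,
  requires: true,
  dependencies: {
    'url-parse': { version: '1.4.3', requires: { querystringify: '^2.0.0', 'requires-port': '^1.0.0' } },
    querystringify: { version: '2.1.0' },
    'requires-port': { version: '1.0.0' },
    'legacy-tool': {
      version: '0.9.0',
      dev: true,
      requires: { 'url-parse': '~1.2.0' },
      dependencies: {
        'url-parse': { version: '1.2.0', requires: { querystringify: '^2.0.0', 'requires-port': '^1.0.0' } },
      },
    },
  },
};

// Real use: const lock = JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'));
console.log(report(sampleLock, 'url-parse', '1.4.3').join('\n'));
```

Against the constructed lock file the report lists two copies of url-parse: the top-level one at 1.4.3 (ok) and the nested one under legacy-tool at 1.2.0 (vulnerable). Run against a real project, replace sampleLock with the parsed contents of the project's package-lock.json; a copy that is reported as vulnerable is the one to chase, by finding which dependent requires it (the "requires" entry of its parent in the lock file) and updating or replacing that dependent.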