How to update a dependency in package-lock.json
I've received for the first time a notification from GitHub about a potential security issue (label: high-severity) with some of my project's dependencies. Here's the sample message:

url-parse vulnerability found in package-lock.json

And this is the proposed solution:

Upgrade url-parse to version 1.4.3 or later. For example:

"dependencies": {
  "url-parse": ">=1.4.3"
}

or…

"devDependencies": {
  "url-parse": ">=1.4.3"
}

Now, what I did was to simply check for any outdated packages by running npm outdated -g --depth=0 in my terminal as per the official documentation and execute the npm -g update command (I also tried targeting the dependency itself with npm update url-parse). A few packages were successfully updated, but it didn't seem to find the package causing the issue. Am I supposed to update it manually by adding the suggested line of code: "url-parse": ">=1.4.3"?

And finally, how much should I be concerned with such alerts?

Thank you!

Apiculture answered 2/11, 2018 at 9:28 Comment(0)

The easiest way to update it is probably to go into the package-lock.json file as you suggested and modify the old "version": "#.#.#" to be "version": ">=1.4.3" under the url-parse JSON object. I'd suggest COMMAND+F-ing the dependency name (CONTROL+F for the Windows users) since the package-lock.json file can easily be thousands of lines long, and once you find your dependency, changing the version number to what GitHub deems to be safe from the vulnerability.

I just created a new repo and I got a very similar message for the ws dependency, and after updating the version in the package-lock.json file manually I received this message after refreshing the GitHub alerts page:

No open alerts on ws were found in package-lock.json.
Alerts may have been resolved and deleted by recent pushes to this repository.

For reference, here's what it looked like for me before I updated the ws dependency:

"ws": {
  "version": "1.1.5",
  "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.5.tgz",
  "integrity": "sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==",
  "dev": true,
  "requires": {
    "options": ">=0.0.5",
    "ultron": "1.0.x"
  }
}

and after:

"ws": {
  "version": ">=3.3.1",
  "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.5.tgz",
  "integrity": "sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==",
  "dev": true,
  "requires": {
    "options": ">=0.0.5",
    "ultron": "1.0.x"
  }
}

You've probably already figured this out by now, as I see you posted this question almost a year ago, but leaving this here to help anyone in the future who comes across a similar issue.

Pomegranate answered 28/9, 2019 at 1:26 Comment(3)
"leaving this here to help anyone in the future who comes across a similar issue." That's the spirit!Undershrub
Sorry if this is a silly question, but won't this just get overwritten next time someone runs npm install?Snatch
I just tried doing a manual update and then running npm install, and it does indeed overwrite the manual change.Floreated

You don't need to edit the lock file by hand, just run:

npm install --package-lock-only url-parse

It should install the latest version of the package and update only the lock file.

For some unknown reason it also updates package.json, so you need:

git checkout package.json
Perk answered 14/3, 2020 at 12:13 Comment(3)
According to this that command only modifies package-lock.json without installing. Other than that, it behaves the same as npm i. So the fact it modifies package.json is totally expected, and it does not really install anything. No idea why you mention git checkout, either.Gametangium
Huh? What if package.json is the updated file and you want to run the project using that, but not package-lock.json? How do you change package-lock.json to reflect what's in package.json?Freedman
@JohnPitts ask another question. This is the answer to the question on how to update package-lock file.Perk

I tried both the accepted answer and the other answer, and neither worked.

I found this article by Ankur Kaushur, Updating a package's dependency in package-lock.json

Step 1. Run npm audit fix which will update most dependencies.

Step 2. If your security audit has found other issues that were not picked up in step 1, you can change the version numbers manually in package-lock.json and then run npm ci (this will retain your manual change).

If you get an error when running npm ci saying that your package.json and your lock file are out of sync, you can then run npm install and it still won't overwrite your manual change.

Floreated answered 4/1 at 15:20 Comment(4)
The content from your link is gone-- deleted.Freedman
What if package.json is updated by you, but package-lock.json is NOT updated? How do you get package-lock to reflect what you changed in package.json?Freedman
the article is still there.Floreated
"How do you get package-lock to reflect what you changed in package.json?" -- run npm install and it should update package-lock.jsonFloreated
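Two things on this page are worth checking mechanically before trusting a lock file. First, the hand edit in Pomegranate's answer changes "version" to a range while "resolved" and "integrity" still pin the old 1.1.5 tarball, so the entry is internally inconsistent even though the alert clears. Second, a lock file can hold several copies of the same package: the asker's npm outdated -g and npm -g update operate on globally installed packages rather than the project's lock file, and even a project-local npm update url-parse can leave a copy nested under some other dependency alone. The Node.js script below is an added example, not code from any of the posters or from npm. It reads a lock object in either the v1 layout (nested "dependencies") or the v2/v3 layout ("packages" keyed by install path), lists every installed copy of a named package, and reports each as ok, below the advisory's fixed version, carrying a range instead of an exact version, or disagreeing with the version in its resolved URL. The two sample lock files, the package name some-tool, the REG constant and the status labels are constructed for the example.

```javascript
// Added example (not code from the original post or from npm): audit a
// package-lock.json for a dependency that an advisory says must be >= a fixed
// version. Lockfile v1 nests copies under "dependencies"; v2/v3 key each
// installed copy by path under "packages". Both layouts are walked, so
// transitive copies that a top-level `npm update <name>` leaves alone are
// reported, and hand-edited entries are flagged when "version" is a range or
// disagrees with the tarball pinned in "resolved".

// Parse an exact version "1.4.3" or "1.4.3-beta.1"; returns null for ranges.
function parseExact(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Compare two exact versions (negative / zero / positive); "1.4.3-beta.1" < "1.4.3".
function compareVersions(a, b) {
  const pa = parseExact(a), pb = parseExact(b);
  if (!pa || !pb) throw new Error(`not an exact version: ${pa ? b : a}`);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Every installed copy of `name`, tagged with its node_modules path.
function findEntries(lock, name) {
  const found = [];
  if (lock.packages) {                       // lockfile v2/v3
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${name}`)) found.push({ path, ...entry });
    }
  } else if (lock.dependencies) {            // lockfile v1
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) found.push({ path, ...entry });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// One finding per copy: status ok | vulnerable | invalid-range | resolved-mismatch.
function auditLock(lock, name, fixedVersion) {
  return findEntries(lock, name).map((e) => {
    const finding = { path: e.path, version: e.version };
    // npm only writes exact versions here; a range means the file was hand-edited.
    if (!parseExact(e.version)) return { ...finding, status: 'invalid-range' };
    // What actually gets installed is the tarball in "resolved"; if its version
    // differs from "version", only one of the two fields was edited.
    const tarball = /-(\d+\.\d+\.\d+[^/]*)\.tgz$/.exec(e.resolved || '');
    if (tarball && parseExact(tarball[1]) && compareVersions(tarball[1], e.version) !== 0) {
      return { ...finding, status: 'resolved-mismatch', resolved: tarball[1] };
    }
    return { ...finding, status: compareVersions(e.version, fixedVersion) < 0 ? 'vulnerable' : 'ok' };
  });
}

// Constructed sample lockfiles (not from any real project). v1 layout: the
// top-level url-parse was updated, the copy nested under "some-tool" was not,
// and "ws" carries the hand-edited range from the first answer.
const REG = 'https://registry.npmjs.org';
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'url-parse': { version: '1.4.3', resolved: `${REG}/url-parse/-/url-parse-1.4.3.tgz` },
    'some-tool': {
      version: '2.0.0', resolved: `${REG}/some-tool/-/some-tool-2.0.0.tgz`,
      dependencies: {
        'url-parse': { version: '1.2.0', resolved: `${REG}/url-parse/-/url-parse-1.2.0.tgz` },
      },
    },
    ws: { version: '>=3.3.1', resolved: `${REG}/ws/-/ws-1.1.5.tgz`, dev: true },
  },
};
// v3 layout: same nested url-parse; "ws" edited to an exact safe version, old tarball kept.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/url-parse': { version: '1.4.3', resolved: `${REG}/url-parse/-/url-parse-1.4.3.tgz` },
    'node_modules/some-tool': { version: '2.0.0', resolved: `${REG}/some-tool/-/some-tool-2.0.0.tgz` },
    'node_modules/some-tool/node_modules/url-parse': { version: '1.2.0', resolved: `${REG}/url-parse/-/url-parse-1.2.0.tgz` },
    'node_modules/ws': { version: '3.3.1', resolved: `${REG}/ws/-/ws-1.1.5.tgz`, dev: true },
  },
};

// Minimum safe versions as quoted in the alerts on this page.
const ADVISORIES = { 'url-parse': '1.4.3', ws: '3.3.1' };
for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V3]) {
  console.log(`lockfileVersion ${lock.lockfileVersion}`);
  for (const [name, min] of Object.entries(ADVISORIES)) {
    for (const f of auditLock(lock, name, min)) console.log('  ', f);
  }
}
```

To run it against a real project, replace the sample objects with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). A finding of resolved-mismatch or invalid-range means the file was edited by hand and should be regenerated (npm install --package-lock-only url-parse@^1.4.3, as Perk's answer does, then npm ls url-parse to confirm which copies moved). A vulnerable finding on a nested path means the parent's declared range will not let that copy move; npm audit fix, from the last answer, or an overrides entry in package.json (npm 8.3 and later) is the usual way to force it.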

© 2022 - 2024 — McMap. All rights reserved.