yarn upgrade to fix yarn audit errors

The solution to this problem in yarn is called selective version resolutions, which is basically defining resolutions for the transitive dependencies in the package.json. The transitive dependencies are the dependencies of dependencies. { "resolutions": { "**/**/lodash": "^4.17.12" } } So here, even if lodash isn't a direct dependency of your package, the dependent package …

What does “npm audit fix” exactly do?

From NPM's site on their audit command: npm audit fix runs a full-fledged npm install under the hood. And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document: Have audit fix install semver-major updates to top-level dependencies, not just semver-compatible ones: $ npm audit fix --force As …

How to fix npm vulnerabilities manually?

lodash-cli in devDependencies doesn't affect how browser-sync works in your project; devDependencies are ignored when a package is installed as a dependency. What the audit report says is that it's easy-extender that has the lodash dependency: browser-sync > easy-extender > lodash It depends on Lodash 3, while the problem was fixed in Lodash 4. The problem could …
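The three answers above share one underlying question: can the fixed version be reached by a semver-compatible upgrade (what `npm audit fix` and `yarn upgrade` do by default), or does it fall outside the range the dependent package declares, so that `npm audit fix --force` or a yarn `resolutions` entry is needed? The script below is an added illustration written for this page, not code from any of the answers, npm, or yarn. It implements only exact versions and caret (`^x.y.z`) ranges; the sample range `^3.10.1` for easy-extender's lodash dependency and the fixed version `4.17.12` are constructed inputs.

```javascript
// Added example (not from the answers above, npm, or yarn): decide whether
// an audit finding is fixable within the declared semver range, and build
// the yarn "resolutions" key for a transitive dependency path.
// Assumption: only exact versions and caret ranges (^x.y.z) are handled.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's caret rule:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Does `version` satisfy `range`? Caret ranges are inclusive at the bottom
// and exclusive at the computed upper bound; anything else is an exact match.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const lo = parseVersion(range.slice(1));
    return compare(v, lo) >= 0 && compare(v, caretUpperBound(lo)) < 0;
  }
  return compare(v, parseVersion(range)) === 0;
}

// Classify an audit finding. `declaredRange` is what the dependent package
// (here easy-extender) asks for; `fixedIn` is the first safe version.
function classifyFix(declaredRange, fixedIn) {
  return satisfies(declaredRange, fixedIn)
    ? 'semver-compatible: npm audit fix / yarn upgrade will pick it up'
    : 'semver-major: needs npm audit fix --force or a yarn resolutions entry';
}

// Build a yarn "resolutions" entry for a dependency path such as
// "browser-sync > easy-extender > lodash". The key pins only that path;
// "**/lodash" would instead override every copy of lodash in the tree.
function resolutionFor(path, fixedIn) {
  const chain = path.split('>').map(s => s.trim());
  return { [chain.join('/')]: `^${fixedIn}` };
}

// Constructed sample inputs modelled on the audit path in the answer above.
const declared = '^3.10.1';   // assumed range easy-extender declares for lodash
const fixedIn = '4.17.12';    // version the audit reports as fixed
console.log(classifyFix(declared, fixedIn));
console.log(JSON.stringify({ resolutions: resolutionFor('browser-sync > easy-extender > lodash', fixedIn) }, null, 2));
```

Run with `node`: the Lodash 3 range cannot reach 4.17.12, so the finding is reported as semver-major, and the printed `resolutions` object is what you would merge into package.json before re-running `yarn install`, then `yarn audit` to confirm the path is gone. The same check explains why `npm audit fix` without `--force` leaves the finding in place.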