
Vulnerable dependencies in JS

Junha Yang(양준하) edited this page Jul 20, 2020 · 1 revision

Read the security alerts

  1. Go to the "Security" tab of the GitHub repository.
  2. Click the "Alerts" menu in the left sidebar.

Update inner vulnerable dependency in the yarn.lock file

If the vulnerable dependency is transitive (not listed in the package.json file, but pulled in by another dependency), follow the steps below.

  1. Run yarn upgrade <package name> so that yarn.lock resolves the package to a patched version.

Update vulnerable package in package.json file

  1. Try updating the library's minor version in the package.json file.
  2. If the library needs a major version update, please discuss it with the other team members first.

Tip

To inspect the dependency graph and see which dependency pulls in a package, use the yarn why and npm ls commands.

Try yarn why <package name> and npm ls <package name>.
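The two procedures above (fixing a transitive dependency in yarn.lock, and confirming the fix) boil down to one question: which resolved versions of a package does the lockfile still contain, and are any of them below the first patched release named in the alert? The script below answers that without needing yarn or npm installed. It is an added example for this page, not part of the project's code: the yarn.lock content in SAMPLE_LOCK is constructed, and the package name lodash and the version 4.17.12 are illustrative inputs, not a statement about any real advisory. It only understands the yarn lockfile v1 format shown in the sample.

```shell
#!/bin/sh
# Added example (not project code): list the resolved versions of one package in a
# yarn.lock (v1 format) and flag those below the first fixed release from a security alert.

# Constructed sample lockfile: two different resolutions of "lodash", one pulled in
# transitively by a (fictional) scoped helper package. Versions are illustrative only.
SAMPLE_LOCK='# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/helper@^1.0.0":
  version "1.0.3"
  resolved "https://registry.example/helper-1.0.3.tgz"
  dependencies:
    lodash "^3.10.0"

lodash@^3.10.0:
  version "3.10.1"
  resolved "https://registry.example/lodash-3.10.1.tgz"

lodash@^4.17.4, lodash@^4.17.11:
  version "4.17.11"
  resolved "https://registry.example/lodash-4.17.11.tgz"
'

# lock_versions PKG: read a yarn.lock on stdin and print every resolved version of PKG, one per line.
lock_versions() {
  awk -v pkg="$1" '
    # An entry header is an unindented line ending in ":" whose key (optionally quoted) starts with PKG@.
    /^[^ ].*:$/ { key = $0; sub(/^"/, "", key); inpkg = (index(key, pkg "@") == 1) }
    # The first indented "version" line inside a matching entry is the resolved version.
    inpkg && /^  version / { gsub(/"/, "", $2); print $2; inpkg = 0 }
  '
}

# semver_lt A B: succeed when version A is lower than version B.
# Compares the numeric major.minor.patch parts; pre-release suffixes are ignored.
semver_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/-.*/, "", a); sub(/-.*/, "", b)
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1   # equal versions are not "lower"
  }'
}

# vulnerable_versions PKG FIXED: read a yarn.lock on stdin and print the resolved versions
# of PKG that are still below FIXED (the first patched release named in the alert).
vulnerable_versions() {
  lock_versions "$1" | while IFS= read -r v; do
    if semver_lt "$v" "$2"; then printf '%s\n' "$v"; fi
  done
}

# check_sample PKG FIXED: run the check against the constructed lockfile.
# For a real repository, replace SAMPLE_LOCK with: vulnerable_versions PKG FIXED < yarn.lock
check_sample() {
  printf '%s' "$SAMPLE_LOCK" | vulnerable_versions "$1" "$2"
}

# Example run: both resolutions of lodash in the sample are below the (illustrative) fixed release.
check_sample lodash 4.17.12
```

If the output is empty after running yarn upgrade <package name>, the lockfile no longer carries an affected version and the GitHub alert should close on the next push; if a version remains, yarn why <package name> shows which dependency still pins it.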