This little guide describes what to do when:
- You see a vulnerability warning for a package, and
- The package has already been fixed, and a patch version has been released.
- Delete all lock files
- Delete `node_modules`
- Reinstall
If you directly depend on the patched library
You shouldn't need to do anything else. When a library is patched, every package that depends on it picks up the patched version automatically, unless the version was locked. So make sure the version isn't locked (pinned to an exact version rather than a range) in `package.json` when you reinstall, and you should get the patch.
If you indirectly depend on the patched library
You might not need to do anything else, for the same reasons as when you depend on the library directly. However, if an intermediate dependency `foo` depends on a locked version of the patched library, you will need to ask the maintainers of `foo` to update the version in that project's `package.json` so that you can get the fix.
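As an added example (not part of this guide), here is a small Node.js script that tells you whether a dependency spec in a `package.json`, yours for the direct case or the intermediate package's in `node_modules/foo/` for the indirect case, can pick up a patched release or is pinned and will keep you on the old one. The manifest contents, package names and version numbers are constructed for illustration.

```javascript
// Constructed sample manifest (not from the guide): "foo" is pinned to an
// exact version, "bar" uses a caret range, "baz" a tilde range.
const sampleManifest = {
  dependencies: { foo: "1.2.3", bar: "^2.0.1" },
  devDependencies: { baz: "~3.4.0" },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Does a single spec ("1.2.3", "~1.2.3" or "^1.2.3") admit the patched version?
// Returns "allowed", "pinned" (the spec can never resolve to it) or
// "unrecognised" (wildcards, ">=" ranges, git URLs: check those by hand).
function specAllows(spec, patched) {
  const p = parseVersion(patched);
  const m = /^([~^]?)(\d+)\.(\d+)\.(\d+)$/.exec(spec);
  if (!m) return "unrecognised";
  const base = m.slice(2).map(Number);
  if (compare(p, base) < 0) return "pinned";                      // patch is below the floor
  let ok;
  if (m[1] === "") ok = compare(p, base) === 0;                    // exact pin
  else if (m[1] === "~") ok = p[0] === base[0] && p[1] === base[1]; // tilde: same major.minor
  else if (base[0] > 0) ok = p[0] === base[0];                     // caret: same major
  else if (base[1] > 0) ok = p[0] === 0 && p[1] === base[1];       // ^0.x.y: same minor
  else ok = compare(p, base) === 0;                                // ^0.0.z: exact
  return ok ? "allowed" : "pinned";
}

// Look a dependency up in a parsed package.json and report the verdict.
function checkManifest(manifest, name, patched) {
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const spec = manifest[field] && manifest[field][name];
    if (spec !== undefined) return { field, spec, verdict: specAllows(spec, patched) };
  }
  return { field: null, spec: null, verdict: "not-a-dependency" };
}

for (const [name, patched] of [["foo", "1.2.4"], ["bar", "2.0.5"], ["baz", "3.5.0"]]) {
  console.log(name, checkManifest(sampleManifest, name, patched));
}
```

A "pinned" verdict on your own manifest means relaxing the spec before you reinstall; on an intermediate package's manifest it means the fix has to come from that package's maintainers.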
Please always check for existing open and/or closed issues on a repository before you create a new one.
Happy patching!