how to update package-lock.json dependencies

With my project hosted on GitHub, I have been getting a lot of emails from Dependabot about packages that may have security flaws, along with suggestions to upgrade their versions.

Checking your dependencies is easy from the command line: run the following. Alternatively, open your repository on GitHub and check the Dependabot vulnerabilities (under the Security tab).

npm audit


After finding the vulnerabilities, the first method is the quick and dirty way to fix things. This worked for about 90% of my Dependabot vulnerabilities.

npm audit fix

or

npm audit fix --force

Be careful with the “--force” parameter. It lets npm audit fix install semver-major updates of your top-level dependencies, which can include breaking API changes, so it can really break things for you if you don’t know what you are doing.

I usually stick with the “npm audit fix” method, then update the remaining packages manually. To update a package manually, reinstall the top-level package that pulls it in:

npm i [parent package name]

To find that parent package, run this:

npm ls [package name]

This prints a dependency tree showing which installed package pulls in the vulnerable one; the top-level entry of each branch is the parent package to reinstall.

After this, test your app, push to GitHub, refresh the Dependabot page to verify (or wait for the automated emails if you signed up for those), publish your project, and enjoy knowing your app is free of the reported vulnerabilities.
