How to Remove NPM Package Vulnerabilities

To discover how many vulnerabilities are in your project or application, just run 'npm audit'. (If you use something like Nexus as a package proxy and your DevOps team hasn't set it up to handle audit requests, you may need to temporarily comment out the registry setting in your .npmrc file so that npm audit can reach the public registry.)

You will then see the number of Low, Moderate and High vulnerabilities. Run 'npm audit fix' to try to fix many of the listed issues automatically. It may also suggest running 'npm audit fix --force' to force-fix the issues it thinks would introduce breaking changes. So far I usually find that running with --force updated Webpack to version 5, and reverting it back to 4 solved a lot of my issues after the force. But be warned: using --force can break your application.

Some of the vulnerabilities listed cannot be solved with --force. Usually these are caused by child packages used inside one of your dependencies. For example, sass-lint depends on the merge package, which has known issues.

The audit output shows that merge is patched in versions >=2.1.1, but we can't simply bump it in our own package.json, because it is a child dependency of another package rather than something we depend on directly.

How to Resolve

1. First, add the patched version of the package to the project as a dev dependency: 'npm i --save-dev merge@2.1.1'.

2. Install the npm-force-resolutions package: 'npm i --save-dev npm-force-resolutions'.

3. Add a resolutions section to your package.json like this:

"resolutions": {
    "merge": "2.1.1"
}

You will also need to add a preinstall script to the scripts section of your package.json, like this:

"preinstall": "npx npm-force-resolutions"

After this, run 'npm i' again so the preinstall hook applies the resolutions. Then run 'npm audit' and the vulnerability should no longer appear in the list.
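To see which of the reported vulnerabilities are the child-package kind described above, and what the matching resolutions entry would be, here is an added example script (not code from the original post or from npm-force-resolutions). It reads the JSON that 'npm audit --json' prints on npm 7 and later (the isDirect, via, effects and range fields), follows each vulnerable child package up to the direct dependency that pulls it in, and derives the pin for simple "<x.y.z" ranges; the sampleAudit document is constructed for the example and stands in for the real audit output.

```javascript
// Added example, not the post's code. Input is the npm 7+ `npm audit --json`
// shape (isDirect, via, effects, range); the audit document is constructed.
const sampleAudit = {
  vulnerabilities: {
    merge: {
      name: "merge", severity: "high", isDirect: false, range: "<2.1.1",
      via: [{ source: 1, name: "merge", title: "Prototype pollution", range: "<2.1.1" }],
      effects: ["sass-lint"], fixAvailable: false,
    },
    "sass-lint": {
      name: "sass-lint", severity: "high", isDirect: true, range: "*",
      via: ["merge"], effects: [], fixAvailable: false,
    },
  },
};

// Follow `effects` upwards until we reach packages listed in package.json,
// so the reader knows which direct dependency drags the child package in.
function directParents(vulns, name, seen = new Set()) {
  const entry = vulns[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  if (entry.isDirect) return [name];
  return entry.effects.flatMap((e) => directParents(vulns, e, seen));
}

// For a plain "<x.y.z" vulnerable range the first patched version is x.y.z;
// anything more complex returns null and must be read off the advisory.
function firstPatched(range) {
  const m = /^<(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? m[1] : null;
}

// Vulnerabilities in child packages: not a direct dependency, and carrying an
// advisory of their own (an object in `via`; a string just names another package).
function transitiveVulnerabilities(audit) {
  const vulns = audit.vulnerabilities;
  return Object.values(vulns)
    .filter((v) => !v.isDirect && v.via.some((x) => typeof x === "object" && x !== null))
    .map((v) => ({
      name: v.name, severity: v.severity, range: v.range,
      pulledInBy: [...new Set(directParents(vulns, v.name))],
      resolution: firstPatched(v.range),
    }));
}
// The "resolutions" object for package.json, built from the findings above.
function buildResolutions(findings) {
  return Object.fromEntries(
    findings.filter((f) => f.resolution).map((f) => [f.name, f.resolution]));
}
```

Run it against the real output with 'npm audit --json > audit.json' and JSON.parse the file in place of sampleAudit; any finding whose resolution is null needs its patched version looked up by hand.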