🔧 Fixing High and Critical Vulnerabilities in npm Using npm audit


Section: Programming
Source: dev.to

Introduction

As a developer, keeping your project dependencies up to date is crucial for maintaining security and performance. The npm audit command helps identify security vulnerabilities in your project dependencies, categorizing them as low, moderate, high, or critical. In this post, we will go through how to fix high and critical vulnerabilities and how to handle outdated packages that no longer receive security updates.

Running npm audit

To check for vulnerabilities in your project, run the following command:

npm audit

This will generate a report listing all vulnerabilities along with their severity levels. If you find high or critical vulnerabilities, you need to take immediate action.

Understanding npm audit Output

The audit report consists of different sections, such as:

  • Advisory ID – Unique ID assigned to a vulnerability.
  • Module Name – The package containing the vulnerability.
  • Vulnerable Versions – Affected versions of the package.
  • Patched Versions – The versions where the vulnerability is fixed.
  • Dependency Path – Shows how the package is included in your project.

Understanding these details helps you make informed decisions when fixing vulnerabilities.

Fixing Vulnerabilities Automatically

In many cases, you can fix vulnerabilities automatically using the following command:

npm audit fix --force

Warning: Using --force can lead to major version upgrades that may break your application. Ensure you test your project thoroughly after applying this command.

Manually Upgrading Packages

If vulnerabilities persist, you may need to manually update specific packages. To check which versions are available, use:

npm outdated

Then, upgrade a package to its latest version using:

npm install package-name@latest

For example:

npm install lodash@latest

If a package has a major version update, read the changelog and test before upgrading.

Overriding Deprecated or Unsupported Packages

Sometimes, a package may no longer receive security updates, but other dependencies still rely on it. In such cases, you can use overrides in your package.json file.

Add the following section to package.json:

"overrides": {
  "vulnerable-package": "patched-version"
}

For example:

"overrides": {
  "node-forge": "1.3.1"
}

Then, reinstall dependencies:

npm install

Using npx npm-check-updates for Bulk Upgrades

To upgrade all dependencies to their latest versions, you can use the npm-check-updates package (run through npx). Install it globally with:

npm install -g npm-check-updates

Then, check outdated dependencies:

npx npm-check-updates

To update all packages in package.json:

npx npm-check-updates -u

After updating, reinstall dependencies:

npm install

Checking Security After Fixing

Once you've applied fixes, rerun npm audit to verify that all vulnerabilities have been resolved:

npm audit

If no critical or high vulnerabilities remain, your project is now more secure.

Best Practices for Keeping Dependencies Secure

  1. Regularly update dependencies – Schedule periodic updates to keep your project secure.
  2. Use semantic versioning (^ or ~) carefully – Ensure you allow minor and patch updates while preventing breaking changes.
  3. Monitor security advisories – Subscribe to npm security advisories or use GitHub’s Dependabot to automate security updates.
  4. Use alternative packages – If a package is no longer maintained, consider switching to a well-maintained alternative.
  5. Run security audits in CI/CD – Integrate npm audit into your continuous integration workflow to catch vulnerabilities early.
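The re-check after fixing and the CI/CD audit from the list above can be combined into one gate. The following is an added example, not code from the original post: a Node script that reads the JSON form of the report (`npm audit --json`, report version 2) and fails when anything high or critical remains, while telling you which findings `npm audit fix` can resolve without `--force`. The report below is constructed; its package names and advisory titles are made up.

```javascript
// Added example: CI gate over `npm audit --json` output (npm 7+, auditReportVersion 2).
// Fails on high/critical findings and classifies each fix by the `fixAvailable` field,
// so you know which ones need the semver-major `npm audit fix --force` path.
// With a real project: npm audit --json > audit.json, then JSON.parse that file instead of SAMPLE_REPORT.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// How a vulnerable package can be fixed, derived from npm's `fixAvailable` value:
// true = non-breaking fix, object = fix via the named version (isSemVerMajor needs --force), false = none.
function classifyFix(vuln) {
  const fix = vuln.fixAvailable;
  if (fix === true) return 'npm audit fix';
  if (fix && fix.isSemVerMajor) return `npm audit fix --force (${fix.name}@${fix.version}, semver-major)`;
  if (fix && typeof fix === 'object') return `npm audit fix (${fix.name}@${fix.version})`;
  return 'no fix available: consider overrides or an alternative package';
}

// Returns { failed, findings }: findings are packages at or above `threshold`, most severe first.
function gateAudit(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  const findings = Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // Object entries in `via` are advisories; string entries name the dependency that pulls it in.
      advisories: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.title),
      remedy: classifyFix(v),
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { failed: findings.length > 0, findings };
}

// Constructed sample in the shape npm emits; names, titles and ranges are invented for illustration.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'sample-parser': { name: 'sample-parser', severity: 'critical', isDirect: false,
      via: [{ name: 'sample-parser', title: 'Constructed advisory A', severity: 'critical', range: '<2.0.0' }],
      effects: ['sample-cli'], range: '<2.0.0', fixAvailable: { name: 'sample-cli', version: '5.0.0', isSemVerMajor: true } },
    'sample-cli': { name: 'sample-cli', severity: 'critical', isDirect: true,
      via: ['sample-parser'], effects: [], range: '<=4.2.0', fixAvailable: { name: 'sample-cli', version: '5.0.0', isSemVerMajor: true } },
    'sample-logger': { name: 'sample-logger', severity: 'high', isDirect: true,
      via: [{ name: 'sample-logger', title: 'Constructed advisory B', severity: 'high', range: '<1.4.2' }],
      effects: [], range: '<1.4.2', fixAvailable: true },
    'sample-util': { name: 'sample-util', severity: 'moderate', isDirect: true,
      via: [{ name: 'sample-util', title: 'Constructed advisory C', severity: 'moderate', range: '*' }],
      effects: [], range: '*', fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 2, total: 4 } },
};

const result = gateAudit(SAMPLE_REPORT);
for (const f of result.findings) console.log(`${f.severity.padEnd(8)} ${f.name}${f.direct ? '' : ' (transitive)'} -> ${f.remedy}`);
console.log(result.failed ? 'FAIL: high/critical vulnerabilities remain' : 'PASS: no high/critical vulnerabilities');
```

In a pipeline, exit non-zero when `failed` is true; the moderate finding is reported only if you lower the threshold, matching the post's focus on high and critical.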

Conclusion

Security vulnerabilities in npm packages can put your project at risk. By using npm audit, upgrading dependencies, and applying overrides where necessary, you can ensure your application remains secure. Make it a habit to check for vulnerabilities regularly and update dependencies responsibly.
