How to update a dependency in package-lock.json
The easiest way to update it is probably to go into the package-lock.json file as you suggested and modify the old "version": "#.#.#" to be "version": ">=1.4.3" under the url-parse JSON object. I'd suggest COMMAND+F-ing the dependency name (CONTROL+F for the Windows users) since the package-lock.json file can easily be thousands of lines long, and once you find your dependency, changing the version number to what GitHub deems to be safe from the vulnerability.
I just created a new repo and I got a very similar message for the ws dependency, and after updating the version in the package-lock.json file manually I received this message after refreshing the GitHub alerts page:
No open alerts on ws were found in package-lock.json.
Alerts may have been resolved and deleted by recent pushes to this repository.
For reference, here's what it looked like for me before I updated the ws dependency:
"ws": {
  "version": "1.1.5",
  "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.5.tgz",
  "integrity": "sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==",
  "dev": true,
  "requires": {
    "options": ">=0.0.5",
    "ultron": "1.0.x"
  }
}
and after:
"ws": {
  "version": ">=3.3.1",
  "resolved": "https://registry.npmjs.org/ws/-/ws-1.1.5.tgz",
  "integrity": "sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==",
  "dev": true,
  "requires": {
    "options": ">=0.0.5",
    "ultron": "1.0.x"
  }
}
You've probably already figured this out by now, as I see you posted this question almost a year ago, but leaving this here to help anyone in the future who comes across a similar issue.
You don't need to edit the lock file by hand; just run:
npm install --package-lock-only url-parse
It should install the latest version of the package and update only the lock file.
For some unknown reason it also updates package.json, so you need:
git checkout package.json
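A consistency check written for this page as an added example, not code from either answer or from npm: it walks a package-lock.json and reports entries whose "version" is a range rather than an exact version, whose "version" disagrees with the tarball named in "resolved", or whose integrity hash is missing. npm installs the tarball in "resolved" and verifies it against "integrity", so an entry is only really updated when all three agree. The sample lock, the url-parse and querystringify entries and their placeholder hashes are constructed for the example; the ws entry is the hand-edited "after" entry shown in the first answer. It handles both the lockfile v1 layout on this page (nested "dependencies") and the v2/v3 "packages" map.

```javascript
// Added example: consistency check for package-lock.json entries (not npm's own code).
// Assumes lockfile v1 ("dependencies" tree) or v2/v3 ("packages" keyed by node_modules path).
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const INTEGRITY = /^sha(?:256|384|512)-[A-Za-z0-9+/]+=*$/;
const TARBALL_VERSION = /-(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)\.tgz$/;

// Returns the list of problems for one lock entry (empty when the entry is consistent).
function checkEntry(entry) {
  const problems = [];
  const version = entry.version;
  if (typeof version !== 'string' || !EXACT_VERSION.test(version)) {
    problems.push(`version "${version}" is a range, not an exact version`);
  }
  if (typeof entry.resolved === 'string') {
    // npm fetches the tarball named in "resolved", so its version must agree with "version".
    const m = entry.resolved.match(TARBALL_VERSION);
    if (!m) {
      problems.push(`resolved "${entry.resolved}" is not a registry tarball; review by hand`);
    } else if (m[1] !== version) {
      problems.push(`resolved tarball is ${m[1]} but version says ${version}`);
    }
    if (!INTEGRITY.test(entry.integrity || '')) {
      problems.push('missing or malformed integrity hash');
    }
  } else if (!entry.link && !entry.bundled) {
    problems.push('no resolved URL');
  }
  return problems;
}

// Yields [displayName, entry] for every dependency entry in the lock file.
function* lockEntries(lock) {
  if (lock.packages) {
    // v2/v3: keys look like "node_modules/a/node_modules/b"; "" is the project itself.
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === '') continue;
      const parts = p.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
      yield [parts.join(' > '), entry];
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      yield [prefix + name, entry];
      yield* walk(entry.dependencies, `${prefix}${name} > `);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Returns { displayName: [problems...] } for every entry with at least one problem.
function checkLock(lock) {
  const findings = {};
  for (const [name, entry] of lockEntries(lock)) {
    const problems = checkEntry(entry);
    if (problems.length) findings[name] = problems;
  }
  return findings;
}

// Constructed sample lock (v1 layout). "ws" is the hand-edited entry from the first answer;
// "url-parse" and the nested "querystringify" are made up, with a placeholder hash.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    ws: {
      version: '>=3.3.1',
      resolved: 'https://registry.npmjs.org/ws/-/ws-1.1.5.tgz',
      integrity: 'sha512-o3KqipXNUdS7wpQzBHSe180lBGO60SoK0yVo3CYJgb2MkobuWuBX6dhkYP5ORCLd55y+SaflMOV5fqAB53ux4w==',
      dev: true,
      requires: { options: '>=0.0.5', ultron: '1.0.x' },
    },
    'url-parse': {
      version: '1.4.3',
      resolved: 'https://registry.npmjs.org/url-parse/-/url-parse-1.4.3.tgz',
      integrity: 'sha512-CONSTRUCTEDplaceholderNOTaREALhash0123456789+/AAAA==', // constructed placeholder
      dependencies: {
        querystringify: {
          version: '2.1.1',
          resolved: 'https://registry.npmjs.org/querystringify/-/querystringify-2.1.1.tgz',
          // integrity deliberately omitted to show that finding
        },
      },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, problems] of Object.entries(checkLock(SAMPLE_LOCK))) {
    console.log(`${name}:\n  ${problems.join('\n  ')}`);
  }
}
```

Pointing checkLock at a real lock (JSON.parse of the file) after either approach above is a quick way to confirm that the entry's version, resolved URL and integrity all moved together; an entry where only the version string changed will show up with the same two findings the sample ws entry produces.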