How To Resolve Vulnerable NPM Transitive Dependency

This article demonstrates the steps to resolve a vulnerable npm transitive dependency: a dependency that your project does not use directly, but that is pulled in by another third-party component.

In most cases you control the versions of your direct dependencies by updating the manifest file, package.json. However, when you are already on the latest version of a direct dependency, fixing a vulnerable transitive dependency is not always straightforward.

Force install transitive dependency version

This approach uses npm-force-resolutions (https://www.npmjs.com/package/npm-force-resolutions) to force a specific version of a transitive dependency to be installed.

  1. Install npm-force-resolutions by running npm install npm-force-resolutions

  2. Add a resolutions field to package.json with the transitive dependency version that you want installed. For example, the vulnerable package http-proxy 1.11.1 is introduced by the direct dependency cors-anywhere 0.4.4; to fix this, we add a resolution for the latest version, http-proxy 1.18.1:

  "dependencies": {
    "cors-anywhere": "^0.4.4",
    "npm-force-resolutions": "0.0.10"
  },
  "resolutions": {
    "http-proxy": "1.18.1"
  }

  3. Add the following preinstall script to package.json:

  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },

  4. Run npm install to update the dependencies.
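After step 4, it is worth confirming that the forced version actually reached every copy of the package in the installed tree, since npm-force-resolutions works by rewriting package-lock.json. The following check is an added example (not from the original article or from npm-force-resolutions itself): it walks the lockfile's packages map and reports any copy of a pinned package that is still older than its resolution; the lockfile contents and node_modules paths below are constructed sample data.

```javascript
// Added example: verify that every copy of a package listed under "resolutions"
// in package-lock.json carries the pinned version. Runs offline on a constructed
// lockfileVersion 2 "packages" map (keys are node_modules paths); no semver package.

const PINNED = { "http-proxy": "1.18.1" }; // the "resolutions" field from package.json

// Constructed sample of package-lock.json entries. The nested copy under cors-anywhere
// is what an unapplied resolution looks like: the vulnerable 1.11.1 is still installed.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/cors-anywhere": { version: "0.4.4" },
    "node_modules/http-proxy": { version: "1.18.1" },
    "node_modules/cors-anywhere/node_modules/http-proxy": { version: "1.11.1" },
  },
};

// Compare two dotted numeric versions; returns -1, 0 or 1 (pre-release tags not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package name is everything after the last "node_modules/" (keeps @scope/name intact).
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Return every lockfile entry whose installed version is older than its pinned resolution.
function findUnresolved(lock, pinned) {
  const problems = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (name in pinned && entry.version && compareVersions(entry.version, pinned[name]) < 0) {
      problems.push({ path: lockPath, installed: entry.version, expected: pinned[name] });
    }
  }
  return problems;
}
```

For a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json")) and PINNED with the resolutions object from package.json; an empty result means every copy is at or above the pinned version.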
