@ascott1
Created April 6, 2016 14:46
Show me the code! Do you prefer seeing how something works instead of instructions? If so, check out this pull request to the Amortize module. Each instruction below lives as its own commit. cfpb/amortize#11

1. Add an .npmrc file.

The contents of the file should be:

save-exact=true

This will ensure that all new dependencies are installed at the exact version number, ensuring that incremental version changes are intentional.

2. Pin existing dependencies

Pin all project dependencies in the package.json. npm's default behavior is to download incremental updates to packages. By removing ~ or ^ from a dependency's version number in the package.json we are able to ensure that we're always using the same version of the package.

Example of pinned dependencies:

"dependencies": {
    "backbone": "1.0.0",
    "jquery": "1.11.3",
    "underscore": "1.4.4"
}
 

3. Run npm shrinkwrap

Run npm shrinkwrap in the root of your project. This will not only pin your direct dependencies but do the same for their dependencies. This ensures that the project uses the same dependency versions in all environments. Running this command will produce an npm-shrinkwrap.json file.

4. Set up Snyk

First, install snyk globally on your machine and then run Snyk's wizard from the root of your project's directory:

npm install -g snyk
snyk wizard

Snyk will walk you through updating vulnerable dependencies and ask if you want to add snyk test to your package.json; reply yes. If npm test isn't run automatically as part of your project build step, be sure to add it so that snyk test runs as part of the Travis and Jenkins build process.

Note: For a project with some out of date dependencies, I had to run this a couple of times to get everything passing.

I would recommend adding .snyk to your .gitignore as I don't think that there's a need for it being checked into source control.
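As an added example (not part of the original gist or the Amortize project), here is a small Node.js check for steps 1 and 2 above: it reports every dependency whose version specifier is not an exact release, and confirms that .npmrc sets save-exact=true. The package.json and .npmrc contents below are constructed sample input.

```javascript
// Added check for pinned dependencies (example code, not from the gist).
// Assumes Node.js; sample package.json and .npmrc contents are constructed.

// A pinned version is exactly MAJOR.MINOR.PATCH, optionally with a
// prerelease/build suffix such as 1.2.3-beta.1. Anything else (^, ~, >=,
// x, *, ||, dist-tags, git or URL specifiers) is treated as unpinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Returns {field, name, spec} for every unpinned entry across the
// dependency fields that npm install resolves.
function findUnpinned(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const unpinned = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isPinned(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Parses ini-style .npmrc lines and reports whether save-exact is enabled.
function hasSaveExact(npmrcText) {
  return npmrcText.split(/\r?\n/).some((line) => {
    const m = line.trim().match(/^save-exact\s*=\s*(\S+)/i);
    return m !== null && m[1].toLowerCase() === 'true';
  });
}

// Constructed sample input mixing pinned and range specifiers.
const samplePkg = {
  dependencies: { backbone: '1.0.0', jquery: '^1.11.3', underscore: '~1.4.4' },
  devDependencies: { mocha: '2.4.5', chai: '*' },
};
const sampleNpmrc = '# npm settings\nsave-exact=true\n';

// Builds a human-readable report; returns it so it can be checked or printed.
function report(pkg, npmrcText) {
  const lines = findUnpinned(pkg).map((p) => `${p.field}: ${p.name}@${p.spec} is not pinned`);
  lines.push(`save-exact enabled: ${hasSaveExact(npmrcText)}`);
  return lines;
}

console.log(report(samplePkg, sampleNpmrc).join('\n'));
```

Point the functions at the real files (JSON.parse of package.json and the text of .npmrc) and fail the build when findUnpinned returns anything.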
