How to get the latest patch
This short guide describes what to do when:
- You see a vulnerability warning for a package, and
- The package has already been fixed and a patched version has been released.
Delete all lock files
Lock files (package-lock.json, npm-shrinkwrap.json, yarn.lock) pin every dependency, transitive ones included, to the exact version that was installed last time. Until the lock file is removed or regenerated, a reinstall keeps handing you the vulnerable version. Note that deleting the lock file re-resolves every dependency, not only the patched one, so review the diff of the regenerated file before you commit it.
If you directly depend on the patched library
You usually don't need to do anything else. The patched version is picked up on reinstall as long as the version range in your package.json allows it (for example "^1.2.0" or "~1.2.0" for a 1.2.x patch release). An exact version ("1.2.0") or a range that excludes the patch release keeps you on the vulnerable version. Check the entry in package.json before you reinstall, widen it if necessary, and you should get the patch. Confirm with npm ls <package> afterwards, which prints every installed copy and the path that pulls it in.
If you indirectly depend on the patched library
You might not need to do anything else, for the same reasons as for a direct dependency. However, if an intermediate dependency foo pins the patched library to an exact version, or to a range that excludes the patch release, a vulnerable copy stays installed nested under foo even after you delete the lock file; npm ls <package> shows which path is responsible. In that case you will need to ask the maintainers of foo to update the version in the package.json of that project so that you can get the fix. Until they do, the package manager's override mechanism (overrides in package.json for npm 8.3 and later, resolutions for Yarn) can force the patched version onto foo, but only use it if foo actually works with the newer release.
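The checks described in the two sections above, as an added example that is not part of this guide: given a package.json, a package-lock.json (lockfile version 2 or 3, which lists every installed copy under "packages" keyed by its path) and the patched version, the script reports whether your own range would admit the patch and which intermediate dependencies pin an older version. The package names example-lib and foo, the version numbers and both JSON documents are constructed for the example, and the semver support is deliberately a small subset (exact, ^, ~, >=, *) rather than the full grammar.

```javascript
// Added example, not project code. Tiny semver subset: enough for the
// common "does this range admit the patched version" question.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing a to b numerically per component.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Supported range forms: "1.2.3", "=1.2.3", "^1.2.3", "~1.2.3", ">=1.2.3", "*".
function rangeAllows(range, version) {
  const r = String(range).trim();
  if (r === '*' || r === '' || r === 'latest') return true;
  const m = /^(\^|~|>=|=)?\s*v?(\d+\.\d+\.\d+)$/.exec(r);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || '=';
  const base = m[2];
  const cmp = compareVersions(version, base);
  if (op === '=') return cmp === 0;
  if (cmp < 0) return false; // below the floor of the range
  if (op === '>=') return true;
  const [bMaj, bMin] = parseVersion(base);
  const [vMaj, vMin] = parseVersion(version);
  if (op === '^') {
    if (bMaj > 0) return vMaj === bMaj; // ^1.2.3 -> any 1.x.y >= 1.2.3
    if (bMin > 0) return vMaj === 0 && vMin === bMin; // ^0.2.3 -> 0.2.y >= 0.2.3
    return cmp === 0; // ^0.0.3 -> exactly 0.0.3
  }
  return vMaj === bMaj && vMin === bMin; // ~1.2.3 -> 1.2.y >= 1.2.3
}

// Every installed copy of `name`: the top-level one and any nested under
// an intermediate dependency ("node_modules/foo/node_modules/<name>").
function lockedCopies(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      out.push({ path, version: entry.version });
    }
  }
  return out;
}

function assess(pkgJson, lock, patched) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const direct = deps[patched.name];
  const report = {
    directRange: direct === undefined ? null : direct,
    directAllowsPatch: direct === undefined ? null : rangeAllows(direct, patched.version),
    vulnerableCopies: [],
    blockedBy: [],
  };
  for (const copy of lockedCopies(lock, patched.name)) {
    if (compareVersions(copy.version, patched.version) >= 0) continue;
    report.vulnerableCopies.push(copy);
    // A nested copy belongs to the package in front of it; that package's own
    // declared range decides whether a reinstall can pick up the patch.
    const parent = copy.path.replace(/\/node_modules\/[^/]+$/, '');
    if (parent === copy.path) continue; // top-level copy: your package.json decides
    const parentEntry = lock.packages[parent] || {};
    const range = (parentEntry.dependencies || {})[patched.name];
    if (range !== undefined && !rangeAllows(range, patched.version)) {
      report.blockedBy.push({ intermediate: parent.replace(/^.*node_modules\//, ''), range });
    }
  }
  return report;
}

// Constructed sample input: example-lib 2.4.1 is the patched release, we use
// ^2.3.0 directly, and foo pins example-lib to exactly 2.2.0.
const PATCHED = { name: 'example-lib', version: '2.4.1' };
const PACKAGE_JSON = { dependencies: { 'example-lib': '^2.3.0', foo: '^1.0.0' } };
const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: PACKAGE_JSON.dependencies },
    'node_modules/example-lib': { version: '2.3.0' },
    'node_modules/foo': { version: '1.0.0', dependencies: { 'example-lib': '2.2.0' } },
    'node_modules/foo/node_modules/example-lib': { version: '2.2.0' },
  },
};

const REPORT = assess(PACKAGE_JSON, PACKAGE_LOCK, PATCHED);
console.log(JSON.stringify(REPORT, null, 2));
```

For the sample input the report says the direct range ^2.3.0 admits 2.4.1, so deleting the lock file fixes the top-level copy, while the copy under foo is blocked by foo's exact pin "2.2.0" and needs the foo maintainers (or an override) to resolve.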
Before opening an issue asking for the update, always check the repository's existing open and closed issues; someone may already have requested it.