@jonschlinkert
Created June 19, 2019 17:37
The very brief guide to getting rid of NPM's annoying "vulnerability" messages for packages that have been patched.

How to get the latest patch

This little guide describes what to do when:

  1. You see a vulnerability warning for a package, and
  2. The package has already been fixed, and a patch version has been released.

TL;DR

  1. Delete all lock files
  2. Delete node_modules
  3. Reinstall

If you directly depend on the patched library

You shouldn't need to do anything else. When a library is patched, every package that depends on it picks up the patched version automatically on the next install, unless the version was locked. So make sure the version isn't locked (pinned to an exact version) in your package.json when you reinstall, and you should get the patch.

If you indirectly depend on the patched library

You might not need to do anything else, for the same reasons as if you directly depended on the library. However, if intermediate dependency foo depends on a locked version of the patched library, you will need to ask the maintainers of foo to update the version in the package.json of that project so that you can get the fix.
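The "locked version" distinction in the two sections above, as an added example that is not part of the original gist: a small Node script (no dependencies) that checks whether a package.json range can ever resolve to the patched release, and walks a package-lock.json `packages` map (lockfile v2/v3 layout) for nested copies that are still older than the patch. Package names, versions and the lockfile content are constructed for illustration; prerelease tags and x-ranges such as `1.x` are not handled.

```javascript
// Added example, not from the gist. Minimal semver logic for the forms that
// matter here: exact pins, ^ and ~ ranges, >=, and "*".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True if the package.json range lets npm pick `patched` on a fresh install.
// An exact version is what the gist calls "locked": it never moves.
function rangeAllows(range, patched) {
  const p = parseVersion(patched);
  const r = String(range).trim();
  if (r === '' || r === '*' || r === 'latest') return true;
  const [, op, base] = /^(\^|~|>=)?\s*(.+)$/.exec(r);
  const b = parseVersion(base);
  if (compareVersions(p, b) < 0) return false;            // below the floor
  if (op === '>=') return true;
  if (op === '~') return p[0] === b[0] && p[1] === b[1];   // same major.minor
  if (op === '^') {                                        // leftmost non-zero part fixed
    if (b[0] > 0) return p[0] === b[0];
    if (b[1] > 0) return p[0] === 0 && p[1] === b[1];
    return compareVersions(p, b) === 0;
  }
  return compareVersions(p, b) === 0;                      // exact pin
}

// List every installed copy of `name` in a lockfile (top level or nested
// under another dependency) that is still older than `patched`. Any hit
// after the reinstall means some intermediate dependency is holding it back.
function stalePins(lock, name, patched) {
  const p = parseVersion(patched);
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => meta.version && (path === suffix || path.endsWith(`/${suffix}`)))
    .filter(([, meta]) => compareVersions(parseVersion(meta.version), p) < 0)
    .map(([path, meta]) => `${path}@${meta.version}`);
}

// Constructed sample: "some-lib" was patched in 1.4.1 (hypothetical); the app
// pins 1.4.0 directly and intermediate dependency "foo" nests its own copy.
const SAMPLE_LOCK = { packages: {
  'node_modules/some-lib': { version: '1.4.0' },
  'node_modules/foo': { version: '1.2.0' },
  'node_modules/foo/node_modules/some-lib': { version: '1.3.2' },
} };
```

Run `stalePins(SAMPLE_LOCK, 'some-lib', '1.4.1')` after the reinstall: an empty list means the patch is in place everywhere; a nested path in the output names the intermediate dependency whose package.json needs the upstream fix the gist describes.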

Please always check for existing open and/or closed issues on a repository before you create a new one.

Happy patching!
