npm Community Forum (Archive)

Force dependency selectively


One of the dependencies of dependencies we have has a vulnerability. How can I force a version bump of the vulnerable dependency to avoid being exposed?

The first thing I try is running npm audit and seeing if it has advice on how to try fixing it. For example, my package currently has one warning with this advice:

# Run  npm update handlebars --depth 7  to resolve 1 vulnerability
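A way to confirm that such an update actually reached every nested copy, as an added example that is not part of the original posts: it walks the nested "dependencies" tree of a package-lock.json and flags each installed copy of a package below a minimum version. The lockfile contents, the build-tool and report-plugin names, all version numbers and the 4.5.0 threshold are constructed for illustration; take the real minimum version from the advisory.

```javascript
'use strict';

// Compare plain "x.y.z" versions numerically. Assumption: prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the nested "dependencies" objects of a lockfile and collect every copy of `name`.
function findCopies(lock, name, minVersion) {
  const found = [];
  const walk = (deps, path) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = path.concat(dep);
      if (dep === name) {
        const outdated = compareVersions(info.version, minVersion) < 0;
        found.push({ path: here.join(' > '), version: info.version, outdated });
      }
      walk(info.dependencies, here); // nested copies live under their parent
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Constructed sample lockfile: one nested, older copy and one hoisted, newer copy.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'build-tool': { version: '2.0.0', dependencies: {
      'report-plugin': { version: '1.3.0', dependencies: {
        handlebars: { version: '4.0.11' } } } } },
    handlebars: { version: '4.7.6' },
  },
};

const MIN_VERSION = '4.5.0'; // constructed threshold, not taken from a real advisory
for (const c of findCopies(sampleLock, 'handlebars', MIN_VERSION)) {
  console.log(`${c.outdated ? 'OUTDATED' : 'ok      '} ${c.version}  ${c.path}`);
}
```

To check a real project, replace sampleLock with the parsed contents of its package-lock.json and rerun after the update; any line still marked OUTDATED shows which parent package is holding the old copy in place.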