npm audit: which type of fix to use


(Giorgi M) #1

As a result of npm audit I got:

# Run  npm install react-scripts@2.1.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  High            Missing Origin Validation

  Package         webpack-dev-server

  Dependency of   react-scripts

  Path            react-scripts > webpack-dev-server

  More info       https://nodesecurity.io/advisories/725

I am unsure whether I should do:

$ npm audit fix

or

$ npm audit fix --force

Can someone help explain which to use here?


(Lars Willighagen) #2

If you want to install the update you should run

npm audit fix --force

or, if you only want to install that update

npm install react-scripts@2.1.1

Note: The update has some breaking changes (which is why npm needs --force): CHANGELOG.md
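
To see ahead of time which fixes need --force, as described in the reply above, the script below sorts the actions of an `npm audit --json` report into plain, forced and manual fixes. It is an added example, not part of the original thread and not npm's own code; it assumes the npm 6 report shape (an `actions` array with `isMajor`; newer npm versions emit a different structure), and `planFixes`, `summarize` and the `example-*` packages are hypothetical names.

```javascript
// Constructed sample in the npm 6 `npm audit --json` shape. The first action
// mirrors the report in this thread; the other two packages and their
// advisory ids are hypothetical.
const sampleReport = {
  actions: [
    { action: "install", module: "react-scripts", target: "2.1.1", isMajor: true,
      resolves: [{ id: 725, path: "react-scripts>webpack-dev-server" }] },
    { action: "update", module: "example-lib", target: "1.0.3", depth: 2,
      resolves: [{ id: 1, path: "example-app>example-lib" }] },
    { action: "review", module: "example-unfixed",
      resolves: [{ id: 2, path: "example-app>example-unfixed" }] },
  ],
};

// Sort audit actions by what it takes to apply them:
//   plain  - within the declared semver range (`npm audit fix`)
//   force  - semver-major bump, may break the build (`npm audit fix --force`)
//   manual - no automatic fix, needs human review
function planFixes(report) {
  const plan = { plain: [], force: [], manual: [] };
  for (const a of report.actions || []) {
    const entry = {
      module: a.module,
      target: a.target || null,
      advisories: (a.resolves || []).map((r) => r.id),
      paths: (a.resolves || []).map((r) => r.path),
    };
    if (a.action === "review") plan.manual.push(entry);
    else if (a.isMajor === true) plan.force.push(entry);
    else plan.plain.push(entry);
  }
  return plan;
}

// Render the plan so the breaking upgrades stand out before anything is run.
function summarize(plan) {
  const line = (e) =>
    `${e.module}${e.target ? "@" + e.target : ""} (advisories: ${e.advisories.join(", ")})`;
  return [
    ...plan.plain.map((e) => `npm audit fix         -> ${line(e)}`),
    ...plan.force.map((e) => `npm audit fix --force -> ${line(e)} [semver-major: check changelog, run tests]`),
    ...plan.manual.map((e) => `manual review         -> ${line(e)}`),
  ];
}

console.log(summarize(planFixes(sampleReport)).join("\n"));
```
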


(Giorgi M) #3

OK, I did

$ npm audit fix --force

The project compiled and started, so I guess it is OK.

