npm Community Forum (Archive)


npm audit: which type of fix to use

As a result of npm audit I got:

# Run  npm install react-scripts@2.1.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  High            Missing Origin Validation
  Package         webpack-dev-server
  Dependency of   react-scripts
  Path            react-scripts > webpack-dev-server
  More info       https://nodesecurity.io/advisories/725

I am unsure whether I should do:

$ npm audit fix

or

$ npm audit fix --force

Can someone help explain which to use here?


If you want to install the update you should run

npm audit fix --force

or, if you only want to install that update

npm install react-scripts@2.1.1

Note: The update has some breaking changes (which is why npm needs --force): CHANGELOG.md
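To see mechanically which audit actions plain `npm audit fix` will apply and which ones only `--force` applies, here is an added example (not code from the thread or from npm) that triages the JSON form of the report. It assumes the npm 6 `npm audit --json` layout, where each entry in `actions` carries an `isMajor` flag, and the sample report is constructed to mirror the text output quoted in the question.

```python
import json

# Constructed sample in the npm 6 `npm audit --json` layout (assumed layout),
# mirroring the text report in the question: one install action that is a
# semver-major bump, resolving advisory 725 in webpack-dev-server.
SAMPLE_REPORT = json.dumps({
    "actions": [
        {
            "action": "install",
            "module": "react-scripts",
            "target": "2.1.1",
            "isMajor": True,
            "resolves": [{"id": 725, "path": "react-scripts>webpack-dev-server", "dev": False}],
        }
    ],
    "advisories": {
        "725": {
            "id": 725,
            "title": "Missing Origin Validation",
            "module_name": "webpack-dev-server",
            "severity": "high",
            "url": "https://nodesecurity.io/advisories/725",
        }
    },
})


def triage(report_json):
    """Split audit actions into what `npm audit fix` applies on its own
    (semver-compatible updates) and what needs `npm audit fix --force`
    (major bumps). Returns (auto, forced, unresolved); `unresolved` lists the
    advisories that stay open if --force is NOT used, so you can judge whether
    the breaking upgrade is worth taking now or should be pinned manually."""
    report = json.loads(report_json)
    advisories = report.get("advisories", {})
    auto, forced, unresolved = [], [], []
    for act in report.get("actions", []):
        if act["action"] == "review":      # no automated fix exists; skip
            continue
        if act["action"] == "install":
            cmd = f"npm install {act['module']}@{act['target']}"
        else:                              # "update" actions are in-range bumps
            cmd = f"npm update {act['module']}"
        entry = {"module": act["module"], "target": act.get("target"), "command": cmd}
        if act.get("isMajor"):
            forced.append(entry)
            for r in act.get("resolves", []):
                adv = advisories.get(str(r["id"]), {})
                unresolved.append((r["id"], adv.get("severity"), adv.get("module_name"), r["path"]))
        else:
            auto.append(entry)
    return auto, forced, unresolved


if __name__ == "__main__":
    auto, forced, unresolved = triage(SAMPLE_REPORT)
    print("applied by `npm audit fix`:", [e["command"] for e in auto])
    print("need `npm audit fix --force`:", [e["command"] for e in forced])
    for adv_id, sev, mod, path in unresolved:
        print(f"still open without --force: #{adv_id} {sev} in {mod} via {path}")
```

Run it against a real report with `npm audit --json > report.json` and pass the file contents to `triage`; the `forced` list is exactly the set of upgrades whose changelogs you should read before accepting `--force`.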


OK, I did

$ npm audit fix --force

The project compiled and started, so I guess it is OK.