ripple-lib dependency on https-proxy-agent: how to update the dependency/version?

I have a package.json with these sole dependencies:

"dependencies": {
    "https-proxy-agent": "^2.2.3",
    "ripple-lib": "*"
},
"devDependencies": {
    "eslint": "*"
}

npm list --depth=0
+-- eslint@6.5.1
`-- ripple-lib@1.3.4

npm audit says there is a high-severity vulnerability:
Package: https-proxy-agent
Patched in: >=2.2.3

(Why does it not show the current “bad” version?)

Because npm audit fix does not work (it returns other problems), I have to solve the issue manually.

npm list https-proxy-agent
`-- ripple-lib@1.3.4
  `-- https-proxy-agent@2.2.1

So I need to update that https-proxy-agent to version 2.2.3 at minimum.

How?
Add it as dependency:

"dependencies": {
    "ripple-lib": "*",
    "https-proxy-agent": "^2.2.3"
},

Now I have this situation:

npm list https-proxy-agent
+-- https-proxy-agent@2.2.3
`-- ripple-lib@1.3.4
  `-- https-proxy-agent@2.2.1

npm audit shows the exact same high-severity vulnerability for https-proxy-agent, so I assume ripple-lib still uses version 2.2.1.

How can I solve this problem?


ripple-lib 1.3.4 has an explicit dependency on that exact version, listed in its package.json:

  "dependencies": {
...
    "https-proxy-agent": "2.2.1",

You could edit the package.json locally, but the real fix is another release of ripple-lib.

(On the develop branch of ripple-lib the dependency has been updated to "https-proxy-agent": "^3.0.0" and there is a beta 1.4.0-b2 release on npmjs.)


Hi John, thanks for the investigation.

So npm itself does not have an easy mechanism to “override” a package's dependencies?

This situation is very common: I always have vulnerabilities that must be solved with a dependency package update, so what is the common workaround?
Wait for an update from the package owner, force a local “untested” dependency update, or use an old version?
Are those the options, or is there a better workaround?

If I write a batch script to replace that dependency (2.2.1 -> 2.2.3), is there a sort of “post-install” trigger for the npm install command, or an install configuration?

Sometimes the dependency specifies a dependency range and can be updated with a custom install command (which npm audit will suggest), but not in this case.

For an actively developed package, waiting for an update from the package owner is often easiest.
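The thread's `npm list https-proxy-agent` output shows why adding `https-proxy-agent@^2.2.3` to your own package.json did not help: npm still installs the exact 2.2.1 that ripple-lib pins, nested under ripple-lib, and that nested copy is the one npm audit keeps flagging. The script below is an added example (not code from the thread or from the ripple-lib project) that makes that check explicit: it walks the JSON tree that `npm ls --json` prints, finds every installed copy of a package, and reports each copy that is below the version the audit says is patched, together with the dependency path that pulls it in. The tree embedded in the script is a constructed sample shaped like the question's second `npm list` output; to run it against a real project, save `npm ls --json > tree.json` and pass the file path as the first argument. The version comparison is a deliberately small numeric `x.y.z` compare (prerelease tags such as `1.4.0-b2` are ignored), which is an assumption that is sufficient for this audit but is not a full semver implementation.

```javascript
// Added example: report every installed copy of a package that is still below
// the version npm audit reports as patched. Input is the tree from `npm ls --json`.
//   node check-transitive.js            -> runs against the constructed sample below
//   node check-transitive.js tree.json  -> runs against a saved `npm ls --json` tree

// Minimum versions taken from the audit report in the thread ("Patched in: >=2.2.3").
const MIN_VERSIONS = { "https-proxy-agent": "2.2.3" };

// Constructed sample, shaped like `npm ls --json` output for the question's package.json
// after https-proxy-agent@^2.2.3 was added as a direct dependency. Not real captured output.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "https-proxy-agent": { version: "2.2.3" },
    "ripple-lib": {
      version: "1.3.4",
      dependencies: {
        // ripple-lib pins "https-proxy-agent": "2.2.1", so npm nests its own copy here.
        "https-proxy-agent": { version: "2.2.1" }
      }
    }
  }
};

// Numeric "x.y.z" comparison: -1 if a < b, 0 if equal, 1 if a > b.
// Prerelease suffixes ("1.4.0-b2") are stripped; assumption: release versions are numeric.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the `dependencies` objects, collecting every install of `name`
// together with the path of packages that pulls it in (e.g. "ripple-lib@1.3.4 > https-proxy-agent@2.2.1").
function findInstalls(tree, name, path = []) {
  const found = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) found.push({ version: info.version, path: here.join(" > ") });
    found.push(...findInstalls(info, name, here));
  }
  return found;
}

// Every install of a listed package whose version is below the patched minimum.
// A direct dependency at a fixed version does nothing for nested copies, so each copy is checked.
function findVulnerable(tree, minVersions = MIN_VERSIONS) {
  const bad = [];
  for (const [name, min] of Object.entries(minVersions)) {
    for (const inst of findInstalls(tree, name)) {
      if (compareVersions(inst.version, min) < 0) {
        bad.push({ name, version: inst.version, path: inst.path, required: `>=${min}` });
      }
    }
  }
  return bad;
}

// Human-readable report; returns the lines so callers can log or assert on them.
function report(tree) {
  const bad = findVulnerable(tree);
  if (bad.length === 0) return ["OK: every checked package is at or above its patched version"];
  return bad.map((b) => `VULNERABLE: ${b.name}@${b.version} (need ${b.required}) via ${b.path}`);
}

// When run as a script: use the file given on the command line, otherwise the sample.
if (typeof require !== "undefined" && require.main === module) {
  let tree = SAMPLE_TREE;
  if (process.argv[2]) {
    tree = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
    if (findVulnerable(tree).length > 0) process.exitCode = 1; // fail a CI step on a real tree
  }
  for (const line of report(tree)) console.log(line);
}
```

On the sample tree the report lists the nested `ripple-lib@1.3.4 > https-proxy-agent@2.2.1` copy and nothing else, which is the same conclusion the question reached from `npm audit`. Rerunning the same check after upgrading to a ripple-lib release that declares a range including the fixed version (the beta mentioned above moves the dependency to `^3.0.0`) is how you confirm the nested copy is actually gone rather than trusting that the direct dependency was picked up.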
