npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

ripple-lib dependency on https-proxy-agent, how to update the dependency/version?

I have a package.json with these sole dependencies:

"dependencies": {
    "https-proxy-agent": "^2.2.3",
    "ripple-lib": "*"
},
"devDependencies": {
    "eslint": "*"
}

npm list -depth=0
├── eslint@6.5.1
└── ripple-lib@1.3.4

npm audit says there is a high severity vulnerability:
Package: https-proxy-agent
Patched in: >=2.2.3

(why does it not show the current “bad” version?)

Due to the fact that npm audit fix does not work (returning other problems), I have to solve the issue manually.

npm list https-proxy-agent:
└─┬ ripple-lib@1.3.4
  └── https-proxy-agent@2.2.1

So, I need to update that https-proxy-agent to minimum version 2.2.3

How?
Add it as dependency:

"dependencies": {
    "ripple-lib": "*",
    "https-proxy-agent": "^2.2.3"
},

Now I have this situation:

npm list https-proxy-agent:
├── https-proxy-agent@2.2.3
└─┬ ripple-lib@1.3.4
  └── https-proxy-agent@2.2.1

npm audit shows the same exact high severity vulnerability for https-proxy-agent, so I assume ripple-lib still uses version 2.2.1.

How can I solve this problem?


ripple-lib 1.3.4 has an explicit dependency on that version listed in its package.json

  "dependencies": {
...
    "https-proxy-agent": "2.2.1",

You could edit the package.json locally, but the real fix is another release of ripple-lib.

(On the develop branch of ripple-lib the dependency has been updated to "https-proxy-agent": "^3.0.0" and there is a beta 1.4.0-b2 release on npmjs.)


Hi John, thanks for the investigation.

So, npm itself does not have an easy mechanism to “override” package dependencies?

This situation is very common, I always have vulnerabilities that must be solved with a dependency package update, so what is the common workaround?
Wait for an update from the package owner, force a local “untested” dependency update, use an old version?
Are those the options, or is there a better workaround?

If I write a batch script to replace that dependency (2.2.1 -> 2.2.3), is there a sort of “post-install” trigger for the npm install command? Or an install configuration?


Sometimes the dependency specifies a dependency range and can be updated with a custom install command (which npm audit will suggest), but not in this case.

For an actively developed package, waiting for an update from the package owner is often easiest.