npm Community Forum (Archive)


Security vulnerability in mpath, a mongoose dependency that doesn’t receive the update in fawn.

I am receiving a security vulnerability detected in mpath, defined in my package-lock.json file as a mongoose dependency. I tried to update fawn and mongoose, but mongoose in fawn doesn’t receive the update!
Mongoose version in package.json is “^5.6.7” but in package-lock.json the version under fawn is “4.12.3”.
How can I update it?

Thank you

Have you tried following the advice from npm audit?
Is it a public package so we can take a look?

It can be hard to update nested dependencies before they are updated by the package that includes them.

Thanks John
Yes, I did.
Here is the implementation:

package-lock.json line 1893 fawn package
Cannot update mongoose nested in fawn.
Receiving a security vulnerability for ‘mpath’, which needs to be updated but is nested under mongoose.
It is difficult to update this nested dependency indeed. I tried different solutions; deleted all, installed again, audit fix force …

As you noted, fawn explicitly requires mongoose 4.12.3. You can hand-edit its package.json, or look for an updated version of fawn.

It looks like the dev branch of fawn has been updated, but I don’t know what state the branch is in so this is a demonstration not a recommendation!

$ npm install e-oj/Fawn#dev
$ npm audit
                       === npm audit security report ===                        
found 0 vulnerabilities
 in 874218 scanned packages