Use of software with known vulnerabilities in environments
Need
Remediation of dependencies with known vulnerabilities in npm
Context
• Usage of npm for package management in JavaScript and TypeScript projects
• Usage of Node.js for server-side and client-side application development
Description
1. Non-compliant code
The package.json file below pins a version of lodash that contains a known prototype pollution vulnerability (CVE-2020-8203). Additionally, the project pulls in a vulnerable transitive dependency (qs 6.5.2) through express, which is susceptible to prototype pollution as well. Direct dependencies appear explicitly in package.json, while transitive dependencies are resolved automatically by npm, so they do not appear in package.json and are easy to overlook. Both types must be audited and remediated.

  {
    "name": "my-app",
    "version": "1.0.0",
    "dependencies": {
      "lodash": "4.17.15",
      "express": "4.17.1"
    }
  }
2. Steps
• Run npm audit to identify packages with known vulnerabilities
• Update vulnerable direct dependencies with npm update <package>; note that npm update stays within the range declared in package.json, so an exactly pinned version (such as "4.17.15") must be raised in package.json before reinstalling
• For transitive dependencies, update the parent package that pulls them in
• If updating the parent does not resolve the issue, add an overrides entry in package.json (supported from npm 8.3 onwards) to force a safe version of the transitive dependency
• Run npm install, then verify with npm audit and the test suite
• If no safe version exists upstream, monitor the repository for a patch
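The distinction the steps above turn on, direct versus transitive, can be checked from the lockfile rather than by eye. The Node.js script below is an added example, not code from the original page: it scans a package-lock.json style object against a small advisory table and reports, for every affected package, whether it is a direct dependency (raise the pin in package.json) or a transitive one (update the parent or add an override) and which parent pulls it in. The lockfile fragment and the fixed-in versions are constructed sample inputs modelled on the scenario above, not real advisory records.

```javascript
// Added example, not code from the original page: scan a package-lock.json object
// against a small advisory list and tell direct hits from transitive ones. The
// lockfile and advisories below are constructed sample data, not real records.
const sampleLock = {                     // constructed lockfileVersion 3 fragment
  packages: {
    "": { dependencies: { lodash: "4.17.15", express: "4.17.1" } },
    "node_modules/lodash": { version: "4.17.15" },
    "node_modules/express": { version: "4.17.1", dependencies: { qs: "6.5.2" } },
    "node_modules/qs": { version: "6.5.2" },
  },
};
// Constructed advisories: a package is affected while its version is below fixedIn.
const sampleAdvisories = [
  { name: "lodash", fixedIn: "4.17.19" },
  { name: "qs", fixedIn: "6.5.3" },
];

// True when dotted version a is lower than b (plain x.y.z strings, no ranges).
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// Dependency chains from the root to `target`, e.g. [["express", "qs"]].
// Assumes hoisted packages; nested node_modules trees are not walked.
function chainsTo(lock, target, from = "", path = []) {
  const deps = (lock.packages[from] || {}).dependencies || {};
  return Object.keys(deps).flatMap((dep) => {
    if (path.includes(dep)) return []; // cycle guard
    const chain = [...path, dep];
    return dep === target ? [chain] : chainsTo(lock, target, "node_modules/" + dep, chain);
  });
}

// One finding per affected installed package: direct hits are fixed by raising the
// pin in package.json; transitive ones by updating the parent or adding an override.
function scanLock(lock, advisories) {
  const direct = Object.keys(lock.packages[""].dependencies || {});
  return advisories.flatMap((adv) => {
    const version = (lock.packages["node_modules/" + adv.name] || {}).version;
    if (!version || !versionLessThan(version, adv.fixedIn)) return [];
    const isDirect = direct.includes(adv.name);
    const via = isDirect ? [] : chainsTo(lock, adv.name).map((c) => c.join(" > "));
    const action = isDirect ? `raise the ${adv.name} pin in package.json to >= ${adv.fixedIn}`
      : `update the parent, or add "overrides": { "${adv.name}": "${adv.fixedIn}" }`;
    return [{ name: adv.name, version, fixedIn: adv.fixedIn, direct: isDirect, via, action }];
  });
}
scanLock(sampleLock, sampleAdvisories).forEach((f) => console.log(f));
```

To run it against a real project, replace sampleLock with JSON.parse of the project's package-lock.json and sampleAdvisories with the packages reported by npm audit.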
3. Secure code example
The fixed package.json updates lodash to a patched version and upgrades express to a release that resolves the transitive qs vulnerability. For cases where updating the parent package does not resolve the transitive issue, the overrides field forces npm to substitute a safe version regardless of what the parent requests (the override value shown is a placeholder to be replaced with the patched qs version). After applying the changes, run npm install, then npm audit and the test suite to confirm all vulnerabilities are resolved and the application behaves correctly.

  {
    "name": "my-app",
    "version": "1.0.0",
    "dependencies": {
      "lodash": "4.17.21",
      "express": "4.18.2"
    },
    "overrides": {
      "qs": "<patched-qs-version>"
    }
  }