Use of software with known vulnerabilities in environments

Need

Remediation of dependencies with known vulnerabilities in npm for TypeScript projects

Context

• Usage of npm for package management in TypeScript projects

• Usage of Node.js with TypeScript for type-safe application development

Description

1. Non-compliant code

{
  "name": "my-ts-app",
  "version": "1.0.0",
  "dependencies": {
    "axios": "1.5.0",
    "typescript": "5.2.2"
  }
}...

The package.json file above pins a version of axios that contains a known server-side request forgery vulnerability (CVE-2023-45857). The project also pulls in a vulnerable transitive dependency (semver 5.7.1) through a build tool; that version is susceptible to ReDoS. Direct dependencies appear explicitly in package.json, while transitive dependencies are resolved automatically by npm and may not be immediately visible, so both types must be audited and remediated.

2. Steps

• Run npm audit to identify packages with known vulnerabilities

• Update vulnerable direct dependencies with npm update <package>

• For transitive dependencies, update the parent package that pulls them in

• If updating the parent does not resolve the issue, add an overrides entry in package.json to force a safe version of the transitive dependency

• Run npm install, then verify with npm audit and tsc

• If no safe version exists upstream, monitor the repository for a patch

3. Secure code example

{
  "name": "my-ts-app",
  "version": "1.0.0",
  "dependencies": {
    "axios": "1.6.2",
    "typescript": "5.2.2"
  },
  "overrides": {...

The fixed package.json updates axios to a patched version and adds an overrides entry to force a safe version of semver. The overrides field ensures npm substitutes the safe version regardless of what the parent package requests. After applying the changes, run npm install, then npm audit and tsc to confirm all vulnerabilities are resolved and the project compiles correctly.
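The following TypeScript program is an added example, not code from the original page or from npm: it models the remediation steps listed above (audit, bump direct pins, add overrides for transitive packages, re-audit) and the overrides behaviour described for the fixed package.json. Everything it reads is constructed inline: the manifest (copied from the non-compliant example), the transitive version a build tool would request (what npm ls would show), and an advisory list that stands in for npm audit output. CVE-2023-45857 and the axios target version 1.6.2 come from this page; the semver advisory id is a placeholder and its fixed version (5.7.2) is an assumption, so in practice take both from the real advisory.

```typescript
// Added example, not code from the original page: a planner that mirrors the remediation
// steps above and the overrides mechanism of the fixed package.json. All inputs are
// constructed inline; the fixed versions are assumptions and must come from real advisories.
type Versions = Record<string, string>;
interface Manifest { name: string; version: string; dependencies: Versions; overrides?: Versions }
// fixedIn is the first non-vulnerable version; anything lower is affected.
interface Advisory { pkg: string; id: string; fixedIn: string }
interface Finding { pkg: string; version: string; id: string; kind: "direct" | "transitive" }

// Constructed manifest matching the non-compliant example on this page.
const sampleManifest: Manifest = {
  name: "my-ts-app",
  version: "1.0.0",
  dependencies: { axios: "1.5.0", typescript: "5.2.2" },
};
// Constructed: the transitive version a build tool in the tree requests (what npm ls would show).
const sampleTransitive: Versions = { semver: "5.7.1" };
// Constructed advisories standing in for npm audit --json. CVE-2023-45857 and 1.6.2 come from
// this page; the semver advisory id is a placeholder and its fixed version (5.7.2) an assumption.
const sampleAdvisories: Advisory[] = [
  { pkg: "axios", id: "CVE-2023-45857", fixedIn: "1.6.2" },
  { pkg: "semver", id: "PLACEHOLDER-SEMVER-REDOS", fixedIn: "5.7.2" },
];

// Parse "1.6.2", "^1.6.2" or "v1.6.2" into three numbers. Prerelease and build suffixes are
// dropped, a simplification: real semver orders "1.6.2-rc.1" before "1.6.2".
function parseVersion(spec: string): number[] {
  const core = spec.replace(/^[\^~=v]+/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((p) => parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => isNaN(n))) {
    throw new Error(`unsupported version spec: ${spec}`);
  }
  return parts;
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Emulate npm's resolution for this example: direct pins win, then transitive requests,
// unless an overrides entry replaces the version the parent package asked for.
function resolveTree(m: Manifest, transitive: Versions): Versions {
  const tree: Versions = { ...m.dependencies };
  const o = m.overrides;
  for (const pkg of Object.keys(transitive)) {
    if (pkg in tree) continue;
    tree[pkg] = o && pkg in o ? o[pkg] : transitive[pkg];
  }
  return tree;
}

// Check every resolved version against the advisories, as npm audit does.
function audit(m: Manifest, transitive: Versions, advisories: Advisory[]): Finding[] {
  const tree = resolveTree(m, transitive);
  const findings: Finding[] = [];
  for (const adv of advisories) {
    if (!(adv.pkg in tree) || compareVersions(tree[adv.pkg], adv.fixedIn) >= 0) continue;
    const kind = adv.pkg in m.dependencies ? "direct" : "transitive";
    findings.push({ pkg: adv.pkg, version: tree[adv.pkg], id: adv.id, kind });
  }
  return findings;
}

// Build the fixed manifest: bump vulnerable direct pins, add overrides for transitive ones.
function remediate(m: Manifest, transitive: Versions, advisories: Advisory[]): Manifest {
  const fixedIn: Versions = {};
  for (const adv of advisories) fixedIn[adv.id] = adv.fixedIn;
  const dependencies: Versions = { ...m.dependencies };
  const overrides: Versions = { ...(m.overrides || {}) };
  for (const f of audit(m, transitive, advisories)) {
    if (f.kind === "direct") dependencies[f.pkg] = fixedIn[f.id];
    else overrides[f.pkg] = fixedIn[f.id];
  }
  const fixed: Manifest = { name: m.name, version: m.version, dependencies };
  if (Object.keys(overrides).length > 0) fixed.overrides = overrides;
  return fixed;
}

// The whole procedure on the constructed inputs: audit, remediate, re-audit to verify.
function runSample(): { before: Finding[]; fixed: Manifest; after: Finding[] } {
  const before = audit(sampleManifest, sampleTransitive, sampleAdvisories);
  const fixed = remediate(sampleManifest, sampleTransitive, sampleAdvisories);
  const after = audit(fixed, sampleTransitive, sampleAdvisories);
  return { before, fixed, after };
}

console.log(JSON.stringify(runSample(), null, 2));
```

The re-audit at the end is the important step: an overrides entry only helps if the resolved tree actually ends up with the safe version, which is why the page's procedure finishes with npm install followed by npm audit and tsc rather than stopping at the package.json edit. The version comparison here ignores prerelease tags; a real audit relies on the semver package's own range logic instead.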