Fixing security vulnerabilities in npm

Problem

found 20 vulnerabilities (14 moderate, 5 high, 1 critical) run `npm audit fix` to fix them, or `npm audit` for details

Solution

1. npm update

• Run npm update
• Delete your package-lock.json file
• run npm install again

This should upgrade your dependencies and hopefully libraries will have updated their transitive dependencies containing vulnerabilities

2. Resolutions

If you must update a nested dependency and updating the top-level dependency does not fix your issue, you can force the installation of a specific version of a transitive dependency. However, this should only be used as a last resort.

• Run npm audit

we can see that react-scripts has a dependency on react-dev-utils which has a dependency on immer which contains the vulnerability. Also, notice npm audit tells us which version this vulnerability was patched in Patched in >= 9.0.6

• We then can either do npm install immer --save-dev or only install the patched version npm install immer@9.0.6 --save-dev

• After that add a resolutions key to your package.json file

{
  "resolutions": {
    "immer":"^9.0.6"
  }
}

• We then need to also install npm i npm-force-resolutions package and add the following to scripts in package.json

"scripts": {
  "preinstall": "npx npm-force-resolutions"

} 

• Run npm install and that should do it. You can verify the version by running npm ls immer