rogeriochaves / npm-force-resolutions

Force npm to install a specific transitive dependency version


Applying resolutions does not work for all dependencies with npm version 7

FlorianBeese opened this issue · comments

Hi,

first I'd like to say thank you for this great tool. We are using this to patch old dependencies in a quick and easy way. But now we are facing an issue with the latest npm version.

I just upgraded from npm version 6 to 7, and now old vulnerabilities stated by npm audit that we had already resolved before by using resolutions with npm-force-resolutions are back.

Doing a more detailed analysis showed that not all dependencies had been patched with the stated resolutions, but only some of them. To reproduce the issue, you can use the following package.json:

{
  "author": {
    "name": "Florian"
  },
  "bundleDependencies": false,
  "dependencies": {
    "grunt-ng-annotate": "^4.0.0"
  },
  "deprecated": false,
  "description": "testing resolutions using node 12 with npm 6 (works correctly) and 7 (does not replace all sub dependencies)",
  "resolutions": {
    "minimist": "1.2.5"
  },
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  "name": "testing-npm",
  "version": "0.0.1"
}

Testing resolutions using node 12.21.0 on Ubuntu 18.04 with npm 6.14.11 (works correctly) and 7.5.6 (does not replace all sub dependencies):

Test for npm 6 (6.14.11):

  • npm i -g npm@6
  • remove package-lock.json and node_modules directory
  • modify package.json remove preinstall instruction
  • npm install
  • npm audit (shows 1 issue with minimist package)
  • npm ls minimist (shows old vulnerable version 0.0.10)
  • modify package.json add preinstall instruction
  • npm install
  • npm audit (shows 0 issues)
  • npm ls minimist (shows fixed version 1.2.5, stated invalid, but works)

Test for npm 7 (7.5.6):

  • npm i -g npm@7
  • remove package-lock.json and node_modules directory
  • modify package.json remove preinstall instruction
  • npm install
  • npm audit (shows 4 (1) issues because of minimist package)
  • npm ls minimist (shows old vulnerable version 0.0.10)
  • modify package.json add preinstall instruction
  • npm install
  • npm audit (still shows the same issue)
  • npm ls minimist (still shows old vulnerable version 0.0.10)

Hope this helps you to work on the issue with npm 7.

Best regards
Florian

Hmm, funny: apparently npm 7 adds some entries like node_modules/minimist instead of just minimist to the package-lock file. I think just matching on those as well should do the trick; maybe I can pick this up when I have some time.

This should now have been fixed by 68cc61f and released in v0.0.10. Can you try again and let me know? I will close this for now; please reopen if it's still not working.

Hi rogeriochaves, I validated your fix on my local environment with the provided test case and it worked. Due to some other issues with npm 7 I will not upgrade npm in our project yet. If I find further issues when upgrading the whole project, I will let you know. Thank you for the fast fix. Best regards, Florian

When can we expect this fix to be in NPM. Currently, I'm using 7.19.0 and it fails to update old dependencies