How to update dependencies of dependencies using npm

I’m very surprised that I can’t find an answer to this simple question. Also I’m very surprised that npm update does not solve this.

I can’t post my complete dependency tree here but let me describe my issue anyway:

minimist is outdated (version 1.2.0) and has a security vulnerability in this version. The packages that require minimist define the dependency as ^1.2.0 – so it is compatible with 1.2.2.

The common solution is to put it into package.json under devDependencies or dependencies with ^1.2.2. I don’t want to put it into package.json. I feel like npm update should also update indirect dependencies.

Am I missing something?

Here you can see my package-lock.json: https://github.com/tflori/riki-community/blob/master/package-lock.json

And the output of npm ls minimist:

[email protected] /home/iras/work/projects/riki/community
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   └── [email protected]  deduped
│ └─┬ [email protected]
│   └── [email protected] 
├─┬ [email protected]
│ └─┬ @jest/[email protected]
│   ├─┬ @jest/[email protected]
│   │ └─┬ @babel/[email protected]
│   │   └─┬ [email protected]
│   │     └── [email protected] 
│   └─┬ [email protected]
│     └─┬ [email protected]
│       ├─┬ @cnakazawa/[email protected]
│       │ └── [email protected]  deduped
│       └── [email protected]  deduped
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected] 
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected] 
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected]  deduped
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ UNMET OPTIONAL DEPENDENCY [email protected]
        └─┬ UNMET OPTIONAL DEPENDENCY [email protected]
          ├─┬ UNMET OPTIONAL DEPENDENCY [email protected]
          │ └── UNMET OPTIONAL DEPENDENCY [email protected] 
          └─┬ UNMET OPTIONAL DEPENDENCY [email protected]
            └── UNMET OPTIONAL DEPENDENCY [email protected] 

Answer

The problem is the depth. From the documentation:

As of [email protected], the npm update will only inspect top-level packages. Prior versions of npm would also recursively inspect all dependencies. To get the old behavior, use npm --depth 9999 update.

So we have to provide the depth that we want to update. In my case 9999 took too long and I canceled it, but --depth 5 was enough.

npm update --depth 5

If that still does not update the dependency, then you have to manually change the package-lock.json.

Open the package-lock.json, find all occurrences of "minimist": { and remove the object.

Example:

Change this:

      "dependencies": {
        "minimist": {
          "version": "1.2.0",
          "bundled": true,
          "dev": true,
          "optional": true
        }
      }

to that:

      "dependencies": {
      }

And run npm install again.
