When upgrading a dependency for a security issue, we might upgrade and move on:
npm install <dependency>@<version>
But wait! Was every <dependency> version upgraded, or just the version in
package.json? Check with:
npm list // or npm ls
Packages like Prettier might only be in your lockfile once:
npm list prettier
hugo@ /Users/dev/code/hugo
└── prettier@3.8.3 -> ./node_modules/.pnpm/prettier@3.8.3/node_modules/prettier
But packages like lodash are used by many dependency libraries, even in production:
npm list lodash
fe@0.1.0 /dev/frontend
├─┬ @testing-library/jest-dom@5.17.0
│ └── lodash@4.18.1 overridden
├─┬ antd@4.16.3
│ ├─┬ @ant-design/icons@4.8.3
│ │ └── lodash@4.18.1 deduped
│ ├─┬ @ant-design/react-slick@0.28.4
│ │ └── lodash@4.18.1 deduped
│ └── lodash@4.18.1 deduped
# ...hundreds of lines omitted 😅
Just because you’ve upgraded it in package.json, it might be installed in your
project as a dependency of a dependency on the vulnerable version. Check it.