shell-quote 1.7.2 vulnerabilities -unable to fix it using force reslutions

Question

I have a nextjs app which has "next": "^10.2.0". It in turn has shell-quote as a transitive dependency and the version installed in 1.7.2 which has some critical security vulnerabilities. I have to fix this for now, and shell-quote version 1.7.3 does not have these vulnerabilities. So I added this

"preinstall": "npx npm-force-resolutions"

and

 "resolutions": {
        "shell-quote": ">=1.7.3"
}

in package.json.

But it still gives me the error and when I check npm ls shell-quote, I see that

├─┬ @storybook/[email protected]
│ └─┬ [email protected]
│   └── [email protected]

└─┬ [email protected]
  └─┬ @next/[email protected]
    └── [email protected] deduped

Does this mean, [email protected] cannot have shell quote of 1.7.2? Can this issue be fixed for now without a nextjs upgrade?

Package-lock.json is auto generated when we do npm install. yes, thats happening — keerti, Dec 21 '21 at 21:05
you can modify it to get specific versions of packages, this can be used to change a specific peer-dependency — MaartenDev, Dec 22 '21 at 17:36

M.Yilmaz · Answer 1 · 2022-09-23T08:05:48.657

You don't need to use resolutions as you are not changing the package but only the version of it. Override is fine here. So, add following code block to the package.json

  "overrides": {
     "[email protected]": {
       "shell-quote": "1.7.3"
     },
     "@next/[email protected]": {
       "shell-quote": "1.7.3"
     }
  },

Now remove node_modules with rm -rf node_modules. Then, you have two options:

Remove package-lock.json completely. This way, you'll lose locked versions for your other packages too.
Or, open package-lock.json and remove all entries with react-dev-utils, node_modules/react-dev-utils, @next/react-dev-overlay, node_modules/react-dev-overlay, shell-quote and node_modules/shell-quote. This way, you'll keep locked versions for other packages.

And run npm install, when you run npm list shell-quote, you'll see all packages uses it with v1.7.3.

Since npm install will edit your package-lock.json for this change, you will have complete packge-lock.json and won't have to edit it next time you run npm install.

I've been editing our repository to get rid of vulnerabilities in this way and it works fine. I've used this answer from another SO question.

Of course, you have to make sure that these versions are compatible with each other. Because with overrides, npm does not do any checking for the versions, you force it. For example, you have to make sure that [email protected] can work with [email protected]. In minor version upgrades, libraries generally work as the same before but it doesn't always have to be this way.

shell-quote 1.7.2 vulnerabilities -unable to fix it using force reslutions

1 Answers1