How do I fix a vulnerable npm package in my package-lock.json that isn’t listed in the package.json?

by

It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from it’s own package.json).

You’ve already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.

Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.

Edit:
To help you identify which packages are using which dependencies, you can use NPM’s ls command: https://docs.npmjs.com/cli/ls

For example, to see which packages are using Hoek:
npm ls hoek

Edit 2:
As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.

Edit 3:
Those reading this should also check out JBallin’s answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP’s question better. However – if you want a quick fix – this answer should suffice.

More Related Contents:

  1. What’s the difference between tilde(~) and caret(^) in package.json?
  2. What’s the difference between dependencies, devDependencies and peerDependencies in npm package.json file?
  3. How to set environment variables from within package.json?
  4. npm install private github repositories by dependency in package.json
  5. Is there a way to get version from package.json in nodejs code?
  6. Why does “npm install” rewrite package-lock.json?
  7. How to use private Github repo as npm dependency
  8. Why does `package-lock.json` causes a failure in a docker container build when `npm install`?
  9. How to use environment variables in package.json
  10. Is there any way to fix package-lock.json lockfileVersion so npm uses a specific format?
  11. How to set env var for .npmrc use
  12. What’s the difference between dependencies, devDependencies, and peerDependencies in NPM package.json file?
  13. how to specify local modules as npm package dependencies
  14. NPM global install “cannot find module”
  15. How to include scripts located inside the node_modules folder?
  16. How can I make multiple projects share node_modules directory?
  17. Command to remove all npm modules globally
  18. nvm keeps “forgetting” node in new terminal session
  19. npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents
  20. npm install errors with Error: ENOENT, chmod
  21. How can I change the version of npm using nvm?
  22. Angular 6 many Can’t resolve errors (crypto, fs, http, https, net, path, stream, tls, zlib)
  23. Install dependencies globally and locally using package.json
  24. Deleting `package-lock.json` to Resolve Conflicts quickly
  25. Node package ( Grunt ) installed but not available
  26. How to set npm credentials using `npm login` without reading from stdin?
  27. `npm install` fails on node-gyp rebuild with `gyp: No Xcode or CLT version detected!`
  28. npx command not found
  29. npm install not work
  30. How to store a file with file extension with multer?

Leave a Comment