Updating your NPM packages

NPM

When you use Node.js to develop your application, you typically use npm to manage all the modules installed in your project. It is important to keep those modules up to date and to install all security updates.

version requirements

Your project's package.json file lists all modules that your project needs. Those modules, in turn, have their own package.json files that list the modules they need, and so on. This dependency tree can get pretty big, pretty fast.

Most of the time, when a module dependency is declared, a minimum version and an upper bound on the major version are defined. For instance:

  "dependencies": {
    "@contentful/rich-text-html-renderer": "^15.11.1"
  }

This means that at least version 15.11.1 must be installed, but nothing from 16.0.0 upward. That causes a problem when a security fix is only available in, for instance, version 17.2.0: due to the version requirement, this security update cannot be installed.

npm audit

Checks which installed modules have known vulnerabilities with a security update available. For every finding, the tree of modules that require the vulnerable module is shown. Sometimes several modules require the same vulnerable module.

npm audit fix

This automatically updates all modules that have a security update which still meets the declared version requirements. So if the security update is in the same major version that the requirements allow, it is installed.

project package

If a security update is in a major version that the requirements do not allow, you need to make some manual changes. If the vulnerable module is defined directly in your project's package.json file, you can simply raise the version so it reflects the latest version. For instance, change "^15.11.1" to "^17.2.0" to allow the latest major version to be installed.

overrides

Most of the time, though, modules can't be upgraded to a new major version because the requirement lives in a dependent module, not in your project. Editing the package.json files of those modules under node_modules does not work, because npm overwrites them on the next install. To update such dependent modules, add the module and the required version to the "overrides" section of your project's package.json file, then run 'npm install' to install the new versions.

For instance, to update the "nth-check" module, which is a dependency of the "svg-to-vue" module:

"overrides": {
  "svg-to-vue": {
    "nth-check": "^2.1.1"
  }
}

Or, to update the "semver" module for every dependency that uses it:

"overrides": {
  "semver": "^7.5.3"
}
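The caret-range rule from the "version requirements" section and the three remediation paths from the "npm audit fix", "project package" and "overrides" sections can be put together in a small script. The following is an added example and not code from the article or from npm itself: it implements caret-range matching (going slightly beyond the article by also handling the 0.x cases npm's semver defines) and a planner that, for each vulnerable module, decides whether 'npm audit fix' suffices, whether the project's own dependency range must be raised, or whether a nested or top-level override is needed. The finding records, the version numbers not stated in the article, and the module names 'some-lib', 'tool-a' and 'tool-b' are constructed for the example; the record layout is a simplified stand-in, not the real 'npm audit --json' output.

```javascript
// Added example, not from the original article: caret-range semantics and a
// planner that decides, per vulnerable module, whether `npm audit fix`
// can apply the fix or whether package.json / "overrides" must change.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret range as npm's semver defines it: ^X.Y.Z allows updates that do not
// change the left-most non-zero component. ^15.11.1 is >=15.11.1 <16.0.0,
// while ^0.2.3 is >=0.2.3 <0.3.0 and ^0.0.3 is >=0.0.3 <0.0.4.
function caretRange(spec) {
  if (!spec.startsWith('^')) throw new Error(`only caret ranges handled: ${spec}`);
  const min = spec.slice(1);
  const [major, minor, patch] = parseVersion(min);
  const maxExclusive = major > 0 ? `${major + 1}.0.0`
    : minor > 0 ? `0.${minor + 1}.0`
    : `0.0.${patch + 1}`;
  return { min, maxExclusive };
}

function satisfies(version, spec) {
  const { min, maxExclusive } = caretRange(spec);
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// A finding is a constructed, simplified record (not the real `npm audit --json`
// layout): the vulnerable module, the version that fixes it, the caret range that
// currently pins it, and the modules declaring that range ([] = the project itself).
// Returns the remediation plan and a new package.json object; the input is not mutated.
function planRemediation(pkg, findings) {
  const dependencies = { ...pkg.dependencies };
  const overrides = { ...(pkg.overrides || {}) };
  const plan = [];
  for (const f of findings) {
    const newSpec = `^${f.fixedVersion}`;
    if (satisfies(f.fixedVersion, f.declaredRange)) {
      // fix lands inside the allowed range: `npm audit fix` handles it
      plan.push({ module: f.module, action: 'npm audit fix' });
    } else if (f.requiredBy.length === 0) {
      // direct dependency across a major boundary: raise the range in package.json
      dependencies[f.module] = newSpec;
      plan.push({ module: f.module, action: 'bump dependency', spec: newSpec });
    } else if (f.requiredBy.length === 1) {
      // a single parent: scope the override to that parent only
      const parent = f.requiredBy[0];
      overrides[parent] = { ...(overrides[parent] || {}), [f.module]: newSpec };
      plan.push({ module: f.module, action: 'nested override', parent, spec: newSpec });
    } else {
      // several parents: a top-level override applies to every dependent
      overrides[f.module] = newSpec;
      plan.push({ module: f.module, action: 'top-level override', spec: newSpec });
    }
  }
  return { plan, packageJson: { ...pkg, dependencies, overrides } };
}

// Constructed sample input. Module names come from the article; ranges and
// versions the article does not state, plus 'some-lib', 'tool-a' and 'tool-b',
// are made up for this example.
const samplePackageJson = {
  name: 'example-app',
  dependencies: {
    '@contentful/rich-text-html-renderer': '^15.11.1',
    'svg-to-vue': '^0.2.0',
    'some-lib': '^7.0.0',
  },
};

const sampleFindings = [
  { module: '@contentful/rich-text-html-renderer', fixedVersion: '17.2.0', declaredRange: '^15.11.1', requiredBy: [] },
  { module: 'nth-check', fixedVersion: '2.1.1', declaredRange: '^1.0.2', requiredBy: ['svg-to-vue'] },
  { module: 'semver', fixedVersion: '7.5.3', declaredRange: '^6.3.0', requiredBy: ['tool-a', 'tool-b'] },
  { module: 'some-lib', fixedVersion: '7.0.5', declaredRange: '^7.0.0', requiredBy: [] },
];

const sampleResult = planRemediation(samplePackageJson, sampleFindings);
console.log(JSON.stringify(sampleResult, null, 2));
```

Running the script prints the plan and the resulting package.json: the direct dependency is bumped to "^17.2.0", "nth-check" gets a nested override under "svg-to-vue", "semver" gets a top-level override because more than one module requires it, and "some-lib" is left to 'npm audit fix' because the fixed version still falls inside "^7.0.0". Keep in mind that an override forces a new major version onto modules that were written against the old one, so run your test suite after 'npm install' to confirm the dependents still work.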