
I recently moved to pnpm, which has the ability to override dependencies.
This feature can be used to patch security vulnerabilities quickly, removing the need to wait for the developers of dependent packages or frameworks to deploy fixes.

Security Alerts #

Anyone who develops apps in nodejs most probably has some sort of security auditing solution that notifies them of outdated dependencies.

If you use GitHub you probably receive Dependabot security alerts when a new vulnerability is found in one of your projects.

Sometimes several dependencies reference outdated or unpatched versions of the same library, which makes these problems hard to fix.

Dependency Checking #

NPM, Yarn & PNPM all have the ability to do a security audit of dependencies.

npm audit

The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities.
The report returned includes instructions on how to act on this information.

Dependency Updates #

NPM #

NPM features npm audit fix, which writes the updated packages to the lock file.
These changes can be hard to keep track of and can even cause problems later when packages are upgraded.

One example I had was with my unsplash-nextjs project.
I had to remove the lockfile & create a new clean lockfile in order to fix CVEs.

clean package lock - fixes for CVE-2021-23368 & CVE-2021-23362

Yarn #

I couldn't find much info on how to update non-toplevel dependencies using yarn.

There are some references to workarounds that migrate from yarn to npm, let npm apply the security fixes, and then migrate the lockfile back to yarn again.

npm install --package-lock-only
npm audit fix
rm yarn.lock
yarn import
rm package-lock.json

This seems like a lot of work: it installs all dependencies using npm (npm audit fix runs npm install under the hood), npm then applies the fixes, and yarn.lock is removed before yarn import regenerates it from package-lock.json.

npm audit fix

Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review.
Also note that since npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer will also apply to npm install.

Yarn audit fix: workaround | dev.to

PNPM #

With pnpm you can run a security audit, just as with yarn and npm.
What sets pnpm apart is the overrides feature, which lets you match package versions and upgrade them throughout the whole dependency graph.

PNPM Overrides #

This feature gives you the ability to patch dependencies before the developers of dependent projects (eg: Gatsby) update them.

pnpm.overrides

This field allows you to instruct pnpm to override any dependency in the dependency graph.
This is useful to enforce all your packages to use a single version of a dependency, backport a fix, or replace a dependency with a fork.

This gives you a few advantages.

Because of the way version matching works (an override selector only applies to versions that fall inside its range), you can leave these overrides in package.json without worrying about breaking things when future updates are released.

Examples #

I have used pnpm.overrides to fix various CVEs on this site.

Currently the overrides fix 6 CVEs:

{
  "pnpm": {
    "overrides": {
      "axios@<0.21.1": "^0.21.1",
      "browserslist@<4.16.5": "^4.16.5",
      "dns-packet@<5.2.2": "^5.2.2",
      "sanitize-html@<2.3.2": "^2.3.2",
      "trim@<1.0.1": "^1.0.1"
    }
  }
}
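To make the version-matching behaviour described above concrete, here is an added example (written for this post, not code from pnpm or from the original site) that models how a selector such as axios@<0.21.1 is applied to every copy of a package in a dependency graph, and then checks that nothing in a known-vulnerable range survives. The package list, the registry versions and the advisory ranges are all constructed sample data; only single-comparator ranges (<, <=, >, >=, ^, ~, exact, *) are handled, which covers every selector and target used in the overrides above.

```javascript
// Added example: minimal semver matching to illustrate pnpm.overrides selectors.
// All package, registry and advisory data below is constructed for this demo.

// Parse "1.2.3" (optionally "v1.2.3") into [1, 2, 3]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-way numeric comparison of two versions (-1, 0 or 1).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does version `v` satisfy a single range such as "<0.21.1", ">=4.16.5",
// "^0.21.1", "~1.0.1", "1.0.1" or "*"? (Compound ranges are not supported.)
function satisfies(v, range) {
  const r = range.trim();
  if (r === '*' || r === '') return true;
  const op = /^(<=|>=|<|>|\^|~|=)?\s*(.+)$/.exec(r);
  const [major, minor] = parseVersion(v);
  const [tMajor, tMinor] = parseVersion(op[2]);
  const cmp = compareVersions(v, op[2]);
  switch (op[1]) {
    case '<': return cmp < 0;
    case '<=': return cmp <= 0;
    case '>': return cmp > 0;
    case '>=': return cmp >= 0;
    case '^': // caret: no older than target, same major (same minor while major is 0)
      if (tMajor === 0 && tMinor === 0) return cmp === 0;
      return cmp >= 0 && (tMajor !== 0 ? major === tMajor : major === 0 && minor === tMinor);
    case '~': // tilde: no older than target, same major.minor
      return cmp >= 0 && major === tMajor && minor === tMinor;
    default: return cmp === 0; // exact version
  }
}

// Split an override selector into name and range. A bare name ("axios") means
// every version; the split is at the last "@" so scoped packages still work.
function parseSelector(selector) {
  const at = selector.lastIndexOf('@');
  if (at <= 0) return { name: selector, range: '*' };
  return { name: selector.slice(0, at), range: selector.slice(at + 1) };
}

// Pick the highest published version (from a constructed registry) that
// satisfies the override target, as an installer would.
function resolveRange(name, range, registry) {
  const candidates = (registry[name] || []).filter((v) => satisfies(v, range));
  if (candidates.length === 0) throw new Error(`no published ${name} version satisfies ${range}`);
  candidates.sort(compareVersions);
  return candidates[candidates.length - 1];
}

// Apply the overrides map to every entry of a flattened dependency graph.
// Entries outside a selector's range are left untouched.
function applyOverrides(overrides, graph, registry) {
  return graph.map((dep) => {
    for (const [selector, target] of Object.entries(overrides)) {
      const { name, range } = parseSelector(selector);
      if (dep.name === name && satisfies(dep.version, range)) {
        return { ...dep, version: resolveRange(name, target, registry), overriddenBy: selector };
      }
    }
    return dep;
  });
}

// Defender's check: which graph entries are still inside an advisory range?
function remainingVulnerable(graph, advisories) {
  return graph.filter((dep) =>
    advisories.some((a) => a.name === dep.name && satisfies(dep.version, a.range)));
}

// Constructed sample data (not real audit output).
const OVERRIDES = { 'axios@<0.21.1': '^0.21.1', 'trim@<1.0.1': '^1.0.1' };
const REGISTRY = {
  axios: ['0.19.2', '0.21.0', '0.21.1', '0.21.4', '1.2.0'],
  trim: ['0.0.1', '1.0.0', '1.0.1'],
};
const GRAPH = [
  { name: 'axios', version: '0.19.2', requiredBy: 'some-sdk' },     // vulnerable copy
  { name: 'axios', version: '0.21.4', requiredBy: 'my-app' },       // already fixed
  { name: 'trim', version: '0.0.1', requiredBy: 'remark-parse' },   // vulnerable copy
  { name: 'lodash', version: '4.17.21', requiredBy: 'my-app' },     // not affected
];
const ADVISORIES = [{ name: 'axios', range: '<0.21.1' }, { name: 'trim', range: '<1.0.1' }];

const patched = applyOverrides(OVERRIDES, GRAPH, REGISTRY);
console.log('before:', remainingVulnerable(GRAPH, ADVISORIES).map((d) => `${d.name}@${d.version}`));
console.log('after: ', remainingVulnerable(patched, ADVISORIES).map((d) => `${d.name}@${d.version}`));
```

Run it with node. The axios copy at 0.21.4 is not touched because it falls outside the <0.21.1 selector, which is the property that makes it safe to leave the overrides in package.json; the 0.19.2 copy resolves to the newest 0.21.x in the registry, and trim 0.0.1 moves to 1.0.1. The same remainingVulnerable check is what you would run against your real lockfile after pnpm install to confirm the overrides actually took effect.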

CVEs fixed by these overrides

Security fixes pull request on github