I found a vulnerability in my repository through the GitHub notifications.
According to this tweet, the original maintainer transferred ownership to someone they didn't trust.
Now I know which package is vulnerable, but I still have no idea which of my dependencies pulls it in. Let's see what npm audit gives us. I found that nodemon uses the malicious dependency package.
nodemon has already released a new version with the vulnerability fixed, so we can download the latest version of it.
With the npm outdated command, you can check whether there is an update for the installed packages.
If you want the latest version, type npm install [PACKAGE-NAME]@latest and add the --save option for updating only this package.
Awesome! Now we have removed the vulnerabilities from our packages!
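The step above (working out which direct dependency drags the malicious package in, then updating that dependency) can be automated from the JSON form of npm audit. This is an added example, not code from the post; it assumes the npm 6 style of npm audit --json output, where each finding lists dependency paths as "direct>transitive>...>vulnerable", and every package name other than nodemon is a constructed placeholder.

```javascript
// Added example (not from the original post): map each npm audit advisory
// to the direct dependency (the one in our package.json) that pulls it in,
// so we know which package to run `npm install <name>@latest --save` for.
// Assumes the npm 6 style `npm audit --json` shape: advisories -> findings -> paths.

// Constructed sample output; names other than nodemon are placeholders.
const sampleAudit = {
  advisories: {
    "1": {
      module_name: "placeholder-malicious-pkg",
      severity: "critical",
      title: "Malicious Package",
      findings: [
        { version: "0.1.1", paths: ["nodemon>placeholder-dep>placeholder-malicious-pkg"] },
      ],
    },
    "2": {
      module_name: "placeholder-other",
      severity: "moderate",
      title: "Example Advisory",
      findings: [
        // A path with a single hop means the vulnerable module is itself a direct dependency.
        { version: "1.0.0", paths: ["placeholder-other", "nodemon>placeholder-other"] },
      ],
    },
  },
};

// Returns { directDependency: [sorted module names it drags in] }.
function findDirectOffenders(audit) {
  const out = {};
  for (const adv of Object.values(audit.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const direct = path.split(">")[0]; // first hop is our direct dependency
        out[direct] = out[direct] || new Set();
        out[direct].add(adv.module_name);
      }
    }
  }
  return Object.fromEntries(
    Object.entries(out).map(([dep, mods]) => [dep, [...mods].sort()]));
}

// Turns the offender list into the update commands the post recommends.
function updateCommands(audit) {
  return Object.keys(findDirectOffenders(audit)).sort()
    .map((dep) => `npm install ${dep}@latest --save`);
}

console.log(findDirectOffenders(sampleAudit));
console.log(updateCommands(sampleAudit).join("\n"));
```

Updating the direct dependency only helps if its new release actually drops the bad transitive package, so re-run npm audit afterwards to confirm the advisory is gone.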
Great article! (Somehow I feel like I should write this comment in English)
I also have a repository that uses nodemon, so I'll have to take note of this.