This third NPM reading explains how to update and run packages.
When NPM finishes installing packages, it will give you a health report on your dependencies, something like this:
6 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
This report comes from a list of known package vulnerabilities that NPM maintains. If you want to see what the offending packages are, you can run npm audit for a more detailed report.
Feel free to run npm audit fix. This will go through and replace the vulnerable versions with newer, fixed versions, as long as the version specifications (^, ~) in your package.json allow for the update.
Even if vulnerabilities still remain after you run npm audit fix, you should avoid NPM's other "helpful" suggestion, namely, running npm audit fix --force. NPM suggests this command when it can't patch a vulnerability because a fix either isn't available or isn't available in an allowed version. The problem with this "solution" is that, as NPM warns, it could introduce changes that break your program, either by incorporating a more advanced version or by reverting to a (so...
Nevertheless, don't despair! The situation may not be as dire as the warnings suggest. Why not? Many of the vulnerable dependencies could well stem from your devDependencies, which are only ever available in development, i.e., a presumably secure environment accessible only by you (and your team). In other words, it is quite possible that many of those reported critical vulnerabilities will be gone by the time your app appears exposed to the world in production. To read more about these "false" w...
Note: You should, of course, address any significant vulnerabilities that appear when building for production.
You can also update all the dependencies in your package-lock.json--i.e., not just those with known vulnerabilities--to the most recent versions allowable according to ^ and ~ tags by running npm update.
What if you have a version of a package installed globally, but you want to run a different version in a specific project? To solve this issue with NPM packages, use npx. When given the name of a package to run, npx--short for Node Package Execute--will first search the local node_modules folder for the package. If it finds the package, it will run it. If it does not find the package in node_modules, then it will look to the NPM registry, download a temporar...
In the final NPM reading, you will learn about NPM scripts.