Find and fix vulnerable npm dependencies

org.openrewrite.node.dependency-vulnerability-check

This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and upgrades to newer versions with fixes. This recipe by default only upgrades to the latest patch version. If a minor or major upgrade is required to reach the fixed version, this can be controlled using the maximumUpgradeDelta option. Vulnerability information comes from the GitHub Security Advisory Database.

Recipe source

GitHub: rewrite+org.openrewrite.node.dependency-vulnerability-check, Issue Tracker, Maven Central

This recipe is available under the Moderne Source Available License.

Options

| Type | Name | Description | Example |
| --- | --- | --- | --- |
| null | scope | Optional. Match dependencies with the specified scope. Default includes all scopes. Use dependencies for production dependencies, devDependencies for development only, etc. Valid options: dependencies, devDependencies, peerDependencies, optionalDependencies | dependencies |
| null | transitiveFixStrategy | Optional. Strategy for handling transitive dependency vulnerabilities. report only reports them without fixing. override adds overrides/resolutions for transitive vulnerabilities. lock-file updates the lock file to resolve safe versions without modifying package.json (similar to Dependabot). Default is report. Valid options: report, override, lock-file | override |
| null | preferDirectUpgrade | Optional. When fixing transitive vulnerabilities, first try to find higher versions of direct dependencies that include safe transitive versions. Falls back to the transitiveFixStrategy if no suitable direct upgrade exists. Queries the npm registry. Default is true. | false |
| null | maximumUpgradeDelta | Optional. The maximum difference to allow when upgrading a dependency version. Use none to only report vulnerabilities without making any changes. Patch version upgrades are the default and safest option. Minor version upgrades can introduce new features but typically no breaking changes. Major version upgrades may require code changes. Valid options: none, patch, minor, major | patch |
| null | minimumSeverity | Optional. Only fix vulnerabilities with a severity level equal to or higher than the specified minimum. Vulnerabilities are classified as LOW, MODERATE, HIGH, or CRITICAL based on their potential impact. Default is LOW, which includes all severity levels. Valid options: LOW, MODERATE, HIGH, CRITICAL | MODERATE |
| null | cvePattern | Optional. Only fix vulnerabilities matching this regular expression pattern. This allows filtering to specific CVEs or CVE ranges. For example, 'CVE-2023-.*' will only check for CVEs from 2023. If not specified, all CVEs will be checked. | CVE-2023-.* |
| null | fixDeclaredVersions | Optional. When enabled, also upgrades version specifiers declared in package.json that specify vulnerable versions, even if the lock file already resolves to a safe version. This is a preventive measure to ensure that future installs (e.g., on a different machine or after lock file changes) won't install vulnerable versions. These preventive upgrades are NOT reported in the vulnerability data table since there's no actual vulnerability. Default is false. | true |
| null | addOverrideComments | Optional. When enabled, adds a comment field (e.g., //overrides) alongside overrides to document which CVEs each override is fixing. This helps with auditing and knowing when overrides can be removed. Default is true. | true |
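To make the interaction of maximumUpgradeDelta, minimumSeverity and cvePattern concrete, here is an added Python model of the selection policy those options describe. It is illustrative code written for this page, not the recipe's own implementation, and it simplifies the advisory data: each advisory is assumed to be fixed by a single fixed_in version (real advisories carry version ranges), the lowest reachable version that clears an advisory is chosen, and the CVE ids and versions are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Ranking of the recipe's minimumSeverity and maximumUpgradeDelta values.
SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}
DELTA_RANK = {"none": -1, "patch": 0, "minor": 1, "major": 2}

@dataclass
class Advisory:
    cve: str
    severity: str
    fixed_in: str  # simplification: every version below fixed_in is vulnerable

def parse(version):
    return tuple(int(p) for p in version.split("."))

def upgrade_delta(current, candidate):
    """0 = patch, 1 = minor, 2 = major change relative to current."""
    c, n = parse(current), parse(candidate)
    return 2 if n[0] != c[0] else 1 if n[1] != c[1] else 0

def plan_upgrade(current, available, advisories, maximum_upgrade_delta="patch",
                 minimum_severity="LOW", cve_pattern=None):
    """Return (fixed_cves, report_only_cves, chosen_version_or_None)."""
    cur = parse(current)
    pattern = re.compile(cve_pattern) if cve_pattern else None
    allowed = DELTA_RANK[maximum_upgrade_delta]
    # Versions the delta policy lets us move to, lowest first ("none" allows nothing).
    reachable = sorted(parse(v) for v in available
                       if parse(v) > cur and upgrade_delta(current, v) <= allowed)
    fixed, report_only, target = [], [], None
    for adv in advisories:
        if SEVERITY_RANK[adv.severity] < SEVERITY_RANK[minimum_severity]:
            continue  # below the configured minimumSeverity
        if pattern and not pattern.search(adv.cve):
            continue  # filtered out by cvePattern
        if cur >= parse(adv.fixed_in):
            continue  # current version is already safe
        safe = [v for v in reachable if v >= parse(adv.fixed_in)]
        if safe:
            fixed.append(adv.cve)
            target = safe[0] if target is None else max(target, safe[0])
        else:
            report_only.append(adv.cve)  # needs a bigger jump than allowed: report only
    chosen = ".".join(map(str, target)) if target else None
    return fixed, report_only, chosen

# Constructed sample data (placeholder CVE ids and versions, not real advisories).
CURRENT = "4.17.15"
AVAILABLE = ["4.17.16", "4.17.21", "4.18.0", "5.0.1"]
ADVISORIES = [
    Advisory("CVE-2023-0001", "HIGH", "4.17.21"),
    Advisory("CVE-2022-0002", "LOW", "4.17.16"),
    Advisory("CVE-2024-0003", "CRITICAL", "5.0.0"),
]
```

With the defaults, the two advisories fixable by a patch bump are upgraded to 4.17.21 while the one needing a major bump is only reported; raising maximumUpgradeDelta to major fixes all three.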

Usage

In order to run JavaScript recipes, you will need to use the Moderne CLI. For JavaScript-specific configuration instructions, please see our configuring JavaScript guide.

Once the CLI is installed, you can install this JavaScript recipe package by running the following command:

Install the recipe package
mod config recipes npm install @openrewrite/rewrite

Then, you can run the recipe via:

Run the recipe
mod run . --recipe org.openrewrite.node.dependency-vulnerability-check