
Find and fix vulnerable npm dependencies

org.openrewrite.node.dependency-vulnerability-check

This software composition analysis (SCA) tool detects and upgrades dependencies with publicly disclosed vulnerabilities. The recipe generates a report of vulnerable dependencies and upgrades them to newer versions that contain the fixes. By default it only upgrades to the latest patch version; if reaching the fixed version requires a minor or major upgrade, allow that with the maximumUpgradeDelta option. Vulnerability information comes from the GitHub Security Advisory Database.

Recipe source

GitHub, Issue Tracker, Maven Central

This recipe is available under the Moderne Source Available License.

Options

Each option is listed with its type, name, description and an example value.

Name: scope
Type: null
Description: Optional. Match dependencies with the specified scope. Default includes all scopes. Use 'dependencies' for production dependencies, 'devDependencies' for development only, etc. Valid options: dependencies, devDependencies, peerDependencies, optionalDependencies
Example: dependencies

Name: overrideTransitive
Type: null
Description: Optional. When enabled, transitive dependencies with vulnerabilities will have their versions overridden using npm overrides, yarn resolutions, or pnpm overrides. By default only direct dependencies have their version numbers upgraded.
Example: true

Name: maximumUpgradeDelta
Type: null
Description: Optional. The maximum difference to allow when upgrading a dependency version. Use 'none' to only report vulnerabilities without making any changes. Patch version upgrades are the default and safest option. Minor version upgrades can introduce new features but typically no breaking changes. Major version upgrades may require code changes. Valid options: none, patch, minor, major
Example: patch

Name: minimumSeverity
Type: null
Description: Optional. Only fix vulnerabilities with a severity level equal to or higher than the specified minimum. Vulnerabilities are classified as LOW, MODERATE, HIGH, or CRITICAL based on their potential impact. Default is LOW, which includes all severity levels. Valid options: LOW, MODERATE, HIGH, CRITICAL
Example: MODERATE

Name: cvePattern
Type: null
Description: Optional. Only fix vulnerabilities matching this regular expression pattern. This allows filtering to specific CVEs or CVE ranges. For example, 'CVE-2023-.*' will only check for CVEs from 2023. If not specified, all CVEs will be checked.
Example: CVE-2023-.*
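To make the interaction of minimumSeverity, cvePattern and maximumUpgradeDelta concrete, the following added example models how these options narrow the set of advisories and decide whether an upgrade target is reachable. It is illustrative code written for this page, not the recipe's own implementation; the dependency, the advisory list and the CVE identifiers in it are constructed, and nothing is fetched from the GitHub Security Advisory Database.

```javascript
// Added illustration of this recipe's option semantics on constructed data;
// not the recipe's own implementation, and no advisory database is queried.
const SEVERITY_RANK = { LOW: 0, MODERATE: 1, HIGH: 2, CRITICAL: 3 };
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}
// Comparator: negative when a < b, zero when equal, positive when a > b.
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
// Is `candidate` reachable from `current` under maximumUpgradeDelta?
function withinDelta(current, candidate, maximumUpgradeDelta) {
  const [cMaj, cMin] = parseSemver(current);
  const [nMaj, nMin] = parseSemver(candidate);
  switch (maximumUpgradeDelta) {
    case 'none': return false; // report only, never edit package.json
    case 'patch': return nMaj === cMaj && nMin === cMin;
    case 'minor': return nMaj === cMaj;
    case 'major': return true;
    default: throw new Error(`invalid maximumUpgradeDelta: ${maximumUpgradeDelta}`);
  }
}
// dep: { name, version }; advisories: [{ cve, severity, fixedIn }]. Returns the
// advisories still open after filtering and the upgrade target, or null when
// the options do not permit a change (the report is produced either way).
function planUpgrade(dep, advisories, opts = {}) {
  const minRank = SEVERITY_RANK[opts.minimumSeverity ?? 'LOW'];
  const cveRe = opts.cvePattern ? new RegExp(opts.cvePattern) : null;
  const report = advisories.filter(a =>
    compareSemver(dep.version, a.fixedIn) < 0 && // current version still vulnerable
    SEVERITY_RANK[a.severity] >= minRank &&
    (!cveRe || cveRe.test(a.cve)));
  if (report.length === 0) return { report, upgradeTo: null };
  // The lowest version closing every reported advisory is the highest fixedIn.
  const fixes = report.map(a => a.fixedIn).sort(compareSemver);
  const target = fixes[fixes.length - 1];
  const allowed = withinDelta(dep.version, target, opts.maximumUpgradeDelta ?? 'patch');
  return { report, upgradeTo: allowed ? target : null };
}
// Constructed sample: one direct dependency and four fictitious advisory ids.
const SAMPLE_DEP = { name: 'example-lib', version: '1.2.3' };
const SAMPLE_ADVISORIES = [
  { cve: 'CVE-2023-EXAMPLE-A', severity: 'HIGH', fixedIn: '1.2.5' },
  { cve: 'CVE-2023-EXAMPLE-B', severity: 'LOW', fixedIn: '1.3.0' },
  { cve: 'CVE-2022-EXAMPLE-C', severity: 'CRITICAL', fixedIn: '1.2.4' },
  { cve: 'CVE-2021-EXAMPLE-D', severity: 'HIGH', fixedIn: '1.2.0' }, // already fixed
];
```

With the defaults (LOW, patch) the LOW advisory drags the required version to 1.3.0, which a patch-only upgrade cannot reach, so nothing is changed and all three open advisories are only reported; raising minimumSeverity to MODERATE drops that advisory and 1.2.5 becomes an allowed patch upgrade.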

Usage

In order to run JavaScript recipes, you will need to use the Moderne CLI. For JavaScript-specific configuration instructions, please see our configuring JavaScript guide.

Once the CLI is installed, you can install this JavaScript recipe package by running the following command:

Install the recipe package
mod config recipes npm install @openrewrite/rewrite

Then, you can run the recipe via:

Run the recipe
mod run . --recipe org.openrewrite.node.dependency-vulnerability-check