In the article: <a target="_blank" rel="noopener noreferrer" href="https://deniapps.com/blog/upgrade-dependencies-of-your-node">Upgrade Dependencies of Your NodeJS Application</a>, we learned that Github Dependabot could detect and update packages that have known vulnerabilities. Not only it checks the package.json, but also the package-lock.json. Usually, when Dependabot finds the available update of the package to fix <a target="_blank" rel="noopener noreferrer" href="https://github.com/deniapps/nextfeathers/network/alert/feathers/package-lock.json/lodash/open">security vulnerability</a>, it will submit an automated pull request.&nbsp;<figure class="image"><img src="https://images.unsplash.com/photo-1543966888-7c1dc482a810?ixlib=rb-1.2.1&amp;q=80&amp;fm=jpg&amp;crop=entropy&amp;cs=tinysrgb&amp;w=1080&amp;fit=max&amp;ixid=eyJhcHBfaWQiOjExODA5M30"><figcaption>Photo By: <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@pinjasaur?utm_source=unsplash-chrome-extension&amp;utm_medium=referral">Paul Esch-Laurent</a></figcaption></figure>One issue I found is that it's not very smart in the case of the vulnerabilities lying the package-lock.json, then it will not be able to automatically update them for us.&nbsp;For example, I received one notification from Github Dependabot yesterday about:<blockquote>Known high severity security vulnerability detected in <code>serialize-javascript &lt; 3.1.0</code> defined in <a target="_blank" rel="noopener noreferrer" href="https://github.com/deniapps/nextfeathers/blob/master/feathers/package-lock.json"><code>package-lock.json</code></a>.</blockquote>But this time, there is no pull request because “Dependabot cannot update to the required version”<figure class="image"><img src="https://images.deniapps.com/image.png"></figure>To fix this, &nbsp;I have to find out which main package (i.e., the package in the package.json) uses “serialize-javascript”. Here is a handy command we can use:<pre><code class="language-plaintext">$ npm list serialize-javascript
feathers-dna@1.0.0 /Users/Adam/Projects/next-feathers/feathers
└─┬ mocha@8.0.1
 └── serialize-javascript@3.0.0 </code></pre>Then I ran <code>ncu</code>, fortunately, there was an update for mocha, which is 8.1.1. After bumping mocha from 8.0.1 to 8.1.1, and I ran the same command:<pre><code class="language-plaintext">$ npm list serialize-javascript
feathers-dna@1.0.0 /Users/Adam/Projects/next-feathers/feathers
└─┬ mocha@8.1.1
 └── serialize-javascript@4.0.0 </code></pre>Toda! The serialize-javascript is updated to 4.0.0, which is higher than recommended 3.1.0. &nbsp;All done!<h3>Update (9/20/2020)</h3>The solution above did not work if &nbsp;“mocha” was not updated. In the other words, if the vulnerable dependency is a dependency of one of your dependencies, and the parent package does not update its dependency right away, then the above solution will not work.This happens all the time, and one of possible solutions is manually updating the package-lock.json. If you uses <code>yarn</code>, then &nbsp;you may use “resolutions”. &nbsp;For npm, someone created <a target="_blank" rel="noopener noreferrer" href="https://www.npmjs.com/package/npm-force-resolutions">npm-force-resolutions</a> to support this, but as I tested, it does not work very well because it does not updated all vulnerable dependency to the latest in the package-lock.json.Likely the best way to resolution this is to raise an issue (potentially with a PR to help them) with the maintainer of the parent package, then when they provide an update, update the dependency itself in your project. Unfortunately, this may take some time.For example, currently, <a target="_blank" rel="noopener noreferrer" href="https://github.com/deniapps/nextfeathers/network/alerts">nextfeathers</a> is pending node-fetch vulnerability fix. &nbsp;<pre><code class="language-plaintext">next-dna@1.0.0 /Users/adam/Projects/next-feathers/next
└─┬ next@9.5.3
 └─┬ @ampproject/toolbox-optimizer@2.6.0
 ├─┬ cross-fetch@3.0.5
 │ └── node-fetch@2.6.0 deduped
 └── node-fetch@2.6.0 </code></pre>And I see <code>cross-fetch</code> already had it fixed in <code>3.0.6</code>, but <code>toolbox-optimizer</code> is not updated yet. <code>next</code> has it fixed in branch 'canary', but not in master yet.

Github Dependabot could detect and update packages that have known vulnerabilities. Not only it checks the package.json, but also the package-lock.json. Usually, when Dependabot finds the available update of the package to fix security vulnerability, it will submit an automated pull request. However, in the case of Dependabot cannot update to the required version, we need to manually update NPM.

Serialize-Javascript Vulnerability Fix

<figure class="image"><img src="https://images.unsplash.com/photo-1618401471353-b98afee0b2eb?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=MnwxNTQwMTB8MHwxfHNlYXJjaHwxfHxnaXRodWJ8ZW58MHx8fHwxNjMyMDY4Nzgx&amp;ixlib=rb-1.2.1&amp;q=80&amp;w=1080"><figcaption>Photo by <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@synkevych?utm_source=DNX&amp;utm_medium=referral">Roman Synkevych</a> on <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/?utm_source=DNX&amp;utm_medium=referral">Unsplash</a></figcaption></figure>Says you have been working on some code for a while, and are ready to move it to Github. Here is what Github tells you how to do after you create a repository there:&nbsp;Note: I suggest choosing SSH, so you don't need to log in every time. To set this up, please follow the official doc <a target="_blank" rel="noopener noreferrer" href="https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account">here</a><pre><code class="language-plaintext" id="7EXf0JUAk">echo "# dnx-tallentAPI" &gt;&gt; README.md
git init
git add README.md
git commit -m "first commit"
git branch -M main
git remote add origin git@github.com:deniapps/dnx-tallentAPI.git
git push -u origin main</code></pre>Here are a few issues:<ol><li>Since your code is almost ready, which means you should add all files, not just README.md, therefore, you don't need line #1 and line #3.</li><li>By running <code>git init</code>, it will not specify the Git user, so the global Git user will be used. If you have only one Git account, then it's fine, but if you have multiple users, then you may see your Github repo shows a different username that you don't want. So make sure to add the user to the git config file first.</li></ol>Okay, so here is the correct way:<pre><code class="language-plaintext" id="7EXf0JUAk">// First "cd" to your project root
git init
vim .git/config</code></pre>Add <code>sshCommand</code> under [core], which tell Git which account you are going to use. You don't need this if you have only one account. To set up SSH with Github, check the official doc <a target="_blank" rel="noopener noreferrer" href="https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh/about-ssh">here</a>. &nbsp;And then, add [user] info, after that it will be like this:<pre><code class="language-plaintext" id="FzOXEe9In">[core]
 repositoryformatversion = 0
 filemode = true
 bare = false
 logallrefupdates = true
 ignorecase = true
 precomposeunicode = true
 sshCommand = ssh -i ~/.ssh/id_rsa_adam
[user]
 name = Adam C.
 email = adam@deniapps.com</code></pre>The next step is adding all files you would like to commit to the repo. Remember to have a correct .gitignore file created before running <code>git add .</code><pre><code class="language-plaintext" id="7EXf0JUAk">git add . ### WARNING! - CHECK YOUR .gitignore to make excludes the files you don't want to coimmit
git commit -m "first commit"
git branch -M main</code></pre>Again, Instead of <code>git remote add origin https://github.com/deniapps/dnx-tallentAPI.git</code>, I suggest using SSH, like below, so you don't need to log in every time. To set this up, please follow the official doc <a target="_blank" rel="noopener noreferrer" href="https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account">here</a>.<pre><code class="language-plaintext" id="7EXf0JUAk">git remote add origin git@github.com:deniapps/dnx-talentAPI.git
git push -u origin main</code></pre><h3>Note</h3>Updated: Apr 22nd, 2022Try to clarify some confusion at least I had.<ol><li>sshCommand is an option in yours “.git/config”. You do need an SSH key if you want to clone from SSH instead of HTTPS. Git command will use the default one from “~/.ssh” folder. which is id_algorithm, (ex: id_ed25519 if you don't specify one in the “.git/config”.</li><li>You CAN NOT share the SSH key among different Github accounts. If you are not using the default one, then you have to specify it in the Git command, ex: <code>git clone git@github.com:deniapps/private.git --config core.sshCommand="ssh -i ~/.ssh/id_ed25519_adam"</code> (Note that you should provide the private key here.)</li><li>ssh-keygen command with -C (-C is just for comment)</li><li>If you did not set the default user.name &amp; user.email, you will be asked for that.</li><li>If you have one at the global level, then it will be used when you don't set a user for the individual repository.</li><li>If you need one user for your company repo and another one for your personal project, then set the user in the repository level. &nbsp;Just in your repository folder run ‘<code>git config user.name “USERNAME”</code>’ &amp; <code>‘git config user.email “USEREMAIL”’</code>.</li></ol>

The right way to move your existing code to Github Repository, so it shows the correct user name. Also, you should make sure only to check in the files you wanted by using .gitigonore. Furthermore, use SSH instead of HTTPS, so you don't need to log in every time you push or pull. 

All Posts In Github