How to find and update NPM packages?

GitHub notifies you when you have dependencies in your project with security vulnerabilities. But often it complains about an NPM package I didn't even install by myself. It's a package that a package I did install depends on. But which package that I did install is the parent of that package?

  1. Go to your repository on GitHub.

  2. Go to SecurityDependabot alerts to find all security issues that this bot has found in your repository.

  3. Click on one of the security issues. This will show you the name of the vulnerable package, the reason why this package is vulnerable and which versions are affected.

  4. Open a terminal and navigate to the root of your project.

  5. To check which package or packages that you installed depends on this package run the following command.

npm ls NAME-OF-PACKAGE
  1. To find out what installed packages have newer versions you can run the following command. Note that there is not always a newer version for the parent package you want to update.
npm outdated
  1. To update a package to the latest version you can run the following command.
npm update NAME-OF-PACKAGE --save

OR you can also specify a version you want to update to.

npm update NAME-OF-PACKAGE@1.0.0 --save-dev

Sources: