How to address security vulnerabilities

If you find that you are using a vulnerable package, you must analyze the threat to decide how to mitigate the risk.

Sometimes, an npm audit scan might report packages that are used in development but are not in your deployed application bundle and therefore not in your runtime application. The urgency of fixing issues with these packages is reduced.

For High or Critical vulnerabilities that npm audit reports, you must address them as soon as possible. For most, a fix is already available, or is published within hours or days of the vulnerability being registered. You must redeploy your production code from a repository that was updated to the patched version of the vulnerable package. Typically, npm audit advises you what you need to do.

In some cases, the fix might require upgrading a package to a major version, which requires a manual upgrade as it might be a breaking change for your code. Where the package was included through your own custom code, you can do this upgrade yourself. In other cases, the fix is outside your control. For example, where the vulnerable package is a dependency of a package that you depend on, you need the owner of that package to fix their code. If IBM owns the package, you can open a support case for the issue.

For more information about how to deal with security audits, see this npm article.