
Find and fix vulnerable npm dependencies

org.openrewrite.node.dependency-vulnerability-check

This software composition analysis (SCA) recipe detects dependencies with publicly disclosed vulnerabilities and upgrades them to versions that contain the fix. It both produces a report of vulnerable dependencies and applies the upgrades. By default it only upgrades to the latest patch version; if a minor or major upgrade is required to reach the fixed version, allow it with the maximumUpgradeDelta option. Vulnerability information comes from the GitHub Security Advisory Database, which aggregates vulnerability data from several public databases, including the National Vulnerability Database maintained by the United States government.

Customizing Vulnerability Data

This recipe can be customized by extending DependencyVulnerabilityCheck and overriding the vulnerability data sources:

  • baselineVulnerabilities(ctx): Provides the default set of known vulnerabilities. The base implementation loads vulnerability data from the GitHub Security Advisory Database CSV file. Override this method to replace the entire vulnerability dataset with your own curated list.

  • supplementalVulnerabilities(ctx): Allows adding custom vulnerability data beyond the baseline. The base implementation returns an empty list. Override this method to add organization-specific vulnerabilities, internal security advisories, or vulnerabilities from additional sources while retaining the baseline GitHub Advisory Database.

Both methods return Vulnerability[] arrays. Vulnerability data can be loaded from CSV files using VulnerabilityDatabase.loadFromFile(path).getAllVulnerabilities() or constructed programmatically. For example, override supplementalVulnerabilities() to add custom CVEs while keeping the standard vulnerability database, or override baselineVulnerabilities() to use an entirely different vulnerability data source.
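The override pattern described above, as an added example that is not code from @openrewrite/recipes-nodejs or from the original page: a subclass keeps the baseline and adds an internal advisory feed through supplementalVulnerabilities(). So that it runs offline, the base class, the ExecutionContext type and the Vulnerability field names (cve, packageName, vulnerableRange, fixedVersion, severity) are local stand-ins and assumptions, the recipe's real VulnerabilityDatabase.loadFromFile(path).getAllVulnerabilities() loader is replaced by a small CSV parser over constructed rows, and the range matcher and the merge rule (a supplemental entry with the same package and identifier replaces the baseline entry) are this example's own, not the recipe's.

```typescript
// Added example, not code from @openrewrite/recipes-nodejs. The base class,
// ExecutionContext and the Vulnerability field names are local stand-ins so the
// file runs offline; the real recipe's types may differ.

type Severity = "LOW" | "MODERATE" | "HIGH" | "CRITICAL";
const SEVERITY_RANK: Record<Severity, number> = { LOW: 0, MODERATE: 1, HIGH: 2, CRITICAL: 3 };

interface Vulnerability {
  cve: string;             // advisory identifier (assumed field name)
  packageName: string;     // npm package name (assumed field name)
  vulnerableRange: string; // space-separated comparators that must all hold, e.g. ">=2.0.0 <2.4.1"
  fixedVersion: string;
  severity: Severity;
}

type ExecutionContext = Record<string, unknown>; // stand-in for the recipe's context type

// Stand-in for the recipe base class. The real baselineVulnerabilities loads the
// GitHub Advisory Database CSV; this one returns constructed placeholder entries.
class DependencyVulnerabilityCheck {
  baselineVulnerabilities(_ctx: ExecutionContext): Vulnerability[] {
    return [
      { cve: "CVE-0000-00001", packageName: "example-pkg-a", vulnerableRange: "<1.3.0", fixedVersion: "1.3.0", severity: "MODERATE" },
      { cve: "CVE-0000-00002", packageName: "example-pkg-b", vulnerableRange: "<2.0.0", fixedVersion: "2.0.0", severity: "LOW" },
    ];
  }
  supplementalVulnerabilities(_ctx: ExecutionContext): Vulnerability[] {
    return [];
  }
  // Merge rule of this example: a supplemental entry with the same package and
  // identifier replaces the baseline entry, so an internal re-assessment wins.
  allVulnerabilities(ctx: ExecutionContext): Vulnerability[] {
    const merged: Record<string, Vulnerability> = {};
    const order: string[] = [];
    for (const v of [...this.baselineVulnerabilities(ctx), ...this.supplementalVulnerabilities(ctx)]) {
      const key = `${v.packageName}@${v.cve}`;
      if (!(key in merged)) order.push(key);
      merged[key] = v;
    }
    return order.map(k => merged[k]);
  }
}

// Constructed internal advisory feed (CSV); the columns are this example's own.
const INTERNAL_ADVISORIES_CSV = `
id,package,range,fixed,severity
ACME-0001,acme-internal-auth,>=2.0.0 <2.4.1,2.4.1,HIGH
CVE-0000-00002,example-pkg-b,<2.0.0,2.0.0,HIGH
`;

function parseAdvisoryCsv(csv: string): Vulnerability[] {
  const lines = csv.split("\n").map(l => l.trim()).filter(l => l.length > 0);
  const header = lines[0].split(",").map(h => h.trim());
  const col = (name: string): number => {
    const i = header.indexOf(name);
    if (i < 0) throw new Error(`advisory CSV is missing column '${name}'`);
    return i;
  };
  const [id, pkg, range, fixed, sev] = ["id", "package", "range", "fixed", "severity"].map(col);
  return lines.slice(1).map(line => {
    const cells = line.split(",").map(c => c.trim()); // constructed rows contain no quoted commas
    const severity = cells[sev] as Severity;
    if (!(severity in SEVERITY_RANK)) throw new Error(`unknown severity in row: ${line}`);
    return { cve: cells[id], packageName: cells[pkg], vulnerableRange: cells[range], fixedVersion: cells[fixed], severity };
  });
}

// The subclass: keep the GHSA baseline, add the internal feed.
class InternalAdvisoryCheck extends DependencyVulnerabilityCheck {
  supplementalVulnerabilities(_ctx: ExecutionContext): Vulnerability[] {
    return parseAdvisoryCsv(INTERNAL_ADVISORIES_CSV);
  }
}

// Minimal MAJOR.MINOR.PATCH comparison; pre-release tags and wildcards are not handled.
function parseVersion(v: string): [number, number, number] {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

function satisfies(version: string, range: string): boolean {
  return range.trim().split(/\s+/).every(comparator => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comparator);
    if (!m) throw new Error(`bad comparator: ${comparator}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] ?? "=") {
      case "<": return cmp < 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case ">=": return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

interface Finding { packageName: string; installed: string; vuln: Vulnerability }

// Match resolved versions against the merged advisory set, honouring a minimum
// severity in the way the recipe's minimumSeverity option is described.
function findVulnerable(installed: Record<string, string>, vulns: Vulnerability[], minimumSeverity: Severity = "LOW"): Finding[] {
  const findings: Finding[] = [];
  for (const vuln of vulns) {
    if (SEVERITY_RANK[vuln.severity] < SEVERITY_RANK[minimumSeverity]) continue;
    const version = installed[vuln.packageName];
    if (version !== undefined && satisfies(version, vuln.vulnerableRange)) {
      findings.push({ packageName: vuln.packageName, installed: version, vuln });
    }
  }
  return findings;
}

// Constructed lock-file resolution: package name -> installed version.
const INSTALLED: Record<string, string> = {
  "example-pkg-a": "1.2.5",      // below 1.3.0 -> MODERATE finding
  "example-pkg-b": "1.9.0",      // below 2.0.0 -> HIGH after the internal re-assessment
  "acme-internal-auth": "2.4.1", // already at the fixed version
  "example-pkg-c": "0.1.0",      // no advisory
};

const check = new InternalAdvisoryCheck();
const findings = findVulnerable(INSTALLED, check.allVulnerabilities({}));
for (const f of findings) {
  console.log(`${f.packageName}@${f.installed}: ${f.vuln.cve} (${f.vuln.severity}), fixed in ${f.vuln.fixedVersion}`);
}
```

Two things to take from the example: an internal advisory that re-assesses a public CVE (here example-pkg-b raised from LOW to HIGH) must win over the baseline or a minimumSeverity filter will silently drop it, and a package already at its fixedVersion (acme-internal-auth) must not be reported, which is exactly where a naive range check goes wrong.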

Recipe source

This recipe is only available to users of Moderne.

This recipe is available under the Moderne Proprietary License.

Options

All options are optional. Each entry gives the option name, its description, and an example value.

  • scope: Match dependencies with the specified scope. Default includes all scopes. Use dependencies for production dependencies, devDependencies for development only, etc. Valid options: dependencies, devDependencies, peerDependencies, optionalDependencies. Example: dependencies

  • transitiveFixStrategy: Strategy for handling transitive dependency vulnerabilities. report only reports them without fixing. override adds overrides/resolutions for transitive vulnerabilities. lock-file updates the lock file to resolve safe versions without modifying package.json (similar to Dependabot). Default is report. Valid options: report, override, lock-file. Example: override

  • preferDirectUpgrade: When fixing transitive vulnerabilities, first try to find higher versions of direct dependencies that include safe transitive versions. Falls back to the transitiveFixStrategy if no suitable direct upgrade exists. Queries the npm registry. Default is true. Example: false

  • maximumUpgradeDelta: The maximum version difference to allow when upgrading a dependency. Use none to only report vulnerabilities without making any changes. Patch upgrades are the default and safest option. Minor upgrades can introduce new features but typically no breaking changes. Major upgrades may require code changes. Valid options: none, patch, minor, major. Example: patch

  • minimumSeverity: Only fix vulnerabilities with a severity equal to or higher than the specified minimum. Vulnerabilities are classified as LOW, MODERATE, HIGH, or CRITICAL based on their potential impact. Default is LOW, which includes all severity levels. Valid options: LOW, MODERATE, HIGH, CRITICAL. Example: MODERATE

  • cvePattern: Only fix vulnerabilities whose identifier matches this regular expression. This allows filtering to specific CVEs or CVE ranges; for example, CVE-2023-.* will only check CVEs from 2023. If not specified, all CVEs are checked. Example: CVE-2023-.*

  • fixDeclaredVersions: When enabled, also upgrades version specifiers declared in package.json that admit vulnerable versions, even if the lock file already resolves to a safe version. This is a preventive measure so that future installs (e.g., on a different machine or after lock file changes) cannot pick up a vulnerable version. These preventive upgrades are NOT reported in the vulnerability data table since there is no actual vulnerability. Default is false. Example: true

  • addOverrideComments: When enabled, adds a comment field (e.g., //overrides) alongside overrides to document which CVEs each override fixes. This helps with auditing and knowing when overrides can be removed. Default is true. Example: true

Usage

To run JavaScript recipes, you will need the Moderne CLI. For JavaScript-specific configuration instructions, see our configuring JavaScript guide.

Once the CLI is installed, you can install this JavaScript recipe package by running the following command:

Install the recipe package
mod config recipes npm install @openrewrite/recipes-nodejs

Then, you can run the recipe via:

Run the recipe
mod run . --recipe org.openrewrite.node.dependency-vulnerability-check