
This guide explains how to handle vulnerability warnings when running npm ci.


Environment

  • Ubuntu 24.04.3 LTS (WSL2 distribution)
  • Docker Engine 28.4.0
  • Amazon Linux 2023 (OS of the Docker container)
  • Node.js 24.13.1
  • npm 11.8.0

When running npm ci, I encountered security warnings recommending npm audit fix.
However, npm audit fix did not resolve the issue.

npm audit report showed:

ajv  7.0.0-alpha.0 - 8.17.1
Severity: moderate
...
minimatch  <10.2.1
Severity: high

The report indicated that the versions of these packages shown above were vulnerable.
Even after updating the parent packages (e.g., npm install --save-dev jest@latest), these sub-dependencies often remained stuck on vulnerable versions, because the parent packages still declared the older version ranges.

To force these sub-dependencies to a safe version, I used the overrides field in the package.json.
This feature allows you to specify a version for a dependency anywhere in your dependency tree.

package.json:

{
...
  "overrides": {
    "ajv": "^8.17.1",
    "minimatch": "^10.2.1"
  }
}

After running npm install, the vulnerabilities were resolved.

Note:
The overrides field forces the specified versions regardless of what the parent packages declare.
Be sure to verify that all packages continue to function properly after applying this change.
