Software Development Timesaver #7

On GitHub you increasingly get Dependabot alerts, and in a Node project the flagged package is often far down the dependency tree: something you never added yourself. The alert alone does not tell you which of your project's own dependencies actually pulls the vulnerable package in, and that is the package you need to update (or replace) to make the alert go away.

Dependabot alert

There is a handy command you can use for this:

npm ls <package_name>

For example, for follow-redirects the output below shows that follow-redirects is pulled in by webpack-dev-server in this project, so webpack-dev-server is the direct dependency to update rather than follow-redirects itself:

λ npm ls follow-redirects
[email protected] C:\Projects\a-project
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]