I have followed the npm documentation to solve this issue but it's no use. This is what I get on GitHub:
I open the terminal, go to my local repository and run npm install
and I get the following message:
When I run npm audit fix
I get an error: “fixed 0 of 4 vulnerabilities in 2924 scanned packages 4 vulnerabilities required manual review and could not be updated”
Then, following the npm documentation, I run npm update
and it still says that it found 4 vulnerabilities:
And these are the vulnerabilities:
How can I fix this problem? I’m stuck here… Any help is very much appreciated.
It seems like it's an old issue; I read a few comments and apparently there's no solution to update this package.
One question though: recently I made a few changes to a project that uses this dependency, and I re-installed the npm modules and it updated everything, including the hoek dependency.
My question is, when I push the changes to my repo on GitHub, do I need to keep the node_modules folder to see if the package was updated? I ask this because I delete the node_modules folder from my local repo before pushing anything to my repo on GitHub. And after pushing the changes to my repo I still get the same message.
Thanks for the help btw.
Yeah, it's an issue with Node projects normally having a great deal of small modules as dependencies, and all of them in turn having dependencies. If there is an issue with a dependency of a dependency, it can be difficult to fix because the dependency tree is generally enormous.
When you run npm install, it should generate a package lockfile that lists the whole dependency tree, and that should be all you need. You shouldn't ever need to commit the actual node_modules folder (though there are reasons to do that, it shouldn't be necessary).
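The "dependency of a dependency" problem in that answer is easier to reason about once you can see where each copy of a package sits in package-lock.json, because the lockfile, not node_modules, is what records the versions that a scanner such as GitHub's alerts reads. The following is an added example, not code from the original thread or from npm: a small Node script that reads a lockfileVersion 1 package-lock.json (the format npm 5 and 6 write, with `requires` and nested `dependencies`), lists every installed copy of a package, reconstructs the chain from a top-level dependency down to it (roughly what `npm ls hoek` prints), and flags copies below a patched version that you pass in from the advisory. The lockfile content below is constructed to resemble the hoek chain; the package names, versions and the patched version are illustrative, and the script does not consult package.json, so a root-level package is treated as a direct dependency only when nothing else resolves to it.

```javascript
// Added example: locate every copy of a package in a lockfileVersion 1
// package-lock.json and explain which chain of dependencies pulls it in.

// Constructed lockfile fragment (hypothetical, not from any real project).
// Mirrors the familiar request -> hawk -> boom -> hoek chain.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: "4.2.1" },
    boom: {
      version: "2.10.1",
      requires: { hoek: "2.x.x" },
      dependencies: { hoek: { version: "2.16.3" } },
    },
    hawk: {
      version: "3.1.3",
      requires: { boom: "2.x.x", hoek: "2.x.x" },
      dependencies: { hoek: { version: "2.16.3" } },
    },
    request: { version: "2.81.0", requires: { hawk: "~3.1.3" } },
  },
};

// Numeric compare of "x.y.z" versions; prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Yield every node as {path, node}; path is the chain of names from the root
// of the lockfile to the installed copy, e.g. ["hawk", "hoek"].
function* walk(deps, path = []) {
  for (const [name, node] of Object.entries(deps || {})) {
    const here = [...path, name];
    yield { path: here, node };
    yield* walk(node.dependencies, here);
  }
}

// Lockfile v1 resolution: a "requires" entry is satisfied by the nearest copy,
// searching the requiring package's nested deps, then each ancestor's nested
// deps, then the root. Returns the winning copy's path, or null.
function resolveRequire(lock, fromPath, name) {
  for (let depth = fromPath.length; depth >= 0; depth--) {
    const ancestors = fromPath.slice(0, depth);
    let deps = lock.dependencies;
    for (const p of ancestors) deps = (deps[p] || {}).dependencies || {};
    if (deps[name]) return [...ancestors, name];
  }
  return null;
}

// Rebuild the chains from a top-level dependency to one installed copy,
// the way `npm ls <name>` shows them. A package nobody resolves to is
// treated as a direct dependency (package.json is not consulted here).
function chainsTo(lock, targetPath, seen = new Set()) {
  const key = targetPath.join(" > ");
  if (seen.has(key)) return [];
  seen.add(key);
  const name = targetPath[targetPath.length - 1];
  const requirers = [];
  for (const { path, node } of walk(lock.dependencies)) {
    if (!node.requires || !(name in node.requires)) continue;
    const r = resolveRequire(lock, path, name);
    if (r && r.join(" > ") === key) requirers.push(path);
  }
  if (requirers.length === 0) return [[name]];
  const chains = [];
  for (const r of requirers)
    for (const c of chainsTo(lock, r, new Set(seen))) chains.push([...c, name]);
  return chains;
}

// Report every installed copy of `name`: where it lives, its version, whether
// it is below `patchedVersion` (take that from the advisory npm audit prints),
// and the chains that pull it in.
function auditPackage(lock, name, patchedVersion) {
  const report = [];
  for (const { path, node } of walk(lock.dependencies)) {
    if (path[path.length - 1] !== name) continue;
    report.push({
      location: path.join(" > "),
      version: node.version,
      vulnerable: compareVersions(node.version, patchedVersion) < 0,
      chains: chainsTo(lock, path).map((c) => c.join(" > ")),
    });
  }
  return report;
}

// Stand-alone run: pass a real package-lock.json path as the first argument,
// otherwise the constructed lockfile above is used.
const lockToScan =
  typeof require === "function" && process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : LOCKFILE;
console.table(auditPackage(lockToScan, "hoek", "4.2.1"));
```

Run it as `node audit-lock.js package-lock.json` against a committed lockfile. A copy reported as vulnerable with a chain such as `request > hawk > boom > hoek` is exactly the case `npm audit fix` cannot repair on its own: the top-level package pins a range that never reaches the patched version, so the fix is to upgrade or replace the top-level package, not hoek itself.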
Yes, when I run npm install it generates a package-lock.json, but my question is, after I update a package in my local repo, do I need to commit the node_modules folder for that change to be reflected in my repo on GitHub?
I ask this because I recently ran npm install in one of my projects using that package and, according to the terminal, the package was updated, but on GitHub I keep getting the same message.