
Feature Request: Update to the minimum version with no security vulnerabilities of a certain severity

Open norcino opened this issue 1 year ago • 6 comments

It would be nice to have an option like --min-secure "severity", to allow a safer and quicker upgrade if security issues are found within the dependencies.

For example if I specify --min-secure high, the tool should list the next available version to upgrade to, which is not affected by any issue with severity high or critical.

norcino avatar Nov 05 '24 11:11 norcino

Hi, thanks for the suggestion.

I have a question. When you say "next available version," what did you have in mind? Since the default behavior of npm-check-updates is to update the dependency to the latest version, there is no "next" version. Are you using other options to limit the version number?

raineorshine avatar Nov 05 '24 11:11 raineorshine

Hi I mean the minimum version to update to, in order to have no security issues.

For example, assuming my application has:

- Current version: 1.0.0 (affected by a high security issue)
- Lowest version with no security issues: 1.0.19
- Last version: 1.3.0

Using --min-secure, it should suggest that I update to 1.0.19 instead of 1.3.0. This would help me mitigate the risk of breaking something during an upgrade.

To give you context, in an SDL (Secure Development Lifecycle), during each sprint we ask teams to work on a small security item: to review, fix, prevent and so on. A team could work to remove at least "critical" findings, if this could potentially be done more quickly and with less risk of introducing issues or having to address breaking changes. Upgrading a patch or minor version generally requires much less effort.

norcino avatar Nov 05 '24 14:11 norcino

I see! And if 1.0.20 also had no security issue, would you want to upgrade to 1.0.19 or 1.0.20?

raineorshine avatar Nov 05 '24 15:11 raineorshine

Very good question. Shall we trust the package development team to properly use semver? Yes, it would be fine I guess.

norcino avatar Nov 05 '24 16:11 norcino

So I think in that case what you're looking for is the maximum secure version, rather than the minimum.

I'm not sure how to access the security vulnerabilities, but it sounds like a good suggestion.

raineorshine avatar Nov 05 '24 17:11 raineorshine
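The "maximum secure version" idea settled in the exchange above, as an added example that is not part of this thread or of npm-check-updates itself. It assumes advisories arrive in a constructed OSV-style `{ introduced, fixed, severity }` shape (not npm audit's output) and returns both the lowest and the highest clean candidate, so the two readings discussed (smallest jump versus latest clean release) can be compared side by side.

```javascript
// Added example (not npm-check-updates code): from a package's published versions
// and a constructed advisory list in { introduced, fixed, severity } form, find the
// lowest and highest versions >= current with no advisory at or above a severity.
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

function rank(severity) {
  const r = SEVERITY_RANK[severity];
  if (r === undefined) throw new Error(`unknown severity: ${severity}`);
  return r;
}

// Only plain x.y.z versions are handled; prerelease tags are out of scope here.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(n => !Number.isInteger(n) || n < 0)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// An advisory affects v when introduced <= v < fixed; fixed === null means no fix yet.
function advisoryAffects(advisory, version) {
  if (compareVersions(version, advisory.introduced) < 0) return false;
  return advisory.fixed === null || compareVersions(version, advisory.fixed) < 0;
}

// Returns { min, max } among versions >= current that carry no advisory whose
// severity is at least minSeverity, or null when every candidate is affected.
function secureUpgradeCandidates(current, versions, advisories, minSeverity) {
  const limit = rank(minSeverity);
  const secure = versions
    .filter(v => compareVersions(v, current) >= 0)
    .filter(v => !advisories.some(a => rank(a.severity) >= limit && advisoryAffects(a, v)))
    .sort(compareVersions);
  return secure.length === 0 ? null : { min: secure[0], max: secure[secure.length - 1] };
}

// Constructed sample mirroring the thread: 1.0.0 is hit by a high advisory fixed in
// 1.0.19, 1.0.19 carries a low one fixed in 1.0.20, and 1.2.0+ has an unfixed critical.
const SAMPLE_VERSIONS = ['1.0.0', '1.0.5', '1.0.19', '1.0.20', '1.1.0', '1.2.0', '1.3.0'];
const SAMPLE_ADVISORIES = [
  { introduced: '0.0.0', fixed: '1.0.19', severity: 'high' },
  { introduced: '1.0.19', fixed: '1.0.20', severity: 'low' },
  { introduced: '1.2.0', fixed: null, severity: 'critical' },
];
console.log(secureUpgradeCandidates('1.0.0', SAMPLE_VERSIONS, SAMPLE_ADVISORIES, 'high'));
```

With the sample data the `high` threshold yields `{ min: '1.0.19', max: '1.1.0' }`; lowering the threshold to `low` pushes `min` to 1.0.20, while raising it to `critical` leaves 1.0.0 itself as an acceptable `min`.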

> I'm not sure how to access the security vulnerabilities

I guess looking at what sources tools like npm audit use would be a good start.

hlovdal avatar Jun 10 '25 18:06 hlovdal