# Handling Package Vulnerabilities in Web Projects with pnpm

In today's fast-paced web projects, with ever-changing technologies, tools, and dependencies, it can be challenging to keep everything up to date. Some may argue that this isn't a significant concern, as long as the project works as expected at a given moment. However, as mentioned in [a previous article](https://bordeauxcoders.com/ensure-proper-dependency-maintenance), keeping dependencies up to date not only ensures stability or optimization but also provides the latest security patches for your application. As you might have guessed, pnpm provides a variety of features to assist you in this regard.

## Checking for vulnerabilities

First, we have to identify if the project has any known vulnerabilities within its dependencies using the [\`audit\` command](https://pnpm.io/cli/audit).

```powershell
pnpm audit
```

This command checks every package against the [GitHub Advisory Database](https://github.com/advisories) and indicates through a report which packages are currently carrying security issues and what is their level of threat.

![The output of pnpm audit command](https://cdn.hashnode.com/res/hashnode/image/upload/v1689715234887/847fd441-1f96-48d5-92f7-7b0a4308ef7b.png align="center")

## Vulnerabilities resolution

If the [`audit` command](https://pnpm.io/cli/audit) identifies some issues, you can try to automatically fix them by running the [`pnpm update`](https://pnpm.io/cli/update) command. This will try to update each vulnerable package to a safe version, without introducing breaking changes.

If there are still some vulnerabilities after running the update, you can try to use the [overrides field](https://pnpm.io/package_json#pnpmoverrides).

![pnpm section added after running audit --fix](https://cdn.hashnode.com/res/hashnode/image/upload/v1689837842508/18cae59d-5d5d-44c0-89f4-58584ac074ca.png align="center")

Simply run the [`audit` command](https://pnpm.io/cli/audit) with the fix option, and it will add a new section in the `package.json` file indicating the version of the packages to use whenever those packages and their dependency graph are resolved during the installation.

```powershell
pnpm audit --fix
```

You can also specify a threat level while fixing the vulnerabilities, for instance, to only fix the critical ones first :

```powershell
pnpm audit --audit-level critical
```

### Good to know

If you are running the `pnpm audit` command in a CI pipeline, you can output the audit report as a JSON file thanks to the `-json` option. You can then make available this report as an artifact of your pipeline for future reference.

---

To maintain a secure development environment in the long run, it's crucial to regularly audit your project for vulnerabilities. You should consider running the `audit` command as part of your continuous integration process or at regular intervals during development.
