This is not your fault, but I am about to give up on web development entirely because of this. I'm so frustrated!
Every time I install anything with a tar dependency, and now I see also minimatch and js-yaml are being flagged as high-severity vulnerabilities as well, because they are bundled with old versions. Others are moderate and low severity. I don't know if it's gulp, glob, or at what point along the bundle chain it is being bundled with the wrong version, but nobody is willing to take responsibility to fix it. Everybody claims it has been fixed, but obviously, it is not fixed.
After cloning and running npm install I get the following message:
found 30 vulnerabilities (16 low, 8 moderate, 6 high) in 15827 scanned packages
I have spent hours chasing down issues in the specific packages, all the way down the dependency chain, and everybody says they have resolved the problem in their package, but the other packages that have bundled dependencies have not updated their packages to the correct versions.
The only thing that ever has worked in the past has been to directly edit the package-lock file, which is what GitHub actually instructs when they warn you that your repo has vulnerabilities, but the owners of the tar package say not to do that, but don't say why.
Also, I just now tried editing the package-lock of my clone of this repo, and it broke something.
Got any ideas?
Thanks in advance, sorry for the griping, I know this is not your problem.
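The question of where along the chain an old copy of tar, minimatch or js-yaml gets bundled can be answered from the lock file itself. The following is an added example, not code from this repository or from the issue author: it walks a lockfileVersion 1 package-lock.json (the nested `dependencies` layout npm used at the time, not the flat `packages` map of later lockfile versions) and lists every copy of a package with its path, version and whether it is a bundled copy that `npm audit fix` cannot replace. The lock contents and the "fixed in" versions are constructed for illustration; take the real fixed version from the advisory.

```python
import json

# Constructed sample package-lock.json in the lockfileVersion 1 layout (not from the issue).
# The top-level "tar" is current; an older copy is nested under a dependency that bundles it.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 1,
  "dependencies": {
    "tar": {"version": "4.4.8"},
    "some-cli": {
      "version": "1.0.0",
      "dependencies": {
        "node-gyp": {
          "version": "3.8.0",
          "dependencies": {"tar": {"version": "2.2.1", "bundled": true}}
        }
      }
    },
    "gulp": {
      "version": "3.9.1",
      "dependencies": {"minimatch": {"version": "2.0.10"}}
    }
  }
}
""")

def parse_version(v):
    # "2.2.1" -> (2, 2, 1); a pre-release suffix such as "-beta.1" is dropped for the comparison
    return tuple(int(p) for p in v.split("-")[0].split("."))

def find_copies(lock, name):
    """Return every copy of `name` in the lock tree as (path, version, bundled)."""
    found = []
    def walk(deps, path):
        for dep, info in deps.items():
            here = path + [dep]
            if dep == name:
                found.append((" > ".join(here), info["version"], bool(info.get("bundled"))))
            walk(info.get("dependencies", {}), here)  # nested copies live one level down
    walk(lock.get("dependencies", {}), [])
    return found

def outdated_copies(lock, name, fixed_in):
    """Copies of `name` older than `fixed_in` (the first fixed version from the advisory)."""
    return [c for c in find_copies(lock, name) if parse_version(c[1]) < parse_version(fixed_in)]
```

A copy reported with `bundled` set to true is shipped inside the parent package's tarball, so the fix has to come from a release of that parent (here `node-gyp`) rather than from editing the lock entry.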