
Posted on Wednesday, December 16, 2020 by

How I Update Node.js Dependencies to the Latest Version to Remove object-path Vulnerability Found in package-lock.json

So, after I committed my Laravel project to GitHub today, I received an alert from GitHub stating that there's a vulnerability in my project. And that vulnerability is inside package-lock.json, which is a file that got created when installing npm packages for my project.

Because I'm a newbie and don't know much about Node.js and NPM, I tried searching on Google for how to 'update object-path dependencies' but didn't get any straightforward answers like I wanted. The results didn't show any pages from StackOverflow, so they weren't helpful for me. But the last result on the first page caught my interest because its title was 'Update all the Node.js dependencies to their latest version', and it came from the nodejs.dev website.

I followed the instructions on the site.

  1. Run npm install -g npm-check-updates
  2. Run ncu -u
  3. Run npm update

However, on the second step, which is running the ncu -u command, I received an error. It says: ncu : File C:\Users\ASUS\AppData\Roaming\npm\ncu.ps1 cannot be loaded because running scripts is disabled on this system. To solve this error, I Googled 'ncu u running scripts is disabled on this system' and clicked on the first YouTube video that appeared in the results. Following the video tutorial, I did:

  1. Run Windows PowerShell as administrator
  2. Run Set-ExecutionPolicy RemoteSigned
  3. Type Y and hit enter

When I ran ncu -u again, I no longer received any error. And so, I was able to update everything to the latest version.

After updating, I accidentally ran npm run dev, and so my front-end got compiled accidentally too. All of these steps I took have made several changes to 3 of my files: package-lock.json, package.json and public/js/app.js.

The vulnerability alert is now gone.

Last but not least, I ran Set-ExecutionPolicy RemoteSigned in Windows PowerShell again to disable running scripts. I mean... it may cause errors when I run npm in the future, but Windows must have set the system to not run scripts by default for a reason, so I decided to change it back to the default. If I receive the same error about running scripts being disabled when running npm, I already know how to fix it. :)


By the way, before I followed the above steps, I had tried running npm install --object-path save and npm fix audit as stated on this site, but they didn't change my package-lock.json that much, and the "version": "0.9.2", is still there. Probably the vulnerability is still there too, so that's why I decided to update everything. Perhaps running the fix audit is enough to fix the vulnerability, perhaps not. But this fix audit has quite a lot of vouching that it can fix most problematic packages, so maybe try running it first.
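Rather than eyeballing package-lock.json for the "version" line, the check below lists every installed copy of a package in the lock file (both the old "dependencies" layout and the newer "packages" layout, since one package can be installed at several paths) and flags the copies still below the patched version. This is an added example, not from the original post or from the nodejs.dev guide; the sample lock file is constructed, and "0.11.5" stands in for whatever patched version the GitHub alert names.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample lock file carrying both layouts: lockfileVersion 1 nests
# copies under "dependencies", lockfileVersion 2/3 list install paths under "packages".
SAMPLE_LOCK = json.dumps({
    "name": "laravel-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "laravel-app"},
        "node_modules/object-path": {"version": "0.9.2"},
        "node_modules/some-tool/node_modules/object-path": {"version": "0.11.8"},
    },
    "dependencies": {
        "object-path": {"version": "0.9.2"},
        "some-tool": {
            "version": "1.0.0",
            "dependencies": {"object-path": {"version": "0.11.8"}},
        },
    },
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.11.8' into (0, 11, 8) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def find_installed(lock: Dict, name: str) -> List[Tuple[str, str]]:
    """Return (install path, version) for every copy of `name` in the lock file."""
    found = []
    for path, entry in lock.get("packages", {}).items():  # lockfile v2/v3 layout
        if path.split("node_modules/")[-1] == name and "version" in entry:
            found.append((path, entry["version"]))
    if found:
        return found

    def walk(deps: Dict, prefix: str) -> None:  # lockfile v1 layout: nested copies
        for dep, entry in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name and "version" in entry:
                found.append((path, entry["version"]))
            walk(entry.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def outdated_copies(lock_text: str, name: str, min_fixed: str) -> List[Tuple[str, str]]:
    """Copies of `name` whose version is below `min_fixed` (the advisory's patched version)."""
    lock = json.loads(lock_text)
    return [(p, v) for p, v in find_installed(lock, name)
            if parse_version(v) < parse_version(min_fixed)]
```

Run it as outdated_copies(open("package-lock.json").read(), "object-path", "0.11.5") on the real lock file; an empty list means no copy below the patched version remains, which is the same thing the GitHub alert checks.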
