Find source (in package.json) of vulnerability (in package-lock.json)

Front-end | Unresolved | 1 | 731
生来不讨喜
生来不讨喜 2021-01-15 08:18

GitHub sent me an email today warning me of a vulnerability in my package-lock.json file. However, as I understand it, this file is generated during npm i

Related tags:
1 answer
  • 2021-01-15 08:24

    How can I find out which package (from package.json) is linked to the vulnerable one (in package-lock.json)?

    (Answering my own question): The vulnerable package was named growl. So, the command npm ls growl shows the packages that depend on it:

    $ npm ls growl
    my-project@1.0.1 C:\some_project
    `-- mocha@3.5.3
      `-- growl@1.9.2
    

    Then it's a question of finding a newer version of those packages (in this case mocha) that use a more modern version. At the time of this answer, the vulnerability was fixed in growl@1.10.0 (according to GitHub's vulnerability analysis). So, go through the release notes for mocha to see which version updated to growl 1.10. I spotted:

    4.0.1 / 2017-10-05
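    The lookup that `npm ls growl` performs can also be done offline against the lockfile itself, which is handy when a vulnerability alert names a package you have never heard of. The script below is an added example, not part of the original question or answer: it walks a lockfile-v1 style `package-lock.json` (the nested `dependencies` / `requires` shape), builds a reverse index of who requires whom, and reports every chain from a direct dependency in `package.json` down to the flagged package. The lockfile and `package.json` objects are constructed inline for illustration; the `mocha` and `growl` versions mirror the ones in the answer, the other entries are made up.

```javascript
// Added example: trace a vulnerable transitive package back to the
// direct dependency in package.json that pulls it in, using only the
// data in a lockfile-v1 style package-lock.json.
// The lockfile and package.json below are constructed for this example.

const lock = {
  name: "my-project",
  version: "1.0.1",
  lockfileVersion: 1,
  dependencies: {
    mocha: { version: "3.5.3", requires: { growl: "1.9.2", debug: "2.6.8" } },
    growl: { version: "1.9.2" },
    debug: { version: "2.6.8", requires: { ms: "2.0.0" } },
    ms: { version: "2.0.0" },
    lodash: { version: "4.17.20" },
  },
};

// Direct dependencies as they would appear in package.json (constructed).
const pkg = {
  dependencies: { lodash: "^4.17.0" },
  devDependencies: { mocha: "^3.5.0" },
};

// Reverse index: package name -> set of package names whose "requires"
// lists it. Recurses into nested "dependencies" blocks, which lockfile v1
// creates when two dependents need conflicting versions of a package.
function buildDependents(deps, dependents = new Map()) {
  for (const [name, entry] of Object.entries(deps)) {
    for (const req of Object.keys(entry.requires || {})) {
      if (!dependents.has(req)) dependents.set(req, new Set());
      dependents.get(req).add(name);
    }
    if (entry.dependencies) buildDependents(entry.dependencies, dependents);
  }
  return dependents;
}

// Every installed version of `target`, including nested copies.
function installedVersions(deps, target, out = []) {
  for (const [name, entry] of Object.entries(deps)) {
    if (name === target) out.push(entry.version);
    if (entry.dependencies) installedVersions(entry.dependencies, target, out);
  }
  return out;
}

// All chains from a direct dependency down to `target`,
// e.g. findChains(lock, pkg, "growl") -> [["mocha", "growl"]].
function findChains(lockfile, packageJson, target) {
  const dependents = buildDependents(lockfile.dependencies || {});
  const direct = new Set([
    ...Object.keys(packageJson.dependencies || {}),
    ...Object.keys(packageJson.devDependencies || {}),
  ]);
  const chains = [];
  const walk = (name, path, seen) => {
    if (seen.has(name)) return; // guard against dependency cycles
    const chain = [name, ...path];
    if (direct.has(name)) chains.push(chain);
    const next = new Set(seen).add(name);
    for (const parent of dependents.get(name) || []) walk(parent, chain, next);
  };
  walk(target, [], new Set());
  return chains;
}

// Usage: print the chains the same way one would read them off `npm ls`.
const flagged = "growl";
console.log(`${flagged} installed as: ${installedVersions(lock.dependencies, flagged).join(", ")}`);
for (const chain of findChains(lock, pkg, flagged)) console.log(chain.join(" > "));
```

    The first element of each chain is the entry to bump in `package.json`; the remaining elements tell you which intermediate packages must themselves have released a version that moved to the fixed dependency, which is the release-notes check the answer describes.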
