Verifying Security Patch Updates
Use package.json diff to confirm that security advisory fixes have been properly applied by checking for patch version bumps in affected packages.
Detailed Explanation
Validating Security Patches
When a security advisory is published (via npm audit, GitHub Dependabot, or Snyk), you need to update the affected packages. The Package.json Diff tool helps you verify that the correct patches were applied.
Typical security update diff
dependencies:
~ axios: 1.5.0 -> 1.5.1 [PATCH]
~ express: 4.18.1 -> 4.18.2 [PATCH]
~ jsonwebtoken: 9.0.0 -> 9.0.2 [PATCH]
devDependencies:
~ webpack: 5.88.0 -> 5.88.2 [PATCH]
Security update characteristics
Security updates are typically patch-level changes:
- They fix a specific vulnerability without changing the API
- The PATCH badge in the diff confirms the minimal version bump
- Multiple packages may be updated simultaneously if they share a vulnerability
Verification workflow
- Run `npm audit` to get the list of affected packages
- Apply fixes with `npm audit fix` or manually update versions
- Compare the before/after package.json using this tool
- Verify patch-level bumps -- security fixes should rarely be major or minor
- Check that no packages were accidentally downgraded
Red flags to watch for
| Sign | Concern |
|---|---|
| MAJOR bump for a security fix | May introduce breaking changes beyond the fix |
| Downgrade detected | Could reintroduce previously fixed vulnerabilities |
| Many unrelated changes | Mix of security fixes and feature updates -- should be separate PRs |
| Missing expected packages | Not all advisories were addressed |
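The verification workflow and the red-flag table above can be scripted for a CI gate. The following Node.js script is an added example, not part of this page or of the Package.json Diff tool's own code: it diffs two package.json objects, labels each change PATCH/MINOR/MAJOR the way the tool's badges do, and reports downgrades, major bumps, changes unrelated to the advisory, and advisory packages left untouched. The `BEFORE`/`AFTER` documents, the `ADVISORY` package list (including a `semver` entry that is deliberately left unpatched), and all function names are constructed for the example; the version parser only understands plain, caret and tilde specs.

```javascript
// Added example (not the Package.json Diff tool's own code): verify that a
// security update PR contains only the expected patch-level bumps.

const SECTIONS = ["dependencies", "devDependencies"];

// Parse "^1.5.0" / "~4.18.1" / "1.5.0" into [major, minor, patch].
// Returns null for specs this simple parser does not handle ("*", "latest", git URLs).
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify a version change by the highest semver component that differs.
function bumpLevel(a, b) {
  if (a[0] !== b[0]) return "MAJOR";
  if (a[1] !== b[1]) return "MINOR";
  if (a[2] !== b[2]) return "PATCH";
  return "NONE";
}

// Produce one change record per package whose spec differs between the two files.
function diffPackageJson(before, after) {
  const changes = [];
  for (const section of SECTIONS) {
    const prev = before[section] || {};
    const next = after[section] || {};
    for (const name of new Set([...Object.keys(prev), ...Object.keys(next)])) {
      if (!(name in next)) { changes.push({ section, name, kind: "removed", from: prev[name] }); continue; }
      if (!(name in prev)) { changes.push({ section, name, kind: "added", to: next[name] }); continue; }
      if (prev[name] === next[name]) continue;
      const a = parseVersion(prev[name]);
      const b = parseVersion(next[name]);
      if (!a || !b) { changes.push({ section, name, kind: "unparsed", from: prev[name], to: next[name] }); continue; }
      const cmp = compareVersions(a, b);
      changes.push({
        section, name, from: prev[name], to: next[name],
        kind: cmp < 0 ? "upgrade" : cmp > 0 ? "downgrade" : "unchanged",
        level: bumpLevel(a, b),
      });
    }
  }
  return changes;
}

// Apply the red-flag rules. `advisoryPackages` lists the package names the
// advisory (e.g. npm audit output) says must be updated.
function redFlags(changes, advisoryPackages) {
  const flags = [];
  const touched = new Set(changes.map((c) => c.name));
  for (const c of changes) {
    if (c.kind === "downgrade") flags.push(`${c.name}: downgrade ${c.from} -> ${c.to}`);
    if (c.kind === "upgrade" && c.level === "MAJOR") flags.push(`${c.name}: MAJOR bump ${c.from} -> ${c.to}`);
    if (c.kind === "upgrade" && !advisoryPackages.includes(c.name)) flags.push(`${c.name}: change unrelated to advisory`);
  }
  for (const name of advisoryPackages) {
    if (!touched.has(name)) flags.push(`${name}: expected by advisory but not updated`);
  }
  return flags;
}

function verifySecurityUpdate(before, after, advisoryPackages) {
  const changes = diffPackageJson(before, after);
  const flags = redFlags(changes, advisoryPackages);
  return { changes, flags, ok: flags.length === 0 };
}

// Constructed sample input: base branch vs. a Dependabot-style PR branch.
const BEFORE = {
  dependencies: { axios: "^1.5.0", express: "^4.18.1", jsonwebtoken: "^9.0.0", lodash: "^4.17.21" },
  devDependencies: { webpack: "^5.88.0" },
};
const AFTER = {
  dependencies: { axios: "^1.5.1", express: "^4.18.2", jsonwebtoken: "^9.0.2", lodash: "^4.17.20" },
  devDependencies: { webpack: "^5.88.2" },
};
// Constructed advisory list; "semver" is intentionally absent from the PR.
const ADVISORY = ["axios", "express", "jsonwebtoken", "webpack", "semver"];

const report = verifySecurityUpdate(BEFORE, AFTER, ADVISORY);
for (const c of report.changes) {
  console.log(`${c.section}: ~ ${c.name}: ${c.from} -> ${c.to} [${c.level || c.kind}] (${c.kind})`);
}
console.log(report.ok ? "OK: patch-level security update" : `RED FLAGS:\n  ${report.flags.join("\n  ")}`);
```

On the constructed input the script prints four PATCH upgrades, flags the `lodash` downgrade, and flags `semver` as an advisory package the PR did not touch; exit on a non-empty `flags` array to block the merge in CI.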
Audit summary
After verifying, use the Copy Results button to document which packages were updated and include it in your security audit log.
Use Case
A DevSecOps engineer receives a Dependabot PR that updates several packages for CVE fixes. They compare the base and PR branch package.json files to confirm only patch-level security updates were applied, with no unexpected major or minor version changes.