The cleanest and best way to address a vulnerability is to upgrade to a vulnerability-free version of the package you’re using if possible. In most cases, disclosed vulnerabilities are fixed shortly after they’re discovered, and all you need to do is upgrade to the relevant version.
For Node.js and Ruby GitHub repos, you can generate a pull request to upgrade.
If you can’t upgrade, either because no sufficient direct upgrade is available or because the upgrade includes breaking changes you can’t take on right now, your next best option is to apply a patch (if one is available). A patch changes the locally installed package file to fix the vulnerability without changing the declared version.
- For Node.js projects, you can apply patches via a GitHub pull request that contains the fixes.
- Patching is currently not supported for Ruby. For vulnerabilities that can’t be fixed, you can open a pull request to ignore them instead.
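The decision order above (upgrade if a fix is available and acceptable, otherwise patch where patching is supported, otherwise ignore) is small enough to make explicit. The following is an added example, not code from the page or from any vulnerability-scanning product: it models one direct dependency, a constructed advisory record (with hypothetical fields `introduced`, `fixedIn` and `patchAvailable`), and an `allowMajorUpgrade` switch standing in for "can we take on breaking changes right now". Version strings are assumed to be plain MAJOR.MINOR.PATCH with no prerelease tags, and a major-version jump is treated as the breaking case.

```javascript
// Added example (not the page's or any vendor's code). Picks the remediation
// step for one direct dependency in the order described on the page:
//   1. upgrade to the fixed version when a direct upgrade is acceptable,
//   2. otherwise apply a patch if one exists (only Node.js/npm on this page),
//   3. otherwise open a pull request to ignore the finding.
// Assumes plain MAJOR.MINOR.PATCH version strings; a leading ^ or ~ is stripped.

function parseVersion(v) {
  const parts = String(v).replace(/^[~^]/, '').split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Numeric comparison per component, so "1.10.0" sorts after "1.9.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Constructed advisory shape: { introduced, fixedIn (optional), patchAvailable }.
// The installed version is affected when introduced <= installed < fixedIn,
// or when installed >= introduced and no fixed version has shipped yet.
function isAffected(installed, advisory) {
  if (compareVersions(installed, advisory.introduced) < 0) return false;
  if (!advisory.fixedIn) return true;
  return compareVersions(installed, advisory.fixedIn) < 0;
}

// dep: { name, version, ecosystem }  opts.allowMajorUpgrade: accept breaking jumps now?
function planRemediation(dep, advisory, opts = {}) {
  const { allowMajorUpgrade = false } = opts;
  if (!isAffected(dep.version, advisory)) {
    return { name: dep.name, action: 'none', reason: 'installed version not affected' };
  }
  if (advisory.fixedIn) {
    // Treat a major-version jump as the "breaking changes" case from the text.
    const breaking = parseVersion(advisory.fixedIn)[0] > parseVersion(dep.version)[0];
    if (!breaking || allowMajorUpgrade) {
      return { name: dep.name, action: 'upgrade', to: advisory.fixedIn, breaking };
    }
  }
  // A patch rewrites the locally installed package file in place. The page only
  // describes patching for Node.js, so other ecosystems fall through to ignore.
  if (advisory.patchAvailable && dep.ecosystem === 'npm') {
    return { name: dep.name, action: 'patch', to: dep.version };
  }
  return {
    name: dep.name,
    action: 'ignore',
    reason: advisory.fixedIn
      ? 'fix requires a major upgrade and no patch applies'
      : 'no fixed version published yet',
  };
}

// Constructed sample input: two direct dependencies and one advisory each.
const SAMPLE_DEPS = [
  { name: 'left-widget', version: '1.4.2', ecosystem: 'npm' },
  { name: 'gemlib', version: '2.0.1', ecosystem: 'rubygems' },
];
const SAMPLE_ADVISORIES = {
  'left-widget': { introduced: '1.0.0', fixedIn: '2.0.0', patchAvailable: true },
  gemlib: { introduced: '2.0.0', fixedIn: '3.1.0', patchAvailable: true },
};

function planAll(deps = SAMPLE_DEPS, advisories = SAMPLE_ADVISORIES, opts = {}) {
  return deps.map((dep) => planRemediation(dep, advisories[dep.name], opts));
}

if (typeof require !== 'undefined' && require.main === module) {
  // left-widget: fix is a major jump and not allowed, npm patch exists -> patch
  // gemlib: same situation, but Ruby has no patching on this page -> ignore
  console.log(planAll());
  console.log(planAll(SAMPLE_DEPS, SAMPLE_ADVISORIES, { allowMajorUpgrade: true }));
}
```

With the sample data, `planAll()` returns `patch` for the npm package and `ignore` for the Ruby gem; passing `{ allowMajorUpgrade: true }` turns both into `upgrade` recommendations. A real implementation would take the affected and fixed ranges from the advisory database rather than a single `introduced`/`fixedIn` pair, and would use a full semver parser for prerelease and build metadata.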