When upgrading a dependency for a security issue, we might upgrade and move on:

npm install <dependency>@<version>

But wait! Was every <dependency> version upgraded, or just the version in package.json? Check with:

npm list // or npm ls

Packages like Prettier might only be in your lockfile once:

npm list prettier
hugo@ /Users/dev/code/hugo
└── prettier@3.8.3 -> ./node_modules/.pnpm/prettier@3.8.3/node_modules/prettier

But packages like lodash are used by many dependency libraries, even in production:

npm list lodash
fe@0.1.0 /dev/frontend
├─┬ @testing-library/jest-dom@5.17.0
│ └── lodash@4.18.1 overridden
├─┬ antd@4.16.3
│ ├─┬ @ant-design/icons@4.8.3
│ │ └── lodash@4.18.1 deduped
│ ├─┬ @ant-design/react-slick@0.28.4
│ │ └── lodash@4.18.1 deduped
│ └── lodash@4.18.1 deduped

# ...hundreds of lines omitted 😅

Just because you’ve upgraded it in package.json, it might be installed in your project as a dependency of a dependency on the vulnerable version. Check it.