npm update is the correct command. Your dependencies in package.json should use the “^” prefix, like “^2.99.0”, so that any updates to the minor or patch-level version are automatically brought in by “npm update”.
As for those vulnerabilities, the mongodb vulnerability you’re talking about does not apply to Apostrophe, but unfortunately “npm audit” has no tools for creating a “safelist” of irrelevant vulnerabilities. So we wrote our own, and if you check out the Apostrophe repo from GitHub and run “npm run audit” there, you will not get an error (unless there is a new, un-safelisted vulnerability, of course).
Specifically, the mongodb vulnerability only applies to software that lets end users type in their own MongoDB collection names. We never allow that. It would be a large BC break, and/or a big retro wrapper effort, to move to the mongo 3.x driver in Apostrophe 2.x just to kill this warning. We are trying to get the attention of the npm team to implement a safelist feature for npm audit.
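The kind of safelisted audit the reply describes, as an added example that is not part of the original post and is not Apostrophe's own “npm run audit” script. It assumes the npm 6-style `npm audit --json` report, where advisories are keyed by numeric id and carry `module_name`, `severity`, `title` and `url`; the advisory ids, module names and report contents below are constructed placeholders, and the `--stdin` flag is this example's own convention. The safelist entry records why the advisory does not apply, matches on both id and module so a stale entry cannot silently hide a different advisory, and the script fails only when an un-safelisted advisory remains.

```javascript
// Added example, not Apostrophe's code: filter an `npm audit --json` report
// against a safelist of advisories judged not to apply to this application.
// Assumes the npm 6 report layout (advisories keyed by numeric id).
'use strict';

// Each safelist entry names the advisory id, the affected module and the
// reason it is irrelevant here, so the judgement lives next to the exception.
// The id and wording are constructed placeholders.
const SAFELIST = [
  {
    id: 1000,
    module: 'mongodb',
    reason: 'Only exploitable when end users pick collection names; this app never allows that.',
  },
];

// Constructed sample report in the npm 6 `npm audit --json` shape.
const SAMPLE_REPORT = {
  advisories: {
    '1000': {
      id: 1000, module_name: 'mongodb', severity: 'high',
      title: 'Constructed: collection-name injection',
      url: 'https://example.invalid/advisories/1000',
    },
    '1001': {
      id: 1001, module_name: 'lodash', severity: 'moderate',
      title: 'Constructed: prototype pollution',
      url: 'https://example.invalid/advisories/1001',
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0 } },
};

// Split the report's advisories into those still requiring action and those
// covered by the safelist; also report safelist entries that matched nothing,
// which usually means the advisory was fixed upstream and the entry is stale.
function filterAdvisories(report, safelist) {
  const byId = new Map(safelist.map((e) => [String(e.id), e]));
  const unused = new Set(byId.keys());
  const remaining = [];
  const suppressed = [];
  for (const adv of Object.values(report.advisories || {})) {
    const entry = byId.get(String(adv.id));
    // Require the module name to match too, not just the id.
    if (entry && entry.module === adv.module_name) {
      suppressed.push({ id: adv.id, module: adv.module_name, reason: entry.reason });
      unused.delete(String(adv.id));
    } else {
      remaining.push(adv);
    }
  }
  return { remaining, suppressed, unused: [...unused] };
}

// CI exit status: non-zero only when an un-safelisted advisory remains.
function exitCodeFor(result) {
  return result.remaining.length === 0 ? 0 : 1;
}

// Usage: npm audit --json | node audit-safelist.js --stdin
if (process.argv[2] === '--stdin') {
  const report = JSON.parse(require('fs').readFileSync(0, 'utf8'));
  const result = filterAdvisories(report, SAFELIST);
  for (const s of result.suppressed) console.log(`safelisted ${s.id} (${s.module}): ${s.reason}`);
  for (const a of result.remaining) console.error(`${a.severity}: ${a.module_name} #${a.id} ${a.title} ${a.url}`);
  for (const id of result.unused) console.warn(`safelist entry ${id} matched nothing; consider removing it`);
  process.exit(exitCodeFor(result));
}

module.exports = { filterAdvisories, exitCodeFor, SAFELIST, SAMPLE_REPORT };
```

Wired up as `"audit": "npm audit --json | node audit-safelist.js --stdin"` in package.json scripts, the pipeline's exit status is the script's, so CI passes while only safelisted advisories are present and fails as soon as a new one appears. The unused-entry warning is what keeps the safelist honest once the upstream dependency is actually fixed.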