Hi Matt,
npm update
is the correct command. Your dependencies in package.json should use the "^", like "^2.99.0", so that any updates to the minor or patchlevel version are automatically brought in by "npm update".
As for those vulnerabilities, the mongodb vulnerability you're talking about does not apply to apostrophe, but unfortunately "npm audit" has no tools for creating a "safelist" of irrelevant vulnerabilities. So we wrote our own, and if you check out the apostrophe repo from github and run "npm run audit" there, you will not get an error (unless there is a new, un-safelisted vulnerability, of course).
Specifically, the mongodb vulnerability only applies to software that lets end users type in their own MongoDB collection names. We never allow that. It would be a large bc break, and/or a big retro wrapper effort, to move to the mongo 3.x driver in apostrophe 2.x just to kill this warning. We are trying to get the attention of the npm team to implement a safelist feature for npm audit.
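For readers wondering what a "safelist" wrapper around npm audit looks like in practice, here is an added example. It is not Apostrophe's own "npm run audit" script: the advisory ids, module names and the sample report are constructed, and the two report shapes it reads (the npm 6 era top-level `advisories` object and the npm 7+ `vulnerabilities`/`via` object) are assumed from the JSON that `npm audit --json` prints. Each safelist entry pins an advisory id to the module it was reviewed for and records why it is irrelevant, so a mistyped or stale id cannot silently hide an unrelated finding.

```javascript
'use strict';

// Added example, not Apostrophe's code. Flattens either report shape into
// { id, module, severity, title } records, de-duplicating advisories that
// are reachable through several dependency paths.
function collectAdvisories(report) {
  const out = [];
  if (report.advisories) {
    // npm 6 era: `advisories` keyed by advisory id.
    for (const adv of Object.values(report.advisories)) {
      out.push({ id: Number(adv.id), module: adv.module_name,
                 severity: adv.severity, title: adv.title });
    }
  }
  if (report.vulnerabilities) {
    // npm 7+: `vulnerabilities` keyed by package; `via` holds advisory objects
    // (direct findings) or plain strings (names of packages that propagate them).
    for (const vuln of Object.values(report.vulnerabilities)) {
      for (const via of vuln.via || []) {
        if (via && typeof via === 'object') {
          out.push({ id: Number(via.source), module: via.name,
                     severity: via.severity, title: via.title });
        }
      }
    }
  }
  const seen = new Set();
  return out.filter(a => !seen.has(a.id) && seen.add(a.id));
}

// Splits advisories into those covered by a safelist entry (same id AND same
// module) and those that still need attention.
function applySafelist(advisories, safelist) {
  const byId = new Map(safelist.map(e => [e.id, e]));
  const suppressed = [];
  const remaining = [];
  for (const adv of advisories) {
    const entry = byId.get(adv.id);
    if (entry && entry.module === adv.module) suppressed.push(adv);
    else remaining.push(adv);
  }
  return { remaining, suppressed };
}

// Exit status a CI wrapper should use: 0 only when every finding is safelisted.
function auditExitCode(report, safelist) {
  return applySafelist(collectAdvisories(report), safelist).remaining.length === 0 ? 0 : 1;
}

// Constructed sample report in the npm 6 shape. The ids are placeholders,
// not real advisory numbers.
const SAMPLE_REPORT = {
  advisories: {
    '100': { id: 100, module_name: 'mongodb', severity: 'moderate',
             title: 'Constructed: user-controlled collection names' },
    '200': { id: 200, module_name: 'example-pkg', severity: 'high',
             title: 'Constructed: prototype pollution' }
  }
};

// The safelist lives in the repo next to the wrapper, with a reason per entry.
const SAFELIST = [
  { id: 100, module: 'mongodb',
    reason: 'End users never choose MongoDB collection names in this application' }
];

// Demo run on the constructed report. A real wrapper would obtain `report` from
// JSON.parse(execSync('npm audit --json', { encoding: 'utf8' })) inside a
// try/catch (npm audit exits non-zero whenever it finds anything) and then
// call process.exit(auditExitCode(report, SAFELIST)).
function runDemo(report, safelist) {
  const { remaining, suppressed } = applySafelist(collectAdvisories(report), safelist);
  for (const a of suppressed) console.log(`safelisted  ${a.id} ${a.module}: ${a.title}`);
  for (const a of remaining)  console.log(`UNRESOLVED  ${a.id} ${a.module} (${a.severity}): ${a.title}`);
  return remaining.length === 0 ? 0 : 1;
}

runDemo(SAMPLE_REPORT, SAFELIST);
```

With the constructed report above, the mongodb advisory is reported as safelisted and the second, un-safelisted advisory still fails the run, which is exactly the behaviour the post describes for a new, un-safelisted vulnerability.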