如何修复package.json中未列出的package-lock.json中的易受攻击的npm软件包? [英] How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?

问题描述

Github告诉我，我的package-lock.json文件中的依赖项容易受到攻击并且已经过时.问题是，如果我执行npm install或npm update，则它们都不会更新package-lock.json文件中的依赖项.

Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update, neither of them update the dependency in the package-lock.json file.

我已经对此进行了很多搜索，并删除了文件并完成了npm install.

I've done a lot of googling on this, as well as deleted the file and done npm install.

如果有人可以帮助解决此问题，我将不胜感激.有问题的程序包是Hoek，我的package.json文件中实际上没有该程序包.

If anyone can help resolve this I'd hugely appreciate it. The package in question is Hoek, which I don't actually have in my package.json file.

非常感谢.

推荐答案

听起来Hoek是您其中一个依赖项的依赖项(因此，您package.json中包含的包需要它自己的package.json中的依赖项) ).

It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from it's own package.json).

您已经尝试删除/重新安装和更新项目依赖项而没有成功，因此似乎所涉及的软件包依赖项已指定了显式或最高版本.

You've already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.

在没有看到每个依赖项的package.json的情况下，很难进一步建议如何强制进行更新.

Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.

为了帮助您确定哪些软件包正在使用哪些依赖项，可以使用NPM的ls命令: https://docs .npmjs.com/cli/ls

To help you identify which packages are using which dependencies, you can use NPM's ls command: https://docs.npmjs.com/cli/ls

例如，查看使用Hoek的软件包: npm ls hoek

For example, to see which packages are using Hoek: npm ls hoek

修改2: 正如Ulysse BN正确指出的那样，如果您具有NPM版本6或更高版本，则可以使用npm audit fix要求NPM尝试为您修复漏洞.

Edit 2: As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.

修改3: 那些阅读此书的人还应该在下面查看JBallin的答案.它扩展了我在此处提供的信息，并且(在我看来)是一种结构更合理的答案，可以更好地解决OP的问题.但是-如果您想快速解决-该答案就足够了.

Edit 3: Those reading this should also check out JBallin's answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP's question better. However - if you want a quick fix - this answer should suffice.

这篇关于如何修复package.json中未列出的package-lock.json中的易受攻击的npm软件包?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！