npm强制软件包锁定以更新子依赖软件包 [英] npm force package-lock to update a sub-dependency package
问题描述
由于某些代码漏洞,我试图更新一个子依赖项.软件包为 snapdragon
,目前我已安装0.8.2版本,但我希望升级到最新的0.12.0
.
Due to some code vulnerability, I am trying to update a sub-dependency. The package is snapdragon
, currently I have the version 0.8.2 installed, but I wish to upgrade to the latest 0.12.0
.
我已经更新了所有需要snapdragon
作为依赖项的软件包.现在,根据这些软件包package.json,它们需要"^0.8.1"
,也应该也支持0.12.0
.
I have updated all the packages that require snapdragon
as a dependency. Now according to those packages package.json they require "^0.8.1"
which should namely support 0.12.0
as well.
这是npm ls snapdragon
的结果:
├─┬ nodemon@1.19.2
│ └─┬ chokidar@2.1.8
│ └─┬ braces@2.3.2
│ └── snapdragon@0.8.2 deduped
└─┬ webpack@4.40.2
└─┬ micromatch@3.1.10
├─┬ extglob@2.0.4
│ ├─┬ expand-brackets@2.1.4
│ │ └── snapdragon@0.8.2 deduped
│ └── snapdragon@0.8.2 deduped
├─┬ nanomatch@1.2.13
│ └── snapdragon@0.8.2 deduped
└── snapdragon@0.8.2
我尝试运行npm update snapdragon
,也尝试了没有包锁但没有运气的全新npm install
.最终,我决定强行安装snapdraon@0.12.0
,但现在看来我有未满足的依赖项.
I have tried running npm update snapdragon
, I have also tried a fresh npm install
with no package-lock but with no luck. Eventually, I decided to forcibly install snapdraon@0.12.0
but now it seems I have unmet dependencies.
├─┬ nodemon@1.19.2
│ └─┬ chokidar@2.1.8
│ └─┬ braces@2.3.2
│ └── UNMET DEPENDENCY snapdragon@^0.8.1
├── snapdragon@0.12.0
└─┬ webpack@4.40.2
└─┬ micromatch@3.1.10
├─┬ extglob@2.0.4
│ ├─┬ expand-brackets@2.1.4
│ │ └── UNMET DEPENDENCY snapdragon@^0.8.1
│ └── UNMET DEPENDENCY snapdragon@^0.8.1
├─┬ nanomatch@1.2.13
│ └── UNMET DEPENDENCY snapdragon@^0.8.1
└── UNMET DEPENDENCY snapdragon@^0.8.1
要求^0.8.1
是否接受版本0.12.0
?如何指示程序包锁定将程序包更新为最新版本?
Shouldn't the requirement ^0.8.1
accept version 0.12.0
? How can I instruct package-lock to update the package to the latest version?
推荐答案
我无法回答有关carret的问题,但是关于标题(强制npm更新子依赖项)的主题,我们遇到了类似的问题puppeteer > extract-zip > mkdirp > minimist
,其中minimist
具有安全漏洞.它已升级,mkdirp
也已升级,但撰写本文时尚未extract-zip
.
I can't answer the carret question, but on the topic of the header (forcing npm to update a sub-dependency), we had a simillar issue with puppeteer > extract-zip > mkdirp > minimist
, where minimist
had a security vulnerability. It was upgraded and so was mkdirp
, but extract-zip
isn't at the time of this writting.
在package.json
的scripts
条目下使用npx npm-force-resolutions
似乎已解决(尽管不是理想的)漏洞
Using npx npm-force-resolutions
under the scripts
entry in package.json
seems to have solved (albeit not ideally) the vulnerability
$ git diff package.json
diff --git a/package.json b/package.json
index cf825cf..0d694b3 100644
--- a/package.json
+++ b/package.json
@@ -8,8 +8,13 @@
"lib": "lib"
},
"scripts": {
+ "preinstall": "npx npm-force-resolutions",
"test": "echo \"Error: no test specified\" && exit 1"
},
+ "resolutions": {
+ "minimist": "1.2.3",
+ "mkdir": "0.5.3"
+ },
然后运行npm install
:
$ npm install && npm audit
> sge@1.0.0 preinstall /home/jlam/code/prjName
> npx npm-force-resolutions
npx : 5 installé(s) en 5.733s
added 1 package from 1 contributor, removed 1 package and audited 72 packages in 7.212s
[...]
found 0 vulnerabilities
[...]
=== npm audit security report ===
found 0 vulnerabilities
in 72 scanned packages
这篇关于npm强制软件包锁定以更新子依赖软件包的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!