npm force package-lock to update a sub-dependency package


Problem description

Due to some code vulnerability, I am trying to update a sub-dependency. The package is snapdragon, currently I have the version 0.8.2 installed, but I wish to upgrade to the latest 0.12.0.

I have updated all the packages that require snapdragon as a dependency. Now, according to those packages' package.json, they require "^0.8.1", which should support 0.12.0 as well.

This is the result of npm ls snapdragon:

├─┬ nodemon@1.19.2
│ └─┬ chokidar@2.1.8
│   └─┬ braces@2.3.2
│     └── snapdragon@0.8.2  deduped
└─┬ webpack@4.40.2
  └─┬ micromatch@3.1.10
    ├─┬ extglob@2.0.4
    │ ├─┬ expand-brackets@2.1.4
    │ │ └── snapdragon@0.8.2  deduped
    │ └── snapdragon@0.8.2  deduped
    ├─┬ nanomatch@1.2.13
    │ └── snapdragon@0.8.2  deduped
    └── snapdragon@0.8.2 

I have tried running npm update snapdragon, and I have also tried a fresh npm install with no package-lock, but with no luck. Eventually, I decided to forcibly install snapdragon@0.12.0, but now it seems I have unmet dependencies.

├─┬ nodemon@1.19.2
│ └─┬ chokidar@2.1.8
│   └─┬ braces@2.3.2
│     └── UNMET DEPENDENCY snapdragon@^0.8.1
├── snapdragon@0.12.0 
└─┬ webpack@4.40.2
  └─┬ micromatch@3.1.10
    ├─┬ extglob@2.0.4
    │ ├─┬ expand-brackets@2.1.4
    │ │ └── UNMET DEPENDENCY snapdragon@^0.8.1
    │ └── UNMET DEPENDENCY snapdragon@^0.8.1
    ├─┬ nanomatch@1.2.13
    │ └── UNMET DEPENDENCY snapdragon@^0.8.1
    └── UNMET DEPENDENCY snapdragon@^0.8.1

Shouldn't the requirement ^0.8.1 accept version 0.12.0? How can I instruct package-lock to update the package to the latest version?

Recommended answer

I can't answer the caret question, but on the topic of the header (forcing npm to update a sub-dependency), we had a similar issue with puppeteer > extract-zip > mkdirp > minimist, where minimist had a security vulnerability. It was upgraded and so was mkdirp, but extract-zip isn't at the time of this writing.

Using npx npm-force-resolutions under the scripts entry in package.json seems to have solved (albeit not ideally) the vulnerability.

$ git diff package.json 
diff --git a/package.json b/package.json
index cf825cf..0d694b3 100644
--- a/package.json
+++ b/package.json
@@ -8,8 +8,13 @@
     "lib": "lib" 
   },
   "scripts": {
+    "preinstall": "npx npm-force-resolutions",
     "test": "echo \"Error: no test specified\" && exit 1" 
   },
+  "resolutions": {
+    "minimist": "1.2.3",
+    "mkdir": "0.5.3" 
+  },
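Review bot: the resolution key `"mkdir": "0.5.3"` does not match the package named in the answer, mkdirp, so this entry pins nothing in the puppeteer > extract-zip > mkdirp > minimist chain and only the minimist line actually takes effect; if mkdirp is meant, the key should read `"mkdirp"`. Also, the `"preinstall": "npx npm-force-resolutions"` line runs an unpinned npx fetch on every install, so whatever version of npm-force-resolutions is current at that moment gets executed; pinning it (`npx npm-force-resolutions@<version>`) keeps the install reproducible.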

Then run npm install:

$ npm install && npm audit

> sge@1.0.0 preinstall /home/jlam/code/prjName
> npx npm-force-resolutions

npx : 5 installé(s) en 5.733s
added 1 package from 1 contributor, removed 1 package and audited 72 packages in 7.212s

[...]


found 0 vulnerabilities
[...]

                       === npm audit security report ===                        

found 0 vulnerabilities
 in 72 scanned packages
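As an added example (not code from the question or the answer), the following Node.js script takes a lockfileVersion 1 package-lock.json object and, for one package name, lists every requester, the version npm resolves for it from the nearest enclosing "dependencies" scope, and whether that version satisfies the requester's caret range. It also makes the caret rule explicit: ^0.8.1 only admits 0.8.x, because a caret on a 0.y version keeps the minor fixed, which is why the force-installed 0.12.0 shows up as UNMET DEPENDENCY in the question. SAMPLE_LOCK is a constructed lockfile mirroring the question's nodemon branch, and caretSatisfies handles caret ranges only.

```javascript
// Added example (not from the post): audit a lockfileVersion 1 package-lock.json
// for one package, reporting each requester, the version resolved from the nearest
// enclosing "dependencies" scope, and whether it satisfies the requester's caret range.

// Caret ranges only. ^a.b.c means >=a.b.c and: a>0 -> <(a+1).0.0;
// a=0,b>0 -> <0.(b+1).0 (so ^0.8.1 rejects 0.12.0); a=0,b=0 -> exactly 0.0.c.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges supported: " + range);
  const lo = range.slice(1).split(".").map(Number);
  const v = version.split(".").map(Number);
  const cmp = v.map((x, i) => x - lo[i]).find((d) => d !== 0) || 0; // first differing part
  if (cmp < 0) return false;                       // below the floor a.b.c
  if (lo[0] > 0) return v[0] === lo[0];
  if (lo[1] > 0) return v[0] === 0 && v[1] === lo[1];
  return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
}

// Walk the nested "dependencies" tree; "chain" lists enclosing scopes, nearest first,
// which is how npm 6 resolves "requires" entries in a lockfileVersion 1 file.
function auditRequires(lock, name) {
  const findings = [];
  function walk(deps, chain, path) {
    for (const [depName, info] of Object.entries(deps || {})) {
      const scopes = [info.dependencies, ...chain];
      const here = [...path, depName + "@" + info.version];
      const range = info.requires && info.requires[name];
      if (range) {
        const hit = scopes.map((d) => d && d[name]).find(Boolean);
        const resolved = hit ? hit.version : null;   // null: nothing installed for it
        findings.push({ requester: here.join(" > "), range, resolved,
                        ok: !!hit && caretSatisfies(range, resolved) });
      }
      walk(info.dependencies, scopes, here);
    }
  }
  walk(lock.dependencies, [lock.dependencies], []);
  return findings;
}

// Constructed sample: the question's nodemon branch after snapdragon@0.12.0 was
// force-installed at the top level (hoisting flattened for brevity).
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  snapdragon: { version: "0.12.0" },
  nodemon: { version: "1.19.2", requires: { chokidar: "^2.1.8" }, dependencies: {
    chokidar: { version: "2.1.8", requires: { braces: "^2.3.2" } },
    braces: { version: "2.3.2", requires: { snapdragon: "^0.8.1" } } } },
} };

console.log(auditRequires(SAMPLE_LOCK, "snapdragon"));
```

To run it against a real project, replace SAMPLE_LOCK with require('./package-lock.json'); every entry with ok: false is a requester that npm ls would report as UNMET DEPENDENCY.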
