Proper way to fix potential security vulnerability in a dependency defined in package-lock.json
Question
GitHub has given me this error on one of my repositories.
We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security vulnerabilities
and should be updated.
The dependency is not defined in our package.json file. To my understanding it isn't good practice to delete the package-lock.json file and regenerate it. However, I cannot see any other way to fix this issue. If I dismiss this security vulnerability it will appear again a couple of days later. Any ideas? Thanks!
Accepted answer
New: now, with npm@6 you can directly run
npm audit fix
Old answer:
You should try to identify the problematic package's name, and then run
npm install package-name
replacing package-name, obviously.
This will install the latest version of the package, and very often, the latest version has fixed the security issue. If you have a constraint on version (e.g. 1.2), you can always try:
npm install package-name@^1.2
and the latest patched version will be installed.
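An added example (not part of the question or answer above) for the "identify the problematic package" step when the flagged package is only a transitive dependency: it parses a lockfileVersion 1 package-lock.json (the npm@6 format) and reports which package.json entry pulls in a given package, so you know which dependency the npm install command above has to update. The package names, versions and both JSON documents are constructed placeholders.

```python
import json

# Constructed package.json and package-lock.json (lockfileVersion 1, the npm@6
# format). Package names and versions are placeholders, not real packages.
PACKAGE_JSON = json.loads('{"dependencies": {"app-server": "^1.0.0"},'
                          ' "devDependencies": {"test-runner": "^2.0.0"}}')
PACKAGE_LOCK = json.loads("""{
  "lockfileVersion": 1, "dependencies": {
    "app-server": {"version": "1.0.3", "requires": {"log-tool": "^1.1.0"}},
    "log-tool": {"version": "1.1.2", "requires": {"time-units": "2.0.0"}},
    "time-units": {"version": "2.0.0"},
    "test-runner": {"version": "2.0.1", "requires": {"time-units": "^3.0.0"},
                    "dependencies": {"time-units": {"version": "3.0.1"}}}
  }
}""")


def flatten(deps, path=(), index=None):
    """Index every lock entry by its nesting path, e.g. ('test-runner', 'time-units')."""
    index = {} if index is None else index
    for name, entry in deps.items():
        index[path + (name,)] = entry
        flatten(entry.get("dependencies", {}), path + (name,), index)
    return index


def resolve(index, from_path, name):
    """Mimic node_modules lookup: nearest nested copy first, then up to the root."""
    for depth in range(len(from_path), -1, -1):
        if from_path[:depth] + (name,) in index:
            return from_path[:depth] + (name,)
    return None


def find_chains(target, package_json, lock):
    """Return each require-chain from a direct dependency down to `target` as a
    list of 'name@version'; the first element is the package.json entry to update."""
    index, chains = flatten(lock.get("dependencies", {})), []

    def dfs(path, seen, trail):
        entry = index[path]
        trail = trail + ["%s@%s" % (path[-1], entry["version"])]
        if path[-1] == target:
            chains.append(trail)
            return
        for req in entry.get("requires", {}):
            child = resolve(index, path, req)
            if child is not None and req not in seen:  # `seen` guards against cycles
                dfs(child, seen | {req}, trail)

    for section in ("dependencies", "devDependencies"):
        for name in package_json.get(section, {}):
            root = resolve(index, (), name)
            if root is not None:
                dfs(root, {name}, [])
    return chains
```

Running `find_chains("time-units", PACKAGE_JSON, PACKAGE_LOCK)` shows two copies of the package reached through different direct dependencies, which is why updating only the top-level entry you see first may leave a nested copy in place.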