Proper way to fix potential security vulnerability in a dependency defined in package-lock.json


Problem description

Github has given me this error on one of my repositories.

We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security vulnerabilities 
and should be updated.

The dependency is not defined in our package.json file. To my understanding it isn't good practice to delete the package-lock.json file and regenerate it. However, I cannot see any other way to fix this issue. If I dismiss this security vulnerability it will appear again a couple of days later. Any ideas? Thanks!

Recommended answer

New: now, with npm@6 you can directly run

npm audit fix

Old answer:

You should try to identify the problematic package's name, and then run

npm install package-name

replacing package-name, obviously.

This will install the latest version of the package, and very often, the latest version has fixed the security issue. If you have a constraint on version (eg: 1.2), you can always try to:

npm install package-name@^1.2

and the latest patched version will be installed.
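The answer's first step is to identify the problematic package, and since the flagged package is usually transitive (not listed in package.json), it also helps to know which direct dependency drags it in, and at which locked version. The following is an added example (not part of the original answer): a Node script that walks a lockfileVersion 1 package-lock.json, the format written by npm 5/6, and reports every path from a direct dependency down to a given package. The package.json, the lockfile and the name `hypothetical-lib` are constructed here so it runs offline.

```javascript
// Added example, not from the original answer: report which direct dependencies
// pull in a given package by walking a lockfileVersion 1 package-lock.json.
// package.json, the lockfile and "hypothetical-lib" are constructed sample data.

const packageJson = {
  dependencies: { "app-web": "^1.0.0", "app-log": "^2.0.0" }
};

const lockfile = {
  lockfileVersion: 1,
  dependencies: {
    "app-web": {
      version: "1.0.0",
      requires: { "hypothetical-lib": "1.0.0" },
      // Nested copy: app-web resolves hypothetical-lib here, not at the root.
      dependencies: { "hypothetical-lib": { version: "1.0.0" } }
    },
    "app-log": { version: "2.0.0", requires: { "hypothetical-lib": "1.2.3" } },
    "hypothetical-lib": { version: "1.2.3" }
  }
};

// Lockfile v1 resolution: a "requires" entry is satisfied by the nearest enclosing
// "dependencies" map, searching outward to the root (scopes are innermost-last).
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && scopes[i][name]) return scopes[i][name];
  }
  return null;
}

// One record per path from a direct dependency to `target`, with the locked version.
function findPaths(lock, pkgJson, target) {
  const results = [];
  function walk(name, scopes, path) {
    const entry = resolve(name, scopes);
    if (!entry || path.includes(name)) return; // unresolved entry or dependency cycle
    const next = [...path, name];
    if (name === target) { results.push({ path: next.join(" > "), version: entry.version }); return; }
    const inner = [...scopes, entry.dependencies]; // nested deps shadow outer ones
    for (const dep of Object.keys(entry.requires || {})) walk(dep, inner, next);
  }
  for (const dep of Object.keys(pkgJson.dependencies || {})) walk(dep, [lock.dependencies || {}], []);
  return results;
}

console.log(findPaths(lockfile, packageJson, "hypothetical-lib"));
```

Each reported path tells you which top-level package to `npm install package-name@<range>` so that the lockfile picks up a patched version; a nested copy (as under app-web above) is only replaced when its parent is updated.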
