What does "npm audit fix" exactly do?


Question

npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.

I assumed that npm audit fix would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install. However npm audit fix still performs a lot of changes after lock file removal + reinstall.

What exactly does npm audit fix do? Does it for example install versions of dependencies newer than those allowed by the corresponding package.json (but still semver-compatible)?

Accepted answer

From NPM's site on their audit command:

npm audit fix runs a full-fledged npm install under the hood

And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document:

Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones:

$ npm audit fix --force

As for the lock file, it is regenerated each time you run a command that changes package.json. There is more information about that in an answer here as well as in the official documentation.
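To make the distinction in the answer concrete, here is an added example (not from the question, the answer, or npm itself) that models which command resolves an advisory for one dependency: a plain `npm audit fix` stays inside the package.json range, while `--force` may cross a semver-major boundary. It assumes caret ranges and advisories written as "<x.y.z"; the package versions and advisories are constructed.

```javascript
// Added example (not from the original Q&A or from npm): a simplified model of
// the per-dependency decision behind `npm audit fix`. Assumptions: package.json
// uses caret ranges ("^1.2.3") and advisories mark vulnerable versions as "<x.y.z".

function parseVersion(v) {
  return v.replace(/^[\^<]/, '').split('.').map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Caret semantics: ^1.2.3 allows >=1.2.3 <2.0.0; ^0.2.3 allows >=0.2.3 <0.3.0.
function satisfiesCaret(range, version) {
  const base = parseVersion(range);
  const v = parseVersion(version);
  if (compare(v, base) < 0) return false;
  if (base[0] !== 0) return v[0] === base[0];
  return v[0] === 0 && v[1] === base[1];
}

// advisory.vulnerable is "<x.y.z": every version below the patched release.
function isVulnerable(advisory, version) {
  return compare(parseVersion(version), parseVersion(advisory.vulnerable)) < 0;
}

function pickHighest(versions) {
  return versions.slice().sort((a, b) => compare(parseVersion(a), parseVersion(b))).pop();
}

// Which command resolves the advisory, mirroring the answer: plain `npm audit fix`
// only moves within the package.json range (the same ceiling a fresh `npm install`
// would reach), while `--force` may also cross a semver-major boundary.
function auditFixPlan(range, available, advisory) {
  const safe = available.filter((v) => !isVulnerable(advisory, v));
  const inRange = safe.filter((v) => satisfiesCaret(range, v));
  if (inRange.length > 0) return { action: 'fix', version: pickHighest(inRange) };
  if (safe.length > 0) return { action: 'fix --force', version: pickHighest(safe) };
  return { action: 'no fix available', version: null };
}

// Constructed sample data, not a real package, registry listing or advisory.
const AVAILABLE = ['1.4.0', '1.4.1', '1.5.0', '2.0.0', '2.0.1'];
const ADVISORY_PATCHED_IN_MINOR = { vulnerable: '<1.5.0' };
const ADVISORY_PATCHED_IN_MAJOR = { vulnerable: '<2.0.1' };
```

Real npm resolves ranges with the full semver grammar and walks the whole dependency tree; this model only shows why a fix that exists solely in the next major is out of reach without `--force`.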
