如何在 package-lock.json 中 npm 更新依赖项版本? [英] How do I npm update dependency versions in the package-lock.json?

问题描述

和标题一样，但是:

• 如果可能，我不想在 package-lock.json 中手动重写版本字符串，
• 我尝试了以下操作:如何将 package.json 中的每个依赖项更新到最新版本? 但当然正如预期的那样，它只更新了 package.json 文件，
• 我查看了文档:package-lock.json 文档 和package-locks 解释文档、
• 如这个问题所述，npm安装npm v5.1.0 中的行为已更改，如果我是正确的，这意味着如果我的 npm 版本高于 5.1.0，我的应用程序将(默认情况下)始终从 tha package.json npm install，而不是 package-锁.json.但是，我的 package-lock.json 中仍然列出了一个存在漏洞的依赖项，我的 github 正在为此发出警告.

• If it is possible, I don't want to hand-rewrite the version string manually in the package-lock.json,
• I tried the following: How do I update each dependency in package.json to the latest version? but of course as expected, it only updated the package.json file,
• I looked at the docs: package-lock.json docs and package-locks explanation docs,
• as written in this question, the npm install behaviour was changed in npm v5.1.0, which if I'm correct, means that if I have npm version higher than 5.1.0, my app will (by default) always npm install from tha package.json, instead of the package-lock.json. However, I still have a dependency listed in my package-lock.json which has a vulnerability, and my github is screaming warning for it.

如何最好地解决这个问题?如果我还是从 package.json 安装，删除 package-lock.json 是一个好习惯吗?我应该保持更新吗?如果我想改用锁怎么办?

How to best solve this? If I'm installing from package.json anyway, is it a good practice to just delete the package-lock.json? Should I rather keep it updated? What to do if I want to use the lock instead?

我以前从未做过这样的事情，所以我什至不确定如果我只是在 json 中重写一个版本字符串它会起作用还是破坏 npm 安装.

I have never done anything like this before, so I'm not even sure that if I just rewrote a version string in the json it would work or break the npm install.

是否有一种安全/专业的方法可以更改为 package-lock.json，并通过 npm 保持更新?

推荐答案

如果你想更新 package-lock.json 中的版本，你可以通过使用

If you want update version in package-lock.json,you can do it by updating the package using

npm update <package_name>

• '^' >>大约相当于版本"
• '~' >>兼容版本"

在 package.json 中阅读更多关于 '^' 和 '~' >> 参考

Read more about '^' and '~' in your package.json >> Reference

由于 package-lock 为每个模块及其每个依赖项指定了版本、位置和完整性哈希，因此它创建的安装将是相同的，对于共享项目中的每个用户来说，每次都是相同的.

As the package-lock specifies a version, location and integrity hash for every module and each of its dependencies, the install it creates will be the same, every single time for each user in shared project.

你想要的一切了解 package-lock.json

希望这能帮助您理清思路.

Hope this will help you clear your thoughts.

这篇关于如何在 package-lock.json 中 npm 更新依赖项版本?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！