How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?

Views: 212

Question

Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update, neither of them updates the dependency in the package-lock.json file.

I've done a lot of googling on this, as well as deleted the file and done npm install.

If anyone can help resolve this I'd hugely appreciate it. The package in question is Hoek, which I don't actually have in my package.json file.

Many thanks.

Recommended answer

It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from its own package.json).

You've already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.

Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.

To help you identify which packages are using which dependencies, you can use NPM's ls command: https://docs.npmjs.com/cli/ls

For example, to see which packages are using Hoek: npm ls hoek

Edit 2: As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.

Edit 3: Those reading this should also check out JBallin's answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP's question better. However - if you want a quick fix - this answer should suffice.
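The answer's advice, npm ls hoek, walks the lockfile to show which of your own dependencies pulls the package in. The script below is an added example, not part of the question or of any answer: it does the same walk over a constructed lockfileVersion 1 package-lock.json and package.json, and additionally lists the requesters whose declared range cannot accept a fixed version, which is why npm install and npm update leave the old copy in place. All package names, versions and the "4.2.1" fixed version are constructed sample values; findDependencyPaths, blockingRequesters, rangeMajor and formatReport are the example's own helpers; comparing only the leading major of a range is a deliberate simplification.

```javascript
// Added example: find how a transitive package reaches the project and which
// requesters pin it below a fixed version. Not code from the question/answers.
// The package.json and package-lock.json below are constructed sample data.

const packageJson = {
  name: "my-app",
  version: "1.0.0",
  dependencies: { request: "^2.81.0", "some-lib": "^1.0.0" },
};

const packageLock = {
  name: "my-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    request: { version: "2.81.0", requires: { hawk: "~3.1.3" } },
    hawk: { version: "3.1.3", requires: { hoek: "2.x.x", boom: "2.x.x" } },
    boom: { version: "2.10.1", requires: { hoek: "2.x.x" } },
    hoek: { version: "2.16.3" },
    "some-lib": {
      version: "1.0.0",
      requires: { hoek: "^4.2.1" },
      // nested copy: the top-level hoek is the wrong major for some-lib
      dependencies: { hoek: { version: "4.2.1" } },
    },
  },
};

// Resolve `name` the way npm resolves a v1 lockfile: nearest nested
// `dependencies` map first, then outward to the root map.
function resolve(name, scopes) {
  for (const scope of scopes) {
    if (scope && Object.prototype.hasOwnProperty.call(scope, name)) return scope[name];
  }
  return null;
}

// Every chain from a direct dependency to `target`, e.g.
// ["request@2.81.0", "hawk@3.1.3", "hoek@2.16.3"] (what `npm ls hoek` prints).
function findDependencyPaths(pkg, lock, target) {
  const paths = [];
  function walk(name, scopes, trail) {
    if (trail.some((t) => t.startsWith(name + "@"))) return; // cycle guard
    const node = resolve(name, scopes);
    if (!node) return;
    const here = [...trail, `${name}@${node.version}`];
    if (name === target) { paths.push(here); return; }
    const inner = [node.dependencies, ...scopes];
    for (const dep of Object.keys(node.requires || {})) walk(dep, inner, here);
  }
  for (const direct of Object.keys(pkg.dependencies || {})) {
    walk(direct, [lock.dependencies], []);
  }
  return paths;
}

// Leading major of a range such as "2.x.x", "^2.16.3" or "~3.1.3".
// Assumption: major-only comparison; compound ranges like ">=2 <5" are not handled.
function rangeMajor(range) {
  const m = /\d+/.exec(range);
  return m ? Number(m[0]) : null;
}

// Packages whose declared range for `target` cannot accept `fixedVersion`:
// these are the ones that keep `npm update` from moving past the old major.
function blockingRequesters(lock, target, fixedVersion) {
  const fixedMajor = rangeMajor(fixedVersion);
  const blockers = [];
  (function scan(depsMap) {
    for (const [name, node] of Object.entries(depsMap || {})) {
      const range = node.requires && node.requires[target];
      if (range !== undefined && rangeMajor(range) !== fixedMajor) {
        blockers.push({ name, version: node.version, range });
      }
      scan(node.dependencies); // nested copies can have their own requires
    }
  })(lock.dependencies);
  return blockers;
}

// Human-readable summary of both checks.
function formatReport(pkg, lock, target, fixedVersion) {
  const lines = findDependencyPaths(pkg, lock, target).map((p) => "  " + p.join(" > "));
  const blockers = blockingRequesters(lock, target, fixedVersion).map(
    (b) => `  ${b.name}@${b.version} requires ${target} ${b.range}`
  );
  return [`Paths to ${target}:`, ...lines,
          `Requesters that cannot take ${target}@${fixedVersion}:`, ...blockers].join("\n");
}

console.log(formatReport(packageJson, packageLock, "hoek", "4.2.1"));
```

The report shows why the question's situation happens: the old hoek is reachable only through hawk and boom, both of which declare a 2.x.x range, so no reinstall can replace it with a 4.x release until those requesters publish a release with a wider range (or npm audit fix finds one that already has).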
