npm force package-lock to update a sub-dependency package

对着背影说爱祢 submitted on 2020-05-16 03:10:13

Question


Due to some code vulnerability, I am trying to update a sub-dependency. The package is snapdragon, currently I have the version 0.8.2 installed, but I wish to upgrade to the latest 0.12.0.

I have updated all the packages that require snapdragon as a dependency. Now, according to those packages' package.json, they require "^0.8.1", which should namely support 0.12.0 as well.

Here's the result of npm ls snapdragon:

├─┬ nodemon@1.19.2
│ └─┬ chokidar@2.1.8
│   └─┬ braces@2.3.2
│     └── snapdragon@0.8.2  deduped
└─┬ webpack@4.40.2
  └─┬ micromatch@3.1.10
    ├─┬ extglob@2.0.4
    │ ├─┬ expand-brackets@2.1.4
    │ │ └── snapdragon@0.8.2  deduped
    │ └── snapdragon@0.8.2  deduped
    ├─┬ nanomatch@1.2.13
    │ └── snapdragon@0.8.2  deduped
    └── snapdragon@0.8.2 

I have tried running npm update snapdragon, I have also tried a fresh npm install with no package-lock but with no luck. Eventually, I decided to forcibly install snapdragon@0.12.0 but now it seems I have unmet dependencies.

├─┬ nodemon@1.19.2
│ └─┬ chokidar@2.1.8
│   └─┬ braces@2.3.2
│     └── UNMET DEPENDENCY snapdragon@^0.8.1
├── snapdragon@0.12.0 
└─┬ webpack@4.40.2
  └─┬ micromatch@3.1.10
    ├─┬ extglob@2.0.4
    │ ├─┬ expand-brackets@2.1.4
    │ │ └── UNMET DEPENDENCY snapdragon@^0.8.1
    │ └── UNMET DEPENDENCY snapdragon@^0.8.1
    ├─┬ nanomatch@1.2.13
    │ └── UNMET DEPENDENCY snapdragon@^0.8.1
    └── UNMET DEPENDENCY snapdragon@^0.8.1

Shouldn't the requirement ^0.8.1 accept version 0.12.0? How can I instruct package-lock to update the package to the latest version?


Answer 1:


I can't answer the caret question, but on the topic of the header (forcing npm to update a sub-dependency), we had a similar issue with puppeteer > extract-zip > mkdirp > minimist, where minimist had a security vulnerability. It was upgraded and so was mkdirp, but extract-zip isn't at the time of this writing.

Using npx npm-force-resolutions under the scripts entry in package.json seems to have solved (albeit not ideally) the vulnerability.

$ git diff package.json 
diff --git a/package.json b/package.json
index cf825cf..0d694b3 100644
--- a/package.json
+++ b/package.json
@@ -8,8 +8,13 @@
     "lib": "lib" 
   },
   "scripts": {
+    "preinstall": "npx npm-force-resolutions",
     "test": "echo \"Error: no test specified\" && exit 1" 
   },
+  "resolutions": {
+    "minimist": "1.2.3",
+    "mkdir": "0.5.3" 
+  },
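Review bot: the second resolutions key, `"mkdir": "0.5.3"`, does not match the package named in the chain described above (puppeteer > extract-zip > mkdirp > minimist); if mkdirp is the intended target, the entry should read `"mkdirp": "0.5.3"`, otherwise the override is a no-op for that package and only the minimist pin takes effect.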

Then running npm install:

$ npm install && npm audit

> sge@1.0.0 preinstall /home/jlam/code/prjName
> npx npm-force-resolutions

npx : 5 installé(s) en 5.733s
added 1 package from 1 contributor, removed 1 package and audited 72 packages in 7.212s

[...]


found 0 vulnerabilities
[...]

                       === npm audit security report ===                        

found 0 vulnerabilities
 in 72 scanned packages
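As an added example that is not from the question or either answer, the script below walks a lockfileVersion 1 package-lock.json (the nested "dependencies"/"requires" layout the question's npm ls output reflects) the way npm ls does and flags consumers whose declared range is not met by the copy npm's lookup resolves; the lockfile fragment and the caret checker (which ignores prerelease tags) are constructed here. It also shows the caret rule the question trips over: for 0.x versions, ^0.8.1 admits only patch updates, so 0.12.0 is outside the range, which is why the forced install reports UNMET DEPENDENCY.

```javascript
// Added example, not code from the question or answers: walk a
// lockfileVersion 1 package-lock.json tree and report each package that
// requires `pkg`, the copy npm's lookup resolves it to, and whether that
// copy satisfies the declared caret range. The lockfile is constructed.
const parse = (v) => v.split('.').map(Number); // prerelease tags ignored

// Caret rule as npm's semver applies it: everything up to and including
// the first non-zero component is frozen, so ^0.8.1 means >=0.8.1 <0.9.0
// while ^1.2.3 means >=1.2.3 <2.0.0.
function satisfiesCaret(range, version) {
  const lower = parse(range.replace(/^\^/, ''));
  const v = parse(version);
  for (let i = 0; i < 3; i++) {                 // version >= lower bound
    if (v[i] > lower[i]) break;
    if (v[i] < lower[i]) return false;
  }
  const idx = lower.findIndex((n) => n !== 0);
  const pivot = idx === -1 ? 2 : idx;           // last frozen component
  return lower.slice(0, pivot + 1).every((n, i) => v[i] === n);
}

// `deps` is a "dependencies" object; `ancestors` lists, nearest first, the
// enclosing levels that node_modules lookup climbs through.
function findRequirers(deps, pkg, ancestors = [], out = []) {
  for (const [name, node] of Object.entries(deps || {})) {
    const range = node.requires && node.requires[pkg];
    if (range) {
      const levels = [node.dependencies, deps, ...ancestors.map((a) => a.deps)];
      const provider = levels.find((d) => d && d[pkg]);
      const resolved = provider ? provider[pkg].version : null;
      const path = [...ancestors.map((a) => a.name).reverse(), name].join(' > ');
      out.push({ path, range, resolved,
                 ok: resolved !== null && satisfiesCaret(range, resolved) });
    }
    findRequirers(node.dependencies, pkg, [{ name, deps }, ...ancestors], out);
  }
  return out;
}

// Constructed fragment mirroring the question: snapdragon@0.12.0 forced at
// top level, braces with no nested copy, micromatch keeping its own 0.8.2.
const lock = { dependencies: {
  snapdragon: { version: '0.12.0' },
  braces: { version: '2.3.2', requires: { snapdragon: '^0.8.1' } },
  micromatch: { version: '3.1.10', requires: { snapdragon: '^0.8.1' },
                dependencies: { snapdragon: { version: '0.8.2' } } },
} };

for (const r of findRequirers(lock.dependencies, 'snapdragon'))
  console.log(`${r.path}: wants ${r.range}, gets ${r.resolved}`, r.ok ? 'OK' : 'UNMET');
```

Point it at a real lockfile with `JSON.parse(require('fs').readFileSync('package-lock.json'))` in place of the constructed object to see which consumers a forced resolution leaves unmet.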



Answer 2:


I did this and still get the same errors as before. Why? I'm very new to this.

found 1 low severity vulnerability in 3522 scanned packages
  1 vulnerability requires manual review. See the full report for details.
➜ web-dev-starter git:(master) ✗ npx npm-force-resolutions
npx: installed 5 in 1.27s
➜ web-dev-starter git:(master) ✗ npm install
audited 3522 packages in 1.712s

2 packages are looking for funding
  run npm fund for details

found 1 low severity vulnerability
  run npm audit fix to fix them, or npm audit for details
➜ web-dev-starter git:(master) ✗ npm fund
js-starter-code@1.0.0
├─┬ https://github.com/sponsors/isaacs
│ └── glob@7.1.6
└─┬ https://github.com/sponsors/ljharb
  └── resolve@1.15.1

➜ web-dev-starter git:(master) ✗

I don't know who these people or this GitHub is. Do I have to join a membership to get the code? What is this?



Source: https://stackoverflow.com/questions/58065817/npm-force-package-lock-to-update-a-sub-dependency-package
