How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?

Backend | Unresolved | 9 | 1987
面向向阳花 2020-12-07 19:44

Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update

9 answers
  •  忘掉有多难
    2020-12-07 20:10

    Edit package-lock.json manually, update the vulnerable package's version to the fixed one, and then use

    npm ci
    

    That will install the packages according to package-lock.json by ignoring package.json first. Then use

    npm audit fix
    

    again, to be sure it's properly done. If that does not help, then use the other given solutions.

    More information here:

    https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable

    or here: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
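As an added example (not code from the answer above or from npm itself), here is a Python script for the "edit package-lock.json manually" step: it locates every copy of a given package in a lockfileVersion 2/3 package-lock.json, including nested copies under another package's node_modules, reports which are below the fixed version, and bumps those. The package names, versions and lockfile fragment are constructed, and it assumes npm will re-fetch and recompute the `resolved`/`integrity` fields for entries that lack them.

```python
import json
import re
from typing import List, Tuple

# Constructed lockfile fragment (lockfileVersion 2/3 layout): "vuln-lib" is only
# a transitive dependency of "top-dep", so it never appears in package.json.
SAMPLE_LOCK = json.loads("""{
  "name": "demo", "lockfileVersion": 2, "packages": {
    "": {"dependencies": {"top-dep": "^1.0.0"}},
    "node_modules/top-dep": {"version": "1.0.0", "dependencies": {"vuln-lib": "^2.0.0"}},
    "node_modules/vuln-lib": {"version": "2.0.1",
      "resolved": "https://registry.example/vuln-lib-2.0.1.tgz", "integrity": "sha512-OLD"},
    "node_modules/other/node_modules/vuln-lib": {"version": "2.3.0"}
  }
}""")

def parse_version(v: str) -> Tuple[int, ...]:
    """Split 'MAJOR.MINOR.PATCH' into ints; pre-release tags are not handled here."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())

def find_entries(lock: dict, name: str, fixed: str) -> List[Tuple[str, str, bool]]:
    """Return (lock path, installed version, below_fix) for every copy of `name`.
    The last path segment after 'node_modules/' is the package name, so nested
    copies such as node_modules/a/node_modules/<name> are found too."""
    out = []
    for path, entry in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == name and "version" in entry:
            below = parse_version(entry["version"]) < parse_version(fixed)
            out.append((path, entry["version"], below))
    return out

def bump_entries(lock: dict, name: str, fixed: str) -> int:
    """Raise every below-fix copy to `fixed` and drop the stale resolved/integrity
    fields so npm fetches the new tarball and recomputes them (assumption)."""
    changed = 0
    for path, _, below in find_entries(lock, name, fixed):
        if below:
            entry = lock["packages"][path]
            entry["version"] = fixed
            entry.pop("resolved", None)   # old tarball URL no longer matches
            entry.pop("integrity", None)  # old hash would make npm ci reject the tarball
            changed += 1
    return changed

if __name__ == "__main__":
    for path, ver, below in find_entries(SAMPLE_LOCK, "vuln-lib", "2.2.0"):
        print(f"{path}: {ver} {'NEEDS UPDATE' if below else 'ok'}")
    print("entries bumped:", bump_entries(SAMPLE_LOCK, "vuln-lib", "2.2.0"))
```

After writing the modified lockfile back out, run `npm ci` and then `npm audit` as the answer describes to confirm the advisory is gone.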
