How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?

Backend | Unresolved | 9 | 1961
面向向阳花 2020-12-07 19:44

GitHub is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update

9 answers
  • 2020-12-07 20:08

    did you try this: go to your project root, delete the package-lock.json file, node_modules and .cache folders, and then npm install.

    0 | Discussion (0)
  • 2020-12-07 20:10

    Edit package-lock.json manually and update vulnerable package version to the fixed one and then use

    npm ci
    

    That will install the packages according to package-lock.json by ignoring package.json first. Then use

    npm audit fix
    

    again, to be sure it's properly done. If that does not help, then use the other solutions given here.

    More Information here:

    https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable

    or here: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities

    0 | Discussion (0)
  • 2020-12-07 20:11

    TLDR: Update the parent package using npm i $PARENT_PKG_NAME.


    Note

    When updating dependencies, you should review the CHANGELOG for any breaking changes.

    Diagnosis

    npm audit will reveal both the vulnerable package (note that you'll need a package-lock.json file for this, so you'll need to run npm i), as well as the package that it is a dependency of (if applicable). Note that you can also use npm ls $CHILD_PKG_NAME to see its parent dependencies.

    Quick Fix Attempt

    npm audit fix and npm audit fix --force are worth a try, but sometimes the fix will need to be done manually (see below).

    Manual Fix

    Most likely the parent package will have already fixed their dependencies (you can verify this by going to their GitHub and reviewing the recent commits, or just seeing if this fixes it), so you can just run npm i $PARENT_PKG_NAME@$NEW_VERSION and it will update your package-lock.json.

    If parent has not fixed the vulnerability

    If the maintainer doesn't seem to be responsive, you may consider using an alternative package that accomplishes the same thing or forking the package and updating the vulnerability yourself.

    Verify Fix

    You can now verify that it worked by running npm audit and ensuring that no vulnerabilities are showing up. Commit your changes, push them to GitHub, refresh your notifications/alerts and they should be gone!

    0 | Discussion (0)
  • 2020-12-07 20:13

    I had this issue and found that it was because the server on which I was running npm had an old version of npm on it; package-lock.json is only supported by newer versions.

    0 | Discussion (0)
  • 2020-12-07 20:14

    After installing new dependencies run the following command to update the package-lock.json file:

    npm update package-lock.json
    
    0 | Discussion (0)
  • 2020-12-07 20:16

    If you have npm@6 or later, you can use npm audit fix for your security issues.

    0 | Discussion (0)