You can use npm shrinkwrapfunctionality, in order to override any dependency or sub-dependency.

您可以使用npm shrinkwrap功能来覆盖任何依赖项或子依赖项。

I've just done this in a grunt project of ours. We needed a newer version of connect, since 2.7.3. was causing trouble for us. So I created a file named npm-shrinkwrap.json :

我刚刚在我们的一个 grunt 项目中完成了这项工作。从 2.7.3 开始，我们需要更新版本的 connect。给我们带来了麻烦。所以我创建了一个名为 npm-shrinkwrap.json 的文件：

{
  "dependencies": {
    "grunt-contrib-connect": {
      "version": "0.3.0",
      "from": "[email protected]",
      "dependencies": {
        "connect": {
          "version": "2.8.1",
          "from": "connect@~2.7.3"
        }
      }
    }
  }
}

npm should automatically pick it up while doing the install for the project.

npm 应该在为项目安装时自动选择它。

(See: https://nodejs.org/en/blog/npm/managing-node-js-dependencies-with-shrinkwrap/)

（参见：https: //nodejs.org/en/blog/npm/managing-node-js-dependencies-with-shrinkwrap/）

For those from 2018 and beyond, using npm version 5 or later: edit your package-lock.json: remove the library from "requires"section and add it under "dependencies".

对于 2018 年及以后的版本，使用 npm 5 或更高版本：编辑您的package-lock.json: 从"requires"部分中删除库并将其添加到“依赖项”下。

For example, you want deglobpackage to use globpackage version 3.2.11instead of its current one. You open package-lock.jsonand see:

例如，您希望deglob包使用glob包版本3.2.11而不是当前版本。你打开package-lock.json看看：

"deglob": {
  "version": "2.1.0",
  "resolved": "https://registry.npmjs.org/deglob/-/deglob-2.1.0.tgz",
  "integrity": "sha1-TUSr4W7zLHebSXK9FBqAMlApoUo=",
  "requires": {
    "find-root": "1.1.0",
    "glob": "7.1.2",
    "ignore": "3.3.5",
    "pkg-config": "1.1.1",
    "run-parallel": "1.1.6",
    "uniq": "1.0.1"
  }
},

Remove "glob": "7.1.2",from "requires", add "dependencies"with proper version:

删除"glob": "7.1.2",从"requires"，添加"dependencies"适当的版本：

"deglob": {
  "version": "2.1.0",
  "resolved": "https://registry.npmjs.org/deglob/-/deglob-2.1.0.tgz",
  "integrity": "sha1-TUSr4W7zLHebSXK9FBqAMlApoUo=",
  "requires": {
    "find-root": "1.1.0",
    "ignore": "3.3.5",
    "pkg-config": "1.1.1",
    "run-parallel": "1.1.6",
    "uniq": "1.0.1"
  },
  "dependencies": {
    "glob": {
      "version": "3.2.11"
    }
  }
},

Now remove your node_modulesfolder, run npm installand it will add missing parts to the "dependencies"section.

现在删除您的node_modules文件夹，运行npm install，它将向该"dependencies"部分添加缺少的部分。

For those using yarn.

对于那些使用纱线的人。

I tried using npm shrinkwrap until I discovered the yarn cli ignored my npm-shrinkwrap.json file.

我尝试使用 npm shrinkwrap ，直到我发现 yarn cli 忽略了我的 npm-shrinkwrap.json 文件。

Yarn has https://yarnpkg.com/lang/en/docs/selective-version-resolutions/for this. Neat.

Yarn 对此有https://yarnpkg.com/lang/en/docs/selective-version-resolutions/。整洁的。

Check out this answer too: https://stackoverflow.com/a/41082766/3051080

也看看这个答案：https: //stackoverflow.com/a/41082766/3051080

I had an issue where one of the nested dependency had an npm audit vulnerability, but I still wanted to maintain the parent dependency version. the npm shrinkwrap solution didn't work for me, so what I did to override the nested dependency version:

我遇到了一个问题，其中一个嵌套依赖项存在 npm 审计漏洞，但我仍然想维护父依赖项版本。npm shrinkwrap 解决方案对我不起作用，所以我做了什么来覆盖嵌套的依赖版本：

1. Remove the nested dependency under the 'requires' section in package-lock.json
2. Add the updated dependency under DevDependencies in package.json, so that modules that require it will still be able to access it.
3. npm i

1. 删除 package-lock.json 中“requires”部分下的嵌套依赖项
2. 在 package.json 中的 DevDependencies 下添加更新的依赖项，以便需要它的模块仍然能够访问它。
3. 我的

NPM shrinkwrapoffers a nice solution to this problem. It allows us to override that version of a particular dependency of a particular sub-module.

NPM 收缩包装为这个问题提供了一个很好的解决方案。它允许我们覆盖特定子模块的特定依赖项的版本。

Essentially, when you run npm install, npm will first look in your root directory to see whether a npm-shrinkwrap.json file exists. If it does, it will use this first to determine package dependencies, and then falling back to the normal process of working through the package.json files.

本质上，当您运行 npm install 时，npm 将首先查看您的根目录以查看是否存在 npm-shrinkwrap.json 文件。如果是，它将首先使用它来确定包依赖项，然后返回到正常的处理 package.json 文件的过程。

To create an npm-shrinkwrap.json, all you need to do is

要创建一个 npm-shrinkwrap.json，您需要做的就是

 npm shrinkwrap --dev

code:

代码：

{
  "dependencies": {
    "grunt-contrib-connect": {
      "version": "0.3.0",
      "from": "[email protected]",
      "dependencies": {
        "connect": {
          "version": "2.8.1",
          "from": "connect@~2.7.3"
        }
      }
    }
  }
}

I found a solution that worked for me.

我找到了一个对我有用的解决方案。

So. First edit your npm-shrinkwrap.json file as recommended all others solutions.

所以。首先按照推荐的所有其他解决方案编辑您的 npm-shrinkwrap.json 文件。

Then, (on Windows):

然后，（在 Windows 上）：

• Right click on 'npm-shrinkwrap.json' file
• Properties
• Under Attributes select 'Read-Only'.This will prevent npm to modify the mpn-shrinkwrap.json file.

• 右键单击“npm-shrinkwrap.json”文件
• 特性
• 在属性下选择“只读”。这将阻止 npm 修改 mpn-shrinkwrap.json 文件。

The other proposed solutions are good enough if you are making the 'npm install' operation just once. But after the first 'npm install' the file 'npm-shrinkwrap.json' is modified again as before your modification.

如果您只进行一次“npm install”操作，其他建议的解决方案就足够了。但是在第一次 'npm install' 之后，文件 'npm-shrinkwrap.json' 会像修改前一样再次修改。