node.js: How do I fix a vulnerable npm package in package-lock.json that isn't listed in package.json?

Notice: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/50328324/

Date: 2020-09-02 18:48:05  Source: igfitidea

How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?

Tags: node.js, npm, package.json, package-lock.json

Asked by Raph117

Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update, neither of them updates the dependency in the package-lock.json file.

I've done a lot of googling on this, as well as deleted the file and done npm install.

If anyone can help resolve this I'd hugely appreciate it. The package in question is Hoek, which I don't actually have in my package.json file.

Many thanks in advance.

Accepted answer by Alex Mulchinock

It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from its own package.json).

You've already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.

Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.

Edit: To help you identify which packages are using which dependencies, you can use NPM's ls command: https://docs.npmjs.com/cli/ls

For example, to see which packages are using Hoek: npm ls hoek

Edit 2: As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.

Edit 3: Those reading this should also check out JBallin's answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP's question better. However - if you want a quick fix - this answer should suffice.

Answered by JBallin

TLDR: Update the parent package using npm i $PARENT_PKG_NAME.

Note

When updating dependencies, you should review the CHANGELOG for any breaking changes.

Diagnosis

npm audit will reveal both the vulnerable package (note that you'll need a package-lock.json file for this, so you'll need to run npm i), as well as the package that it is a dependency of (if applicable). Note that you can also use npm ls $CHILD_PKG_NAME to see its parent dependencies.

Quick Fix Attempt

npm audit fix and npm audit fix --force are worth a try, but sometimes the fix will need to be done manually (see below).

Manual Fix

Most likely the parent package will have already fixed their dependencies (you can verify this by going to their GitHub and reviewing the recent commits, or just seeing if this fixes it), so you can just run npm i $PARENT_PKG_NAME@$NEW_VERSION and it will update your package-lock.json.

If parent has not fixed the vulnerability

If the maintainer doesn't seem to be responsive, you may consider using an alternative package that accomplishes the same thing or forking the package and updating the vulnerability yourself.

Verify Fix

You can now verify that it worked by running npm audit and ensuring that no vulnerabilities are showing up. Commit your changes, push them to GitHub, refresh your notifications/alerts and they should be gone!

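As an added example (not code from any of the answers above), here is a Node script that does offline what the npm ls $CHILD_PKG_NAME step in the diagnosis does: it walks a lockfileVersion 1 package-lock.json from the direct dependencies in package.json down to the named package, and then reports which parent package still pulls in a copy older than the version that npm audit reports as fixed. The package names, versions and the fixed-in threshold are constructed sample data, not the asker's project; the hoek/hawk/boom chain only mirrors the shape of the problem in the question.

```javascript
// Constructed sample (not a real project): package.json direct deps plus a
// lockfileVersion 1 package-lock.json, the format npm 5/6 write.
const SAMPLE_PKG = { dependencies: { request: "^2.81.0", "safe-lib": "^1.0.0" } };
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  request: { version: "2.81.0", requires: { hawk: "~3.1.3" } },
  hawk: { version: "3.1.3", requires: { hoek: "2.x.x", boom: "2.x.x" } },
  boom: { version: "2.10.1", requires: { hoek: "2.x.x" } },
  hoek: { version: "2.16.3" },
  // npm nests a private copy when a package needs a version that conflicts with the hoisted one
  "safe-lib": { version: "1.0.0", requires: { hoek: "6.1.3" }, dependencies: { hoek: { version: "6.1.3" } } }
} };
// Resolve a name the way Node does: innermost node_modules first, then outward.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) return scopes[i][name];
  }
  return null;
}
// Every chain from a direct dependency down to `target`, e.g.
// ["request@2.81.0", "hawk@3.1.3", "hoek@2.16.3"]: the tree `npm ls hoek` prints.
function findChains(pkg, lock, target) {
  const chains = [];
  const walk = (name, node, scopes, path) => {
    const here = path.concat(`${name}@${node.version}`);
    if (name === target) { chains.push(here); return; }
    const inner = scopes.concat(node.dependencies || {});
    for (const dep of Object.keys(node.requires || {})) {
      if (here.some(p => p.startsWith(dep + "@"))) continue; // cycle guard
      const child = resolve(dep, inner);
      if (child) walk(dep, child, inner, here);
    }
  };
  for (const name of Object.keys(pkg.dependencies || {})) {
    if (lock.dependencies[name]) walk(name, lock.dependencies[name], [lock.dependencies], []);
  }
  return chains;
}
// Plain x.y.z comparison, enough for the sample; real code should use the semver package.
function olderThan(a, b) {
  const [pa, pb] = [a, b].map(v => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// Direct dependencies (the $PARENT_PKG_NAME to bump) whose tree still pulls in a copy older than fixedIn.
function parentsToUpdate(pkg, lock, target, fixedIn) {
  const ver = id => id.slice(id.lastIndexOf("@") + 1), bare = id => id.slice(0, id.lastIndexOf("@"));
  const bad = findChains(pkg, lock, target).filter(c => olderThan(ver(c[c.length - 1]), fixedIn));
  return [...new Set(bad.map(c => bare(c[0])))];
}
```

Note that safe-lib appears in the npm ls style output but not in the list of parents to update, because its nested copy is already past the threshold; only the hoisted copy reached through request needs the parent bump.
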
Answered by Ulysse BN

If you have npm@6 or later, you can use npm audit fix for your security issues.

Answered by scorpion

Use:

npm i hoek

npm will install the latest version of hoek and your package-lock.json will be updated.

Answered by jvvw

I had this issue and found that it was because the server on which I was running npm had an old version of npm on it; package-lock.json is only supported by newer versions.

Answered by CakeL

Did you try this: go to your project root, delete the package-lock.json file and the node_modules and .cache folders, and then run npm install.

Answered by Jerry Chong

To check for vulnerable npm packages, just use the following command:

npm audit

To fix vulnerable npm packages, just use the following command, which will fix package-lock.json too:

npm audit fix

Answered by SA911

After installing new dependencies run the following command to update the package-lock.json file:

npm update package-lock.json