Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
371 views
in Technique[技术] by (71.8m points)

node.js - How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?

Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update, neither of them update the dependency in the package-lock.json file.

I've done a lot of googling on this, as well as deleted the file and done npm install.

If anyone can help resolve this I'd hugely appreciate it. The package in question is Hoek, which I don't actually have in my package.json file.

Many thanks in advance.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from it's own package.json).

You've already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified.

Without seeing the package.json for each of your dependencies, it would be difficult to advise further on how to force an update.

Edit: To help you identify which packages are using which dependencies, you can use NPM's ls command: https://docs.npmjs.com/cli/ls

For example, to see which packages are using Hoek: npm ls hoek

Edit 2: As Ulysse BN correctly points out, if you have NPM version 6 or later, you can use npm audit fix to ask NPM to attempt to fix the vulnerabilities for you.

Edit 3: Those reading this should also check out JBallin's answer below. It expands on information I have given here, and is (in my opinion) a more structured answer that addresses OP's question better. However - if you want a quick fix - this answer should suffice.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...